- ncurses
-
- Add patch fix-bsc1259924.patch (bsc#1259924, CVE-2025-69720)
* Backport from ncurses-6.5-20251213.patch
- shim
-
- Add DER format certificate files for the pretrans script to verify
that the necessary certificate is in the UEFI db
- openSUSE Secure Boot CA, 2013-2035
openSUSE_Secure_Boot_CA_2013.crt
- SUSE Linux Enterprise Secure Boot CA, 2013-2035
SUSE_Linux_Enterprise_Secure_Boot_CA_2013.crt
- Microsoft Corporation UEFI CA 2011, 2011-2026
Microsoft_Corporation_UEFI_CA_2011.crt
- Microsoft UEFI CA 2023, 2023-2038
Microsoft_UEFI_CA_2023.crt
- shim.spec: Add a pretrans script to verify that the necessary certificate
is in the UEFI db.
- Always put SUSE Linux Enterprise Secure Boot CA to target array.
(bsc#1254679)
- Update to 16.1
- RPMs
shim-16.1-150300.4.31.1.x86_64.rpm
- submitreq: https://build.suse.de/request/show/395247
- repo: https://build.suse.de/package/show/SUSE:Maintenance:39913/shim.SUSE_SLE-15-SP3_Update
- Patches (git log --oneline --reverse 16.0..16.1)
4040ec4 shim_start_image(): fix guid/handle pairing when uninstalling protocols
39c0aa1 str2ip6(): parsing of "uncompressed" ipv6 addresses
3133d19 test-mock-variables: make our filter list entries safer.
d44405e mock-variables: remove unused variable
0e8459f Update CI to use ubuntu-24.04 instead of ubuntu-20.04
d16a5a6 SbatLevel_Variable.txt: minor typo fix.
32804cf Realloc() needs one more byte for sprintf()
431d370 IPv6: Add more check to avoid multiple double colon and illegal char
5e4d93c Loader Proto: make freeing of bprop.buffer conditional.
33deac2 Prepare to move things from shim.c to verify.c
030e7df Move a bunch of stuff from shim.c to verify.c
f3ddda7 handle_image(): make verification conditional
774f226 Cache sections of a loaded image and sub-images from them.
eb0d20b loader-protocol: handle sub-section loading for UKIs
2f64bb9 loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages
1abc7ca loader-protocol: NULL output variable in load_image on failure
fb77b44 Generate Authenticode for the entire PE file
b86b909 README: mention new loader protocol and interaction with UKIs
8522612 ci: add mkosi configuration and CI
9ebab84 mkosi workflow: fix the branch name for main.
72a4c41 shim: change automatically enable MOK_POLICY_REQUIRE_NX
a2f0dfa This is an organizational patch to move some things around in mok.c
54b9946 Update to the shim-16.1 branch of gnu-efi to get AsciiSPrint()
a5a6922 get_max_var_sz(): add more debugging for apple platforms
77a2922 Add a "VariableInfo" variable to mok-variables.
efc71c9 build: Avoid passing *FLAGS to sub-make
7670932 Fixes for 'make TOPDIR=... clean'
13ab598 add SbatLevel entry 2025051000 for PSA-2025-00012-1
617aed5 Update version to 16.1~rc1
d316ba8 format_variable_info(): fix wrong size test.
f5fad0e _do_sha256_sum(): Fix missing error check.
3a9734d doc: add howto for running mkosi locally
ced5f71 mkosi: remove spurious slashes from script
0076155 ci: update mkosi commit
5481105 fix http boot
121cddf loader-protocol: Handle UnloadImage after StartImage properly
6a1d1a9 loader-protocol: Fix memory leaks
27a5d22 gitignore: add more mkosi dirs and vscode dir
346ed15 mkosi: disable repository key check on Fedora
afc4955 Update version to 16.1
- 16.1 release note https://github.com/rhboot/shim/releases
shim_start_image(): fix guid/handle pairing when uninstalling protocols by @vathpela in #738
Fix uncompressed ipv6 netboot by @hrvach in #742
fix test segfaults caused by uninitialized memory by @Fabian-Gruenbichler in #739
Update CI to use ubuntu-24.04 instead of ubuntu-20.04 by @vathpela in #749
SbatLevel_Variable.txt: minor typo fix. by @vathpela in #751
Realloc() needs to allocate one more byte for sprintf() by @dennis-tseng99 in #746 (bsc#1240871)
IPv6: Add more check to avoid multiple double colon and illegal char by @dennis-tseng99 in #753
Loader proto v2 by @vathpela in #748
loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages by @bluca in #750
Generate Authenticode for the entire PE file by @esnowberg in #604
README: mention new loader protocol and interaction with UKIs by @bluca in #755
ci: add mkosi configuration and CI by @bluca in #764
shim: change automatically enable MOK_POLICY_REQUIRE_NX by @vathpela in #761
Save var info by @vathpela in #763
build: Avoid passing *FLAGS to sub-make by @rosslagerwall in #758
Fixes for 'make TOPDIR=... clean' by @bluca in #762
add SbatLevel entry 2025051000 for PSA-2025-00012-1 by @Fabian-Gruenbichler in #766
Coverity fixes 20250804 by @vathpela in #767
ci: fixlets and docs for mkosi workflow by @bluca in #768
fix http boot by @jsetje in #770
Fix double free and leak in the loader protocol by @rosslagerwall in #769
gitignore: add more mkosi dirs and vscode dir by @bluca in #771
- Drop upstreamed patch:
The following patches are merged to 16.1
- shim-alloc-one-more-byte-for-sprintf.patch
- 32804cf5d9 Realloc() needs one more byte for sprintf() [16.1]
- shim-change-automatically-enable-MOK_POLICY_REQUIRE_NX.patch (bsc#1205588)
- 72a4c41877 shim: change automatically enable MOK_POLICY_REQUIRE_NX [16.1]
- Building MokManager.efi and fallback.efi with POST_PROCESS_PE_FLAGS=-n (bsc#1205588)
- Building with the latest version of gcc in the codebase:
- The gcc13 can workaround dxe_get_mem_attrs() hsi_status problem
- We prefer that building shim with the latest version of gcc in codebase.
- Set the minimum version is gcc-13.
(bsc#1247432)
- SLE shim should includes vendor-dbx-sles.esl instead of
vendor-dbx-opensuse.esl. Fixed it in shim.spec.
- perl
-
- Fix stack buffer overflow in Storable's deserialization of hooks
code [bsc#1262486] [CVE-2017-20230]
new patch: perl-storable-overflow.diff
- python-pyOpenSSL
-
- CVE-2026-27448: unhandled exception can result in connection not being cancelled (bsc#1259804)
Add patch CVE-2026-27448.patch
- python3
-
- Add CVE-2026-3479-pkgutil_get_data.patch pkgutil.get_data() has
the same security model as open(). The documented limitations
ensure compatibility with non-filesystem loaders; Python
doesn't check that. (bsc#1259989, CVE-2026-3479,
gh#python/cpython#146121).
- Add CVE-2026-4519-webbrowser-open-dashes.patch to reject
leading dashes in webbrowser URLs (bsc#1260026, CVE-2026-4519,
gh#python/cpython#143930).
- Add CVE-2025-13462-tarinfo-header-parse.patch which skips
TarInfo DIRTYPE normalization during GNU long name handling
(bsc#1259611, CVE-2025-13462).
- Add CVE-2026-4224-expat-unbound-C-recursion.patch avoiding
unbound C recursion in conv_content_model in pyexpat.c
(bsc#1259735, CVE-2026-4224).
- Add CVE-2026-3644-cookies-Morsel-update-II.patch to reject
control characters in http.cookies.Morsel.update() and
http.cookies.BaseCookie.js_output (bsc#1259734, CVE-2026-3644).
- mozilla-nss
-
- update to NSS 3.112.4
* bmo#2030135 - improve error handling in PK11_ImportPrivateKeyInfoAndReturnKey.
* bmo#2029752 - Improving the allocation of S/MIME DecryptSymKey.
* bmo#2029462 - store email on subject cache_entry in NSS trust domain.
* bmo#2029425 - Heap use-after-free in cert_VerifyCertChainOld via dangling certsList[] entry on NameConstraints violation.
* bmo#2029323 - Improve size calculations in CMS content buffering.
* bmo#2028001 - avoid integer overflow while escaping RFC822 Names.
* bmo#2027378 - Reject excessively large ASN.1 SEQUENCE OF in quickder.
* bmo#2027365 - Deep copy profile data in CERT_FindSMimeProfile.
* bmo#2027345 - Improve input validation in DSAU signature decoding.
* bmo#2026311 - avoid integer overflow in RSA_EMSAEncodePSS.
* bmo#2019357 - RSA_EMSAEncodePSS should validate the length of mHash.
* bmo#2026156 - Add a maximum cert uncompressed len and tests.
* bmo#2026089 - Clarify extension negotiation mechanism for TLS Handshakes.
* bmo#2023209 - ensure permittedSubtrees don't match wildcards that could be outside the permitted tree.
* bmo#2023207 - Fix integer underflow in tls13_AEAD when ciphertext is shorter than tag.
* bmo#2019224 - Remove invalid PORT_Free().
* bmo#1964722 - free digest objects in SEC_PKCS7DecoderFinish if they haven't already been freed.
* bmo#1935995 - make ss->ssl3.hs.cookie an owned-copy of the cookie.
- libpng16
-
- added patches
CVE-2026-34757: Information disclosure and data corruption via use-after-free vulnerability [bsc#1261957]
* libpng16-CVE-2026-34757.patch
- added patches
CVE-2026-33416: use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE` can lead to arbitrary code execution (bsc#1260754)
* libpng16-CVE-2026-33416-1.patch
* libpng16-CVE-2026-33416-2.patch
* libpng16-CVE-2026-33416-3.patch
* libpng16-CVE-2026-33416-4.patch
- tigervnc
-
- U_Prevent-other-users-reading-x0vncserver-screen.patch
* Prevent other users from observing the screen, or modifying
what is sent to the client. Malicious attackers could even
crash x0vncserver if they timed the modifications right.
(CVE-2026-34352, bsc#1260871)
- sed
-
- Add CVE-2026-5958.patch
* Fix CVE-2026-5958 (bsc#1262144):
A TOCTOU race can allow to read attacker-controlled content and write
it to an unintended file
- tiff
-
- CVE-2025-61143: Fix NULL pointer dereference (bsc#1258798)
Add tiff-CVE-2025-61143.patch
- CVE-2025-61144: Fix stack overflow in readSeparateStripsIntoBuffer (bsc#1258801)
Add tiff-CVE-2025-61144.patch
- python36
-
- Add CVE-2026-3479-pkgutil_get_data.patch pkgutil.get_data() has
the same security model as open(). The documented limitations
ensure compatibility with non-filesystem loaders; Python
doesn't check that. (bsc#1259989, CVE-2026-3479,
gh#python/cpython#146121).
- Add CVE-2026-4519-webbrowser-open-dashes.patch to reject
leading dashes in webbrowser URLs (bsc#1260026, CVE-2026-4519,
gh#python/cpython#143930).
- Add CVE-2025-13462-tarinfo-header-parse.patch which skips
TarInfo DIRTYPE normalization during GNU long name handling
(bsc#1259611, CVE-2025-13462).
- Add CVE-2026-4224-expat-unbound-C-recursion.patch avoiding
unbound C recursion in conv_content_model in pyexpat.c
(bsc#1259735, CVE-2026-4224).
- Add CVE-2026-3644-cookies-Morsel-update-II.patch to reject
control characters in http.cookies.Morsel.update() and
http.cookies.BaseCookie.js_output (bsc#1259734, CVE-2026-3644).
- libpng12
-
- version update to 1.2.59 [jsc#PED-16191]
Added png_check_chunk_length() function, and check all chunks except
IDAT against the default 8MB limit; check IDAT against the maximum
size computed from IHDR parameters (Fixes CVE-2017-12652).
Initialize memory allocated by png_inflate to zero, using memset, to
stop an oss-fuzz "use of uninitialized value" detection in png_set_text_2()
due to truncated iTXt or zTXt chunk.
Added png_check_chunk_length() function, and check all chunks except
IDAT against the default 8MB limit; check IDAT against the maximum
size computed from IHDR parameters (Fixes CVE-2017-12652).
Check for 0 return from png_get_rowbytes() and added some (size_t) typecasts
in contrib/pngminus/*.c to stop some Coverity issues (162705, 162706,
and 162707).
Fixed a potential null pointer dereference in png_set_text_2() (bug report
and patch by Patrick Keshishian, CVE-2016-10087).
Fixed an out-of-range read in png_check_keyword() (Bug report from
Qixue Xiao, CVE-2015-8540).
Avoid potential pointer overflow in png_handle_iTXt(), png_handle_zTXt(),
png_handle_sPLT(), and png_handle_pCAL() (Bug report by John Regehr).
Fixed new bug with CRC error after reading an over-length palette
(bug report by Cosmin Truta) (CVE-2015-8126).- deleted patches
Check for 0 return from png_get_rowbytes() and added some (size_t) typecasts
in contrib/pngminus/*.c to stop some Coverity issues (162705, 162706,
and 162707).
Fixed typecast in a png_debug2() statement in png_set_text_2() to
avoid a compiler warning in PNG_DEBUG builds.
Fixed printf formats in pngtest.c to avoid compiler warnings and a
Coverity warning in PNG_DEBUG builds.
Avoid Coverity issue 80858 (REVERSE NULL) in pngtest.c PNG_DEBUG builds.
Removed WRITE_WEIGHTED_FILTERED code.
Avoid potentially dereferencing NULL info_ptr in png_info_init_3().
Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c
Use nanosleep() instead of usleep() in contrib/gregbook/rpng2-x.c
because usleep() is deprecated (port from libpng16).
Fixed some bad links in the man page.
Added a safety check in png_set_tIME() (Fixes CVE-2015-7981, bug report
from Qixue Xiao).
Issue a png_error() instead of a png_warning() when width is
potentially too large for the architecture, in case the calling
application has overridden the default 1,000,000-column limit
(fixes CVE-2014-9495 and CVE-2015-0973).
Quieted some harmless warnings from Coverity-scan.
Avoid out-of-bounds memory access while checking version string in
pngread.c and pngwrite.c
* libpng-1.2.50-CVE-2013-7353.patch (upstreamed)
* libpng-1.2.50-CVE-2013-7354.patch (upstreamed)
* libpng12-CVE-2015-7981.patch (upstreamed)
* libpng12-CVE-2015-8126-complete.patch (upstreamed)
* libpng12-CVE-2015-8126.patch (upstreamed)
* libpng12-CVE-2015-8540.patch (upstreamed)
* libpng12-CVE-2016-10087.patch (upstreamed)
* libpng12-CVE-2017-12652.patch (upstreamed)
* libpng12-CVE-2026-25646.patch (upstreamed)
- added patches
* libpng-1.2.51-CVE-2013-7353.patch
* libpng-1.2.51-CVE-2013-7354.patch
CVE-2026-33416: use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE` can lead to arbitrary code execution [bsc#1260754]
* libpng12-CVE-2026-33416.patch
CVE-2026-34757: Information disclosure and data corruption via use-after-free vulnerability [bsc#1261957]
* libpng12-CVE-2026-34757.patch
- avahi
-
- Add avahi-CVE-2026-24401.patch: Fix unsolicited mDNS response
containing a recursive CNAME record (bsc#1257235).
- util-linux
-
- Use full hostname for PAM to ensure correct access control for
"login -h" (bsc#1258859, CVE-2026-3184,
util-linux-CVE-2026-3184.patch).
- util-linux-systemd
-
- Use full hostname for PAM to ensure correct access control for
"login -h" (bsc#1258859, CVE-2026-3184,
util-linux-CVE-2026-3184.patch).
- kernel-default
-
- crypto: authencesn - Fix src offset when decrypting in-place
(bsc#1262573 CVE-2026-31431).
- commit 447ae9a
- crypto: authencesn - Do not place hiseq at end of dst for
out-of-place decryption (bsc#1262573 CVE-2026-31431).
- commit ce75b61
- crypto: authenc - use memcpy_sglist() instead of null skcipher
(bsc#1262573 CVE-2026-31431).
- Refresh
patches.suse/crypto-authencesn-reject-too-short-AAD-assoclen-8-to.patch
- commit 2ef1585
- crypto: aead - set CRYPTO_TFM_NEED_KEY if ->setkey() fails
(bsc#1262573 CVE-2026-31431).
- commit 3389719
- kABI: Restore af_alg_{count,pull}_tsgl() signatures (bsc#1262573
CVE-2026-31431).
- commit e0a7432
- crypto: algif_aead - Revert to operating out-of-place
(bsc#1262573 CVE-2026-31431).
- commit 3324e92
- crypto: algif_aead - use memcpy_sglist() instead of null skcipher
(bsc#1262573 CVE-2026-31431).
- commit e04265b
- crypto: aead - prevent using AEADs without setting key
(bsc#1262573 CVE-2026-31431).
- commit 81b8a54
- crypto: scatterwalk - Fix memcpy_sglist() to always succeed
(bsc#1262573 CVE-2026-31431).
- commit b51c829
- crypto: scatterwalk - Add memcpy_sglist (bsc#1262573
CVE-2026-31431).
- commit 18c7752
- HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks
missing them (CVE-2026-23382 bsc#1260551).
- commit 0938773
- ALSA: usb-audio: Use correct version for UAC3 header validation
(CVE-2026-23318 bsc#1260536).
- commit d97948d
- net/sched: teql: fix NULL pointer dereference in iptunnel_xmit
on TEQL slave xmit (CVE-2026-23277 bsc#1259997).
- commit 1e064e8
- netfilter: nf_tables: unconditionally bump set->nelems before
insertion (CVE-2026-23272 bsc#1260009).
- commit 09c01da
- icmp: fix NULL pointer dereference in icmp_tag_validation()
(CVE-2026-23398 bsc#1260730).
- commit 4a6435e
- gve: Fix stats report corruption on queue count change
(CVE-2026-23262 bsc#1259870).
- commit 9fb91de
- btrfs: fix reservation leak in some error paths when inserting
inline extent (CVE-2025-71268 bsc#1259865).
- commit 9f5a354
- btrfs: do not free data reservation in fallback from inline
due to -ENOSPC (CVE-2025-71269 bsc#1259889).
- commit 1264408
- gve: fix incorrect buffer cleanup in
gve_tx_clean_pending_packets for QPL (CVE-2026-23386
bsc#1260799).
- commit cbe159d
- can: bcm: fix locking for bcm_op runtime updates (CVE-2026-23362
bsc#1260489).
- commit 2c7a147
- RDMA/umad: Reject negative data_len in ib_umad_write (CVE-2026-23243 bsc#1259797)
- commit f1f6f9a
- net/tls: return ENOTSUPP on tls_init() (CVE-2024-26584
bsc#1220186).
- blacklist.conf: blacklist original commit.
- commit eedeb3a
- btrfs: fix processing of delayed data refs during backref walking (bsc#1228031).
- commit 4e68ed0
- fs: skip superblock shrink on frozen xfs filesystems
(bsc#1259770).
- commit f01e7af
- libceph: replace overzealous BUG_ON in osdmap_apply_incremental() (CVE-2026-22990 bsc#1257221).
- commit 48abf39
- btrfs: qgroup: fix race between quota disable and quota rescan
ioctl (CVE-2025-39759 bsc#1249522).
- commit 80667fb
- kABI fix for ipvlan: Make the addrs_lock be per port
(CVE-2026-23103 bsc#1257773).
- commit d449598
- sched/rt: Fix race in push_rt_task (CVE-2025-38234 bsc#1246057)
- commit 2ff5901
- Refresh
patches.suse/0001-apparmor-validate-DFA-start-states-are-in-bounds-in-.patch.
- commit c19850e
- l2tp: avoid one data-race in l2tp_tunnel_del_work() (CVE-2026-23120 bsc#1258280)
- commit 30aaeff
- ipvlan: Make the addrs_lock be per port (CVE-2026-23103
bsc#1257773).
- Delete patches.kabi/ipvlan_addr_lock_kabi.patch.
- commit 9627a6e
- Use unified maintainers' email address
- commit 0ed1513
- gdk-pixbuf
-
- Add gdk-pixbuf-CVE-2026-5201.patch: jpeg: Reject unsupported
number of components (bsc#1261210 CVE-2026-5201
glgo#GNOME/gdk-pixbuf#266).
- cups
-
- cups-1.7.5-CVE-2026-34980.patch is based on
https://github.com/OpenPrinting/cups/commit/8d0f51cac24cb5bf949c5b6a221e51a150d982e3
backported to CUPS 1.7.5 to fix CVE-2026-34980
"Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network"
https://github.com/OpenPrinting/cups/security/advisories/GHSA-4852-v58g-6cwf
bsc#1261569
- cups-1.7.5-CVE-2026-34990.patch is is based on
https://github.com/OpenPrinting/cups/commit/e052dc44da9d12adfbebc51de4975fbadb2ce356
backported to CUPS 1.7.5 to fix CVE-2026-34990
"Local print admin token disclosure using temporary printers"
as far as matching code parts were found in CUPS 1.7.5
in particular CUPS 1.7.5 has no function to
"Create a local (temporary) [print] queue"
so CUPS 1.7.5 should not be affected by issues
which are related to "using temporary printers"
https://github.com/OpenPrinting/cups/security/advisories/GHSA-c54j-2vqw-wpwp
bsc#1261568
- Incompatible changes needed to properly fix CVE-2026-34990:
The scheduler incorrectly allowed local certificates over the
loopback interface. Now this is only via domain sockets allowed.
The ability to create/overwrite files via a 'file:' device URI
is removed. Now the specified file must already exist
and is opened only for writing in exclusive mode.
In general: Historically 'file:' devices were provided
for backwards compatibility with System V interface scripts
that talked to serial printers over a character device, with
very limited debugging support for writing to an ordinary file.
It is not and never was intended as a way to "print to a file".
For a proper debugging method see the section
"A backend that sends its input into a file for debugging" in
https://en.opensuse.org/SDB:Using_Your_Own_Backends_to_Print_with_CUPS
- libcap
-
- CVE-2026-4878: Fixed a a potential TOCTOU race condition in cap_set_file() (bsc#1261809)
0001-Address-a-potential-TOCTOU-race-condition-in-cap_set.patch:
- python-urllib3
-
- fix regression in CVE-2025-66471.patch when downloading large files
(bsc#1259829)
- CVE-2025-66471: excessive resource consumption via decompression
of highly compressed data in Streaming API (bsc#1254867)
added CVE-2025-66471.patch
- CVE-2025-66418: resource exhaustion via unbounded number of links
in the decompression chain (bsc#1254866)
added CVE-2025-66418.patch
- CVE-2026-21441: excessive resource consumption during decompression
of data in HTTP redirect responses (bsc#1256331)
added CVE-2026-21441.patch
- disabled response decompression with brotli due to missing brotli
feature (jsc#PED-15380)
- Add security patches:
* CVE-2025-66471 (bsc#1254867)
* CVE-2025-66418 (bsc#1254866)
* CVE-2026-21441 (bsc#1256331)
- polkit
-
- avoid reading endless amounts of memory (CVE-2026-4897 bsc#1260859)
0001-CVE-2026-4897-getline-string-overflow.patch
- vim
-
- Fix bsc#1261191 / CVE-2026-34714.
- Fix bsc#1261271 / CVE-2026-34982.
- Fix bsc#1259985 / CVE-2026-33412.
- Update to 9.2.0280:
* patch 9.2.0280: [security]: path traversal issue in zip.vim
* patch 9.2.0279: terminal: out-of-bounds write with overlong CSI argument list
* patch 9.2.0278: viminfo: heap buffer overflow when reading viminfo file
* patch 9.2.0277: tests: test_modeline.vim fails
* patch 9.2.0276: [security]: modeline security bypass
* patch 9.2.0275: tests: test_options.vim fails
* patch 9.2.0274: BSU/ESU are output directly to the terminal
* patch 9.2.0273: tabpanel: undefined behaviour with large tabpanelop columns
* patch 9.2.0272: [security]: 'tabpanel' can be set in a modeline
* patch 9.2.0271: buffer underflow in vim_fgets()
* patch 9.2.0270: test: trailing spaces used in tests
* patch 9.2.0269: configure: Link error on Solaris
* patch 9.2.0268: memory leak in call_oc_method()
* patch 9.2.0267: 'autowrite' not triggered for :term
* patch 9.2.0266: typeahead buffer overflow during mouse drag event
* patch 9.2.0265: unnecessary restrictions for defining dictionary function names
* patch 9.2.0264: Cannot disable kitty keyboard protocol in vim :terminal
* patch 9.2.0263: hlset() cannot handle attributes with spaces
* patch 9.2.0262: invalid lnum when pasting text copied blockwise
* patch 9.2.0261: terminal: redraws are slow
* patch 9.2.0260: statusline not redrawn after closing a popup window
* patch 9.2.0259: tabpanel: corrupted display during scrolling causing flicker
* patch 9.2.0258: memory leak in add_mark()
* patch 9.2.0257: unnecessary memory allocation in set_callback()
* patch 9.2.0256: visual selection size not shown in showcmd during test
* patch 9.2.0255: tests: Test_popup_opacity_vsplit() fails in a wide terminal
* patch 9.2.0254: w_locked can be bypassed when setting recursively
* patch 9.2.0253: various issues with wrong b_nwindows after closing buffers
* patch 9.2.0252: Crash when ending Visual mode after curbuf was unloaded
* patch 9.2.0251: Link error when building without channel feature
* patch 9.2.0250: system() does not support bypassing the shell
* patch 9.2.0249: clipboard: provider reacts to autoselect feature
* patch 9.2.0248: json_decode() is not strict enough
* patch 9.2.0247: popup: popups may not wrap as expected
* patch 9.2.0246: memory leak in globpath()
* patch 9.2.0245: xxd: color output detection is broken
* patch 9.2.0244: memory leak in eval8()
* patch 9.2.0243: memory leak in change_indent()
* patch 9.2.0242: memory leak in check_for_cryptkey()
* patch 9.2.0241: tests: Test_visual_block_hl_with_autosel() is flaky
* patch 9.2.0240: syn_name2id() is slow due to linear search
* patch 9.2.0239: signcolumn may cause flicker
* patch 9.2.0238: showmode message may not be displayed
* patch 9.2.0237: filetype: ObjectScript routines are not recognized
* patch 9.2.0236: stack-overflow with deeply nested data in json_encode/decode()
* patch 9.2.0235: filetype: wks files are not recognized.
* patch 9.2.0234: test: Test_close_handle() is flaky
* patch 9.2.0233: Compiler warning in strings.c
* patch 9.2.0232: fileinfo not shown after :bd of last listed buffer
* patch 9.2.0231: Amiga: Link error for missing HAVE_LOCALE_H
* patch 9.2.0230: popup: opacity not working accross vert splits
* patch 9.2.0229: keypad keys may overwrite keycode for another key
* patch 9.2.0228: still possible flicker
* patch 9.2.0227: MS-Windows: CSI sequences may be written to screen
* patch 9.2.0226: No 'incsearch' highlighting support for :uniq
* patch 9.2.0225: runtime(compiler): No compiler plugin for just
* patch 9.2.0224: channel: 2 issues with out/err callbacks
* patch 9.2.0223: Option handling for key:value suboptions is limited
* patch 9.2.0222: "zb" scrolls incorrectly with cursor on fold
* patch 9.2.0221: Visual selection drawn incorrectly with "autoselect"
* patch 9.2.0220: MS-Windows: some defined cannot be set on Cygwin/Mingw
* patch 9.2.0219: call stack can be corrupted
* patch 9.2.0218: visual selection highlighting in X11 GUI is wrong.
* patch 9.2.0217: filetype: cto files are not recognized
* patch 9.2.0216: MS-Windows: Rendering artifacts with DirectX
* patch 9.2.0215: MS-Windows: several tests fail in the Windows CUI.
* patch 9.2.0214: tests: Test_gui_system_term_scroll() is flaky
* patch 9.2.0213: Crash when using a partial or lambda as a clipboard provider
* patch 9.2.0212: MS-Windows: version packing may overflow
* patch 9.2.0211: possible crash when setting 'winhighlight'
* patch 9.2.0210: tests: Test_xxd tests are failing
* patch 9.2.0209: freeze during wildmenu completion
* patch 9.2.0208: MS-Windows: excessive scroll-behaviour with go+=!
* patch 9.2.0207: MS-Windows: freeze on second :hardcopy
* patch 9.2.0206: MS-Window: stripping all CSI sequences
* patch 9.2.0205: xxd: Cannot NUL terminate the C include file style
* patch 9.2.0204: filetype: cps files are not recognized
* patch 9.2.0203: Patch v9.2.0185 was wrong
* patch 9.2.0202: [security]: command injection via newline in glob()
* patch 9.2.0201: filetype: Wireguard config files not recognized
* patch 9.2.0200: term: DECRQM codes are sent too early
* patch 9.2.0199: tests: test_startup.vim fails
* patch 9.2.0198: cscope: can escape from restricted mode
* patch 9.2.0197: tabpanel: frame width not updated for existing tab pages
* patch 9.2.0196: textprop: negative IDs and can cause a crash
* patch 9.2.0195: CI: test-suite gets killed for taking too long
* patch 9.2.0194: tests: test_startup.vim leaves temp.txt around
* patch 9.2.0193: using copy_option_part() can be improved
* patch 9.2.0192: not correctly recognizing raw key codes
* patch 9.2.0191: Not possible to know if Vim was compiled with Android support
* patch 9.2.0190: Status line height mismatch in vertical splits
* patch 9.2.0189: MS-Windows: opacity popups flicker during redraw in the console
* patch 9.2.0188: Can set environment variables in restricted mode
* patch 9.2.0187: MS-Windows: rendering artifacts with DirectX renderer
* patch 9.2.0186: heap buffer overflow with long generic function name
* patch 9.2.0185: buffer overflow when redrawing custom tabline
* patch 9.2.0184: MS-Windows: screen flicker with termguicolors and visualbell
* patch 9.2.0183: channel: using deprecated networking APIs
* patch 9.2.0182: autocmds may leave windows with w_locked set
* patch 9.2.0181: line('w0') moves cursor in terminal-normal mode
* patch 9.2.0180: possible crash with winminheight=0
* patch 9.2.0179: MS-Windows: Compiler warning for converting from size_t to int
* patch 9.2.0178: DEC mode requests are sent even when not in raw mode
* patch 9.2.0177: Vim9: Can set environment variables in restricted mode
* patch 9.2.0176: external diff is allowed in restricted mode
* patch 9.2.0175: No tests for what v9.2.0141 and v9.2.0156 fixes
* patch 9.2.0174: diff: inline word-diffs can be fragmented
* patch 9.2.0173: tests: Test_balloon_eval_term_visual is flaky
* patch 9.2.0172: Missing semicolon in os_mac_conv.c
* patch 9.2.0171: MS-Windows: version detection is deprecated
* patch 9.2.0170: channel: some issues in ch_listen()
* patch 9.2.0169: assertion failure in syn_id2attr()
* patch 9.2.0168: invalid pointer casting in string_convert() arguments
* patch 9.2.0167: terminal: setting buftype=terminal may cause a crash
* patch 9.2.0166: Coverity warning for potential NULL dereference
* patch 9.2.0165: tests: perleval fails in the sandbox
* patch 9.2.0164: build error when XCLIPBOARD is not defined
* patch 9.2.0163: MS-Windows: Compile warning for unused variable
* patch 9.2.0162: tests: unnecessary CheckRunVimInTerminal in test_quickfix
* patch 9.2.0161: intro message disappears on startup in some terminals
* patch 9.2.0160: terminal DEC mode handling is overly complex
* patch 9.2.0159: Crash when reading quickfix line
* patch 9.2.0158: Visual highlighting might be incorrect
* patch 9.2.0157: Vim9: concatenation can be improved
* patch 9.2.0156: perleval() and rubyeval() ignore security settings
* patch 9.2.0155: filetype: ObjectScript are not recognized
* patch 9.2.0154: if_lua: runtime error with lua 5.5
* patch 9.2.0153: No support to act as a channel server
* patch 9.2.0152: concatenating strings is slow
* patch 9.2.0151: blob_from_string() is slow for long strings
* patch 9.2.0150: synchronized terminal update may cause display artifacts
* patch 9.2.0149: Vim9: segfault when unletting an imported variable
* patch 9.2.0148: Compile error when FEAT_DIFF is not defined
* patch 9.2.0147: blob: concatenation can be improved
* patch 9.2.0146: dictionary lookups can be improved
* patch 9.2.0145: UTF-8 decoding and length calculation can be improved
* patch 9.2.0144: 'statuslineopt' is a global only option
* patch 9.2.0143: termdebug: no support for thread and condition in :Break
* patch 9.2.0142: Coverity: Dead code warning
* patch 9.2.0141: :perl ex commands allowed in restricted mode
* patch 9.2.0140: file reading performance can be improved
* patch 9.2.0139: Cannot configure terminal resize event
* patch 9.2.0138: winhighlight option handling can be improved
* patch 9.2.0137: [security]: crash with composing char in collection range
* patch 9.2.0136: memory leak in add_interface_from_super_class()
* patch 9.2.0135: memory leak in eval_tuple()
* patch 9.2.0134: memory leak in socket_server_send_reply()
* patch 9.2.0133: memory leak in netbeans_file_activated()
* patch 9.2.0132: tests: Test_recover_corrupted_swap_file1 fails on be systems
* patch 9.2.0131: potential buffer overflow in regdump()
* patch 9.2.0130: missing range flags for the :tab command
* patch 9.2.0129: popup: wrong handling of wide-chars and opacity:0
* patch 9.2.0128: Wayland: using _Boolean instead of bool type
* patch 9.2.0127: line('w0') and line('w$') return wrong values in a terminal
* patch 9.2.0126: String handling can be improved
* patch 9.2.0125: tests: test_textformat.vim leaves swapfiles behind
* patch 9.2.0124: auto-format may swallow white space
* patch 9.2.0123: GTK: using deprecated gdk_pixbuf_new_from_xpm_data()
* patch 9.2.0122: Vim still supports compiling on NeXTSTEP
* patch 9.2.0120: tests: test_normal fails
* patch 9.2.0119: incorrect highlight initialization in win_init()
* patch 9.2.0118: memory leak in w_hl when reusing a popup window
* patch 9.2.0117: tests: test_wayland.vim fails
* patch 9.2.0116: terminal: synchronized output sequences are buffered
* patch 9.2.0115: popup: screen flickering possible during async callbacks
* patch 9.2.0114: MS-Windows: terminal output may go to wrong terminal
* patch 9.2.0113: winhighlight pointer may be used uninitialized
* patch 9.2.0112: popup: windows flicker when updating text
* patch 9.2.0111: 'winhighlight' option not always applied
- python
-
- Add CVE-2026-3479-pkgutil_get_data.patch pkgutil.get_data() has
the same security model as open(). The documented limitations
ensure compatibility with non-filesystem loaders; Python
doesn't check that. (bsc#1259989, CVE-2026-3479,
gh#python/cpython#146121).
- Add CVE-2026-4519-webbrowser-open-dashes.patch to reject
leading dashes in webbrowser URLs (bsc#1260026, CVE-2026-4519,
gh#python/cpython#143930).
- Add CVE-2025-13462-tarinfo-header-parse.patch which skips
TarInfo DIRTYPE normalization during GNU long name handling
(bsc#1259611, CVE-2025-13462).
- Add CVE-2026-4224-expat-unbound-C-recursion.patch avoiding
unbound C recursion in conv_content_model in pyexpat.c
(bsc#1259735, CVE-2026-4224).
- Add CVE-2026-3644-cookies-Morsel-update-II.patch to reject
control characters in http.cookies.Morsel.update() and
http.cookies.BaseCookie.js_output (bsc#1259734, CVE-2026-3644).
- suseconnect-ng
-
- Update version to 1.21.1:
- Fix nil token handling (bsc#1261155)
- Switch to using go1.24-openssl as the default Go version to
install to support building the package (jsc#SCC-585).
- Update version to 1.21:
- Add expanded metric collection for kernel modules and hardware
detection (jsc#TEL-226).
- Support new profile based metric collection
- Fix ignored --root parameter hanbling when reading and
writing configuration (bsc#1257667)
- Add expanded metric collection for system vendor/manfacturer
(jsc#TEL-260).
- Removed backport patch: fix-libsuseconnect-and-pci.patch
- Add missing product id to allow yast2-registration to not break (bsc#1257825)
- Fix libsuseconnect APIError detection logic (bsc#1257825)
- Regressions found during QA test runs:
- Ignore product in announce call (bsc#1257490)
- Registration to SMT server with failed (bsc#1257625)
- Backported by PATCH: fix-libsuseconnect-and-pci.patch
- Update version to 1.20:
- Update error message for Public Cloud instances with registercloudguest
installed. SUSEConnect -d is disabled on PYAG and BYOS when the
registercloudguest command is available. (bsc#1230861)
- Enhanced SAP detected. Take TREX into account and remove empty values when
only /usr/sap but no installation exists (bsc#1241002)
- Fixed modules and extension link to point to version less documentation. (bsc#1239439)
- Fixed SAP instance detection (bsc#1244550)
- Remove link to extensions documentation (bsc#1239439)
- Migrate to the public library
- Version 1.14 public library release
This version is only available on Github as a tag to release the
new golang public library which can be consumed without the need
to interface with SUSEConnect directly.
- openssl-1_1
-
- Security fix:
* CVE-2026-28390: NULL pointer dereference during processing of a crafted
CMS EnvelopedData message with KeyTransportRecipientInfo (bsc#1261678)
* Add openssl-CVE-2026-28390.patch