Packages changed: MicroOS-release (20260407 -> 20260408) bluez cryptsetup (2.8.4 -> 2.8.6) openexr (3.4.6 -> 3.4.9) python-charset-normalizer (3.4.6 -> 3.4.7) sudo === Details === ==== MicroOS-release ==== Version update (20260407 -> 20260408) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== bluez ==== Subpackages: bluez-cups libbluetooth3 - Add bluez-mainloop-Only-connect-to-NOTIFY_SOCKET-if-STATUS-Sta.patch to fix that systemd 259.3 causes timeout in starting home-assistant using podman systemd unit / quadlet. (bsc#1259656) ==== cryptsetup ==== Version update (2.8.4 -> 2.8.6) Subpackages: libcryptsetup12 - Update to 2.8.6. - Release notes for 2.8.6: * Fixes an autotools regression in 2.8.5 in the locking tmpfiles.d directory configuration. - Release notes for 2.8.5: * Add a specific error for failed detached header allocation. * Check the UUID of the resumed device to match the UUID stored in metadata. * Fix FileVault (fvault2) metadata parsing. * Fix LUKS2 reencryption lock name. * Fix OpenSSL crypto backend if built with LibreSSL. * Fix reading FileVault image metadata from incorrect image offset. * Fix tests not to use aes-generic kernel cipher name. * OpenSSL backend: Increase the number of allowed threads to 64. * Several compatibility fixes to the alternative Meson configuration system. * Various code fixes based on AI-assisted reviews. ==== openexr ==== Version update (3.4.6 -> 3.4.9) Subpackages: libIex-3_4-33 libIlmThread-3_4-33 libOpenEXR-3_4-33 libOpenEXRCore-3_4-33 - version update to 3.4.9 * [CVE-2026-34589](https://www.cve.org/CVERecord?id=CVE-2026-34589) DWA Lossy Decoder Heap Out-of-Bounds Write * [CVE-2026-34588](https://www.cve.org/CVERecord?id=CVE-2026-34588) Signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write * [CVE-2026-34380](https://www.cve.org/CVERecord?id=CVE-2026-34380) Signed integer overflow (undefined behavior) in undo_pxr24_impl may allow bounds-check bypass in PXR24 decompression * [CVE-2026-34379](https://www.cve.org/CVERecord?id=CVE-2026-34379) Misaligned write in LossyDctDecoder_execute leading to undefined behavior (DWA/DWAB decompression) * [CVE-2026-34378](https://www.cve.org/CVERecord?id=CVE-2026-34378) Signed integer overflow in generic_unpack() when parsing EXR files with crafted negative dataWindow.min.x * Fix signed integer overflow in `LossyDctDecoder_execute()` pointer arithmatic * fix integer overflow in PIZ wavelet buffer arithmetic * Add a message about image size limits and OOM errors to SECURITY.md and website * Fix shared lib symlink installation path * Fix misaligned memory access in `LossyDctDecoder_execute` HALF→FLOAT expansion * fix signed integer overflow in `undo_pxr24_impl()` * Fix integer overflow in `srcbuffer` pointer arithmetic in `unpack_*` * Add "cherry" and "changes" options to release.py * Fix an integer-overflow bug reading malformed files compressed with * B44A/B44B * Fix a buffer-overrun bug reading malformed files compressed with PXR24 * Fix a bug compressing half data with ZIPS/ZIP data when the * compressed size equals packed size * Single part files no longer get assigned a part name when writing * via the python module * Fix a build failure on FreeBSD involving `threads.h` * Fix an integer overflow decoding very wide htj2k images * Fix build failure with glibc 2.43 * Fix Windows symbol visibility warnings - fixes CVE-2026-34545 [bsc#1261344] CVE-2026-34543 [bsc#1261339] CVE-2026-34544 [bsc#1261342] - deleted patches * openexr-glibc-2.43.patch (upstreamed) ==== python-charset-normalizer ==== Version update (3.4.6 -> 3.4.7) - update to 3.4.7: * Pre-built optimized version using mypy[c] v1.20. * Relax `setuptools` constraint to `setuptools>=68,<82.1`. * Correctly remove SIG remnant in utf-7 decoded string. (#718) ==== sudo ==== - CVE-2026-35535: potential privilege escalation when running the mailer (bsc#1261420) * fix-CVE-2026-35535.patch - Move tests under /usr/share for transactional system support (jsc#PED-14830)