Packages changed:
  MicroOS-release (20260425 -> 20260426)
  at-spi2-core (2.60.0 -> 2.60.1)
  bubblewrap (0.11.0 -> 0.11.1)
  cups (2.4.17 -> 2.4.18)
  ethtool (6.15 -> 6.19)
  gcc16 (16.0.1+git8711 -> 16.0.1+git8812)
  gsettings-desktop-schemas (50.0 -> 50.1)
  gvfs
  harfbuzz (14.1.0 -> 14.2.0)
  md4c (0.5.2 -> 0.5.3)
  ngtcp2 (1.22.0 -> 1.22.1)
  openexr
  openssh (10.2p1 -> 10.3p1)
  passt (20251215.b40f5cd -> 20260120.386b5f5)
  systemd (259.5 -> 260.1)
  xdg-dbus-proxy (0.1.6 -> 0.1.7)

=== Details ===

==== MicroOS-release ====
Version update (20260425 -> 20260426)
Subpackages: MicroOS-release-appliance MicroOS-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== at-spi2-core ====
Version update (2.60.0 -> 2.60.1)
Subpackages: libatk-1_0-0 libatk-bridge-2_0-0 libatspi0 typelib-1_0-Atk-1_0 typelib-1_0-Atspi-2_0

- Update to version 2.60.1:
  + Detect unresponsive applications, and do not expose them as children of the desktop.
  + Attempt to fix a crash when opening a group chat in pidgin that contains new messages.

==== bubblewrap ====
Version update (0.11.0 -> 0.11.1)

- Really drop the nobwrap.helper script as intended on Sep 29 2025.
- update to 0.11.1:
  * Reset disposition of `SIGCHLD`, restoring normal subprocess management if bwrap was run from a process that was ignoring that signal, such as Erlang or volumeicon
  * Don't ignore `--userns 0`, `--userns2 0` or `--pidns 0` if used.
    Note that using a fd number ≥ 3 for these purposes is still preferred, to avoid confusion with the stdin, stdout, stderr that will be inherited by the command inside the container.
  * Fix grammar in an error message
  * Fix a broken link in the documentation
  * Enable user namespaces in Github Actions configuration, fixing a CI regression with newer Ubuntu
  * Clarify comments
- Drop the nobwrap.helper again: glycin could find a solution to detect it running in a CI/BuildEnvironment and it disarms bubblewrap in this case, making this wrapper obsolete

==== cups ====
Version update (2.4.17 -> 2.4.18)
Subpackages: cups-client cups-config libcups2 libcupsimage2

- Version upgrade to 2.4.18:
  See https://github.com/openprinting/cups/releases
  The new release 2.4.18 contains hotfix after CVE-2026-27447 fix:
  * Fixed cupsd crash if user does not exist (Issue #1555)
  Issues are those at https://github.com/OpenPrinting/cups/issues
- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.18

==== ethtool ====
Version update (6.15 -> 6.19)

- Update to release 6.19
  * tsinfo: Add support for PTP hardware source
  * monitor: Add notification handling for PLCA configuration
  * rxfh: IPv6 Flow Label hash support
  * netlink: fec: add errors histogram statistics
- Delete 5a6848026277296a151664666ef1c25821787043.patch (merged)
- Move bash-completions into main package.
- add netlink support for RX CQE Coalescing params (bsc#1261256)
  5a6848026277296a151664666ef1c25821787043.patch
  d35d87fbcda97fe31df79d62277743214641892a.patch
  bf023af442f63e16f1699128c7ce467eddc6d340.patch

==== gcc16 ====
Version update (16.0.1+git8711 -> 16.0.1+git8812)
Subpackages: libgcc_s1 libgomp1 libstdc++6

- Update to 16.0.1+git8812, includes GCC 16.1 release candidate #2.
- Update to 16.0.1+git8809, GCC 16.1 release candidate.

==== gsettings-desktop-schemas ====
Version update (50.0 -> 50.1)

- Update to version 50.1:
  + Updated translations.

==== gvfs ====
Subpackages: gvfs-backends

- Split out cdda in own separate sub package (gvfs-backend-cdda).

==== harfbuzz ====
Version update (14.1.0 -> 14.2.0)
Subpackages: libharfbuzz-gobject0 libharfbuzz-subset0 libharfbuzz0 typelib-1_0-HarfBuzz-0_0

- Update to version 14.2.0:
  + In this release, the experimental raster, vector, and GPU libraries went through several rounds of code review and cleanup to make sure they follow the high standards expected of HarfBuzz code. The API has also been extensively reviewed based on experience gained from using these libraries. We consider the code and API to be ready for stabilization, and we expect to graduate them from experimental in the near future. If you are using or planning to use these libraries and have any concerns about the API, it is time to raise them. Once a library is deemed stable, we will never change the API or ABI in an incompatible way.

==== md4c ====
Version update (0.5.2 -> 0.5.3)

- Update to 0.5.3
  * Avoid repeated prefix language- in code block language specification if the input already explicitly includes the prefix
  * Permissive autolink extensions (MD_FLAG_PERMISSIVExxxAUTOLINKS) are now tiny bit more permissive, allowing + and - characters to be anywhere in the path portion of the URL. This also improves compatibility with GFM
  * Make Unicode-specific code compliant to Unicode 18.0
  * Fix quadratic time behavior caused by one-by-one walking over block lines instead of calling md_lookup_line()
  * Fix quadratic time and output size behavior caused by malicious misuse of link reference definitions
  * The strike-through extension (with flag MD_FLAG_STRIKETHROUGH) now follows same logic as other emphasis spans in respect to punctuation character and word boundaries
  * Fix handling tab when removing trailing whitespace, especially in connection with ATX headers
  * We now correctly abort the parser when a callback returns non-zero.
    (Previously it worked correctly only for negative values, values greater than zero were causing strange and inconsistent behavior)
  * Fix handling a code span whose closer is on the next line and yet another text follows. In the case we erroneously outputted the closer code span mark as part of the text
  * Fix md_decode_utf16le_before__(). (Only affected MD4C builds built with -MD4C_USE_UTF16 on Windows)
  * Do not try to interpret characters in a link URL as Markdown syntax characters
  * Fix detection of closing code block fence if it has a trailing tabulator
  * Fix invalid free() in an error path

==== ngtcp2 ====
Version update (1.22.0 -> 1.22.1)
Subpackages: libngtcp2-16 libngtcp2_crypto_gnutls8 libngtcp2_crypto_ossl0

- update to 1.22.1 (bsc#1262273, CVE-2026-40170):
  * Fixes CVE-2026-40170

==== openexr ====
Subpackages: libIex-3_4-33 libIlmThread-3_4-33 libOpenEXR-3_4-33 libOpenEXRCore-3_4-33

- Disable testLargeDataWindowOffsets on 32-bit arm

==== openssh ====
Version update (10.2p1 -> 10.3p1)
Subpackages: openssh-clients openssh-common openssh-server

- Update to openssh 10.3p1:
  = Potentially-incompatible changes
  * ssh(1), sshd(8): remove bug compatibility for implementations that don't support rekeying. If such an implementation tries to interoperate with OpenSSH, it will now eventually fail when the transport needs rekeying.
  * sshd(8): prior to this release, a certificate that had an empty principals section would be treated as matching any principal (i.e. as a wildcard) when used via authorized_keys principals="" option. This was intentional, but created a surprising and potentially risky situation if a CA accidentally issued a certificate with an empty principals section: instead of being useless as one might expect, it could be used to authenticate as any user who trusted the CA via authorized_keys. [Note that this condition did not apply to CAs trusted via the sshd_config(5) TrustedUserCAKeys option.]
    This release treats an empty principals section as never matching any principal, and also fixes interpretation of wildcard characters in certificate principals. Now they are consistently implemented for host certificates and not supported for user certificates.
  * ssh(1): the -J and equivalent -oProxyJump="..." options now validate user and host names for ProxyJump/-J options passed via the command-line (no such validation is performed for this option in configuration files). This prevents shell injection in situations where these were directly exposed to adversarial input, which would have been a terrible idea to begin with. Reported by rabbit.
  = Security
  * ssh(1): validation of shell metacharacters in user names supplied on the command-line was performed too late to prevent some situations where they could be expanded from %-tokens in ssh_config. For certain configurations, such as those that use a "%u" token in a "Match exec" block, an attacker who can control the user name passed to ssh(1) could potentially execute arbitrary shell commands. Reported by Florian Kohnhäuser.
    We continue to recommend against directly exposing ssh(1) and other tools' command-lines to untrusted input. Mitigations such as this can not be absolute given the variety of shells and user configurations in use.
  * sshd(8): when matching an authorized_keys principals="" option against a list of principals in a certificate, an incorrect algorithm was used that could allow inappropriate matching in cases where a principal name in the certificate contains a comma character. Exploitation of the condition requires an authorized_keys principals="" option that lists more than one principal *and* a CA that will issue a certificate that encodes more than one of these principal names separated by a comma (typical CAs strongly constrain which principal names they will place in a certificate).
    This condition only applies to user-trusted CA keys in authorized_keys, the main certificate authentication path (TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected. Reported by Vladimir Tokarev.
  * scp(1): when downloading files as root in legacy (-O) mode and without the -p (preserve modes) flag set, scp did not clear setuid/setgid bits from downloaded files as one might typically expect. This bug dates back to the original Berkeley rcp program. Reported by Christos Papakonstantinou of Cantina and Spearbit.
  * sshd(8): fix incomplete application of PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard to ECDSA keys. Previously if one of these directives contains any ECDSA algorithm name (say "ecdsa-sha2-nistp384"), then any other ECDSA algorithm would be accepted in its place regardless of whether it was listed or not. Reported by Christos Papakonstantinou of Cantina and Spearbit.
  * ssh(1): connection multiplexing confirmation (requested using "ControlMaster ask/autoask") was not being tested for proxy mode multiplexing sessions (i.e. "ssh -O proxy ..."). Reported by Michalis Vasileiadis.
  = New features
  * ssh(1), sshd(8): support IANA-assigned codepoints for SSH agent forwarding, as per draft-ietf-sshm-ssh-agent. Support for the new names is advertised via the EXT_INFO message. If a server offers support for the new names, then they are used preferentially. Support for the pre-standardisation "@openssh.com" extensions for agent forwarding remains supported.
  * ssh-agent(1): implement support for draft-ietf-sshm-ssh-agent "query" extension.
  * ssh-add(1): support querying the protocol extensions via the agent "query" extension with a new -Q flag.
  * ssh(1): support multiple files in a ssh_config RevokedHostKeys directive.
  * sshd(8): support multiple files in a sshd_config RevokedKeys directive.
  * ssh(1): add a ~I escape option that shows information about the current SSH connection.
  * ssh(1): add an "ssh -Oconninfo user@host" multiplexing command that shows connection information, similar to the ~I escapechar.
  * ssh(1): add an "ssh -O channels user@host" multiplexing command to get a running mux process to show information about what channels are currently open.
  * sshd(8): add 'invaliduser' penalty to PerSourcePenalties, which is applied to login attempts for usernames that do not match real accounts. Defaults to 5s to match 'authfail' but allows administrators to block such attempts for longer if desired.
  * sshd(8): add a GSSAPIDelegateCredentials option for the server, controlling whether it accepts delegated credentials offered by the client. This option mirrors the same option in ssh_config.
  * ssh(1), sshd(8): support the VA DSCP codepoint in the IPQoS
... changelog too long, skipping 134 lines ...
  * 0004-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch

==== passt ====
Version update (20251215.b40f5cd -> 20260120.386b5f5)
Subpackages: passt-selinux

- Update to version 20260120.386b5f5:
  * flow: Remove EPOLLFD_ID_INVALID
  * tcp: Register fds with epoll at flow creation
  * tcp_splice: Register fds with epoll at flow creation
  * conf, pasta: Add --splice-only option
  * flow, fwd: Optimise forwarding rule lookup using epoll ref when possible
  * fwd, tcp, udp: Add forwarding rule to listening socket epoll references
  * fwd: Remap ports based directly on forwarding rule
  * flow, fwd: Consult rules table when forwarding a new flow from socket
  * fwd: Generate auto-forward exclusions from socket fd tables
  * conf, fwd: Check forwarding table for conflicting rules
  * tcp, udp: Remove old auto-forwarding socket arrays
  * fwd, tcp, udp: Set up listening sockets based on forward table
  * ip: Add ipproto_name() function
  * fwd: Make space to store listening sockets in forward table
  * conf, fwd: Record "auto" port forwards in forwarding table
  * conf: Accurately record ifname and address for outbound forwards
  * conf, fwd: Keep a table of our port forwarding configuration
  * inany: Extend inany_ntop() to treat NULL as a fully unspecified address
  * hooks/pre-push: Use mandoc(1) to get HTML anchors to command-line options
  * selinux: Enable open permissions on netns directory, operations on container_var_run_t
  * igmp: Remove apparently unneeded suppression
  * epoll_ctl: Move u64 variant first for safer initialisation
  * treewide: Fix more pointers which can be const
  * tcp, udp: Make {tcp,udp}_listen() return socket fds
  * tcp, udp, conf: Don't silently ignore listens on unsupported IP versions
  * flow: Introduce flow_epoll_set() to centralize epoll operations
  * tcp_splice: Refactor tcp_splice_conn_epoll_events() to per-side computation
  * udp_flow: Assign socket to flow inside udp_flow_sock()
  * udp_flow: remove unneeded epoll_ref indirection
  * tcp: cleanup timer creation
  * tcp: remove timer update in tcp_epoll_ctl()
  * apparmor: Upgrade ABI version to 4.0, explicitly enable user namespace creation
  * tcp: Fix rounding issue in check for approximating window to zero
  * treewide: Fix places where we incorrectly indented with spaces
  * tcp: Remove some no longer used includes
  * fwd: Minor cleanup to fwd_nat_from_splice()
  * fwd: Remove now-unnecessary handling of unspecified oaddr from splice
  * udp_vu: Discard datagrams when RX virtqueue is not usable
  * fwd, tcp, udp: Consolidate epoll refs for listening sockets
  * epoll_ctl: Add missing description for flowside field of epoll_ref
  * tcp: Remove unused tcp_epoll_ref
  * test: Include sshd-auth in mbuto guest image
  * test: Handle Operating System Command escapes in terminal output
  * treewide: Don't rely on terminator records in ip[46].dns arrays
  * migrate: Don't use terminator element for versions[] array
  * util: Be more defensive about buffer overruns in read_file()
  * apparmor: Allow reading TCP RTO sysctl parameters
  * tcp: Update EPOLL_TYPE_TCP_TIMER fd
  * udp: Rename udp_sock_init() to udp_listen() with small cleanups
  * tcp: Combine tcp_sock_init_one() and tcp_sock_init() into tcp_listen()
  * pasta: Warn, disable matching IP version if not supported, in local mode
  * selinux: Enable read and watch permissions on netns directory as well

==== systemd ====
Version update (259.5 -> 260.1)
Subpackages: libsystemd0 libudev1 systemd-boot systemd-container udev

- Upgrade to v260.1 (commit c0a5a2516d28601fb3afc1a77d7b42fcfe38fced)
  See https://github.com/openSUSE/systemd/blob/SUSE/v260/NEWS for details.
- Drop support for System V service scripts.
- Drop 0002-rc-local-fix-ordering-startup-for-etc-init.d-boot.lo.patch
- Drop 0008-sysv-generator-translate-Required-Start-into-a-Wants.patch
- Required versions of various library dependencies have been raised.
- systemd-update-helper: switch to the new command 'enqueue-marked'.
- Restore autovt@.service alias (a fallout from upstream commit 072e72424b2e6da1c96489ef6996f49fabd46474)
- systemd.spec: introduce %{container} bcond for container subpackage
- Enable systemd-boot on loongarch64.

==== xdg-dbus-proxy ====
Version update (0.1.6 -> 0.1.7)

- Update to version 0.1.7:
  + Drop the autotools build system
  + Prevent a crash on disconnect
  + Fix building with glibc >= 2.43
  + Fix the eavesdrop filtering to prevent message interception
  + Fix CVE-2026-34080