Packages changed:
  at-spi2-core (2.60.2 -> 2.60.3)
  glib2 (2.88.0 -> 2.88.1)
  gnutls (3.8.12 -> 3.8.13)
  gtk4 (4.22.3 -> 4.22.4)
  libass
  libgsf (1.14.56 -> 1.14.58)
  libsemanage
  mariadb (11.8.5 -> 11.8.6)
  mozc (2.31.5810.102 -> 3.33.6133.102)
  mozjs140 (140.10.0 -> 140.10.1)
  nvidia-open-driver-G06-signed
  postgresql
  postgresql18
  selinux-policy
  smartmontools
  sratom (0.6.20 -> 0.6.22)
  yast2-storage-ng (5.0.42 -> 5.0.43)

=== Details ===

==== at-spi2-core ====
Version update (2.60.2 -> 2.60.3)
Subpackages: at-spi2-core-lang libatk-1_0-0 libatk-bridge-2_0-0 libatspi0 typelib-1_0-Atk-1_0 typelib-1_0-Atspi-2_0

- Update to version 2.60.3:
  + libatspi: Fix another NULL pointer dereference.

==== glib2 ====
Version update (2.88.0 -> 2.88.1)
Subpackages: glib2-lang glib2-tools libgio-2_0-0 libgirepository-2_0-0 libglib-2_0-0 libglib-2_0-0-32bit libgmodule-2_0-0 libgobject-2_0-0 libgthread-2_0-0 typelib-1_0-GIRepository-3_0 typelib-1_0-GLib-2_0 typelib-1_0-GLibUnix-2_0 typelib-1_0-GModule-2_0 typelib-1_0-GObject-2_0 typelib-1_0-Gio-2_0

- Update to version 2.88.1:
  + Fix miscompilation with GCC 16 due to GLib’s use of the wrong
    function attribute.
  + Fix flag confusion security issue when using `GRegex` with
    `G_REGEX_RAW` which can result in unbounded out-of-bounds heap
    reads off the start of a regex input string.
  + Fix various minor (low severity) security issues, typically
    one-to-five-byte out-of-bounds reads or ones relying on very
    specific (and unlikely) API calls or ones relying on
    discouraged P2P D-Bus configurations.
  + Updated translations.

==== gnutls ====
Version update (3.8.12 -> 3.8.13)
Subpackages: libgnutls-dane0 libgnutls30 libgnutls30-32bit

- Update to 3.8.13:
  * libgnutls: Add more checks to DTLS reassembly
    [GNUTLS-SA-2026-04-29-1, CVSS: high] [CVE-2026-33846, bsc#1263705]
  * libgnutls: Fix qsort comparator in DTLS reassembly
    [GNUTLS-SA-2026-04-29-2, CVSS: high] [CVE-2026-42009, bsc#1263708]
  * libgnutls: Fix crashing on an underflow with a DTLS datagram
    A remotely triggerable underflow in the DTLS reassembly code led to
    a heap overrun.
    [GNUTLS-SA-2026-04-29-3, CVSS: high] [CVE-2026-33845, bsc#1263704]
  * libgnutls: Fix RSA-PSK identity truncation
    [GNUTLS-SA-2026-04-29-4, CVSS: high] [CVE-2026-42010, bsc#1263709]
  * libgnutls: Fix case-sensitivity of domain name comparison in name constraints
    [GNUTLS-SA-2026-04-29-5, CVSS: high] [CVE-2026-3833, bsc#1263707]
  * libgnutls: Fix intersecting empty constraints
    [GNUTLS-SA-2026-04-29-6, CVSS: medium] [CVE-2026-42011, bsc#1263710]
  * libgnutls: Suppress CN fallback in presence of URI and SRV SAN
    [GNUTLS-SA-2026-04-27-7, CVSS: medium] [CVE-2026-42012, bsc#1263711]
  * libgnutls: Suppress CN fallback for oversized SAN
    [GNUTLS-SA-2026-04-27-8, CVSS: medium] [CVE-2026-42013, bsc#1263712]
  * libgnutls: Fix use-after-free in gnutls_pkcs11_token_set_pin
    [GNUTLS-SA-2026-04-29-9, CVSS: medium] [CVE-2026-42014, bsc#1263713]
  * libgnutls: Fix overread in RSA key exchange with PKCS#11 keys
    [GNUTLS-SA-2026-04-29-10, CVSS: medium] [CVE-2026-5260, bsc#1263715]
  * libgnutls: Fix off-by-one in PKCS#12 bag element bounds check
    [GNUTLS-SA-2026-04-29-11, CVSS: low] [CVE-2026-42015, bsc#1263714]
  * libgnutls: Fix multi-entry OCSP response revocation bypass
    [GNUTLS-SA-2026-04-29-12, CVSS: low] [CVE-2026-3832, bsc#1263706]
  * libgnutls: Fix timing side-channel in PKCS#7 padding removal
    [GNUTLS-SA-2026-04-29-13, CVSS: low] [CVE-2026-5419, bsc#1263716]
  * libgnutls: Fix PSK username comparison during rehandshake
  * libgnutls: Fix OID length check for OCSP delegated signer EKU
  * libgnutls: Fix AES keys persisting with pkcs11-provider
  * libgnutls: Fix missing RSA key coprimality check in verify_params
  * libgnutls: Fix overread when parsing OpenSSL PEM private keys
  * libgnutls: Fix a theoretical double-free during certificate import
  * libgnutls: Fix heap overread in SCT extension parser
  * libgnutls: Zeroize shared secret derived during hybrid key exchange
  * build: Support building with Nettle 4.0
    Nettle 4.0 was released in Feburary 2026, with API incompatibile
    changes from 3.10. The library can now compile with it, while
    Nettle 3.10 is still supported (#1791).
  * libgnutls: Support deriving ML-DSA public key from an expanded private key
    RFC 9881 defines 3 private key formats for ML-DSA: "seed",
    "expandedKey" and both. It is now possible to derive a public key
    from a private key in the "expandedKey" format (#1723).
  * libgnutls: Fix loading BIT STRING encoded EdDSA key from PKCS#11
    For compatibility reasons, the library supports two formats for
    EdDSA private keys: either ASN.1 BIT STRING (raw) or OCTET STRING
    (DER). Previously, loading a private key in the former format
    resulted in a failure, which is now fixed (#1749).
  * libgnutls: HPKE (RFC 9180) is now supported as a technology preview
    The Hybrid Public Key Encryption (HPKE) is a flexible cryptographic
    protocol which enables to encrypt arbitrary data to a recipient, by
    combining key encapsulation mechanism (KEM) and authenticated
    encryption with additional data (AEAD). GnuTLS now includes the
    implementation contributed by David Dudas. Given this is a
    technology preview, the implementation and the API might suffer
    modification in the following period. Use --enable-hpke to turn on
    this feature (#1506).
  * libgnutls: Fix TLS 1.3 client certificate selection
    For servers that send a signature_algorithms extension in CertificateRequest
    with new rsa_pss_rsae_* algorithms and without the legacy rsa_pkcs1_* ones,
    the client now properly considers RSA when selecting a certificate to send.
    This fixes TLS 1.3 interoperability with newer Java servers
    when using client certificates.
  * libgnutls: Fix kTLS ChaCha20-Poly1305 IV for TLS 1.2
    When using kTLS with ChaCha20-Poly1305 under TLS 1.2,
    an incorrect value was passed as the IV to the kernel,
    causing connections to fail early.
  * libgnutls: Allow fetching object type metadata for PKCS#11 keys
    A new library function, gnutls_pkcs11_obj_get_pk_algorithm,
    has been added to check the public key algorithms of PKCS#11 key objects.
    Object types other than CKO_PRIVATE_KEY are currently not supported.
  * API and ABI modifications:
  - gnutls_hpke_kem_t: New enum
  - gnutls_hpke_kdf_t: New enum
  - gnutls_hpke_aead_t: New enum
  - gnutls_hpke_mode_t: New enum
  - gnutls_hpke_role_t: New enum
  - gnutls_hpke_context_st: New context structure
  - gnutls_hpke_init: New function
  - gnutls_hpke_deinit: New function
  - gnutls_hpke_encap: New function
  - gnutls_hpke_seal: New function
  - gnutls_hpke_decap: New function
  - gnutls_hpke_open: New function
  - gnutls_hpke_derive_keypair: New function
  - gnutls_hpke_export: New function
  - gnutls_pkcs11_obj_get_pk_algorithm: New function
  * Rebase gnutls-FIPS-140-3-references.patch
  * Remove patches upstream:
  - gnutls-libnettle4-2075.patch
  - gnutls-libnettle4-2080.patch

==== gtk4 ====
Version update (4.22.3 -> 4.22.4)
Subpackages: gtk4-lang gtk4-schema gtk4-tools libgtk-4-1 typelib-1_0-Gtk-4_0

- Update to version 4.22.4:
  + Bugs fixed:
  - Misc backports
  - popoverbin: Point to the center of the widget when popping up
  + Updated translations.

==== libass ====

- Add patch d013d97631bf86577e7eb44941b2b7b9cf4192d0.patch to fix
  a leak with libfontconfig

==== libgsf ====
Version update (1.14.56 -> 1.14.58)
Subpackages: gsf-office-thumbnailer libgsf-1-114 libgsf-lang

- Update to version 1.14.58:
  + Fix gsf_infile_msole_child_by_index
- Update to version 1.14.57:
  + Fix problems with ole files bigger than 4G.
  + Document property fix.
  + Introspection fixes.
  + Make gzip, bzip, zip handle 4G+ writes.
  + Make gzip, bzip, zip handle 4G+ reads.
  + Improve testing.
  + Ole performace improvements with loads of children.

==== libsemanage ====
Subpackages: libsemanage-conf libsemanage2

- Change store root-path for selinux modules from /var/lib/selinux
  to /etc (fixes bsc#1221342 PED-12492)

==== mariadb ====
Version update (11.8.5 -> 11.8.6)
Subpackages: libmariadbd19 mariadb-client mariadb-errormessages

- Update to 11.8.6:
    https://mariadb.com/docs/release-notes/community-server/11.8/11.8.6
    https://mariadb.com/docs/release-notes/community-server/changelogs/11.8/11.8.6
  * fixes for the following security vulnerabilities:
    11.8.6: CVE-2026-32710 (bsc#1260081)
- Update skipped test list
- Add MDEV-38811.patch
  * Fixes crash in information_schema.table_constraints when --skip-grant-tables
    (bsc#1263153)

==== mozc ====
Version update (2.31.5810.102 -> 3.33.6133.102)
Subpackages: ibus-mozc ibus-mozc-candidate-window mozc-gui-tools

- Upstream update to 3.33.6133
  * Updated dictionaries: 20251026, Q4 2025
  * Added OOV words / expressions to seed dictionary
  * Demoted Hieroglyph symbols
  * Overrode the top history suggestion with dictionary suggestion
    when the post correction is reasonably high enough
  * Supported `{HOUR}` and `{MINUTE}` for `DateRewriter`
  * Fixed the failure of importing user dictionaries in the ATOK
    format
- Upstream update to 3.33.6089
  * Demote the ranking of some Kana variants (e.g. Hentaigana,
    Ainu-kana, voiced-kana, etc.)
  * Changed the ranking of alphabet transliteration candidates
  * Promote Emoji more than Emoticon
  * Supported new inline style for reading correction
  * Supported multiple custom date formats
- Upstream update to 2.32.5994
  * Do not remember punctuation-ending non-Japanese (ASCII) strings
    directly input by the composer
  * Stop providing "did you mean" description on language aware
    rewriter
  * Updated the language model
  * Updated zip-code as of 2025-08-30
  * Removed the 62-day storage limit for input history. Retain the
    history up to the data size limit
  * Fix an overfiltering of candidates that have the same key and
    longer common prefix value
  * Updated some data entries
  * Updated the candidate filtering rule
  * Updated the logic of word suggestion for multiple segments
    (aka inner boundary)
  * Fix an issue that the top candidate with multiple segments may
    get broken
  * Linux: Fix a crash issue on some Linux environment that does
    not support _SC_GETPW_R_SIZE_MAX
  * Updated dependencies
  * Upstream update to 2.31.5851
  * Improved over triggering of number variants expansion
  * Stopped adding punctuation characters for suggestion candidates
  * Fixed a regression issue of SwitchKanaType by the Muhenkan key
  * Linux: Fixed a regression issue that selected characters are
    deleted on some applications
- Drop Leap 15 support
  * Drop use-system-python-3.12.patch
- Refresh use-system-python.patch
- Refresh fcitx-mozc-bazel-build.patch

==== mozjs140 ====
Version update (140.10.0 -> 140.10.1)

- Update to version 140.10.1:
  + Various security fixes
  + See https://www.firefox.com/en-US/firefox/140.10.1/releasenotes/

==== nvidia-open-driver-G06-signed ====

- fix-objtool-warnings.patch (not applied on aarch64)
  * Get rid of "'naked' return found in MITIGATION_RETHUNK build"
    objtool warnings (boo#1212841, boo#1263834)
- remove again disable-objtool-override.patch

==== postgresql ====
Subpackages: postgresql-contrib postgresql-llvmjit postgresql-server

- Get rid of update-alternatives and support immutable mode.
  See README.SUSE for details. (bsc#1245862, jsc#PED-14820)

==== postgresql18 ====
Subpackages: libpq5 postgresql18-contrib postgresql18-llvmjit postgresql18-server

- bsc#1263804: After dropping update-alternatives we have to
  package /usr/bin/pg_config as an actual symlink, not %ghost.
- Fix spelling of build conditionals.
- Get rid of update-alternatives for openSUSE/SLE 16.0 and newer
  to support immutable systems and transactional updates.
  (jsc#PED-14820)

==== selinux-policy ====
Subpackages: selinux-policy-targeted

- start cleanoldsepoldir.service after successfull health-checker.service
  fixes occational fail on transactional systems when boot failed
  (boo#1261698)
- Change store root-path for selinux modules from /var/lib/selinux
  to /etc (fixes bsc#1221342 PED-12492)
  * Service file and script is installed to eventually delete
    /var/lib/selinux once no snapshot is using it
  * Fix copy custom modules to /etc and can be checked by the provided script
    `/usr/libexec/selinux/cleanoldsepoldir.sh --check-custom-selinux-modules`
  * Add filters for duplicate entries to rpmlintrc for now
  * Drop dir-or-file-outside-snapshot rpmlint filter

==== smartmontools ====

- NEW DEFAULT: Never check disks that do not spin
  (boo#1259501, smartmontools-suse-default.patch).
- Generate smartd.opts, even if smartd_opts is empty.
- Use "systemctl" instead of "service"
  (boo#1259501#c4, smartmontools.generate_smartd_opts.in).
- Fix the package for immutable mode
  (jsc#PED-14826, smartmontools.tmpfiles.in).
- Remove obsolete checks from smartmontools-rpmlintrc.

==== sratom ====
Version update (0.6.20 -> 0.6.22)

- update to 0.6.22:
  * Add clang nullability annotations
  * Address new warnings in clang and clang-tidy 21
  * Fix documentation build without sphinx_lv2_theme
  * Gracefully handle reading vectors with missing childType
    properties
  * Gracefully handle writing vectors with zero childSize
    properties
  * Improve error handling

==== yast2-storage-ng ====
Version update (5.0.42 -> 5.0.43)

- Add device parameter to EncryptionProcess#finish_installation
  (related to jsc#PED-10703).
- 5.0.43