Packages changed: Mesa (26.0.0 -> 26.0.1) Mesa-drivers (26.0.0 -> 26.0.1) MicroOS-release (20260224 -> 20260226) btrfsprogs (6.17.1 -> 6.19) cockpit-tukit conmon (2.2.0 -> 2.2.1) docker (28.5.1_ce -> 29.2.1_ce) leancrypto mozilla-nss (3.119.1 -> 3.120.1) ncurses (6.6.20260207 -> 6.6.20260221) netavark (1.17.1 -> 1.17.2) passt permissions (1699_20260109 -> 1699_20260217) podman (5.7.1 -> 5.8.0) qemu (10.2.0 -> 10.2.1) samba (4.23.5+git.458.200d9061a31 -> 4.23.5+git.463.513487e87f1) suse-module-tools (16.1.3 -> 16.1.4) util-linux util-linux-systemd xkeyboard-config (2.46 -> 2.47) === Details === ==== Mesa ==== Version update (26.0.0 -> 26.0.1) Subpackages: Mesa-libEGL1 Mesa-libGL1 libgbm1 - Update to Mesa 26.0.1 bugfix and security release * prevent out-of-bounds memory access in WebGPU (bsc#1258910) * various bugfixes - -> https://docs.mesa3d.org/relnotes/26.0.1 ==== Mesa-drivers ==== Version update (26.0.0 -> 26.0.1) Subpackages: Mesa-dri Mesa-vulkan-device-select libvulkan_lvp - Update to Mesa 26.0.1 bugfix and security release * prevent out-of-bounds memory access in WebGPU (bsc#1258910) * various bugfixes - -> https://docs.mesa3d.org/relnotes/26.0.1 ==== MicroOS-release ==== Version update (20260224 -> 20260226) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== btrfsprogs ==== Version update (6.17.1 -> 6.19) Subpackages: btrfsprogs-udev-rules libbtrfs0 libbtrfsutil1 - update to 6.19 * mkfs: * make block-group-tree default (support since linux 6.1), use -O ^bgt to * unset it for backward compatibility * speed up initial device discard by procesing the ranges in order * disable block-grooup-tree feature if a dependent feature is explicitly unselected (like disabling no-holes), instead of erroring out * check: * add ability to detect and fix missing orphan items in deleted subvolumes * add ability to fix inode refs from directory items * enhance detection on unknown inode keys * libbtrfsutil: * minor version update to 1.4.0 * add missing aliases for API updates done in 0.1.3, C and python * libbtrfs: * patchlevel version update 0.1.5 * error handling updates * fixes: * with DUP profile and mixed sequential and conventional zoned make sure to track the right write pointers * scrub: fix ETA wraparound calculations, when many files get deleted during the operation bytes_scrubbed and bytes_total get too much out of sync, the ETA will be 0 * corrupt-block: add ability to specify key value when corrupting item keys * experimental features: * initial remap tree support (new logical-to-logical mapping layer), coming in linux 7.0 * other: * error handling improvements * CI updates * code cleanups and refactoring * documentation updates ==== cockpit-tukit ==== - Update dependencies bsc#1257836/CVE-2026-25547, bsc#1258641/CVE-2026-26996 ==== conmon ==== Version update (2.2.0 -> 2.2.1) - Update to version 2.2.1: * Release v2.2.1 * Fix EAGAIN busy-loop in drain_stdio() * Add CRI-O critest * Fix test for reverted F-sequence behavior * Revert PR #592 * Revert PR #629 * Skip test if RUNTIME_BINARY is not runc * Fix k8s-file log format for terminating F-sequence * tests: Ensure necessary dependencies are available * Release v2.2.0 ==== docker ==== Version update (28.5.1_ce -> 29.2.1_ce) Subpackages: docker-buildx docker-rootless-extras - Fix package from immutable mode (jsc#PED-14748) * Migrate /var/lib/docker creation to docker.tmpfiles - Replace obsolete packageand syntax with newer syntax - Update to Docker 29.2.1. See upstream changelog online at - Rebased patches: * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * cli-0001-openSUSE-point-users-to-docker-buildx-package.patch * cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch - Update to docker-buildx v0.31.1. Upstream changelog: - Update to Docker 29.2.0. See upstream changelog online at Fix CVE-2025-67499 (bsc#255500) - Update to buildx 0.31.0. See upstream changelog online at - Rebased patches: * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * cli-0001-openSUSE-point-users-to-docker-buildx-package.patch * cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch - Build of buildx moved from Makefile to go build to not use Dockerfile. ==== leancrypto ==== - Add upstream patch to fix build with kernel 6.19 on aarch64: * 0469d92f.patch ==== mozilla-nss ==== Version update (3.119.1 -> 3.120.1) Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs - update to NSS 3.120.1 * no upstream releasenotes - update to NSS 3.120 * bmo#2008768 - Fix docs generation bug. * bmo#2007908 - CID 1678226: Dereferencing null pointer plaintext.data(). * bmo#2004694 - Run PKCS12 fuzz target with --fuzz=tls in CI. * bmo#1978603 - Allowing RT be started several times. * bmo#2005751 - move linux decision and build tasks to d2g worker pools. - Revert back to original naming scheme of tarballs ==== ncurses ==== Version update (6.6.20260207 -> 6.6.20260221) Subpackages: libncurses6 ncurses-utils terminfo-base - Add ncurses patch 20260214 + add ech to screen terminfo (Debian #707308). + review/update screen5, adding screen5.xterm-new and screen4.xterm-new -TD - Add ncurses patch 20260221 + correct strikeout for iterm2 -TD + add some xterm-style modified special-keys to iterm2 -TD + modify configure script regex check to provide for Windows libraries having regcomp (report by Juergen Pfeifer). + modify configure script --with-pcre2 option to allow specifying the pkgconfig name for pcre2 (prompted by discussion with George Goffe). ==== netavark ==== Version update (1.17.1 -> 1.17.2) - Update to version 1.17.2: * release v1.17.2 * release notes for v1.17.2 * netlink_route: remove NLM_F_ACK from dump requests * netlink: validate buffer length * netlink: zero out buffer before sending * netlink: socket read logic * bridge: read mtu from vrf table if set * only consult main routing table for default interface ==== passt ==== Subpackages: passt-selinux - selinux: Use `selinux_requires_min` macro for dependencies ==== permissions ==== Version update (1699_20260109 -> 1699_20260217) Subpackages: permctl permissions-config - Declare a BuildConflict instead of a build-dependency. - Don't BuildRequire rpmlint, but rpmlint-mini, otherwise we re-introduce the build cycles that rpmlint-mini is supposed to break. - BuildRequire a recent enough rpmlint to avoid rpmlint choking on the new :package: coupling syntax. - Update to version 1699_20260217: * tests: catch errors in parsing package lines with space after comma * ProfileParser: increase robustness in package line parsing * TestBase: _checkForASANErrors: drop extra errors increment * profiles: introduce package coupling for existing entries * profiles: drop "disable set*id bits" entries * profiles: remove useless /etc/crontab entry * etc/permissions: add :package: coupling * tests: add coverage for package coupling syntax * TestBase: fix some typos * EntryProcessor::matchingPkg(): catch "not owned by any package" case * EntryProcessor::matchingPkg(): take multi-ownership into account * tests: drop m_ prefix on member variables * tests: fix flake8 findings * man pages: document new :package: syntax; general improvements * meson: switch to `install_emptydir()` for permissions.d directory * EntryProcessor: enforce package ownership limitation * ProfileParser: support parsing of :package: list specifications * profiles: remove extensive documentation from files in favor of man page * profiles: harmonize, simplify and update copyright statement - Add Provides permissions-doc to config sub-package as is suggested by rpmlint. - properly escape % in comments in %check section ==== podman ==== Version update (5.7.1 -> 5.8.0) - Update to version 5.8.0: * Bump to v5.8.0 * Final release notes for v5.8.0 * update github.com/containers/gvisor-tap-vsock to v0.8.8 * Bump Podman to v5.8.0-dev * Bump to v5.8.0-RC1 * Extent timeout on Build Each Commit * Update release notes for v5.8.0-RC1 * fix: remove unnecessary -t flag from podman run commands in documentation * Add /usr/libexec/podman/qemu-system-arch * test/system: skip podman volumes with XFS quotas on fedora * cirrus: ensure NOTIFY_SOCKET is properly unset for all tests * docs: Update filter options and add podman ps documentation * docs: Deduplicate --filter descriptions * Deterministically order pod inspect fields * bindings: fix handling of env secrets in remote builds * Add perl to make validatepr * Fix `unless-stopped` restart policy to match Docker behavior * docs/podman.1: Fix leftover rootless mention * fix: improve userns validation when joining pods * docs: further tweaks * docs: improve note about Quadlet TimeoutStartSec * [Fixes: #27571] Fix 'shouldResolveWinPaths' returning 'false' on Windows * fix(api/compat): typo in the remove secret handle * Clamp rootless rlimits to host on format * Add ulimits to `podman update` API * podman-systemd.unit.5: document /sbin/nologin accounts * feat(exec): Add --no-session flag for improved performance * quadlet install: multiple quadlets from single file should share app * quadlet: add support for multiple quadlets in a single file * chore: fix the inconsistent method names in the comments * docs: Add references to quadlet * test/system: Update test to handle new error message from runc 1.3.3 * Ignore auth header with empty JSON object * Fixes: #27444, Fix tiny typos in some artifact docs * Fixes #27421 aritfact push and pull with authfile * Bumping timeout for aarch64 machine * Fix remote client rejecting empty --detach-keys string * Makefile: Drop dead CONTAINER_RUNTIME * Fixes #27378 Missing network type in events document * Update docs/source/markdown/podman-run.1.md.in * Escape periods in path * Escape RequiresMountsFor value * Introduce assert-has-key assertion * Rename misleading assertion name * docs: expand --mount section with detailed type descriptions (#25888) * Fix tmpfs U/chown documentation * [CI:DOCS]Fix minor typo in buildah test * Add system test * Fix podman build "newer" pull policy * test/e2e: fix 'block all syscalls' seccomp for runc * [play_kube] Add validation to container image field * test: Fix PODMAN_BATS_LEAK_CHECK * Fix docs for Volume User= and Group= options * test/system: fix log timestamp work around * extract shared TTY handling code into helper function * test: Fix --hostuser octal UID test flakiness * Fixes #27651 - Fix health inspect/ps for rootfs containers with empty healthcheck * test/e2e: Skip privileged container test if NoNewPrivs is set * Don't assume v1.41 is the default docker * Bump Compat API version to supported v1.44 * libpod: fix Volume.Mount() returning empty path for plugin volumes * fix: correct env/envFrom precedence in kube play * Fix PowerShell `Write-Error` multi-line argument * fix: generate correct error message if Wix is not installed * Fix interfering escaping of commas and spaces in no_proxy variable * Write DefaultEnvironment proxy values to /etc/systemd/user.conf.d/default-env.conf * Fix test proxyenv/env_test.go for systems that use proxy variables * Fix healthcheck argument with spaces split in Docker API (#27818) * fix: prevent race condition during database initialization by using INSERT OR IGNORE. * Release notes for v5.8.0-RC1 (initial) * Fix podman run equivalent for HealthStartPeriod * libpod: simplify unnecessary loops * secrets/create: remove pipe check and allow interactive stdin * Fix container export emitting incorrect event type. * Add AppArmor key to quadlet .container files * fix(logs): enhance timestamp format to include timezone in logs * fix(logs): add tests for nanosecond precision in log timestamps * fix(logs): improve timestamp precision in container logs * Fix missing newlines in stderr error messages * test/system: remove apk from build * libpod: fix healthchecks not executing every interval on linux * fix: skip execution of probes when initialDelaySeconds is not elapsed * test/buildah-bud: skip failed remote test * [v5.8] Bump Buildah to v1.43.0 * Add migration code for BoltDB to SQLite * Deterministically order pod inspect fields * [v5.8] artifact: Skip AddLocal optimization on WSL * [v5.8] Require absolute path for local API * [v5.8] Add local artifact add API endpoint * Add GET /quadlets/{name}/exists * Add DELETE /libpod/quadlets * Add POST /libpod/quadlets * Add GET /quadlets/{name}/file * Use explicit download-artifact name and path for win-installer release * Bump Podman to v5.7.2-dev ==== qemu ==== Version update (10.2.0 -> 10.2.1) - Update to stable release 10.2.1: Full backport list here: https://lore.kernel.org/qemu-devel/20260213060607.200695-1-mjt@tls.msk.ru/ This release includes the fixes for (among others): bsc#1255400 (CVE-2025-14876) A selection of them is reported here below: scripts/qemugdb: timers: Fix KeyError in 'qemu timers' command Revert "tcg/user: do not set exit_request gratuitously" linux-user/syscall.c: Prevent acquiring clone_lock while fork() hw/cxl: Take into account how many media operations are requested for param check hw/cxl: Check for overflow on santize media as both base and offset 64bit. virtio-gpu: fix error handling in virgl_cmd_resource_create_blob virtio-pmem: ignore empty queue notifications virtio-gpu-virgl: correct parent for blob memory region cryptodev-builtin: Limit the maximum size hw/virtio/virtio-crypto: verify asym request size q35: Fix migration of SMRAM state pcie_sriov: Fix PCI_SRIOV_* accesses in pcie_sriov_pf_exit() virtio: Fix crash when sriov-pf is set for non-PCI-Express device virtio-dmabuf: Ensure UUID persistence for hash table insertion vdpa: fix vhost-vdpa suspended state not be shared hw/i2c/aspeed_i2c: Fix DMA moving data into incorrect address hw/i2c/aspeed: Fix wrong I2CC_DMA_LEN when I2CM_DMA_TX/RX_ADDR set first hw/arm/aspeed_ast27x0: Fix EHCI3/4 IRQ routing to GIC hw/i2c/aspeed_i2c.c: Add a check for dma_read hw/adc: Fix out-of-bounds write in Aspeed ADC model hw/uefi: fix size negotiation hw/nvme: Fix bootindex suffix use-after-free python: fix msys64 wheel directory specification tests/qtest/ufs-test: Add test for mcq completion queue wraparound hw/ufs: Fix mcq completion queue wraparound hw/ufs: fix CQE endianness and UPIU length hw/ufs: Ensure DBC of PRDT uses only lower 18 bits tests/functional: migrate sbsa_ref test images pc-bios/optionrom: Use 32-bit linker emulation for the optionroms gitlab: preserve base rules for container template target/i386/tcg: fix a few instructions that do not support VEX.L=1 linux-user: fixup termios2 related things on PowerPC linux-user: Add missing termios baud rates linux-user: Add termios2 support to sparc target linux-user: Add termios2 support to sh4 target linux-user: Add termios2 support to mips target linux-user: Add termios2 support to hppa target linux-user: Add termios2 support to alpha target linux-user: Add termios2 support hw/intc: avoid byte swap fiddling in gicv3 its path ... - Fix bsc#1257492: * [openSUSE][RPM] spec: Tie guest-agent supplements to the kernel package (bsc#1257492) ==== samba ==== Version update (4.23.5+git.458.200d9061a31 -> 4.23.5+git.463.513487e87f1) Subpackages: libldb2 samba-ad-dc-libs samba-client samba-client-libs samba-libs - The "include system krb5 conf" option searchs for /usr/etc/krb5.conf if /etc/krb5.conf does not exist; (bsc#1257940); ==== suse-module-tools ==== Version update (16.1.3 -> 16.1.4) Subpackages: suse-module-tools-scriptlets - Update to version 16.1.4: * Remove erofs from the list of blacklisted file systems (jsc#PED-14573) * weak-modules2: don't remove symlinks in the rpm --reinstall case (bsc#1257055) ==== util-linux ==== Subpackages: libblkid1 libfdisk1 libmount1 libsmartcols1 libuuid1 - Prevent leaking of NETLINK_ROUTE socket to login, which causes SELinux AVC denial (gh#util-linux/util-linux#4032, util-linux-lib-netlink-fix5.patch). ==== util-linux-systemd ==== Subpackages: lastlog2 liblastlog2-2 - Prevent leaking of NETLINK_ROUTE socket to login, which causes SELinux AVC denial (gh#util-linux/util-linux#4032, util-linux-lib-netlink-fix5.patch). ==== xkeyboard-config ==== Version update (2.46 -> 2.47) - update to 2.47 * Layouts / New + Added the Slavistic Phonetic Alphabet variant for Polish * Miscellaneous / Breaking changes + Made behave like On Linux Kernel before v6.17, the scancode for F24 was bound to the otherwise unused keycode. v6.17 fixed this. To have a consistent behaviour across kernel versions, make both and behave the same. * New + Added keycodes from recent Linux kernels: `` for `KEY_LINK_PHONE` `` for `KEY_PERFORMANCE` + inet: Added mapping to the following new keysyms: `XF86LinkPhone` `XF86Fn_F1` `XF86Fn_F2` `XF86Fn_F3` `XF86Fn_F4` `XF86Fn_F5` `XF86Fn_F6` `XF86Fn_F7` `XF86Fn_F8` `XF86Fn_F9` `XF86Fn_F10` `XF86Fn_F11` `XF86Fn_F12` `XF86Fn_1` `XF86Fn_2` `XF86Fn_D` `XF86Fn_E` `XF86Fn_F` `XF86Fn_S` `XF86Fn_B` `XF86PerformanceMode` `XF86AudioBassBoost` + inet: Mapped `F19` for the rare occasion that it exists e.g. on custom keyboards. + inet: Mapped `F24`, which has a special alternative function as pressing the touchpad toggle key on some notebooks produces the key sequence `Super + Control + F24`. - supersedes U_Make-ua-winkeysenhanced-compatible-with-ckbcomp.patch