Packages changed:
  apparmor
  container-selinux (2.247.0 -> 2.248.0)
  expat (2.7.5 -> 2.8.1)
  ffmpeg-8
  gpg2 (2.5.19 -> 2.5.20)
  kernel-source (7.0.6 -> 7.0.7)
  libapparmor
  libei (1.5.0 -> 1.6.0)
  libinput (1.31.1 -> 1.31.2)
  libmodulemd
  libselinux
  libselinux-bindings
  openssl-3
  pipewire (1.6.4 -> 1.6.5)
  python-urllib3 (2.6.3 -> 2.7.0)
  selinux-policy (20260414 -> 20260508)
  suse-module-tools (16.1.4 -> 16.1.5)
  xen (4.21.1_04 -> 4.21.1_06)

=== Details ===

==== apparmor ====

- add wpa_supplicant.diff: fix wpa_supplicant profile (boo#1265377)

==== container-selinux ====
Version update (2.247.0 -> 2.248.0)

- Update to version 2.248.0:
  * Condition ptrace permission on deny_ptrace boolean

==== expat ====
Version update (2.7.5 -> 2.8.1)

- update to 2.8.1 (bsc#1264713, CVE-2026-45186, bsc#1262263, CVE-2026-41080):
  * Fix quadratic runtime from attribute name collision checks that allowed denial of service attacks through moderately sized crafted XML input (CWE-407). Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
  * CVE-2026-41080 -- The existing hash flooding protection only used 4 to 8 bytes of entropy for a salt, when 16 bytes of salt are supported by the implementation of SipHash used by Expat. Now full 16 bytes of entropy are used to improve protection against hash flooding attacks.
  * Existing API function XML_SetHashSalt is now deprecated because of its limitations, and its use should be considered a vulnerability. Please either use the new API function XML_SetHashSalt16Bytes (with known-high-quality entropy input only!) instead, or leave the derivation of a 16-bytes hash salt from high quality entropy to Expat's internal machinery (by *not* calling either of the two XML_SetHashSalt* functions).

==== ffmpeg-8 ====
Subpackages: libavcodec62 libavfilter11 libavformat62 libavutil60 libswresample6 libswscale9

- Enable glslang filters

==== gpg2 ====
Version update (2.5.19 -> 2.5.20)

- Update to 2.5.20:
  * gpgsm: Implement GCM encryption. Note that decryption works since version 2
  * gpgsm: New option --attribute and server command SETATTR to include arbitrary signed or unsigned attributes into a signature. Enable only with libksba 1
  * gpgsm: Introduce system attribute _signingCertificateV2.
  * gpg: Fix wrong assertion failure which could very rarely occur during key signature checking
  * gpg: Consider certify-only keys for revocation signature check.
  * gpgsm: Fix possible double free in the CMS parser
  * gpgsm: Fix possible too early removal of ephemeral keys
  * gpgsm: Avoid emitting a final FAILURE status line if --status-fd is not used
  * gpgsm: Fix a regression in 2.5.19 for password encrypted GCM data
  * agent: Fix not using cache for pinentry loopback
  * agent: Fix command PUT_SECRET by saving input line
  * keyboxd: Mark keys searched but not imported via LDAP correctly as ephemeral
  * scdaemon: Avoid buffer overflow with SC-HSM cards providing RSA keys > 2k
  * dirmngr: Fix uninitialized use of the dns_any union in dns_rr_cmp

==== kernel-source ====
Version update (7.0.6 -> 7.0.7)

- Update patches.kernel.org/7.0.2-014-f2fs-fix-to-avoid-uninit-value-access-in-f2fs_s.patch (bsc#1012628 CVE-2026-43349 bsc#1265131).
- Update patches.kernel.org/7.0.2-024-smb-client-require-a-full-NFS-mode-SID-before-r.patch (bsc#1012628 CVE-2026-43350 bsc#1264985).
- Update patches.kernel.org/7.0.2-042-mshv_vtl-Fix-vmemmap_shift-exceeding-MAX_FOLIO_.patch (bsc#1012628 CVE-2026-43348 bsc#1264981).
- Update patches.kernel.org/7.0.7-306-ksmbd-validate-inherited-ACE-SID-length.patch (bsc#1012628 CVE-2026-43490).
  suse-add-cves
- commit f1d450c
- ptrace: slightly saner 'get_dumpable()' logic (bsc#1265308).
- commit 67ebcde
- selftests/namespaces: Skip efault tests when listns() is not available (poo#196367).
- selftests/namespaces: Fix waitpid race in listns_efault_test cleanup (poo#196367).
- selftests/namespaces: Kill grandchild in nsid fixture teardown (poo#196367).
- commit 37898a9
- Linux 7.0.7 (bsc#1012628).
- scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() (bsc#1012628).
- ipmi: Add limits to event and receive message requests (bsc#1012628).
- ipmi: Check event message buffer response for bad data (bsc#1012628).
- ipmi:si: Return state to normal if message allocation fails (bsc#1012628).
- fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free (bsc#1012628).
- ACPI: arm64: cpuidle: Tolerate platforms with no deep PSCI idle states (bsc#1012628).
- ACPI: scan: Use acpi_dev_put() in object add error paths (bsc#1012628).
- ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO (bsc#1012628).
- ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug (bsc#1012628).
- ACPI: video: force native backlight on HP OMEN 16 (8A44) (bsc#1012628).
- tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() (bsc#1012628).
- iommufd: Fix a race with concurrent allocation and unmap (bsc#1012628).
- ASoC: SOF: Don't allow pointer operations on unconfigured streams (bsc#1012628).
- wifi: mt76: mt7925: fix incorrect TLV length in CLC command (bsc#1012628).
- spi: rockchip: fix controller deregistration (bsc#1012628).
- ksmbd: rewrite stop_sessions() with restartable iteration (bsc#1012628).
- KVM: x86: Fix shadow paging use-after-free due to unexpected GFN (bsc#1012628).
- flow_dissector: do not dissect PPPoE PFC frames (bsc#1012628).
- smb: client/smbdirect: fix MR registration for coalesced SG lists (bsc#1012628).
- net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked (bsc#1012628).
- exit: prevent preemption of oopsing TASK_DEAD task (bsc#1012628).
- wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr (bsc#1012628).
- wifi: mt76: mt7925: fix incorrect length field in txpower command (bsc#1012628).
- wifi: mt76: mt7921: fix a potential clc buffer length underflow (bsc#1012628).
- wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work (bsc#1012628).
- wifi: b43legacy: enforce bounds check on firmware key index in RX path (bsc#1012628).
- wifi: mac80211: drop stray 'static' from fast-RX rx_result (bsc#1012628).
- wifi: rsi: fix kthread lifetime race between self-exit and external-stop (bsc#1012628).
- wifi: mac80211: use safe list iteration in radar detect work (bsc#1012628).
- wifi: ath5k: do not access array OOB (bsc#1012628).
- wifi: mac80211: remove station if connection prep fails (bsc#1012628).
- wifi: b43: enforce bounds check on firmware key index in b43_rx() (bsc#1012628).
- wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task (bsc#1012628).
- usb: usblp: fix heap leak in IEEE 1284 device ID via short response (bsc#1012628).
- usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl (bsc#1012628).
- ALSA: usb-audio: midi2: Restart output URBs on resume (bsc#1012628).
- ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() (bsc#1012628).
- ALSA: usb-audio: Fix UAC3 cluster descriptor size check (bsc#1012628).
- usb: dwc3: Move GUID programming after PHY initialization (bsc#1012628).
... changelog too long, skipping 623 lines ...
- commit 96c854d

==== libapparmor ====

- add wpa_supplicant.diff: fix wpa_supplicant profile (boo#1265377)

==== libei ====
Version update (1.5.0 -> 1.6.0)

- Update to release 1.6.0
  * A new ei_text interface that provides the ei_text.keysym and ei_text.utf8 requests and events. These allow an emulating client to send keysyms or straight utf8, useful for situations where a keysym needs to be sent independent of the available keymap on the ei_keyboard device.
  * Preparatory work for future table support:
    * ei_device.ready is a request sent by compatible clients after ei_device.done to notify the EIS implementation that the client is done with any device-specific configuration.
    * ei_seat.request_device is a request sent by compatible clients to request a device with specific capabilities. The EIS implementation is not required to honor this request.

==== libinput ====
Version update (1.31.1 -> 1.31.2)

- Update to release 1.31.2
  * A bunch of device-specific quirks
  * Fix for the new fast-swipe interaction during 3fg dragging. A wrong timestamp calculation could cause slow movements to be interpreted as swipes in some cases.
  * A fix for the Acer Swift SFX14-73G (and likely other devices with a similar touchpad) fixes a stuttering cursor caused by wrong SYN_REPORT handling in libinput.

==== libmodulemd ====

- Build different flavors for Python subpackages

==== libselinux ====
Subpackages: libselinux1 selinux-tools

- Change License from SUSE-Public-Domain to LicenseRef-SUSE-Public-Domain due to rpmlint invalid-license warning.

==== libselinux-bindings ====

- Change License from SUSE-Public-Domain to LicenseRef-SUSE-Public-Domain due to rpmlint invalid-license warning.

==== openssl-3 ====
Subpackages: libopenssl3

- POWER performance enhancements
  * Optimized MLDSA NTT, supports p8 and above architectures (jsc#PED-14569)
  * Add patch: openssl-ppc64le-Optimized-MLKEM-NTT-supports-p8-ISA-2.07-and-above-architectures.patch

==== pipewire ====
Version update (1.6.4 -> 1.6.5)
Subpackages: gstreamer-plugin-pipewire libpipewire-0_3-0 pipewire-alsa pipewire-modules-0_3 pipewire-pulseaudio pipewire-spa-plugins-0_2 pipewire-spa-tools pipewire-tools

- Update to version 1.6.5:
  * This is a bugfix release that is API and ABI compatible with the previous 1.6.x releases.
  * Highlights
    - Fix muted output in some cases.
    - Removed the pipe filter in filter-graph.
    - More fixes and improvements.
  * PipeWire
    - Fix an issue in pw-filter where it could end up in a loop where buffers are stuck on a port and the port becomes silent. (#5249 (closed))
  * Modules
    - Improve ROC receiver start/stop, fixes memory leaks. (#5250 (closed))
    - Remove the pipe filter from filter-graph, it's broken by design and a security nightmare.
    - Fix the midi buffer size in jack-tunnel.
  * SPA
    - Rate limit out-of-buffers errors. (#5249 (closed))
    - Partially revert the line-out mute patch, it seems to break things and leave audio muted when plugging-unplugging jacks. (#5246)
    - Improve renegotiation in audioconvert when the graph rate changes and the resampler was disabled. (#4933 (closed)).
    - Fix potential crash in alsa when logging.
  * Pulse-server
    - A whole bunch of extra security checks and hardening fixes.

==== python-urllib3 ====
Version update (2.6.3 -> 2.7.0)

- Update to 2.7.0 (CVE-2026-44432, bsc#1265266, CVE-2026-44431, bsc#1265267):
  [#]# Security
  Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.
  * Decompression-bomb safeguards of the streaming API were bypassed: See GHSA-mf9v-mfxr-j63j for details.
  * HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc)
  [#]# Deprecations and Removals
  * Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (#3763)
  * Removed support for end-of-life Python 3.9. (#3720)
  * Removed support for end-of-life PyPy3.10. (#4979)
  * Bumped the minimum supported pyOpenSSL version to 19.0.0. (#3777)
  [#]# Bugfixes
  * Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. (#3636)
  * Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True. (#4967)
  * Fixed HTTPResponse.stream() and HTTPResponse.read_chunked() to handle amt=0. (#3793)
  * Updated _TYPE_BODY type alias to include missing Iterable[str], matching the documented and runtime behavior of chunked request bodies. (#3798)
  * Fixed LocationParseError when paths resembling schemeless URIs were passed to HTTPConnectionPool.urlopen(). (#3352)
  * Fixed BaseHTTPResponse.readinto() type annotation to accept memoryview in addition to bytearray, matching the io.RawIOBase.readinto contract and enabling use with io.BufferedReader without type errors. (#3764)

==== selinux-policy ====
Version update (20260414 -> 20260508)
Subpackages: selinux-policy-targeted

- Update to version 20260508:
  * Add boolean ntp_refclock_access (bsc#1262711)
  * Add /var/log/ntp in ntp named filetrans interface (bsc#1262711)
  * Allow thump_t setattr on thumb_tmp_t lnk_files
  * Allow accounts-daemon read accountsd_share_t symlinks (bsc#1262502)
  * Label /usr/bin/sudo-rs and /usr/bin/su-rs
  * Allow pwupdd to read cracklib (bsc#1259138)
  * Allow pwupdd to log to audit log (bsc#1259138)
  * Move accountutils_pwaccessd_varlink_socket_connect from auth_use_pam (bsc#1259138)
  * Allow gpsd the setcap process capability
  * Add note about the process to merge template
  * Add mgetty_allow_sendfax boolean (bsc#1258666)
  * Do not backslash-escape underscores in file context specifications
  * Label /var/log/mgetty.* getty_log_t (bsc#1258666)
  * Allow systemd_homework_t to delete systemd_homed_record_t dirs (bsc#1261359)
  * Allow sshd-auth/sshd-session get attributes of their sshd parent
  * Allow systemd-tmpfiles to adjust resource limits
  * Allow logwatch to getattr nsfs files
  * Allow xdm dbus chat with rhsmcertd
  * Allow dhcpc_hook_t unix_dgram_socket and module_request
  * Allow accountsd list accountsd_share_t dirs

==== suse-module-tools ====
Version update (16.1.4 -> 16.1.5)
Subpackages: suse-module-tools-scriptlets

- Update to version 16.1.5:
  * Support XBOOTLDR (jsc#PED-16142)
  * modprobe.conf: split RNDIS blacklist, add interactive unblacklist support (boo#1262299, boo#1217268)
  * weak-modules2: don't remove symlinks in the rpm --reinstall case (bsc#1257055)

==== xen ====
Version update (4.21.1_04 -> 4.21.1_06)

- bsc#1264066 - VUL-0: CVE-2025-54518: xen: AMD-SN-7052: CPU OP Cache Corruption
  6a034fca-x86-mitigate-AMD-SN-7052.patch