Packages changed: apache2-mod_php8 (8.4.18 -> 8.4.19) curl (8.18.0 -> 8.19.0) grub2 kernel-source (6.19.6 -> 6.19.7) libdbusmenu-gtk2 libdbusmenu-gtk3 libplacebo (7.360.0 -> 7.360.1) libsolv (0.7.35 -> 0.7.36) libsrtp2 (2.7.0 -> 2.8.0) libstorage-ng (4.5.305 -> 4.5.307) libvpl nfs-utils nghttp3 (1.14.0 -> 1.15.0) ngtcp2 (1.19.0 -> 1.21.0) open-iscsi openSUSE-release (20260313 -> 20260314) pcsc-cyberjack (3.99.5final.SP16 -> 3.99.5final.SP17) php8 (8.4.18 -> 8.4.19) python-gobject python-httpx python-tornado6 (6.5.4 -> 6.5.5) qt6-base systemd (259.3 -> 259.5) === Details === ==== apache2-mod_php8 ==== Version update (8.4.18 -> 8.4.19) - version update to 8.4.19 Core: Fixed bug GH-21029 (zend_mm_heap corrupted on Aarch64, LTO builds). Fixed bug GH-20657 (Assertion failure in zend_lazy_object_get_info triggered by setRawValueWithoutLazyInitialization() and newLazyGhost()). Fixed bug GH-20504 (Assertion failure in zend_get_property_guard when accessing properties on Reflection LazyProxy via isset()). Fixed OSS-Fuzz #478009707 (Borked assign-op/inc/dec on untyped hooked property backing value). Fixed bug GH-21215 (Build fails with -std=). Fixed bug GH-13674 (Build system installs libtool wrappers when using slibtool). Curl: Fixed bug GH-21023 (CURLOPT_XFERINFOFUNCTION crash with a null callback). Don't truncate length. Date: Fixed bug GH-20936 (DatePeriod::__set_state() cannot handle null start). Fix timezone offset with seconds losing precision. DOM: Fixed bug GH-21077 (Accessing Dom\Node::baseURI can throw TypeError). Fixed bug GH-21097 (Accessing Dom\Node properties can can throw TypeError). MBString: Fixed bug GH-21223; mb_guess_encoding no longer crashes when passed huge list of candidate encodings (with 200,000+ entries). Opcache: Fixed bug GH-20718 ("Insufficient shared memory" when using JIT on Solaris). Fixed bug GH-21227 (Borked SCCP of array containing partial object). Fixed bug GH-21052 (Preloaded constant erroneously propagated to file-cached script). OpenSSL: Fix a bunch of leaks and error propagation. PCNTL: Fixed pcntl_setns() internal errors handling regarding errnos. Fixed cpuset leak in pcntl_setcpuaffinity on out-of-range CPU ID on NetBSD/Solaris platforms. Fixed pcntl_signal() signal table registering the callback first OS-wise before the internal list. Fixed pcntl_signal_dispatch() stale pointer and exception handling. PCRE: Fixed preg_match memory leak with invalid regexes. PDO_PGSQL: Fixed bug GH-21055 (connection attribute status typo for GSS negotiation). PGSQL: Fixed bug GH-21162 (pg_connect() memory leak on error). Sockets: Fixed bug GH-21161 (socket_set_option() crash with array 'addr' entry as null). Fixed possible addr length overflow with socket_connect() and AF_UNIX family sockets. Windows: Fixed compilation with clang (missing intrin.h include). ==== curl ==== Version update (8.18.0 -> 8.19.0) Subpackages: libcurl4 - Update to 8.19.0: * Security fixes: - CVE-2026-1965: Bad reuse of HTTP Negotiate connection (bsc#1259362) - CVE-2026-3783: Token leak with redirect and netrc (bsc#1259363) - CVE-2026-3784: Wrong proxy connection reuse with credentials (bsc#1259364) - CVE-2026-3805: Use after free in SMB connection reuse (bsc#1259365) * Changes: - BUG-BOUNTY.md: we stop the bug-bounty end of Jan 2026 - cmake: add 'CURL_BUILD_EVERYTHING' option - mqtt: initial support for MQTTS - tool: support fractions for --limit-rate and --max-filesize - tool_cb_hdr: with -J, use the redirect name as a backup - vquic: drop support for OpenSSL-QUIC * Bugfixes: - altsvc: only accept 17 byte dates from files - asyn-ares: abort with OOM error when Curl_dnscache_mk_entry fails - build: move curl stat struct type to the curlx namespace - build: require POSIX 'strdup()' - build: tidy up and dedupe 'strdup' functions - cf-socket: ignore SOCK_CLOEXEC etc for socktype equality checks - cf-socket: use SOCK_CLOEXEC in socket_open when available - cmake: reference OpenSSL and ZLIB imported targets only when enabled - cmake: skip binutils ld hack if zlib/openssl target is not 'IMPORTED' - config2setopts: acknowledge OOM error from CURLOPT_MIMEPOST - curl: add -I and -i to -h important - curl_setup.h: simplify curl memory macro mappings - curlx: drop unused 'curlx_saferealloc()' - digest: escape double quotes and backslashes in realm and nonce - digest: fix memory leak in auth_create_digest_http_message() - digest: handle quotes in the path - easy: reset errorbuf on eyeballing success - easy: reset pausing when resetting request - ftp: replace a 'curlx_free()' with 'curlx_dyn_free()' - ftp: split ftp_state_use_port into sub functions - GOVERNANCE.md: Post-Daniel BDFL - gss: exclude verbose error logic from non-verbose builds - h2+h3: align stream close handling - hostip.c: fix leak of addrinfo - hostip6: remove debug-only code - hostip: fix unreachable code in rare build configuration - http/3: add description for known server error codes - http1: fix potential NULL dereference in 'Curl_h1_req_parse_read()' - http: only send bearer if auth is allowed - imap: add a check for Curl_meta_get() - imap: check 'imap_sendf()' printf masks at compile-time - imap: skip literals inside quoted strings - include: mask computed auth/proto bitmasks to 32 bits - lib: disable websockets early if no http - lib: make sigpipe handling more lazy - lib: reorder protocol functions to avoid forward declarations (email,ftp, misc, ssh) - lib: separate scheme info from protocol implementation - lib: use (u)int64_t instead of long long - mbedtls: guard TLS 1.3 + session tickets usage inside ifdef - mbedtls: no pinnedpubkey wo MBEDTLS_SSL_KEEP_PEER_CERTIFICATE - md4, md5: drop redundant forward declarations - md4, md5: replace custom types with 'uint32_t' - mimepost: allocate main struct on-demand - mk-ca-bundle.pl: drop support for obsolete/insecure fingerprint algos - mqtt: better too-big-message-check - mqtt: fix EOF handling - mqtt: verify Remaining Length for CONNACK and PUBACK - multi: avoid a theoretical 32-bit wrap - multi: probe for IPv6 functionality in multi_init() - noproxy: simplify, don't mix const non-const in strchr() - openldap: avoid forward declarations in ldaps code - openssl+ech: workaround for insecure handshakes - openssl: adapt to OpenSSL master adding const to more APIs - OpenSSL: check reuse of sessions for verify status - openssl: disable local keylog feature if built-in upstream - openssl: fix compiler warning with OpenSSL master - openssl: fix potential OOB read in debug/verbose logging - quiche: use PRIu64 for outputting the stream id - request.h: rename parameter 'buf' to 'req' in Curl_req_send - rtsp: fix assertion failure on zero-length RTP payload - rtspd: fix to check 'realloc()' result - setopt: refuse blobs with zero length - ssh: dedupe state change function - tftp: correct the filename length check - timeout handling: auto-detect effective timeout - tls: add new SSLSUPP flags for several options - tls: remove checks for DEFAULT - tool: enable header separation for HTTPS proxies - tool_cb_hdr: suppress header output when --out-null - tool_operate: reset the URL --url-query between --next - url: fix reuse of connections using HTTP Negotiate - urlapi: use U_CURLU_URLDECODE when toggling it off unsigned - urldata: byebye 'conn->hostname_resolve' - urldata: change 'keep_post' into three distinct bitfields - urldata: convert 'long' fields to fixed variable types - urldata: switch to uint* types - usercertinmem: use the correct cert BIO - vquic: handle SOCKEMSGSIZE correctly - vtls: dedupe common on-session-reuse logic - vtls: use ALPN http/1.0 & http/1.1 for HTTP/1.0 requests - VULN-DISCLOSURE-POLICY.md: push reports to the web form - VULN-DISCLOSURE-POLICY.md: use hackerone - x509asn1: make encodeOID stop on too long input * Remove now unrecognized option --with-openssl-quic * Rebase patches: - curl-disabled-redirect-protocol-message.patch - dont-mess-with-rpmoptflags.patch - libcurl-ocloexec.patch - Build with --enable-ntlm. Certain Exchange Server endpoints oddly permit NTLM but not Basic-type authentication. ==== grub2 ==== Subpackages: grub2-common grub2-i386-pc grub2-snapper-plugin grub2-systemd-sleep-plugin grub2-x86_64-efi grub2-x86_64-efi-bls - Fix LoaderConfigTimeout and LoaderConfigTimeoutOneshot (bsc#1259477) * grub2-bls-loader-config-timeout-fix.patch ==== kernel-source ==== Version update (6.19.6 -> 6.19.7) - Linux 6.19.7 (bsc#1012628). - perf/core: Fix refcount bug and potential UAF in perf_mmap (bsc#1012628). - drm/vmwgfx: Fix invalid kref_put callback in vmw_bo_dirty_release (bsc#1012628). - drm/vmwgfx: Return the correct value in vmw_translate_ptr functions (bsc#1012628). - debugobject: Make it work with deferred page initialization - again (bsc#1012628). - drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse() (bsc#1012628). - KVM: arm64: Hide S1POE from guests when not supported by the host (bsc#1012628). - KVM: arm64: Fix ID register initialization for non-protected pKVM guests (bsc#1012628). - drm/fourcc: fix plane order for 10/12/16-bit YCbCr formats (bsc#1012628). - drm/tiny: sharp-memory: fix pointer error dereference (bsc#1012628). - irqchip/sifive-plic: Fix frozen interrupt due to affinity setting (bsc#1012628). - scsi: lpfc: Properly set WC for DPP mapping (bsc#1012628). - scsi: pm8001: Fix use-after-free in pm8001_queue_command() (bsc#1012628). - accel: ethosu: Fix shift overflow in cmd_to_addr() (bsc#1012628). - drm/imx: parallel-display: check return value of devm_drm_bridge_add() in imx_pd_probe() (bsc#1012628). - drm/bridge: synopsys: dw-dp: Check return value of devm_drm_bridge_add() in dw_dp_bind() (bsc#1012628). - ALSA: scarlett2: Fix DSP filter control array handling (bsc#1012628). - ALSA: usb-audio: Remove VALIDATE_RATES quirk for Focusrite devices (bsc#1012628). - ALSA: usb-audio: Add QUIRK_FLAG_SKIP_IFACE_SETUP (bsc#1012628). - gpio: shared: fix memory leaks (bsc#1012628). - x86/fred: Correct speculative safety in fred_extint() (bsc#1012628). - x86/bug: Handle __WARN_printf() trap in early_fixup_exception() (bsc#1012628). - x86/cfi: Fix CFI rewrite for odd alignments (bsc#1012628). - sched/fair: Rename cfs_rq::avg_load to cfs_rq::sum_weight (bsc#1012628). - sched/fair: Rename cfs_rq::avg_vruntime to ::sum_w_vruntime, and helper functions (bsc#1012628). - sched/fair: Introduce and use the vruntime_cmp() and vruntime_op() wrappers for wrapped-signed aritmetics (bsc#1012628). - sched/fair: Fix zero_vruntime tracking (bsc#1012628). - sched/fair: Only set slice protection at pick time (bsc#1012628). - sched/eevdf: Update se->vprot in reweight_entity() (bsc#1012628). - sched/fair: Fix lag clamp (bsc#1012628). - rseq: Clarify rseq registration rseq_size bound check comment (bsc#1012628). - perf/core: Fix invalid wait context in ctx_sched_in() (bsc#1012628). - accel/amdxdna: Remove buffer size check when creating command BO (bsc#1012628). - accel/amdxdna: Switch to always use chained command (bsc#1012628). - accel/amdxdna: Fix crash when destroying a suspended hardware context (bsc#1012628). - accel/amdxdna: Reduce log noise during process termination (bsc#1012628). - accel/amdxdna: Fix dead lock for suspend and resume (bsc#1012628). - accel/amdxdna: Fix suspend failure after enabling turbo mode (bsc#1012628). - accel/amdxdna: Fix command hang on suspended hardware context (bsc#1012628). - accel/amdxdna: Fix out-of-bounds memset in command slot handling (bsc#1012628). - accel/amdxdna: Prevent ubuf size overflow (bsc#1012628). - accel/amdxdna: Validate command buffer payload count (bsc#1012628). - drm/xe/wa: Steer RMW of MCR registers while building default LRC (bsc#1012628). - cgroup/cpuset: Fix incorrect change to effective_xcpus in partition_xcpus_del() (bsc#1012628). - cgroup/cpuset: Fix incorrect use of cpuset_update_tasks_cpumask() in update_cpumasks_hier() (bsc#1012628). - clk: scu/imx8qxp: do not register driver in probe() (bsc#1012628). - cxl: Move devm_cxl_add_nvdimm_bridge() to cxl_pmem.ko (bsc#1012628). - cxl: Fix race of nvdimm_bus object when creating nvdimm objects (bsc#1012628). - cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed() (bsc#1012628). - scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume (bsc#1012628). - regulator: fp9931: Fix PM runtime reference leak in fp9931_hwmon_read() (bsc#1012628). - regulator: bq257xx: Fix device node reference leak in bq257xx_reg_dt_parse_gpio() (bsc#1012628). - irqchip/ls-extirq: Fix devm_of_iomap() error check ... changelog too long, skipping 482 lines ... - commit 7f7ff04 ==== libdbusmenu-gtk2 ==== - drop unneeded dependency on gnome-doc-utils (boo#1259023) ==== libdbusmenu-gtk3 ==== - drop unneeded dependency on gnome-doc-utils (boo#1259023) ==== libplacebo ==== Version update (7.360.0 -> 7.360.1) - Update libplacebo to version 7.360.1. See details in: https://code.videolan.org/videolan/libplacebo/-/tags/v7.360.1 ==== libsolv ==== Version update (0.7.35 -> 0.7.36) Subpackages: libsolv-tools-base libsolv1 ruby-solv - respect the "default" attribute in environment optionlist in the comps parser - support suse namespace deps in boolean dependencies [bsc#1258193] - support for the Elbrus2000 (e2k) architecture - support language() suse namespace rewriting - bump version to 0.7.36 ==== libsrtp2 ==== Version update (2.7.0 -> 2.8.0) - Update to release 2.8 * Properly support null crypto and null auth scenario (fixes unencrypted SRTP failing with gstreamer's gstsrtp plugin). * The key derivation function was not compliant with the RFC6188 when dealing with AES192CM, which has been fixed. ==== libstorage-ng ==== Version update (4.5.305 -> 4.5.307) Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1 - Translated using Weblate (Spanish) (bsc#1149754) - 4.5.307 - merge gh#openSUSE/libstorage-ng#1062 - use ssh control master in remote probing example - 4.5.306 ==== libvpl ==== - adjusted logic for %suse_version bump with SLE16.1 Beta2 (jsc#PED-15824) ==== nfs-utils ==== Subpackages: libnfsidmap1 nfs-client nfs-kernel-server - Fix nfsrahead crash (bsc#1259595) - Add nfsrahead-quieten-misleading-error-for-non-NFS-block-devic.patch - Add nfsrahead-zero-initialise-device_info-struct.patch ==== nghttp3 ==== Version update (1.14.0 -> 1.15.0) - Update to 1.15.0: * Add nghttp3_conn_submit_request2 to set client-side scheduling hint * Make client-side scheduling incremental by default * Remove nghttp3_conn_submit_request2 * Introduce nghttp3_strlen_lit * Move aux objects into the individual frames * Add const to nghttp3_frame_settings.local_settings ==== ngtcp2 ==== Version update (1.19.0 -> 1.21.0) Subpackages: libngtcp2-16 libngtcp2-16-32bit libngtcp2_crypto_gnutls8 libngtcp2_crypto_gnutls8-32bit - Update tto 1.21.0: * Fix Initial/Handshake packet construction * bbr: Rework spurious loss handling based on the latest draft * Assert that nwrite is not larger than the provided buffer length * log: Remove unused ngtcp2_log_tx_cancel * Remove ngtcp2_datagram.rdata * Rename in6_addr to s6_addr * bbr: Add const qualifier ==== open-iscsi ==== Subpackages: iscsiuio libopeniscsiusr0 - Update to version 2.1.11.suse+88.8e0635b3: * Make iface.example a doc file. (#526) * Updated SPEC file to deliver iface.example as a %doc file, no longer in the database directory. ==== openSUSE-release ==== Version update (20260313 -> 20260314) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== pcsc-cyberjack ==== Version update (3.99.5final.SP16 -> 3.99.5final.SP17) - update to 3.99.5 Service Pack 17 * Update to the Reiner-SCT repository cyberJack DriverPackage master f3674bb325fa3580aff1ce6e200e60a36ae38038 - update supplements device list - update the 40-cyberjack.rules ==== php8 ==== Version update (8.4.18 -> 8.4.19) Subpackages: php8-ctype php8-dom php8-iconv php8-openssl php8-pdo php8-sqlite php8-tokenizer php8-xmlreader php8-xmlwriter - version update to 8.4.19 Core: Fixed bug GH-21029 (zend_mm_heap corrupted on Aarch64, LTO builds). Fixed bug GH-20657 (Assertion failure in zend_lazy_object_get_info triggered by setRawValueWithoutLazyInitialization() and newLazyGhost()). Fixed bug GH-20504 (Assertion failure in zend_get_property_guard when accessing properties on Reflection LazyProxy via isset()). Fixed OSS-Fuzz #478009707 (Borked assign-op/inc/dec on untyped hooked property backing value). Fixed bug GH-21215 (Build fails with -std=). Fixed bug GH-13674 (Build system installs libtool wrappers when using slibtool). Curl: Fixed bug GH-21023 (CURLOPT_XFERINFOFUNCTION crash with a null callback). Don't truncate length. Date: Fixed bug GH-20936 (DatePeriod::__set_state() cannot handle null start). Fix timezone offset with seconds losing precision. DOM: Fixed bug GH-21077 (Accessing Dom\Node::baseURI can throw TypeError). Fixed bug GH-21097 (Accessing Dom\Node properties can can throw TypeError). MBString: Fixed bug GH-21223; mb_guess_encoding no longer crashes when passed huge list of candidate encodings (with 200,000+ entries). Opcache: Fixed bug GH-20718 ("Insufficient shared memory" when using JIT on Solaris). Fixed bug GH-21227 (Borked SCCP of array containing partial object). Fixed bug GH-21052 (Preloaded constant erroneously propagated to file-cached script). OpenSSL: Fix a bunch of leaks and error propagation. PCNTL: Fixed pcntl_setns() internal errors handling regarding errnos. Fixed cpuset leak in pcntl_setcpuaffinity on out-of-range CPU ID on NetBSD/Solaris platforms. Fixed pcntl_signal() signal table registering the callback first OS-wise before the internal list. Fixed pcntl_signal_dispatch() stale pointer and exception handling. PCRE: Fixed preg_match memory leak with invalid regexes. PDO_PGSQL: Fixed bug GH-21055 (connection attribute status typo for GSS negotiation). PGSQL: Fixed bug GH-21162 (pg_connect() memory leak on error). Sockets: Fixed bug GH-21161 (socket_set_option() crash with array 'addr' entry as null). Fixed possible addr length overflow with socket_connect() and AF_UNIX family sockets. Windows: Fixed compilation with clang (missing intrin.h include). ==== python-gobject ==== Subpackages: python311-gobject python311-gobject-Gdk python311-gobject-cairo python313-gobject python313-gobject-Gdk python313-gobject-cairo - Update URL ==== python-httpx ==== - Add support-chardet6-client-autodetect.patch and support-chardet6-response-autodetect.patch (from gh#encode/httpx!3773) patches to overcome incompatibility with the new python-chardet >= 6.0 ==== python-tornado6 ==== Version update (6.5.4 -> 6.5.5) - Update to 6.5.5 (CVE-2026-31958, bsc#1259553) * ``multipart/form-data`` requests are now limited to 100 parts by default, to prevent a denial-of-service attack via very large requests with many parts. This limit is configurable via `tornado.httputil.ParseMultipartConfig`. Multipart parsing can also be disabled completely if not required for the application. Thanks to 0x-Apollyon and bekkaze for reporting this issue * The ``domain``, ``path``, and ``samesite`` arguments to `.RequestHandler.set_cookie` are now validated for illegal characters, which could be abused to inject other attributes on the cookie. Thanks to Dhiral Vyas (Praetorian) for reporting this issue. * Carriage return characters are no longer accepted in ``multipart/form-data`` headers. Thanks to sergeykochanov for reporting this issue. - add fix-tests-with-curl-8-19.patch to fix tests with curl 8.19 ==== qt6-base ==== Subpackages: libQt6Concurrent6 libQt6Core6 libQt6DBus6 libQt6Gui6 libQt6Network6 libQt6OpenGL6 libQt6OpenGLWidgets6 libQt6PrintSupport6 libQt6Sql6 libQt6Test6 libQt6WaylandClient6 libQt6Widgets6 libQt6WlShellIntegration6 libQt6Xml6 qt6-network-tls qt6-networkinformation-glib qt6-networkinformation-nm qt6-platformtheme-gtk3 qt6-printsupport-cups qt6-sql-mysql qt6-sql-sqlite qt6-wayland - Added patch to fix ignore broken unicode filenames without skipping the rest of the directory (QTBUG-142913) * 0001-Do-not-persist-unicode-error-state-across-dirents.patch - Just build with renderdoc on TW, since Leap 16.1 won't have it neither. - Also build without renderdoc on Leap 16 ==== systemd ==== Version update (259.3 -> 259.5) Subpackages: libsystemd0 libsystemd0-32bit libudev1 systemd-32bit systemd-boot systemd-container systemd-lang udev - Import commit (merge of v259.5) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/e53173d15f11454a5770e7732e3eaed3105c11fc...58a9b1726da0e2c89665897ca7e107315b2389e0 - systemd-container: require libarchive instead of tar, since https://github.com/systemd/systemd/commit/a7c8f92d1f937113a279adbe62399f6f0773473f - systemd-update-helper: fix the clean-state command only removing $STATE_DIR/system instead of $STATE_DIR/. - systemd-update-helper: add --root option for testing convenience It allows the tests to redirect them under a temporary directory via --root instead of patching the script with sed. - Import commit e53173d15f11454a5770e7732e3eaed3105c11fc (merge of v259.4) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/1e9dbf558f2578c5f0a38a20cd93950de5d7b648...e53173d15f11454a5770e7732e3eaed3105c11fc - systemd-update-helper: fix incorrect skipping of systemctl disable during package removal (bsc#1245551) This bug was caused by stale dont-disable markers left over from a previous install transaction. Introduce a new command 'clean-state' for systemd-update-helper, which is called once via a %transfiletriggerin in the systemd package at the end of any transaction installing unit files, ensuring markers cannot persist across transactions. - systemd.spec: introduce %bcond_without docs to allow skipping man pages and devel-doc Add a new %bcond_without docs conditional that disables man page and HTML doc generation (-Dman, -Dhtml meson options) when building with --without docs. - systemd-update-helper: fix do_install_units() incorrectly returning 1 when no units need preset.