Packages changed:
  MicroOS-release (20260429 -> 20260430)
  distribution-logos-openSUSE
  editorconfig-core-c (0.12.10 -> 0.12.11)
  glibc (2.42 -> 2.43)
  grub2
  kernel-source (7.0.1 -> 7.0.2)
  nghttp2 (1.68.1 -> 1.69.0)
  python313
  python313-core
  skopeo (1.22.1 -> 1.22.2)
  srt (1.5.4 -> 1.5.5)
  sysextmgr (0.2.1+git20260310.385db9a -> 1.0.0+git20260429.bf44eec)

=== Details ===

==== MicroOS-release ====
Version update (20260429 -> 20260430)
Subpackages: MicroOS-release-appliance MicroOS-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== distribution-logos-openSUSE ====
Subpackages: distribution-logos-openSUSE-MicroOS distribution-logos-openSUSE-icons

- Fix suse_version condition since the value of suse_version is now 1610 in SLE/Leap 16.1

==== editorconfig-core-c ====
Version update (0.12.10 -> 0.12.11)

- update to 0.12.11:
  * CVE-2026-40489: l_pattern buffer overflow (boo#1262131)
  * Fixes for compiler errors/warnings
- drop editorconfig-core-c-const-correctness.patch

==== glibc ====
Version update (2.42 -> 2.43)
Subpackages: glibc-locale glibc-locale-base

- sys-mount-cloexec-flag.patch: include: isolate __O_CLOEXEC flag for sys/mount.h and fcntl.h
- sys-mount-open-tree-macros.patch: Linux: Only define OPEN_TREE_* macros in if undefined (BZ #33921)
- resolv-count-resource-records.patch: resolv: Count records correctly (CVE-2026-4437, bsc#1260078, BZ #34014)
- resolv-check-hostname.patch: resolv: Check hostname for validity (CVE-2026-4438, bsc#1260082, BZ #34015)
- ldbl-128ibm-ceill-floorl-roundl-truncl.patch: Fix ldbl-128ibm ceill, floorl, roundl and truncl zero-sign handling (BZ #33623)
- getlogin-utmp-fallback.patch: Linux: In getlogin_r, use utmp fallback only for specific errors
- nss-malloc-failure-checks.patch: nss: Missing checks in __nss_configure_lookup, __nss_database_get (BZ #28940)
- nss-database-for-fork.patch: nss: Introduce dedicated struct nss_database_for_fork type
- malloc-sys-kernel-mm.patch: malloc: Avoid accessing /sys/kernel/mm
  files
- tests-aarch64-makefile-deps-bti.patch: tests: aarch64: fix makefile dependencies for dlopen tests for BTI
- aarch64-lock-gcs-startup.patch: aarch64: Lock GCS status at startup
- elf-strlen-redir-ifunc.patch: elf: Use dl-symbol-redir-ifunc.h instead _dl_strlen
- riscv-redir-memcpy-generic.patch: riscv: Resolve calls to memcpy using memcpy-generic in early startup
- tst-rseq-linux-7.patch: tests: fix tst-rseq with Linux 7.0
- remove -fcf-protection from optflags on non-x86_64 cross compilers.
- Update to glibc 2.43
  * The ISO C23 free_sized, free_aligned_sized, memset_explicit, and memalignment functions have been added
  * As specified in ISO C23, the assert macro is defined to take variable arguments to support expressions with a comma inside a compound literal initializer not surrounded by parentheses
  * For ISO C23, the functions bsearch, memchr, strchr, strpbrk, strrchr, strstr, wcschr, wcspbrk, wcsrchr, wcsstr and wmemchr that return pointers into their input arrays now have definitions as macros that return a pointer to a const-qualified type when the input argument is a pointer to a const-qualified type
  * The ISO C23 typedef names long_double_t, _Float32_t, _Float64_t, and (on platforms supporting _Float128) _Float128_t, introduced in TS 18661-3:2015, have been added to
  * The ISO C23 optional time bases TIME_MONOTONIC, TIME_ACTIVE, and TIME_THREAD_ACTIVE have been added
  * On Linux, the mseal function has been added
  * Additional optimized and correctly rounded mathematical functions have been imported from the CORE-MATH project, in particular acosh, asinh, atanh, erf, erfc, lgamma, and tgamma.
  * Optimized implementations for fma, fmaf, remainder, remainderf, frexpf, frexp, frexpl (binary128), and frexpl (intel96) have been added.
  * The SVID handling for acosf, acoshf, asinhf, atan2f, atanhf, coshf, fmodf, lgammaf/lgammaf_r, log10f, remainderf, sinhf, sqrtf, tgammaf, y0/j0, y1/j1, and yn/jn was moved to compat symbols, allowing improvements in performance
  * On Linux, the openat2 function has been added
  * On AArch64, support for 2MB transparent huge pages has been enabled by default in malloc (similar to setting glibc.malloc.hugetlb=1 tunable)
  * On AArch64 Linux targets supporting the Scalable Matrix Extension (SME), the clone() system call wrapper will disable the ZA state of the SME
  * On AArch64 targets supporting the Branch Target Identification (BTI) extension, it is possible to enforce that all binaries in the process support BTI using the glibc.cpu.aarch64_bti tunable
  * On AArch64 Linux targets supporting at least one of the branch protection extensions (e.g. Branch Target Identification or Guarded Control Stack), it is possible to use LD_DEBUG=security to make the dynamic linker show warning messages about loaded binaries that do not support the corresponding security feature
  * On AArch64, vector variants of the new C23 exp2m1, exp10m1, log10p1, log2p1, and rsqrt routines have been added
  * On RISC-V, an RVV-optimized implementation of memset has been added
  * On x86, support for the Intel Nova Lake and Wildcat Lake processors has been added
  * Unicode support has been updated to Unicode 17.0.0
  * The manual has been updated and modernized, in particular also regarding many of its code examples
  * Support for dumped heaps has been removed
  * The aforementioned change in ISO C23 of the declaration of bsearch, memchr, strchr, strpbrk, strrchr, strstr, wcschr, wcspbrk, wcsrchr, wcsstr, and wmemchr as const-preserving macros can lead to compilation issues in code not set up for it
  * The uimaxabs function has been renamed to umaxabs, following a change to the name of that function in ISO C2Y
  * The fromfp, fromfpx, ufromfp and ufromfpx functions, and the corresponding functions for other
    floating-point types, now return their result in the same type as their floating-point argument, rather than intmax_t or uintmax_t, in accordance with a change to the definition of these functions in ISO C23
  * The support for TX lock elision of pthread mutexes has been removed on all architectures (powerpc, s390x, x86_64)
  * The next linux 6.19 release will remove support for compat syscalls on s390x
  * The LD_PROFILE functionality no longer has a default directory for the profile data it writes
  * GLIBC-SA-2026-0001: Integer overflow in memalign leads to heap corruption (CVE-2026-0861)
  * GLIBC-SA-2026-0002: getnetbyaddr and getnetbyaddr_r leak stack contents to DNS resolver (CVE-2026-0915)
  * GLIBC-SA-2026-0003: wordexp with WRDE_REUSE and WRDE_APPEND may return uninitialized memory (CVE-2025-15281)
- inet-fortified-namespace.patch, abort-fork-lock-init.patch, ld.so-load-segment-gaps.patch, cancelable-syscall-return-value.patch, ctype-tls-IE.patch, i386-gnu-tls-abi-tag.patch, x86-64-gnu2-tls-abi-tag.patch, x86-64-dt-x86-64-plt-abi-tag.patch, i386-gnu2-tls-abi-tag.patch, aarch64-sve-powf.patch: Removed

==== grub2 ====
Subpackages: grub2-common grub2-i386-efi grub2-i386-efi-bls grub2-i386-pc grub2-snapper-plugin grub2-x86_64-efi grub2-x86_64-efi-bls

- Fix incorrect default entry and bump counter for BLS boot counter files (bsc#1262580)
  * 0001-bls-fix-default-entry-and-bumpcounter-for-BLS-boot-c.patch
- VUL-0: grub: potentially problematic utf8 conversion in bli patches (bsc#1262129)
  * 0001-Fix-problematic-utf8-conversion-in-bli-patches.patch
- Fix build for glibc 2.43 by taking upstream changes (bsc#1257256)
  * 0001-osdep-linux-ofpath-Update-strstr-calls.patch
  * 0001-util-probe-Save-strrchr-ret-val-to-const-data-ptr.patch
  * 0002-util-resolve-Save-str-r-chr-ret-val-to-const-data-pt.patch
- Fix string to integer conversion for LoaderConfigTimeout
  * 0004-bli-Add-support-for-LoaderConfigTimeout-and-LoaderCo.patch
- grub2.spec: When building the grubbls image, do not hardcode
  the timeout value in the early config because it is set by bli.mod when it is loaded
- grub2.spec: Remove hardcoded terminal and theme settings from the early config as they are now applied at runtime
- Fix missing install device check in grub2-install on PowerPC which could lead to bootlist corruption (bsc#1221126)
  * 0001-Mandatory-install-device-check-for-PowerPC.patch
- Fix double free in xen booting if root filesystem is Btrfs (bsc#1259543)
  * grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch
  * grub2-btrfs-09-get-default-subvolume.patch
- Rewrite BLI patches:
  * 0001-blsuki-Add-support-for-LoaderEntries.patch
  * 0002-menu-Allow-default-entry-to-have-.conf-suffix.patch
  * 0003-bli-Add-support-for-LoaderEntryDefault-and-LoaderEnt.patch
  * 0004-bli-Add-support-for-LoaderConfigTimeout-and-LoaderCo.patch
  * 0005-bls_bumpcounter-Add-command-to-bump-boot-counter-for.patch
  * 0006-bli-Add-support-for-LoaderFeatures.patch
  * 0007-blsuki-Fix-sorting-for-entries-with-boot-counting-en.patch
  * 0008-blsuki-append-leftover-LoaderEntries.patch
  * 0009-blsuki-conservative-UTF-8-buffer-size.patch
- Remove patches:
  * 0001-bls-Accept-.conf-suffix-in-setting-default-entry.patch
  * grub2-bls-boot-counting.patch
  * grub2-bls-boot-assessment.patch
  * grub2-blscfg-set-efivars.patch
  * grub2-bls-loader-entry-oneshot.patch
  * grub2-blsbumpcounter-menu.patch
  * grub2-bls-loader-entry-default.patch
  * grub2-bls-loader-entries-boot-counting.patch
  * grub2-bls-loader-features.patch
  * grub2-bls-loader-config-timeout.patch
  * grub2-bls-loader-config-timeout-fix.patch

==== kernel-source ====
Version update (7.0.1 -> 7.0.2)

- Linux 7.0.2 (bsc#1012628).
- crypto: authencesn - Fix src offset when decrypting in-place (bsc#1012628).
- pwm: th1520: fix `CLIPPY=1` warning (bsc#1012628).
- drm/amdgpu: replace PASID IDR with XArray (bsc#1012628).
- crypto: krb5enc - fix sleepable flag handling in encrypt dispatch (bsc#1012628).
- crypto: krb5enc - fix async decrypt skipping hash verification (bsc#1012628).
- ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger (bsc#1012628).
- ksmbd: validate owner of durable handle on reconnect (bsc#1012628).
- scripts: generate_rust_analyzer.py: define scripts (bsc#1012628).
- scripts/dtc: Remove unused dts_version in dtc-lexer.l (bsc#1012628).
- fs/ntfs3: validate rec->used in journal-replay file record check (bsc#1012628).
- f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally (bsc#1012628).
- f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io() (bsc#1012628).
- f2fs: fix to avoid memory leak in f2fs_rename() (bsc#1012628).
- f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer (bsc#1012628).
- fuse: reject oversized dirents in page cache (bsc#1012628).
- fuse: abort on fatal signal during sync init (bsc#1012628).
- fuse: Check for large folio with SPLICE_F_MOVE (bsc#1012628).
- fuse: quiet down complaints in fuse_conn_limit_write (bsc#1012628).
- fuse: fuse_dev_ioctl_clone() should wait for device file to be initialized (bsc#1012628).
- ksmbd: require minimum ACE size in smb_check_perm_dacl() (bsc#1012628).
- smb: server: fix active_num_conn leak on transport allocation failure (bsc#1012628).
- smb: client: fix dir separator in SMB1 UNIX mounts (bsc#1012628).
- smb: server: fix max_connections off-by-one in tcp accept path (bsc#1012628).
- smb: client: require a full NFS mode SID before reading mode bits (bsc#1012628).
- smb: client: validate the whole DACL before rewriting it in cifsacl (bsc#1012628).
- smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path (bsc#1012628).
- ksmbd: validate response sizes in ipc_validate_msg() (bsc#1012628).
- ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl() (bsc#1012628).
- ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment (bsc#1012628).
- ksmbd: use check_add_overflow() to prevent u16 DACL size overflow (bsc#1012628).
- ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id() (bsc#1012628).
- f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io() (bsc#1012628).
- ALSA: usb-audio: apply quirk for MOONDROP JU Jiu (bsc#1012628).
- ALSA: hda/realtek: Add quirk for Legion S7 15IMH (bsc#1012628).
- ALSA: caiaq: take a reference on the USB device in create_card() (bsc#1012628).
- net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd() (bsc#1012628).
- crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed (bsc#1012628).
- crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed (bsc#1012628).
- crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed (bsc#1012628).
- rxrpc: Fix missing validation of ticket length in non-XDR key preparsing (bsc#1012628).
- mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER (bsc#1012628).
- Rename to patches.kernel.org/7.0.2-032-writeback-Fix-use-after-free-in-inode_switch_wb.patch.
- commit 46da294
- Refresh patches.suse/mfd-bcm2835-pm-Add-BCM2712-PM-device-support.patch.
- Refresh patches.suse/mfd-bcm2835-pm-Introduce-SoC-specific-type-identifier.patch.
- Refresh patches.suse/writeback-Fix-use-after-free-in-inode_switch_wbs_wor.patch.
  Update upstream status.
- commit 8e3001e

==== nghttp2 ====
Version update (1.68.1 -> 1.69.0)

- update to 1.69.0:
  * nghttpx: Avoid separate allocation for QUIC tx buffer
  * lib/CMakeLists.txt: Fix NGHTTP2_CONFIG_INSTALL_DIR path
  * nghttpx: Ensure resetting downstream h2 stream
  * Fix union usage in nghttp2_data_provider_wrap
  * nghttpx: Remove stream_closed_ from Http2DownstreamConnection
  * Introduce nghttp2_strlen_lit
  * Check nghttp2_is_fatal first
  * nghttpd, nghttpx: Accept at most 10 connections per loop
  * nghttpx: Accept pending connections until it returns error
  * nghttpx: Rework close-wait packet generation for h3
  * nghttpx: Add extra validation for non-regular path for
  * nghttpx: More strict validation for h1 host
  * nghttpd: Refactor with std::span
  * nghttp: Refactor with std::span
  * nghttp: Move span creation out of loop
  * nghttpx: Use std::span for upstream interface
  * nghttpx: Modernize downstream connection with std::span
  * nghttpx: Deal with partial write in API downstream connection
  * nghttpx: Adopt std::span for LiveCheck read path
  * Nghttpx connection write span
  * Nghttpx connection read span
  * nghttpx: Refactor QUIC utils with std::span
  * nghttpx: Choose the sensible value for TCP_DEFER_ACCEPT
  * nghttpx: Simplify HTTP/2 writer
  * nghttpx: Format doc
  * nghttpx: Deal with ECONNRESET for IPC socket on worker
  * nghttpx: Rewrite LOG macros with std::source_location
  * nghttpx: Amend #2671 to fix double logging
  * nghttpx: Call Log ctor directly
  * nghttpx: Rename LOG_ENABLED to log_enabled
  * src: Add static constexpr to ngtcp2 and nghttp3 callbacks
  * Nghttpx ech
  * nghttpx: Log the number of loaded ECH configuration in NOTICE

==== python313 ====

- Add CVE-2026-6019-Morsel-js_output.patch, which protects against HTML injection by Base64-encoding cookie values embedded in JS (bsc#1262654, CVE-2026-6019, gh#python/cpython#90309).
- Add CVE-2026-1502-reject-CRLF-HTTP-tunnel.patch which rejects CR/LF in HTTP tunnel request headers (bsc#1261969, CVE-2026-1502, gh#python/cpython#146211).
- Add CVE-2026-4786-webbrowser-open-action.patch, which fixes webbrowser %action substitution bypass of dash-prefix check (bsc#1262319, CVE-2026-4786, gh#python/cpython#148169).
- Add CVE-2026-6100-use-after-free-decompression.patch preventing dangling pointer which can end in the use-after-free error (CVE-2026-6100, bsc#1262098, gh#python/cpython#148395).

==== python313-core ====
Subpackages: libpython3_13-1_0 python313-base

- Add CVE-2026-6019-Morsel-js_output.patch, which protects against HTML injection by Base64-encoding cookie values embedded in JS (bsc#1262654, CVE-2026-6019, gh#python/cpython#90309).
- Add CVE-2026-1502-reject-CRLF-HTTP-tunnel.patch which rejects CR/LF in HTTP tunnel request headers (bsc#1261969, CVE-2026-1502, gh#python/cpython#146211).
- Add CVE-2026-4786-webbrowser-open-action.patch, which fixes webbrowser %action substitution bypass of dash-prefix check (bsc#1262319, CVE-2026-4786, gh#python/cpython#148169).
- Add CVE-2026-6100-use-after-free-decompression.patch preventing dangling pointer which can end in the use-after-free error (CVE-2026-6100, bsc#1262098, gh#python/cpython#148395).

==== skopeo ====
Version update (1.22.1 -> 1.22.2)

- Update to version 1.22.2:
  * [release-1.22] Bump Skopeo to 1.22.2
  * proxy: Verify *either* toplevel or target
  * proxy: Move policycontext into global state
  * Packit: fix downstream post-modifications action

==== srt ====
Version update (1.5.4 -> 1.5.5)

- Update to version 1.5.5:
  + Connection State Accuracy: Fixed an issue where srt_connect reported incorrect error codes when attempted on a socket in a broken state. The function now correctly identifies these sockets as closed rather than reporting connection-specific failures.
  + Listen Operation Refinement:
    - Corrected the error code returned when calling srt_listen on a closed or non-existent socket to ensure status reports reflect the socket state accurately.
    - Backlog updates: Updated the logic for srt_listen to allow updates to the backlog parameter on sockets already in the LISTENING state. In such cases, the function now successfully updates the backlog and returns 0 (success).
  + Fixed a bug where a blocking srt_close call could be interrupted by a connection attempt.
  + Resolved Issue #3289 regarding srt_connect in blocking mode. These fixes ensure that interrupting a blocking connection loop or closing the socket from another thread is correctly recognized. Previously, these scenarios could cause the function to incorrectly return success (0) or a misleading SRT_ECONNSOCK error; it now correctly returns SRT_ESCLOSED or SRT_EINVSOCK.
  + Fixed a potential buffer overflow in handshake processing by ensuring that incoming group data length does not exceed internal buffer capacity.
  + Fixed and then restored the cookie contest method from version 1.4.5 as a lower-risk stability measure. It also introduces a mechanism to enforce specific cookie values for testing and development purposes.
  + Fixed reentrancy of srt_strerror()
  + Fixed crash when adding a string-typed option to a group configuration object
  + Fixed incorrect number of sockets returned by srt_epoll_uwait
  + Fixed inconsistent thread-related objects' state after fork()
  + Fixed issues found by thread and memory sanitizers
  + Fixed unexpected blocking behavior in sendmsg call
  + Fixed stalled connection that should break on rogue NAK/ACK reception
  + Fixed some misleading error messages
  + Fixed wrong 'connection lost' error when sending to group in non-blocking pending state
  + Fixed bug where tsbpd might miss m_bClosing flag set in the meantime
  + Fixed caller-accepting connection without packetfilter while requested by a caller (now: late-rejection)

==== sysextmgr ====
Version update (0.2.1+git20260310.385db9a -> 1.0.0+git20260429.bf44eec)

- Update to version 1.0.0+git20260429.bf44eec:
  * Release version 1.0.0
  * libsmartcols-devel added to CI
  * cleanup not needed functions
  * fixed extract
  * using pager
  * cleanup download
  * using vasprintf instead of asprintf
  * fixed ENOENT
  * cleanup cache
  * creating a cache for meta data
  * using posix_spawn
  * -a option for image-list
  * checking environment
  * cleanup error handling
  * improved logging
  * Update help message for cleanup options