Packages changed: babl (0.1.124 -> 0.1.126) blog (2.38 -> 2.40) coreutils (9.10 -> 9.11) coreutils-systemd (9.10 -> 9.11) crypto-policies git (2.53.0 -> 2.54.0) highway (1.3.0 -> 1.4.0) ncurses (6.6.20260328 -> 6.6.20260418) ntfs-3g_ntfsprogs openSUSE-release (20260423 -> 20260425) ovmf xdg-user-dirs (0.18 -> 0.20) zlib === Details === ==== babl ==== Version update (0.1.124 -> 0.1.126) Subpackages: libbabl-0_1-0 libbabl-0_1-0-x86-64-v3 typelib-1_0-Babl-0_1 - Update to version 0.1.126: + It is now possible to build with MSVC. ==== blog ==== Version update (2.38 -> 2.40) Subpackages: libblogger2 - Update to version 2.40 * Protect password data stream on 3270 console as well On S390 the 3270 console is also logged and the passwords, even if hidden on the 3270 console, would be logged as well. - Update to version 2.39 * New feature to protect passwords to be logged On S390 now blogd use for 3215 console the command [#]CP SPOOL CONSOLE STOP to stop logging the plain password at prompting for the password. Also a warning is written out to warn the user that the password will be visible. With getting the password the CONSOLE log is enabled again if it was enabled before. ==== coreutils ==== Version update (9.10 -> 9.11) Subpackages: coreutils-lang - Update to 9.11: Bug fixes * 'dd' now always diagnoses partial writes correctly upon write failure. Previously it may have indicated that only full writes were performed. [This bug was present in "the beginning".] * 'fold' will no longer truncate output when encountering 0xFF bytes. [bug introduced in coreutils-9.8] * 'fold' is again responsive to its input. Previously it would have delayed processing until 256KiB was read from the input. [bug introduced in coreutils-9.8] * 'kill --help' now has links to valid anchors in the html manual. [bug introduced in coreutils-9.10] * When configured with --enable-systemd, the commands 'pinky', 'uptime', 'users', and 'who' no longer consider the systemd session classes 'greeter', 'lock-screen', 'background', 'background-light', and 'none' to be users. [bug introduced in coreutils-9.4] * 'pwd' on ancient systems will no longer overflow a buffer when operating in deep paths longer than twice the system PATH_MAX. [bug introduced in coreutils-9.6] * 'stat --printf=%%N' no longer performs unnecessary checks of the QUOTING_STYLE environment variable. [bug introduced in coreutils-8.26] * 'timeout' no longer exits abruptly when its parent is the init process, e.g., when started by the entrypoint of a container. [bug introduced in coreutils-9.10] New Features * 'cut' now supports multi-byte input and delimiters. Consequently the -c option is now honored, and no longer an alias for -b, and the -n option is now honored, and no longer ignored. Also the -d option supports multi-byte delimiters. * 'cut' adds new options for better compatibility: The -w,--whitespace-delimited option was added to support blank aligned fields and for better compatibility with FreeBSD/macOS. The -O option was added as an alias for the --output-delimiter option, for better compatibility with busybox/toybox. The -F option was added as an alias for -w -O ' ' for better compatibility with busybox/toybox. * 'date --date' now parses dot delimited dd.mm.yy format common in Europe. This is in addition to the already supported mm/dd/yy and yy-mm-dd formats. Changes in behavior * 'cksum --check' now uses shell quoting when required, to more robustly escape file names output in diagnostics. This also affects md5sum, sha*sum, and b2sum. Improvements * 'cat' now uses zero-copy I/O on Linux when appropriate, to improve throughput. E.g., throughput improved 6x from 12.9GiB/s to 81.8GiB/s on a Power10 system. * 'df --local' recognises more file system types as remote. Specifically: autofs, ncpfs, smb, smb2, gfs, gfs2, userlandfs. * 'df' improves duplicate mount suppression, by checking each mount against all previously kept entries for the same device, not just the latest one. * 'expand' and 'unexpand' now support multi-byte characters. * 'groups' and 'id' will now exit sooner after a write error, which is significant when listing information for many users. * 'install' now allows the combination of the --compare and - -preserve-timestamps options. * 'fold', 'join', 'numfmt', 'uniq' now use more consistent blank character determination on non GLIBC platforms. For example \u3000 (ideographic space) will be considered a blank character on all platforms. * 'nl' now supports multi-byte --section-delimiter characters. * 'shuf -i' now operates up to two times faster on systems with unlocked stdio functions. * 'tac' will now exit sooner after a write error, which is significant when operating on a file with many lines. * 'timeout' now properly detects when it is reparented by a subreaper process on Linux instead of init, e.g., the 'systemd --user' process. * 'wc -l' now operates up to four and a half times faster on hosts that support Neon instructions. * 'wc -m' now operates up to 2.6 times faster on GLIBC when processing non-ASCII UTF-8 characters. * 'yes' now uses zero-copy I/O on Linux to significantly increase throughput. E.g., throughput improved 15x from 11.6GiB/s to 175GiB/s on a Power10 system. Build-related * ./configure --enable-single-binary=hardlinks is now supported on systems with dash as the system shell at /bin/sh. [issue introduced in coreutils-9.10] * The test suite may have failed with a "Hangup" error if run non-interactively. [issue introduced in coreutils-9.10] - coreutils-i18n.patch: Refresh patch. Remove now-upstream I18N patches for cut(1), expand(1) and unexpand(1). - Refresh all other patches. ==== coreutils-systemd ==== Version update (9.10 -> 9.11) - Update to 9.11: Bug fixes * 'dd' now always diagnoses partial writes correctly upon write failure. Previously it may have indicated that only full writes were performed. [This bug was present in "the beginning".] * 'fold' will no longer truncate output when encountering 0xFF bytes. [bug introduced in coreutils-9.8] * 'fold' is again responsive to its input. Previously it would have delayed processing until 256KiB was read from the input. [bug introduced in coreutils-9.8] * 'kill --help' now has links to valid anchors in the html manual. [bug introduced in coreutils-9.10] * When configured with --enable-systemd, the commands 'pinky', 'uptime', 'users', and 'who' no longer consider the systemd session classes 'greeter', 'lock-screen', 'background', 'background-light', and 'none' to be users. [bug introduced in coreutils-9.4] * 'pwd' on ancient systems will no longer overflow a buffer when operating in deep paths longer than twice the system PATH_MAX. [bug introduced in coreutils-9.6] * 'stat --printf=%%N' no longer performs unnecessary checks of the QUOTING_STYLE environment variable. [bug introduced in coreutils-8.26] * 'timeout' no longer exits abruptly when its parent is the init process, e.g., when started by the entrypoint of a container. [bug introduced in coreutils-9.10] New Features * 'cut' now supports multi-byte input and delimiters. Consequently the -c option is now honored, and no longer an alias for -b, and the -n option is now honored, and no longer ignored. Also the -d option supports multi-byte delimiters. * 'cut' adds new options for better compatibility: The -w,--whitespace-delimited option was added to support blank aligned fields and for better compatibility with FreeBSD/macOS. The -O option was added as an alias for the --output-delimiter option, for better compatibility with busybox/toybox. The -F option was added as an alias for -w -O ' ' for better compatibility with busybox/toybox. * 'date --date' now parses dot delimited dd.mm.yy format common in Europe. This is in addition to the already supported mm/dd/yy and yy-mm-dd formats. Changes in behavior * 'cksum --check' now uses shell quoting when required, to more robustly escape file names output in diagnostics. This also affects md5sum, sha*sum, and b2sum. Improvements * 'cat' now uses zero-copy I/O on Linux when appropriate, to improve throughput. E.g., throughput improved 6x from 12.9GiB/s to 81.8GiB/s on a Power10 system. * 'df --local' recognises more file system types as remote. Specifically: autofs, ncpfs, smb, smb2, gfs, gfs2, userlandfs. * 'df' improves duplicate mount suppression, by checking each mount against all previously kept entries for the same device, not just the latest one. * 'expand' and 'unexpand' now support multi-byte characters. * 'groups' and 'id' will now exit sooner after a write error, which is significant when listing information for many users. * 'install' now allows the combination of the --compare and - -preserve-timestamps options. * 'fold', 'join', 'numfmt', 'uniq' now use more consistent blank character determination on non GLIBC platforms. For example \u3000 (ideographic space) will be considered a blank character on all platforms. * 'nl' now supports multi-byte --section-delimiter characters. * 'shuf -i' now operates up to two times faster on systems with unlocked stdio functions. * 'tac' will now exit sooner after a write error, which is significant when operating on a file with many lines. * 'timeout' now properly detects when it is reparented by a subreaper process on Linux instead of init, e.g., the 'systemd --user' process. * 'wc -l' now operates up to four and a half times faster on hosts that support Neon instructions. * 'wc -m' now operates up to 2.6 times faster on GLIBC when processing non-ASCII UTF-8 characters. * 'yes' now uses zero-copy I/O on Linux to significantly increase throughput. E.g., throughput improved 15x from 11.6GiB/s to 175GiB/s on a Power10 system. Build-related * ./configure --enable-single-binary=hardlinks is now supported on systems with dash as the system shell at /bin/sh. [issue introduced in coreutils-9.10] * The test suite may have failed with a "Hangup" error if run non-interactively. [issue introduced in coreutils-9.10] - coreutils-i18n.patch: Refresh patch. Remove now-upstream I18N patches for cut(1), expand(1) and unexpand(1). - Refresh all other patches. ==== crypto-policies ==== Subpackages: crypto-policies-scripts - Modify the output of fips-mode-setup to hint the user when setting the FIPS mode in transactional systems to use the command 'transactional-update setup-fips'. (bsc#1262315) ==== git ==== Version update (2.53.0 -> 2.54.0) Subpackages: git-core git-email git-gui git-web gitk perl-Git - Update to 2.54.0: - UI, Workflows & Features - "git add -p" and friends note what the current status of the hunk being shown is. - "git history" history rewriting (experimental) command has been added. - "git replay" is taught to drop commits that become empty (not the ones that are empty in the original). - The help text and the documentation for the "--expire" option of "git worktree [list|prune]" have been improved. - When "git show-index" is run outside a repository, it silently defaults to SHA-1; the tool now warns when this happens. - "git merge-file" can be run outside a repository, but it ignored all configuration, even the per-user ones. The command now uses available configuration files to find its customization. - "auto filter" logic for large-object promisor remote. - "git rev-list" and friends learn "--maximal-only" to show only the commits that are not reachable by other commits. - Command line completion (in contrib/) update for "stash import/export". - "git repo info" learns "--keys" action to list known keys. - Extend the alias configuration syntax to allow aliases using characters outside ASCII alphanumeric (plus '-'). - A signature on a commit that was GPG signed a long time ago ought to be still valid after the key that was used to sign it has expired, but we showed them in alarming red. - "git subtree split --prefix=P " now checks the prefix P against the tree of the (potentially quite different from the current working tree) given commit. - "git add -p" learned a new mode that allows the user to revisit a file that was already dealt with. - Allow the directory in which reference backends store their data to be specified. - "gitweb" has been taught to be mobile friendly. - "git apply --directory=./un/../normalized/path" now normalizes the given path before using it. - "git maintenance" starts using the "geometric" strategy by default. - "git config list" is taught to show the values interpreted for specific type with "--type=" option. - "git add " has been taught to honor submodule..ignore that is set to "all" (and requires "git add -f" to override it). - Hook commands are now allowed to be defined (possibly centrally) in the configuration files, and run multiple of them for the same hook event. - The way end-users can add their own "git " subcommand by storing "git-" in a directory on their $PATH has not been documented clearly, which has been corrected. - "git send-email" learns to pass hostname/port to Authen::SASL module. - "git send-email" learns to support use of client-side certificates. - "git send-email" has learned to be a bit more careful when it accepts charset to use from the end-user, to avoid 'y' (mistaken 'yes' when expecting a charset like 'UTF-8') and other nonsense. - "git status" learned to show comparison between the current branch and various other branches listed on status.compareBranches configuration. - "git repo structure" command learns to report maximum values on various aspects of objects it inspects. - "git rebase" learns "--trailer" option to drive the interpret-trailers machinery. - "git fast-import" learned to optionally replace signature on commits whose signatures get invalidated due to replaying by signing afresh. - "git history" learned the "split" subcommand. - The reference-transaction hook was taught to be triggered before taking locks on references in the "preparing" phase. - "git apply" now reports the name of the input file along with the line number when it encounters a corrupt patch, and correctly resets the line counter when processing multiple patch files. - The HTTP transport learned to react to "429 Too Many Requests". - "git repo info -h" and "git repo structure -h" limit their help output to the part that is specific to the subcommand. - "git format-patch --cover-letter" learns to use a simpler format instead of the traditional shortlog format to list its commits with a new --commit-list-format option and format.commitListFormat configuration variable. - `git backfill` learned to accept revision and pathspec arguments. - "git replay" (experimental) learns, in addition to "pick" and "replay", a new operating mode "revert". - "git replay" now supports replaying down to the root commit. - Handling of signed commits and tags in fast-import has been made more configurable. - "git config list" is the official way to spell "git config - l" and "git config --list". Use it to update the documentation. - Performance, Internal Implementation, Development Support etc. - Avoid local submodule repository directory paths overlapping with each other by encoding submodule names before using them as path components. - The string_list API gains a new helper, string_list_sort_u(), ... changelog too long, skipping 303 lines ... jc/ci-github-actions-use-checkout-v5 later to maint). ==== highway ==== Version update (1.3.0 -> 1.4.0) - Update to release 1.4.0 * Added Fast* math functions, sum_array example, HWY_ARCH_MAX_BYTES, HWY_MIN_BYTES, HWY_NATIVE_MASK, HWY_REGISTERS HWY_EXPORT_AND_TEST_BEST_P, InterleaveLower/UpperBlocks, Lookup8, XorAndNot, MinMax algo, AtomicBitSet, RVV and LSX/LASX runtime dispatch. ==== ncurses ==== Version update (6.6.20260328 -> 6.6.20260418) Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen - Disable fix-mouse.patch as it conflicts with current patch level. Mask patch fix-mouse.patch as source to not lose it. - The fix-bsc1259924.patch is NOT required as at this patch level already included. In fact fix-bsc1259924.patch is a backport. - Add ncurses patch 20260418 + note in manpage that wgetch/wget_wch consistently set errno to EBADF for poll/select configurations when the input is closed. + improve check in test/ncurses for errors by limiting it to the latest wgetch/wget_wch (cf: 20260404). > fixes for problems found by Anthropic (report by David Korczynski): + correct a limit-check in _nc_write_object + correct a source-pointer in _nc_trim_sgr0 + add limit-check in read_SGR - Add ncurses patch 20260411 + if POLLNVAL is set in revents, set errno to EBADF to improve handling of closed input for poll() configuration. + cancel bce and rep in some screen.X's -TD - Add ncurses patch 20260404 + use xterm+direct in konsole-direct, add several features to konsole (report by Xu Che) + use dec+sl in mintty (prompted by Thomas Wolff) -TD + add linux-alt1049 (report by Sebastien Hinderer) -TD + add a limit-check in _nc_mouse_parse in case there are no valid events (report by Giorgos Xou, cf: 20260301). + amend recent change to test/ncurses to check errno before deciding to exit. ==== ntfs-3g_ntfsprogs ==== Subpackages: libntfs-3g89 ntfs-3g ntfsprogs - Add ntfs3g-heap-overflow.patch: bsc#1262216 CVE-2026-40706. ==== openSUSE-release ==== Version update (20260423 -> 20260425) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== ovmf ==== Subpackages: qemu-ovmf-x86_64 - Update mbedtls to 3.6.6 to fix CVE-2026-25833, CVE-2026-25834, CVE-2026-25835, CVE-2026-34874 (bsc#1261476, bsc#1261477, bsc#1261478, bsc#1261469) - Requires Mbed TLS 3.6.6 or higher to mitigate vulnerability. - Add qcow2 format firmware images for snapshot support (jsc#PED-14634, bsc#1262549) - Convert all -code.bin and -vars.bin to qcow2 format via qemu-img to enable backing file and snapshot support; unified and special-purpose images (e.g., SEV, TDX, Xen) remain in raw format only. ==== xdg-user-dirs ==== Version update (0.18 -> 0.20) Subpackages: xdg-user-dirs-lang - Update to version 0.20: + Features: - user-dirs.defaults: add PROJECTS directory - Replace xdg-user-dir shell script with C implementation - Make printable-char validation for dir names stricter + Bugfixes: - build: Unhardcode bindir in .service file - Fix length accounting in concat_strings - Escape " as well when shell-escaping - Check that user dir name does not contain line breaks - git-tp-sync: prevent handling POT files + Miscellaneous: - Remove Automake support - Clean up user-dir lookup code a bit, split sources and data - Stop mixing tabs & spaces - Changes from version 0.19: + Features: - Add a systemd service to run xdg-user-dirs-update - Add initial Meson buildsystem support + Bugfixes: Fix autopoint invocation + Miscellaneous: - Update automake boilerplate - Update information in README + Updated translations. - Switch to meson buildsystem. - Drop 0001-Add-a-systemd-service-to-run-xdg-user-dirs-update.patch Fixed upstream. ==== zlib ==== Subpackages: libminizip1 libminizip1-x86-64-v3 libz1 libz1-32bit libz1-x86-64-v3 - Fix CVE-2026-27171, infinite loop via the crc32_combine64 and crc32_combine_gen64 functions due to missing checks for negative lengths (bsc#1258392) * CVE-2026-27171.patch