Packages changed: GraphicsMagick freeipmi (1.6.17 -> 1.6.18) gcc15 (15.2.1+git11263 -> 15.3.0+git11272) gstreamer (1.28.3 -> 1.28.4) gstreamer-devtools (1.28.3 -> 1.28.4) gstreamer-plugins-bad (1.28.3 -> 1.28.4) gstreamer-plugins-base (1.28.3 -> 1.28.4) gstreamer-plugins-good (1.28.3 -> 1.28.4) gstreamer-plugins-libav (1.28.2 -> 1.28.4) gstreamer-plugins-rs (1.28.3 -> 1.28.4) gstreamer-plugins-ugly (1.28.2 -> 1.28.4) libcacard (2.8.1 -> 2.8.2) ncurses openSUSE-release (20260612 -> 20260613) opensc openssl-3 python-tornado6 (6.5.5 -> 6.5.7) qatlib (25.08.0 -> 26.02.0) qatzip (1.3.1 -> 1.3.2) rav1e ruby-common snapper sssd (2.13.0 -> 2.13.1) zypper (1.14.97 -> 1.14.98) === Details === ==== GraphicsMagick ==== Subpackages: libGraphicsMagick++-Q16-12 libGraphicsMagick-Q16-3 libGraphicsMagick3-config - fixed off by one [bsc#1265048] - modified patches * GraphicsMagick-CVE-2026-42050.patch ==== freeipmi ==== Version update (1.6.17 -> 1.6.18) - Update to version 1.6.18: * Fix bsc#1267605 - CVE-2026-50031: + ipmi-oem/ipmi-oem-dell.c (ipmi_oem_dell_get_active_directory_config): Fix potential stack corruption. + ipmi-oem/ipmi-oem-fujitsu.c (ipmi_oem_fujitsu_get_sel_entry_long_text): Fix potential buffer overflow. ==== gcc15 ==== Version update (15.2.1+git11263 -> 15.3.0+git11272) - Update to GCC 15.3 release ==== gstreamer ==== Version update (1.28.3 -> 1.28.4) Subpackages: gstreamer-lang gstreamer-utils libgstreamer-1_0-0 typelib-1_0-Gst-1_0 - Update to version 1.28.4: + Highlighted bugfixes: - Various security fixes and playback fixes - audioaggregator: fixes for conversion of in-progress buffers when input caps change - audioresample: more armv7 fixes - camerabin: Fix caps negotiation failure when starting video capture - Debug logging performance improvements - fmp4mux: Fix draining in chunk mode after partial GOPs were drained - gldownload: fix handling of directly imported dmabufs from glupload - matroskamux: Write ReferenceBlock for non-keyframe video in BlockGroups - rtp2: session: add "stats" property - rtspsrc2: handle parse errors with TCP interleaved more gracefully where the server just drops data - rtspsrc2: implement support for SRTP, authentication, HTTP tunnelling, keep alive, stream selection, TLS validation, latency configuration - st2038combiner: only forward video pad segment, fixing issues for cases where the ST2038 segment differs - Wavpack audio: Various channel and channel-mask related fixes - webrtc, sdp: set level in negotiated caps only if level asymmetry not allowed, fixing an H.264 negotiation regression with higher resolutions - androidmedia: add various new codec mime / profile mappings (WMV, VC1, AC3/EAC3/AC4, AAC, H265) and support decoding FLAC - d3d12decoder: Fix decoding on Qualcomm GPUs on ARM64 Windows - wasapi2src: fix hang when using loopback-target-pid (regression from 1.26) - cerbero: update to Rust 1.96, plus glib-networking OpenSSL backend fixes - Various bug fixes, build fixes, memory leak fixes, and other stability and reliability improvements + gstreamer: - bufferpool: avoid leaking partially preallocated buffers - caps: fix multiple caps leaks - datetime: Improve correctness of ISO-8601 string parsing - info: Don't use fwrite() on Windows for debug logging - info: Use stack allocation for messages smaller than 1kB - task: Fix racy tests by making unref deterministic - value: fix crash when converting NULL G_TYPE_VALUE_ARRAY to G_TYPE_STRING - registry: detect libgstreamer load from Android container and skip canonicalization - tests: Fix build with glib <= 2.67.2 ==== gstreamer-devtools ==== Version update (1.28.3 -> 1.28.4) - Update to version 1.28.4: + Update Rust dependencies ==== gstreamer-plugins-bad ==== Version update (1.28.3 -> 1.28.4) Subpackages: gstreamer-plugins-bad-lang libgstadaptivedemux-1_0-0 libgstanalytics-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgsthip-1_0-0 libgstinsertbin-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstmse-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstsctp-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0 - Update to version 1.28.4: + ahcsrc: Register exposure-mode property for GstPhotography interface + amc: Don't try printing NULL caps + amcvideodec: Don't keep crop-rectangle uninitialized if not specified + androidmedia: Add various new codec mime / profile mappings + androidmedia: Don't print error logs if downstream returns flushing / EOS + androidmedia: Fix typo in error message + androidmedia: support decoding flac + av1parser: Fix bytes/bits confusion when parsing tile data size + camerabin: Fix caps negotiation when starting video capture + d3d12decoder: Fix decoding on Qualcomm GPUs + mpegtspacketizer: Do not seek before the first PCR + mxfdemux: Use unsigned integers in more places and don't truncate 64 bit integers + svtav1enc: Scale MDCV and CLL to SVT-AV1's expected units + va: drm: Fix fd leak and return type in create_va_display + vajpegdecoder: Validate that enough data is available for the current JPEG segment + vulkanupload: Don't reallocate the pool when the framerate changes + wasapi2: Don't reset process loopback capture client + wasapi2src hangs when using loopback-target-pid in GStreamer 1.28 (regression from 1.26) + tests: Fix build with glib <= 2.67.2 + meson: fix building -bad tests with disabled mse ==== gstreamer-plugins-base ==== Version update (1.28.3 -> 1.28.4) Subpackages: gstreamer-plugins-base-lang libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstfft-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 typelib-1_0-GstAudio-1_0 typelib-1_0-GstPbutils-1_0 typelib-1_0-GstTag-1_0 typelib-1_0-GstVideo-1_0 - Update to version 1.28.4: + audio-resampler-neon: fix accumulated stride + audio-resampler-neon: re-increment address + audioaggregator: Remove brittle conversion of in-progress buffers + discoverer: Lock the DISCO_LOCK whenever accessing the streams list + gl: egl: Set TRANSFER_NEED_DOWNLOAD flag + gldownload: Can't handle directly imported dmabufs from glupload + glupload: fix memleak on failure path + glwindow: Allow setting a NULL window handle + id3v2: Don't modify const data and check for enough data when reading RVA2 tags + id3v2: Don't unnecessarily assert on size==0 when unsyncing data + pbutils: Add NULL check for tmpcaps parsing + pbutils: Fix possible null dereference when empty string is provided + rtcpbuffer: Add some missing bounds checks when parsing SDES + sdp: keep level-asymmetry-allowed in the caps + subparse: Avoid zero and extreme fps when parsing mdvdsub subtitles + uridecodebin3: Use PLAY_ITEMS_LOCK for URI-related getter + uridecodebin: Protect missing_plugin_errors list from concurrent access + videodmabufpool: Fix debug category + xmptag: Correctly initialize pointer to the end of the input array ==== gstreamer-plugins-good ==== Version update (1.28.3 -> 1.28.4) Subpackages: gstreamer-plugins-good-gtk gstreamer-plugins-good-lang - Update to version 1.28.4: + matroska-mux: Write ReferenceBlock for non-keyframe video in BlockGroups + osxaudio: Fix stack overflow with >64ch audio devices + qtdemux: parse mastering luminance as u32 instead of u16 + qt6: remove an unneeded QOpenGLContext->makeCurrent() + rtph265depay: fix memory leak + sbcparse: Add bounds checking to header parsing + tests: mpegaudioparse: Fix raciness in the state change handling + v4l2: Fix buffer leak on qbuf failure + wavpack: Various channel / channel-mask related fixes + wavpackdec: Avoid integer overflow when calculating output buffer size and related fixes + wavpackenc fails for channels > 2 ==== gstreamer-plugins-libav ==== Version update (1.28.2 -> 1.28.4) - Update to version 1.28.4: + avdemux: Always free AVIOContext and open failure and don't dereference NULL AVFormatContext + avprotocol: Don't free GstFFMpegPipe when closing the AVIOContext - Update to version 1.28.3: + No changes, stable bump only ==== gstreamer-plugins-rs ==== Version update (1.28.3 -> 1.28.4) - Update to version 1.28.4: + fmp4mux: Fix draining in chunk mode after partial GOPs were drained + Rtp2Session: add ParamSpec for property stats + rtspsrc2: Add support for SET_PARAMETER and GET_PARAMETER using signals + rtspsrc2: Add support for SRTP + rtspsrc2: Add TLS support + rtspsrc2: handle parse errors with tcp interleaved rtsp more gracefully + rtspsrc2: Implement authentication support + rtspsrc2: Implement support for HTTP tunnelling + rtspsrc2: Implement support for keep alive + rtspsrc2: Implement support for streams + rtspsrc2: Include user-agent property in HTTP tunnel requests + rtspsrc2: Support TLS validation flags for server certificate + rtspsrc2: Support latency configuration property + rtspsrc2: Update README with implemented features + st2038combiner: only forward video pad segment + webrtc: set level in negotiated caps only if level asymmetry not allowed + webrtcsink: handle payloader timestamp-offset prop type variants + webrtcsrc, webrtcsink: Fix SDP renegotiation bugs + Added script to convert git sourced dependencies to crates.io packages + gst-plugin-version-helper: Relax version requirements and update to 0.8.4 ==== gstreamer-plugins-ugly ==== Version update (1.28.2 -> 1.28.4) Subpackages: gstreamer-plugins-ugly-lang - Update to version 1.28.4: + realmedia: Fixes for various out-of-bounds reads - Update to version 1.28.3: + No changes, stable version bump only. ==== libcacard ==== Version update (2.8.1 -> 2.8.2) - Update to version 2.8.2 * Sort certificates by underlying objects CKA_ID to provide deterministic object order * Avoid using uninitialized memory * Improve test coverage and build scripts * Improve compatibility with modern compilers (avoid strict warnings) ==== ncurses ==== Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen - Pre work for ABI 7 ==== openSUSE-release ==== Version update (20260612 -> 20260613) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== opensc ==== Subpackages: opensc-bash-completion - added patches CVE-2026-10275: global buffer overflow during key pair generation tests due to missing input validation [bsc#1267246] * opensc-CVE-2026-10275.patch ==== openssl-3 ==== Subpackages: libopenssl3 libopenssl3-32bit libopenssl3-x86-64-v3 - Security fixes: * CVE-2026-45447: Heap Use-After-Free in OpenSSL PKCS7_verify() (bsc#1266357) * CVE-2026-45446: Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes (bsc#1266356) * CVE-2026-42770: FFC-DH Peer Validation Uses Attacker-Supplied q (bsc#1266353) * CVE-2026-45445: AES-OCB IV Ignored on EVP_Cipher() Path (bsc#1266355) * CVE-2026-42767: NULL Pointer Dereference in CRMF EncryptedValue Decryption (bsc#1266350) * CVE-2026-42768: Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt() (bsc#1266351) * CVE-2026-42769: Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate (bsc#1266352) * CVE-2026-42766: Possible NULL Dereference in Password-Based CMS Decryption (bsc#1266349) * CVE-2026-34183: Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler (bsc#1266345) * CVE-2026-42764: NULL pointer dereference in QUIC server initial packet handling (bsc#1266347) * CVE-2026-34182: CMS AuthEnvelopedData Processing May Accept Forged Messages (bsc#1266344) * CVE-2026-9076: Out-of-Bounds Read in CMS Password-Based Decryption (bsc#1266341) * CVE-2026-7383: Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion (bsc#1266340) * CVE-2026-34180: Heap Buffer Over-read in ASN.1 Content Parsing (bsc#1266342) * Add patches: openssl-CVE-2026-45447.patch openssl-CVE-2026-45446.patch openssl-CVE-2026-42770.patch openssl-CVE-2026-45445.patch openssl-CVE-2026-42767.patch openssl-CVE-2026-42768.patch openssl-CVE-2026-42769.patch openssl-CVE-2026-42766.patch openssl-CVE-2026-34183.patch openssl-CVE-2026-42764.patch openssl-CVE-2026-34182.patch openssl-CVE-2026-9076.patch openssl-CVE-2026-7383.patch openssl-CVE-2026-34180.patch ==== python-tornado6 ==== Version update (6.5.5 -> 6.5.7) - Update to 6.5.7: [#]# Security fixes * CurlAsyncHTTPClient now fully resets the curl object before reusing it. This prevents incorrectly reusing options from a previous request, specifically including client SSL and credentials used for accessing proxies. * SimpleAsyncHTTPClient now strips the Authorization and Cookie headers from the request when following a redirect to a different origin. This matches the default behavior of CurlAsyncHTTPClient. Applications that need different behavior here can set follow_redirects=False and handle redirects manually. CVE-2026-49853 * SimpleAsyncHTTPClient now enforces max_body_size on the decompressed size of the response, rather than the compressed size. This prevents a denial-of-service attack via a very large compressed response. CVE-2026-49855 * Fixed a bug in the C extension that could have read up to three bytes past the end of an input array. CVE-2026-49854 * OpenIDMixin has improved parsing for the check_authentication response. [#]# Bug fixes * CurlAsyncHTTPClient has been updated to use non-deprecated APIs, avoiding deprecation warnings with recent versions of pycurl. - Refreshed patch ignore-resourcewarning-doctests.patch - Drop patch fix-tests-with-curl-8-19.patch, merged upstream. ==== qatlib ==== Version update (25.08.0 -> 26.02.0) Subpackages: libqat4 libusdm0 - version update to 26.02.0 * Added support to configure EPOLL/POLL mode * Added USDM APIs to enable zero-copy DMA operations using IOVA mapping with user-allocated memory buffers * Simplified file license headers to use SPDX identifiers and only BSD3 * Removed unnecessary Dual GPLv2/BSD3 license headers * Aligned with CPA API v5.08 * Bug Fixes (See Resolved section in README.md) ==== qatzip ==== Version update (1.3.1 -> 1.3.2) - Update to version 1.3.2 * README updates * Add AX_PTHREAD & Refactor * Bug Fixes and Static analysis issue fixes * Use extension_result for Async API * Fix spaces before \n in logs * Update copyright year to 2026 * Fix qzip infiniteloop with large gzip file. * Fix Coverity issues * Fix Openscanhub issues * Fix Spelling & Add missing man/qatzip-test.1 * Update dockerfile to copy source of binaries in the final image * Modify decompression dest len for test mode 4 * Add option to write logs to file * Refactor README - Refresh qatzip-fortify_source=3.patch ==== rav1e ==== - Update cargo dependencies (bsc#1249016 CVE-2025-58160). ==== ruby-common ==== - Fix gem_packages template for the alts case. We were always using spec.name when it should have been the loop variable executable. ==== snapper ==== Subpackages: libsnapper8 snapper-lang snapper-zypp-plugin - add dependencies to dbus in service files (see bsc#1265853) - improved error handling when disconnected by dbus (see gh#openSUSE/snapper#223) - improve error handling if uid of client cannot be detected (see bsc#1265853) - Add snapper-sync to synchronize the highest snapshot number (gh#openSUSE/snapper#1128) ==== sssd ==== Version update (2.13.0 -> 2.13.1) Subpackages: libnfsidmap-sss libsss_certmap0 libsss_idmap0 sssd-krb5-common sssd-ldap - Update to release 2.13.1 * Fixed an issue where SSSD fails to start when DNS is unresponsive. * SSSD no longer crashes if ``ldap_read_rootdse=never`` and ``enumerate=true`` is set. - Add jwk.patch ==== zypper ==== Version update (1.14.97 -> 1.14.98) Subpackages: zypper-log zypper-needs-restarting - Transactional systems: Delegate rw-commands to transactional-wrapper if available (jsc#PED-13680, jsc#PED-15607) On a transactional system where the root filesystem is mounted read-only, zypper commands that modify the system cannot be executed directly. If the system provides a transactional-wrapper utility, zypper will automatically attempt to invoke it. The wrapper transparently executes the zypper command within a new, writable snapshot and manages the lifecycle of that snapshot based on the command's exit status. On transactional systems lacking a transactional-wrapper, users must manually invoke specialized tools -such as transactional-update- to install, update, or remove software. - version 1.14.98