Packages changed:
  apache2-mod_php8 (8.4.8 -> 8.4.10)
  chrony (4.6.1 -> 4.7)
  gcc15
  git (2.50.0 -> 2.50.1)
  libcamera
  libstorage-ng (4.5.260 -> 4.5.261)
  llvm20
  openSUSE-release (20250709 -> 20250710)
  pcsc-towitoko
  php8 (8.4.8 -> 8.4.10)
  python-Pygments
  python-click
  python-kiwi (10.2.26 -> 10.2.27)
  python-notify2
  python-typing_extensions (4.13.2 -> 4.14.0)
  systemd-rpm-macros (24 -> 26)

=== Details ===

==== apache2-mod_php8 ====
Version update (8.4.8 -> 8.4.10)

- version update to 8.4.10 [bsc#1246146][bsc#1246148][bsc#1246167]
  BcMath:
    Fixed bug GH-18641 (Accessing a BcMath\Number property by ref crashes).
  Core:
    Fixed bugs GH-17711 and GH-18022 (Infinite recursion on deprecated attribute evaluation) and GH-18464 (Recursion protection for deprecation constants not released on bailout).
    Fixed GH-18695 (zend_ast_export() - float number is not preserved).
    Fix handling of references in zval_try_get_long().
    Do not delete main chunk in zend_gc.
    Fix compile issues with zend_alloc and some non-default options.
  Curl:
    Fix memory leak when setting a list via curl_setopt fails.
  Date:
    Fix leaks with multiple calls to DatePeriod iterator current().
  DOM:
    Fixed bug GH-18744 (classList works not correctly if copy HTMLElement by clone keyword).
  FPM:
    Fixed GH-18662 (fpm_get_status segfault).
  Hash:
    Fixed bug GH-14551 (PGO build fails with xxhash).
  Intl:
    Fix memory leak in intl_datetime_decompose() on failure.
    Fix memory leak in locale lookup on failure.
  Opcache:
    Fixed bug GH-18743 (Incompatibility in Inline TLS Assembly on Alpine 3.22).
  ODBC:
    Fix memory leak on php_odbc_fetch_hash() failure.
  OpenSSL:
    Fix memory leak of X509_STORE in php_openssl_setup_verify() on failure.
    Fixed bug #74796 (Requests through http proxy set peer name).
  PGSQL:
    Fixed GHSA-hrwm-9436-5mv3 (pgsql extension does not check for errors during escaping). (CVE-2025-1735)
    Fix warning not being emitted when failure to cancel a query with pg_cancel_query().
  PDO ODBC:
    Fix memory leak if WideCharToMultiByte() fails.
  PDO Sqlite:
    Fixed memory leak with Pdo_Sqlite::createCollation when the callback has an incorrect return type.
  Phar:
    Add missing filter cleanups on phar failure.
    Fixed bug GH-18642 (Signed integer overflow in ext/phar fseek).
  PHPDBG:
    Fix 'phpdbg --help' segfault on shutdown with USE_ZEND_ALLOC=0.
  Random:
    Fix reference type confusion and leak in user random engine.
  Readline:
    Fix memory leak when calloc() fails in php_readline_completion_cb().
  SimpleXML:
    Fixed bug GH-18597 (Heap-buffer-overflow in zend_alloc.c when assigning string with UTF-8 bytes).
  SOAP:
    Fix memory leaks in php_http.c when call_user_function() fails.
    Fixed GHSA-453j-q27h-5p8x (NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix). (CVE-2025-6491)
  Standard:
    Fixed GHSA-3cr5-j632-f35r (Null byte termination in hostnames). (CVE-2025-1220)
  Tidy:
    Fix memory leak in tidy output handler on error.
    Fix tidyOptIsReadonly deprecation, using tidyOptGetCategory.
- modified patches
  % php-build-reproducible-phar.patch (refreshed)

==== chrony ====
Version update (4.6.1 -> 4.7)
Subpackages: chrony-pool-openSUSE

- Update to version 4.5:
  * Add opencommands directive to select remote monitoring commands
  * Add interval option to driftfile directive
  * Add waitsynced and waitunsynced options to local directive
  * Add sanity checks for integer values in configuration
  * Add support for systemd Type=notify service
  * Add RTC refclock driver
  * Allow PHC refclock to be specified with network interface name
  * Don’t require multiple refclock samples per poll to simplify filter configuration
  * Keep refclock reachable when dropping samples with large delay
  * Improve quantile-based filtering to adapt faster to larger delay
  * Improve logging of selection failures
  * Detect clock interference from other processes
  * Try to reopen message log (-l option) on cyclelogs command
  * Fix sourcedir reloading to not multiply sources
  * Fix tracking offset after failed clock step
  * Drop support for NTS with Nettle < 3.6 and
    GnuTLS < 3.6.14
  * Drop support for building without POSIX threads
- Update clknetsim to snapshot 530d1a5.

==== gcc15 ====
Subpackages: cpp15 gcc15-locale libasan8 libatomic1 libgcc_s1 libgcc_s1-32bit libgccjit0 libgfortran5 libgomp1 libhwasan0 libitm1 liblsan0 libobjc4 libquadmath0 libstdc++6 libstdc++6-32bit libstdc++6-locale libstdc++6-pp libstdc++6-pp-32bit libtsan2 libubsan1

- Prune the use of update-alternatives from openSUSE Factory and SLFO.
- Adjust crosses to conflict consistently where they did not already and make them use unsuffixed binaries.

==== git ====
Version update (2.50.0 -> 2.50.1)
Subpackages: git-core git-email git-gui git-web gitk perl-Git

- refreshed gitk sha256 patches:
  0001-gitk-Add-support-of-SHA256-repo.patch
  0002-git-gui-Add-support-of-SHA256-repo.patch
- update to 2.50.1 (boo#1245938 boo#1245939 boo#1245942 boo#1245943 boo#1245946 boo#1245947)
  Security fixes for CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386

  CVE-2025-27613, Gitk:
    When a user clones an untrusted repository and runs Gitk without additional command arguments, any writable file can be created and truncated. The option "Support per-file encoding" must have been enabled. The operation "Show origin of this line" is affected as well, regardless of the option being enabled or not.

  CVE-2025-27614, Gitk:
    A Git repository can be crafted in such a way that a user who has cloned the repository can be tricked into running any script supplied by the attacker by invoking `gitk filename`, where `filename` has a particular structure.

  CVE-2025-46334, Git GUI (Windows only):
    A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. On Windows, path lookup can find such executables in the worktree. These programs are invoked when the user selects "Git Bash" or "Browse Files" from the menu.

  CVE-2025-46835, Git GUI:
    When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite any writable file.

  CVE-2025-48384, Git:
    When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout.

  CVE-2025-48385, Git:
    When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution.

  CVE-2025-48386, Git:
    The wincred credential helper uses a static buffer (`target`) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with `wcsncat()`, leading to potential buffer overflows.

==== libcamera ====
Subpackages: libcamera-base0_5 libcamera0_5

- Add reproducible.patch to skip module signing (boo#1217690)

==== libstorage-ng ====
Version update (4.5.260 -> 4.5.261)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1

- merge gh#openSUSE/libstorage-ng#1026
- log output of lvmdevices during probing for debugging
- 4.5.261

==== llvm20 ====
- Replace usage of %jobs for reproducible builds (boo#1237231)
- Install liborc_rt-*.a on loongarch64

==== openSUSE-release ====
Version update (20250709 -> 20250710)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== pcsc-towitoko ====
Subpackages: libtowitoko2

- Fix build with gcc15:
  * Remove bool typedef as not needed and not used in the code
  * Add towitoko-gcc15.patch

==== php8 ====
Version update (8.4.8 -> 8.4.10)
Subpackages: php8-ctype php8-dom php8-iconv php8-openssl php8-pdo php8-sqlite php8-tokenizer php8-xmlreader php8-xmlwriter

- version update to 8.4.10 [bsc#1246146][bsc#1246148][bsc#1246167]
  BcMath:
    Fixed bug GH-18641 (Accessing a BcMath\Number property by ref crashes).
  Core:
    Fixed bugs GH-17711 and GH-18022 (Infinite recursion on deprecated attribute evaluation) and GH-18464 (Recursion protection for deprecation constants not released on bailout).
    Fixed GH-18695 (zend_ast_export() - float number is not preserved).
    Fix handling of references in zval_try_get_long().
    Do not delete main chunk in zend_gc.
    Fix compile issues with zend_alloc and some non-default options.
  Curl:
    Fix memory leak when setting a list via curl_setopt fails.
  Date:
    Fix leaks with multiple calls to DatePeriod iterator current().
  DOM:
    Fixed bug GH-18744 (classList works not correctly if copy HTMLElement by clone keyword).
  FPM:
    Fixed GH-18662 (fpm_get_status segfault).
  Hash:
    Fixed bug GH-14551 (PGO build fails with xxhash).
  Intl:
    Fix memory leak in intl_datetime_decompose() on failure.
    Fix memory leak in locale lookup on failure.
  Opcache:
    Fixed bug GH-18743 (Incompatibility in Inline TLS Assembly on Alpine 3.22).
  ODBC:
    Fix memory leak on php_odbc_fetch_hash() failure.
  OpenSSL:
    Fix memory leak of X509_STORE in php_openssl_setup_verify() on failure.
    Fixed bug #74796 (Requests through http proxy set peer name).
  PGSQL:
    Fixed GHSA-hrwm-9436-5mv3 (pgsql extension does not check for errors during escaping). (CVE-2025-1735)
    Fix warning not being emitted when failure to cancel a query with pg_cancel_query().
  PDO ODBC:
    Fix memory leak if WideCharToMultiByte() fails.
  PDO Sqlite:
    Fixed memory leak with Pdo_Sqlite::createCollation when the callback has an incorrect return type.
  Phar:
    Add missing filter cleanups on phar failure.
    Fixed bug GH-18642 (Signed integer overflow in ext/phar fseek).
  PHPDBG:
    Fix 'phpdbg --help' segfault on shutdown with USE_ZEND_ALLOC=0.
  Random:
    Fix reference type confusion and leak in user random engine.
  Readline:
    Fix memory leak when calloc() fails in php_readline_completion_cb().
  SimpleXML:
    Fixed bug GH-18597 (Heap-buffer-overflow in zend_alloc.c when assigning string with UTF-8 bytes).
  SOAP:
    Fix memory leaks in php_http.c when call_user_function() fails.
    Fixed GHSA-453j-q27h-5p8x (NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix). (CVE-2025-6491)
  Standard:
    Fixed GHSA-3cr5-j632-f35r (Null byte termination in hostnames). (CVE-2025-1220)
  Tidy:
    Fix memory leak in tidy output handler on error.
    Fix tidyOptIsReadonly deprecation, using tidyOptGetCategory.
- modified patches
  % php-build-reproducible-phar.patch (refreshed)

==== python-Pygments ====
- Skip testcase that breaks with pytest 8.4.

==== python-click ====
- Add click-8.2.1-clirunner.patch to fix clirunner breaking other modules' tests, cf.
  github.com/pallets/click/issues/2939

==== python-kiwi ====
Version update (10.2.26 -> 10.2.27)

- Bump version: 10.2.26 → 10.2.27
- Fix regression in get_partition_node_name
  backwards compat for lsblk before 2.38 if START column not supported, fall back to default sort
- Add global option --setenv
  Allow to set environment variables in the caller environment via the commandline, e.g --setenv SOURCE_DATE_EPOCH=42
- Seed filesystem UUIDs with SOURCE_DATE_EPOCH
  For reproducible builds the calculation of the filesystem UUID should be persistent with each rebuild of the image. To achieve this the UUID is calculated using the SOURCE_DATE_EPOCH from the environment plus a char-number representation of the filesystem label name as random seed. In kiwi every filesystem is created with a label, thus only in case there is no SOURCE_DATE_EPOCH available we continue to create the UUID as random data. This Fixes #2761
- Add label attribute for section
  Allow to specify a filesystem label as part of a definition. So far the label was set by the name of the partition. With the new label attribute, a filesystem label different from the partition name can be set. This commit also updates/fixes the documentation in this regard.
- Improve log message in SystemIdentifier
  Add some scope information such that we know from where this log information originates from.
- Add rd.kiwi.install.devicepersistency
  Allow to specify which type of persistent device name should be used to build up the list of installation disk devices. For example rd.kiwi.install.devicepersistency=by-path would use the by-path representations for the available disk devices. The default (by-id) stays untouched. In case an invalid or not present device representation is selected, kiwi falls back to the non persistent unix node names.
- Update test-image-disk
  Add NetworkManager for better remote debugging capabilities
- Make mbr-id deterministic
  Log the value of SDE so it is available to review, even if the build system does not tell about it. Update the tests to cover the new code-path.
  Co-Authored-By: Marcus Schäfer
- Ensure dracut initrd is reproducible
  This helps a bit with issue #2358
  Add reproducible flag for UKI too
  Update tests accordingly
  Co-Authored-By: Marcus Schäfer

==== python-notify2 ====
- Switch to pyproject macros.

==== python-typing_extensions ====
Version update (4.13.2 -> 4.14.0)

- Update to 4.14.0
  * Remove `__or__` and `__ror__` methods from `typing_extensions.Sentinel` on Python versions <3.10. PEP 604 was introduced in Python 3.10, and `typing_extensions` does not generally attempt to backport PEP-604 methods to prior versions.
  * Further update `typing_extensions.evaluate_forward_ref` with changes in Python 3.14.
- from version 4.14.0rc1
  * Drop support for Python 3.8 (including PyPy-3.8). Patch by Victorien Plot.
  * Do not attempt to re-export names that have been removed from `typing`, anticipating the removal of `typing.no_type_check_decorator` in Python 3.15. Patch by Jelle Zijlstra.
  * Update `typing_extensions.Format`, `typing_extensions.evaluate_forward_ref`, and `typing_extensions.TypedDict` to align with changes in Python 3.14. Patches by Jelle Zijlstra.
  * Fix tests for Python 3.14 and 3.15. Patches by Jelle Zijlstra.
  * Add support for inline typed dictionaries (PEP 764). Patch by [Victorien Plot](https://github.com/Viicos).
  * Add `typing_extensions.Reader` and `typing_extensions.Writer`. Patch by Sebastian Rittau.
  * Add support for sentinels (PEP 661). Patch by Victorien Plot.
- Update BuildRequires from pyproject.toml

==== systemd-rpm-macros ====
Version update (24 -> 26)

- Bump version to 26
- Introduce %udev_trigger_with_reload() for packages that need to trigger events in their scriptlets.
  The new macro automatically triggers a reload of the udev rule files as this step is often overlooked by packages (bsc#1237143).
- Bump to version 25
- Turn %tmpfiles_create/%sysusers_create into NOPs
  The 2 following macros have also been converted into NOPs since we moved to file triggers. Some packages might have assumed that their effects were effective as soon as the macros return. However such assumption on tmpfiles can't work on transactional systems anyways where changes must take place on reboot.
  When a system user/group needs to be created in %%pre, so proper ownership is used when package's files are installed, "sysusers_create_package()" should be used.