Packages changed:
MicroOS-release (20250820 -> 20250822)
fuse3 (3.17.3 -> 3.17.4)
gettext-runtime (0.25.1 -> 0.26)
kernel-firmware-amdgpu (20250811 -> 20250815)
kernel-firmware-ath11k (20250808 -> 20250820)
kernel-firmware-bluetooth (20250808 -> 20250820)
kernel-firmware-intel (20250718 -> 20250821)
kernel-firmware-iwlwifi (20250609 -> 20250818)
kernel-firmware-media (20250804 -> 20250820)
kernel-firmware-qcom (20250808 -> 20250820)
kernel-firmware-realtek (20250814 -> 20250820)
kernel-firmware-sound (20250721 -> 20250821)
keylime
kwin6
libnftnl (1.2.9 -> 1.3.0)
nftables (1.1.3 -> 1.1.4)
python-jsonschema (4.25.0 -> 4.25.1)
python-maturin
python313 (3.13.5 -> 3.13.7)
python313-core (3.13.5 -> 3.13.7)
rust-keylime (0.2.7+141 -> 0.2.8+12)
sdbootutil (1+git20250812.13f4562 -> 1+git20250820.077bd8b)
tiff
transactional-update (5.0.7 -> 5.1.0)
=== Details ===
==== MicroOS-release ====
Version update (20250820 -> 20250822)
Subpackages: MicroOS-release-appliance MicroOS-release-dvd
- automatically generated by openSUSE-release-tools/pkglistgen
==== fuse3 ====
Version update (3.17.3 -> 3.17.4)
Subpackages: libfuse3-4
- Update to release 3.17.4
* detect mount-utils by checking for /run/mount/utab
==== gettext-runtime ====
Version update (0.25.1 -> 0.26)
Subpackages: envsubst libtextstyle0
- Update to version 0.26:
* C, C++, Python, JavaScript, EmacsLisp, librep, Go, Ruby, awk, D, Tcl,
Perl, PHP:
- xgettext's heuristic recognition of format strings has been improved:
strings like "100% complete" (with a space flag in a format directive)
are no longer flagged as format strings by default, unless they occur
in a context that requires a format string. You can override this
heuristic by using a comment of the form /* xgettext: c-format */.
* Shell:
- The documentation now mentions two other approaches for
internationalizing messages with parameters in shell scripts.
- xgettext now recognizes format strings in the 'printf' command syntax.
They are marked as 'sh-printf-format' in POT and PO files.
- Two new programs 'printf_gettext' and 'printf_ngettext' are provided,
that do formatted output with a localized format string in a more
efficient way (without spawning a subshell).
- xgettext now recognizes the \c, \u, and \U escape sequences in dollar-
single-quoted strings $'...'.
[#] Improvements for maintainers:
* xgettext:
- When extracting a message with plural that is some format string,
xgettext now verifies that the msgid and msgid_plural are compatible
as format strings. For most format string types, this still allows
omitting from msgid a placeholder that is used in msgid_plural. But
when a placeholder is used in both msgid and msgid_plural, its type
must be the same in both.
- xgettext now suggests a refactoring when a translatable string
contains an URL or email address.
[#] Improvements for translators:
* msggrep:
- msggrep accepts two new options -W/--workflow-flags and -S/--sticky-flags
that allow to select only messages that have a specified flag.
- Refresh patches.
==== kernel-firmware-amdgpu ====
Version update (20250811 -> 20250815)
- Update to version 20250815 (git commit 07ed893df57c):
* amdgpu: DMCUB updates for various ASICs
==== kernel-firmware-ath11k ====
Version update (20250808 -> 20250820)
- Update to version 20250820 (git commit 70dda28e5098):
* ath11k: WCN6855 hw2.0@nfa765: add to WLAN.HSP.1.1-04685-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1
==== kernel-firmware-bluetooth ====
Version update (20250808 -> 20250820)
- Update to version 20250820 (git commit 70dda28e5098):
* Link rtl8723b_config.bin to rtl8723bs
==== kernel-firmware-intel ====
Version update (20250718 -> 20250821)
- Update to version 20250821 (git commit c88f7d064603):
* intel/ish: Add firmware for LENOVO THINKPAD X1 2-in-1 Gen 10
==== kernel-firmware-iwlwifi ====
Version update (20250609 -> 20250818)
- Update to version 20250818 (git commit 72a326cda491):
* iwlwifi: add Bz/gl FW for core97-84 release
* iwlwifi: update ty/So/Ma firmwares for core97-84 release
* iwlwifi: update cc/Qu/QuZ firmwares for core97-84 release
==== kernel-firmware-media ====
Version update (20250804 -> 20250820)
- Update to version 20250820 (git commit 70dda28e5098):
* qcom: Add firmware binary for SM8650.
==== kernel-firmware-qcom ====
Version update (20250808 -> 20250820)
- Update to version 20250820 (git commit 70dda28e5098):
* qcom: add CDSP firmware for x1e80100 platform
==== kernel-firmware-realtek ====
Version update (20250814 -> 20250820)
- Update to version 20250820 (git commit 70dda28e5098):
* rtw89: 8922a: update fw to v0.35.80.3
* rtw89: 8852c: update fw to v0.27.129.4
* rtw89: 8852c: update fw to v0.27.129.3
==== kernel-firmware-sound ====
Version update (20250721 -> 20250821)
- Update to version 20250821 (git commit c88f7d064603):
* cirrus: cs35l41: Move entries to correct driver section in WHENCE
* cirrus: cs35l56: Update firmware for Cirrus Amps for some Lenovo laptops
- Update to version 20250820 (git commit 70dda28e5098):
* cirrus: cs35l56: Add firmware for Cirrus Amps for some Lenovo laptops
==== keylime ====
Subpackages: keylime-config keylime-firewalld keylime-logrotate keylime-registrar keylime-tenant keylime-tpm_cert_store keylime-verifier python313-keylime
- Convert to libalternatives on SLE-16-based and newer systems
==== kwin6 ====
Subpackages: libkwin6
- Add patch to avoid flicker due to amdgpu driver bug (kde#508350):
* 0001-backends-drm-work-around-amdgpu-applying-GAMMA_LUT-i.patch
==== libnftnl ====
Version update (1.2.9 -> 1.3.0)
- Update to release 1.3.0
* set: dump set backend name (hash, rbtree...) and elem count,
if available
==== nftables ====
Version update (1.1.3 -> 1.1.4)
Subpackages: libnftables1 python313-nftables
- Add json.patch
- Update to release 1.1.4
* Add conntrack information to monitor trace command.
* Add a 'check' fib result to check for routes.
* Better error reporting with re-declarations set/map with
different types.
* Restore meta hour matching on ranges spanning date boundaries,
e.g. `... meta hour "21:00"-"02:00"`
* Display number of set elements in rule listings.
* Allow deleting maps via their handle.
==== python-jsonschema ====
Version update (4.25.0 -> 4.25.1)
- update to 4.25.1:
* Fix Validator protocol init to match runtime by @sirosen in
[#1396]
==== python-maturin ====
- Convert to libalternatives on SLE-16-based and newer systems only
==== python313 ====
Version update (3.13.5 -> 3.13.7)
- Update to 3.13.7:
- gh-137583: Fix a deadlock introduced in 3.13.6 when a call
to ssl.SSLSocket.recv was blocked in one thread, and then
another method on the object (such as ssl.SSLSocket.send) was
subsequently called in another thread.
- gh-137044: Return large limit values as positive integers
instead of negative integers in resource.getrlimit().
Accept large values and reject negative values (except
RLIM_INFINITY) for limits in resource.setrlimit().
- gh-136914: Fix retrieval of doctest.DocTest.lineno
for objects decorated with functools.cache() or
functools.cached_property.
- gh-131788: Make ResourceTracker.send from multiprocessing
re-entrant safe
- gh-136155: We are now checking for fatal errors in EPUB
builds in CI.
- gh-137400: Fix a crash in the free threading build when
disabling profiling or tracing across all threads with
PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads()
or their Python equivalents threading.settrace_all_threads()
and threading.setprofile_all_threads().
- Remove upstreamed patch:
- gh137583-only-lock-SSL-context.patch
- Add gh137583-only-lock-SSL-context.patch fixing the
regression in 3.13.6 by breaking non-blocking TLS connections
(gh#python/cpython#137583).
- Update to 3.13.6:
- Security
- gh-135661: Fix parsing start and end tags in
html.parser.HTMLParser according to the HTML5 standard.
- Whitespaces no longer accepted between does not end the script section.
- Vertical tabulation (\v) and non-ASCII whitespaces no
longer recognized as whitespaces. The only whitespaces
are \t\n\r\f and space.
- Null character (U+0000) no longer ends the tag name.
- Attributes and slashes after the tag name in end tags
are now ignored, instead of terminating after the first
> in quoted attribute value. E.g. .
- Multiple slashes and whitespaces between the last
attribute and closing > are now ignored in both start
and end tags. E.g. .
- Multiple = between attribute name and value are no
longer collapsed. E.g. produces attribute
“foo” with value “=bar”.
- gh-102555: Fix comment parsing in html.parser.HTMLParser
according to the HTML5 standard. --!> now ends the comment.
- - > no longer ends the comment. Support abnormally ended
empty comments <--> and <--->.
- gh-135462: Fix quadratic complexity in processing specially
crafted input in html.parser.HTMLParser. End-of-file errors
are now handled according to the HTML5 specs – comments and
declarations are automatically closed, tags are ignored
(CVE-2025-6069, bsc#1244705).
- gh-118350: Fix support of escapable raw text mode (elements
“textarea” and “title”) in html.parser.HTMLParser.
- Core and Builtins
- gh-58124: Fix name of the Python encoding in Unicode errors
of the code page codec: use “cp65000” and “cp65001” instead
of “CP_UTF7” and “CP_UTF8” which are not valid Python code
names. Patch by Victor Stinner.
- gh-137314: Fixed a regression where raw f-strings
incorrectly interpreted escape sequences in format
specifications. Raw f-strings now properly preserve literal
backslashes in format specs, matching the behavior from
Python 3.11. For example, rf"{obj:\xFF}" now correctly
produces '\\xFF' instead of 'ÿ'. Patch by Pablo Galindo.
- gh-136541: Fix some issues with the perf trampolines
on x86-64 and aarch64. The trampolines were not being
generated correctly for some cases, which could lead to
the perf integration not working correctly. Patch by Pablo
Galindo.
- gh-109700: Fix memory error handling in
PyDict_SetDefault().
- gh-78465: Fix error message for cls.__new__(cls, ...) where
cls is not instantiable builtin or extension type (with
tp_new set to NULL).
- gh-135871: Non-blocking mutex lock attempts now return
immediately when the lock is busy instead of briefly
spinning in the free threading build.
- gh-135607: Fix potential weakref races in an object’s
destructor on the free threaded build.
- gh-135496: Fix typo in the f-string conversion type error
(“exclamanation” -> “exclamation”).
- gh-130077: Properly raise custom syntax errors when
incorrect syntax containing names that are prefixes of soft
keywords is encountered. Patch by Pablo Galindo.
- gh-135148: Fixed a bug where f-string debug expressions
(using =) would incorrectly strip out parts of strings
containing escaped quotes and # characters. Patch by Pablo
Galindo.
- gh-133136: Limit excess memory usage in the free threading
build when a large dictionary or list is resized and
accessed by multiple threads.
- gh-132617: Fix dict.update() modification check that could
incorrectly raise a “dict mutated during update” error when
a different dictionary was modified that happens to share
the same underlying keys object.
- gh-91153: Fix a crash when a bytearray is concurrently
... changelog too long, skipping 131 lines ...
- CVE-2025-6069-quad-complex-HTMLParser.patch
==== python313-core ====
Version update (3.13.5 -> 3.13.7)
Subpackages: libpython3_13-1_0 python313-base
- Update to 3.13.7:
- gh-137583: Fix a deadlock introduced in 3.13.6 when a call
to ssl.SSLSocket.recv was blocked in one thread, and then
another method on the object (such as ssl.SSLSocket.send) was
subsequently called in another thread.
- gh-137044: Return large limit values as positive integers
instead of negative integers in resource.getrlimit().
Accept large values and reject negative values (except
RLIM_INFINITY) for limits in resource.setrlimit().
- gh-136914: Fix retrieval of doctest.DocTest.lineno
for objects decorated with functools.cache() or
functools.cached_property.
- gh-131788: Make ResourceTracker.send from multiprocessing
re-entrant safe
- gh-136155: We are now checking for fatal errors in EPUB
builds in CI.
- gh-137400: Fix a crash in the free threading build when
disabling profiling or tracing across all threads with
PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads()
or their Python equivalents threading.settrace_all_threads()
and threading.setprofile_all_threads().
- Remove upstreamed patch:
- gh137583-only-lock-SSL-context.patch
- Add gh137583-only-lock-SSL-context.patch fixing the
regression in 3.13.6 by breaking non-blocking TLS connections
(gh#python/cpython#137583).
- Update to 3.13.6:
- Security
- gh-135661: Fix parsing start and end tags in
html.parser.HTMLParser according to the HTML5 standard.
- Whitespaces no longer accepted between does not end the script section.
- Vertical tabulation (\v) and non-ASCII whitespaces no
longer recognized as whitespaces. The only whitespaces
are \t\n\r\f and space.
- Null character (U+0000) no longer ends the tag name.
- Attributes and slashes after the tag name in end tags
are now ignored, instead of terminating after the first
> in quoted attribute value. E.g. .
- Multiple slashes and whitespaces between the last
attribute and closing > are now ignored in both start
and end tags. E.g. .
- Multiple = between attribute name and value are no
longer collapsed. E.g. produces attribute
“foo” with value “=bar”.
- gh-102555: Fix comment parsing in html.parser.HTMLParser
according to the HTML5 standard. --!> now ends the comment.
- - > no longer ends the comment. Support abnormally ended
empty comments <--> and <--->.
- gh-135462: Fix quadratic complexity in processing specially
crafted input in html.parser.HTMLParser. End-of-file errors
are now handled according to the HTML5 specs – comments and
declarations are automatically closed, tags are ignored
(CVE-2025-6069, bsc#1244705).
- gh-118350: Fix support of escapable raw text mode (elements
“textarea” and “title”) in html.parser.HTMLParser.
- Core and Builtins
- gh-58124: Fix name of the Python encoding in Unicode errors
of the code page codec: use “cp65000” and “cp65001” instead
of “CP_UTF7” and “CP_UTF8” which are not valid Python code
names. Patch by Victor Stinner.
- gh-137314: Fixed a regression where raw f-strings
incorrectly interpreted escape sequences in format
specifications. Raw f-strings now properly preserve literal
backslashes in format specs, matching the behavior from
Python 3.11. For example, rf"{obj:\xFF}" now correctly
produces '\\xFF' instead of 'ÿ'. Patch by Pablo Galindo.
- gh-136541: Fix some issues with the perf trampolines
on x86-64 and aarch64. The trampolines were not being
generated correctly for some cases, which could lead to
the perf integration not working correctly. Patch by Pablo
Galindo.
- gh-109700: Fix memory error handling in
PyDict_SetDefault().
- gh-78465: Fix error message for cls.__new__(cls, ...) where
cls is not instantiable builtin or extension type (with
tp_new set to NULL).
- gh-135871: Non-blocking mutex lock attempts now return
immediately when the lock is busy instead of briefly
spinning in the free threading build.
- gh-135607: Fix potential weakref races in an object’s
destructor on the free threaded build.
- gh-135496: Fix typo in the f-string conversion type error
(“exclamanation” -> “exclamation”).
- gh-130077: Properly raise custom syntax errors when
incorrect syntax containing names that are prefixes of soft
keywords is encountered. Patch by Pablo Galindo.
- gh-135148: Fixed a bug where f-string debug expressions
(using =) would incorrectly strip out parts of strings
containing escaped quotes and # characters. Patch by Pablo
Galindo.
- gh-133136: Limit excess memory usage in the free threading
build when a large dictionary or list is resized and
accessed by multiple threads.
- gh-132617: Fix dict.update() modification check that could
incorrectly raise a “dict mutated during update” error when
a different dictionary was modified that happens to share
the same underlying keys object.
- gh-91153: Fix a crash when a bytearray is concurrently
... changelog too long, skipping 131 lines ...
- CVE-2025-6069-quad-complex-HTMLParser.patch
==== rust-keylime ====
Version update (0.2.7+141 -> 0.2.8+12)
- Update vendored crates (bsc#1248006, CVE-2025-55159)
* slab 0.4.11
- Add Cargo_lock.patch patch to update slab and other dependencies
- Update to version 0.2.8+12:
* build(deps): bump actions/checkout from 4 to 5
* build(deps): bump cfg-if from 1.0.0 to 1.0.1
* build(deps): bump openssl from 0.10.72 to 0.10.73
* build(deps): bump clap from 4.5.39 to 4.5.45
* build(deps): bump pest from 2.8.0 to 2.8.1
* Fix clippy warnings
* Use verifier-provided interval for continuous attestation timing
* Add meta object with seconds_to_next_attestation to evidence response
* Fix boot time retrieval
* Fix IMA log format (it must be ['text/plain']) (#1073)
* Remove unnecessary configuration fields
* cargo: Bump retry-policies to version 0.4.0
* Bump version to 0.2.8
==== sdbootutil ====
Version update (1+git20250812.13f4562 -> 1+git20250820.077bd8b)
Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper sdbootutil-tukit
- Update to version 1+git20250820.077bd8b:
* Revert "Ignore UPDATE_NVRAM (bsc#1247952)"
* Fix dracut "No '/dev/log' or 'logger'" message
* Don't mount /etc in chroot with btrfs subvolume
* Fix issue template directory name
- Update to version 1+git20250814.85181f6:
* Add issue templates for bugs and feature requests
* Use command line of target snapshot
* Add --no-measure-pcr to opt-out PCR15
* Remove README images
==== tiff ====
- security update:
* CVE-2025-8534 [bsc#1247582]
Fix null pointer dereference in function PS_Lvl2page
+ tiff-CVE-2025-8534.patch
* CVE-2025-9165 [bsc#1248330]
Fix local execution manipulation can lead to memory leak
+ tiff-CVE-2025-9165.patch
* CVE-2024-13978 [bsc#1247581]
Fix null pointer dereference in tiff2pdf
+ tiff-CVE-2024-13978.patch
==== transactional-update ====
Version update (5.0.7 -> 5.1.0)
Subpackages: dracut-transactional-update libtukit4 transactional-update-zypp-config tukit tukit-snapper-plugin tukitd
- Version 5.1.0
- tukit: signalize errors from plugins; transactions will be
aborted by default now
- t-u: Added `--keep` option; please only use this for debugging
or recovery when a tukit plugin is failing
- setup-fips: could be called multiple times now
- setup-fips: call update-crypto-policies in the correct context
[boo#1246013]
- reboot: Print both requested and actual reboot method for
[poo#163352]
- snapper plugin: Don't touch fstab's timestamp on every run
- t-u: Chaining commands will also work on BLS systems now; this
is also necessary for some regular commands (such as setup-fips
or setup-selinux)
- tukit: Only mount journal dir if available
- tukit: Return full, non-truncated error number when calling
external applications
- tests: Adopt tests to obs environment to avoid root perms
- t-u: Simplified various calls when changing files in /etc (made
possible by the new btrfs subvolume based layout), tukit is
called less often now
- t-u: optimized check for BLS systems
- Removed journalmount.patch (part of regular release now)