Packages changed:
  capstone
  checkmedia (7.0 -> 7.1)
  glib2 (2.88.1 -> 2.88.2)
  gnome-control-center (50.2 -> 50.3)
  gnome-software (50.2 -> 50.3)
  gssdp (1.6.5 -> 1.6.6)
  gvfs (1.60.0 -> 1.60.1)
  jq (1.8.1 -> 1.8.2)
  libslirp (4.9.1+1 -> 4.9.3+4)
  libvirt
  libzio (1.14 -> 1.15)
  nftables
  nvidia-open-driver-G06-signed
  openSUSE-release (20260625 -> 20260627)
  patterns-kde
  tesseract-ocr

=== Details ===

==== capstone ====

- Modernize packaging to use wheel as an intermediate project
  (`%python_build` is not supported anymore). Make building work
  with the rewritten python interpreters changes.

==== checkmedia ====
Version update (7.0 -> 7.1)
Subpackages: libmediacheck7

- merge gh#openSUSE/checkmedia#25
- fine-tune build requirements
- 7.1

==== glib2 ====
Version update (2.88.1 -> 2.88.2)
Subpackages: glib2-lang glib2-tools libgio-2_0-0 libgirepository-2_0-0 libglib-2_0-0 libglib-2_0-0-32bit libgmodule-2_0-0 libgobject-2_0-0 libgthread-2_0-0 typelib-1_0-GIRepository-3_0 typelib-1_0-GLib-2_0 typelib-1_0-GLibUnix-2_0 typelib-1_0-GModule-2_0 typelib-1_0-GObject-2_0 typelib-1_0-Gio-2_0

- Update to version 2.88.2:
  + gnulib: Fix unused flags variable warning
  + CI: set msys2-clang64 as default job for merges
  + Updated translations.

==== gnome-control-center ====
Version update (50.2 -> 50.3)
Subpackages: gnome-control-center-color gnome-control-center-goa gnome-control-center-lang gnome-control-center-user-faces gnome-control-center-users

- Update to version 50.3:
  + Updated translations.

==== gnome-software ====
Version update (50.2 -> 50.3)
Subpackages: gnome-software-lang gnome-software-plugin-packagekit

- Update to version 50.3:
  + Fix a memory leak
  + Updated translations.

==== gssdp ====
Version update (1.6.5 -> 1.6.6)

- Update to version 1.6.6:
  + Fix binding to unicast sockets (Regression introduced by 1.6.5)

==== gvfs ====
Version update (1.60.0 -> 1.60.1)
Subpackages: gvfs-backend-afc gvfs-backend-goa gvfs-backend-gphoto gvfs-backend-samba gvfs-backends gvfs-fuse gvfs-lang

- Update to version 1.60.1:
  + smb: Fix authentication fallback broken with Samba 4.24
  + dav: Fix redirect handling to prevent HTTPS downgrade and
    credential leakage
  + Some other fixes
  + Updated translations.
- Drop gvfs-fix-udisks2-crash.patch: Fixed upstream.

==== jq ====
Version update (1.8.1 -> 1.8.2)
Subpackages: libjq1

- Update to version 1.8.2
  Security fixes
  * CVE-2026-32316: Fix heap buffer overflow in jvp_string_append and jvp_string_copy_replace_bad.
  * CVE-2026-33947: Limit path depth to prevent stack overflow in jv_setpath, jv_getpath, jv_delpaths.
  * CVE-2026-33948: Fix NUL truncation in the JSON parser.
  * CVE-2026-39956: Fix _strindices missing runtime type checks.
  * CVE-2026-39979: Fix out-of-bounds read in jv_parse_sized().
  * CVE-2026-40164: Randomize hash seed to mitigate hash collision DoS attacks.
  * CVE-2026-40612: Limit containment check depth to prevent stack overflow in contains.
  * CVE-2026-41256: Fix NUL truncation in program files loaded with -f.
  * CVE-2026-41257: Fix signed-int overflow in stack_reallocate.
  * CVE-2026-43894: Reject numeric literals longer than DEC_MAX_DIGITS (999999999).
  * CVE-2026-43895: Reject embedded NUL bytes in module import paths.
  * CVE-2026-43896: Limit recursive object merge depth to prevent stack overflow.
  * CVE-2026-44777: Detect circular module imports to prevent stack overflow.
  * CVE-2026-47770: Guard deep structural equality and comparison recursion.
  * CVE-2026-49839: Fix heap-buffer-overflow in raw file loading.
  * CVE-2026-54679: Tighten string length bounds and propagate invalid jv in implode.
  * GHSA-gf4g-95wj-4q4r: Fix use-after-free in args2obj() array argument path.
  * GHSA-hj52-j2c9-r8r4: Fix signed-int overflow in tokenadd to prevent buffer overflow.
  * Limit the number of function parameters and definitions to prevent SEGV.
  * Pre-allocate tokenbuf for string parser to avoid undefined behavior.
  * Avoid stack overflow when freeing deeply nested values.
  * Fix memory leaks and double frees.
  Releasing
  * Update GPG signing key.
  CLI changes
  * Improve error message truncation with closing delimiters.
  * Remove extra space from die function output.
  * Fix raw input flag not to corrupt multi-byte characters.
  * Fix crash when importing a module with errors twice.
  * Increase the maximum printing depth from 256 to 10000.
  Changes to existing functions
  * Fix rtrimstr("") always outputting "".
  * Fix infinite loop and undefined behavior in del(.[nan]).
  * Refactor @uri and @urid to fix multi-byte UTF-8 corruption.
  * Fix tonumber and toboolean to reject strings with embedded null bytes.
  * Fix undefined behavior in modulo operator.
  * Fix reversed pointer subtraction in f_env bounds check.
  * Fix missing validity check in f_strflocaltime after f_localtime.
  * Fix year 2038 problem on 32-bit platforms.
  * Use // instead of //= in from_entries definition.
  Build and test changes
  * Drop strptime test using non-portable %F.
  * Limit oniguruma depth to 1024 in jq_fuzz_execute.
  * Fix localization test for time formatting functions.
  * Fix expected value assertion.
  * Fix typo in tests/jq.test.
  * Refactor tm2jv to handle fractional seconds.
  * Fix jq_fuzz_parse_stream: use iterative parser API for streaming mode.
  * Fix crashes and resource leaks in jq_testsuite.
  * Support building with --disable-maintainer-mode and source != build dir.
  * Respect SOURCE_DATE_EPOCH while generating man page.
  * Fix undefined pointer arithmetic in UTF-8 helpers.
  * Fix one-byte over-read in BASE64_DECODE_TABLE.
- Drop no longer needed patches:
  * CVE-2026-32316.patch
  * CVE-2026-33947.patch
  * CVE-2026-33948.patch
  * CVE-2026-39956.patch
  * CVE-2026-39979.patch
  * CVE-2026-40164.patch
  * CVE-2026-40612.patch
  * CVE-2026-41256.patch
  * CVE-2026-41257.patch
  * CVE-2026-43894.patch
  * CVE-2026-43895.patch
  * CVE-2026-43896.patch
  * CVE-2026-44777_0.patch
  * CVE-2026-44777_1.patch

==== libslirp ====
Version update (4.9.1+1 -> 4.9.3+4)

- Update to version 4.9.3+4:
  * Add CVE information
  * slirp: permit guestfwd to vhost_addr/vnameserver_addr
  * Test qemu migration support
  * Release v4.9.3
  * slirp: Fix migration break on incorrect vmstate retcode
  * Add missing diff url
  * Release v4.9.2
  * tcp_sockclosed: Set linger timer on remaining closing states
  * oob: cap urgent data count to what is actually available
  * bootp: allow https for UEFI HTTP boot
  * ncsi: Document the Get Version ID (GVI) packet handler
  * ncsi: Document why we fix memory alignment by adding 2-byte padding
  * ncsi: add documentation comments to the packet handler table for improved readability
  * Fix byte order
  * SO_ERROR: take the errno as error hint
  * vmstate: pass on read/write errors for state
  * cope with SO_ERROR possibly failing
  * Move the modified 3-Clause BSD text into LICENSE
  * fix: honor dns server port number on macos
- fixes CVE-2026-9539 [bsc#1268903]

==== libvirt ====
Subpackages: libvirt-client libvirt-daemon-common libvirt-daemon-config-network libvirt-daemon-driver-network libvirt-daemon-driver-nodedev libvirt-daemon-driver-qemu libvirt-daemon-driver-secret libvirt-daemon-driver-storage libvirt-daemon-driver-storage-core libvirt-daemon-driver-storage-disk libvirt-daemon-driver-storage-iscsi libvirt-daemon-driver-storage-iscsi-direct libvirt-daemon-driver-storage-logical libvirt-daemon-driver-storage-mpath libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-scsi libvirt-daemon-lock libvirt-daemon-log libvirt-daemon-plugin-lockd libvirt-daemon-qemu libvirt-libs

- spec: Strengthen dependency on numa-preplace
  bsc#1268783
- spec: Don't configure non-existent virt-secret-init-encryption
  socket units
  bsc#1268535

==== libzio ====
Version update (1.14 -> 1.15)

- Update to version 1.15
  Refactored zio.c as well as optimized
  - Functional Verification: All compression formats (gzip, bzip2,
    lzma, xz, zstd) were validated via the test loop.
  - Static Analysis & Bugfixes:
    - Fixed a memory leak and uninitialized value in autodetect and
      fzopen.
    - Fixed Double-Free vulnerabilities in zio_open_gzip_pipe and
      zio_open_bzip2_pipe.
  - Compatibility: Verified the HAS_LZMADEC_H path with the legacy
    lzmadec.h.
  - Optimizations: Replaced heap allocation for the check buffer with
    a stack-based buffer in fzopen and _knowntype_fdzopen to reduce
    overhead.

==== nftables ====
Subpackages: libnftables1 python313-nftables

- add support-reproducible-build.patch: this is a cherry pick of four
  unreleased upstream commits which are needed to properly backport
  the reproducible build feature.

==== nvidia-open-driver-G06-signed ====

- linux-7.1.patch
  * improved patch in order to avoid Use-After-Free (found by AI
    review; proposal fix by Michal Suchanek)
- linux-7.1.patch:
  * fixes build against kernel 7.1 (currently blocking our kernel 7.1
    release for TW); stolen from changes for 580.159.04 release
    (boo#1268331)

==== openSUSE-release ====
Version update (20260625 -> 20260627)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== patterns-kde ====
Subpackages: patterns-kde-kde patterns-kde-kde_edutainment patterns-kde-kde_games patterns-kde-kde_ide patterns-kde-kde_imaging patterns-kde-kde_internet patterns-kde-kde_multimedia patterns-kde-kde_office patterns-kde-kde_pim patterns-kde-kde_plasma patterns-kde-kde_utilities patterns-kde-kde_utilities_opt patterns-kde-kde_yast

- Disambiguate kde_utilities and kde_utilities_opt pattern summaries
  (bsc#1267854)

==== tesseract-ocr ====
Subpackages: libtesseract5 libtesseract5-x86-64-v3 tesseract-ocr-common

- Drop the now-unused OpenCL build dependencies opencl-headers and
  pkgconfig(OpenCL) (boo#1213370):
  * OpenCL support is experimental and disabled (the --enable-opencl
    configure flag was already removed); these requires were left
    behind and only bloated the build.
  * With OpenCL off, libtesseract no longer links libOpenCL.so.1, so
    it no longer fails to start with "libOpenCL.so.1: cannot open
    shared object file" (boo#1232640).