Packages changed: PackageKit boost-base boost-extra dracut (110+suse.23.g5d9502c7 -> 110+suse.29.g16072cee) dracut-pcr-signature (0.6+4 -> 0.7+0) glibc inkscape (1.4.3+git2.fcd0343856 -> 1.4.4+git0.dcaf3e7d9e) kernel-source (7.0.3 -> 7.0.5) krb5 libsndfile openSUSE-release (20260507 -> 20260509) openjph (0.27.0 -> 0.27.1) sdbootutil (1+git20260421.88e40c4 -> 1+git20260506.25d47bf) sso-mib (0.8.1 -> 0.9.0) unbound (1.24.2 -> 1.25.0) yelp (49.0+22 -> 49.1) === Details === ==== PackageKit ==== Subpackages: PackageKit-backend-zypp PackageKit-gstreamer-plugin PackageKit-gtk3-module PackageKit-lang libpackagekit-glib2-18 typelib-1_0-PackageKitGlib-1_0 - spec: requires_ge takes a package name as parameter, not a full NVR.arch string (that just happens to work sometimes): Fix by passing '--qf "%%{name}' to the rpm call identifying the target package name. ==== boost-base ==== Subpackages: boost-license1_91_0 libboost_filesystem1_91_0 libboost_filesystem1_91_0-x86-64-v3 libboost_iostreams1_91_0 libboost_iostreams1_91_0-x86-64-v3 libboost_locale1_91_0 libboost_locale1_91_0-x86-64-v3 libboost_thread1_91_0 libboost_thread1_91_0-x86-64-v3 - extended baselibs.conf - minor spec file cleanup ==== boost-extra ==== Subpackages: libboost_python-py3-1_91_0 libboost_python-py3-1_91_0-x86-64-v3 - extended baselibs.conf - minor spec file cleanup ==== dracut ==== Version update (110+suse.23.g5d9502c7 -> 110+suse.29.g16072cee) - Update to version 110+suse.29.g16072cee: * fix(dracut-install): remove FTS_NOSTAT in install_modules() fts traversal * fix(systemd-cryptsetup): load libcryptsetup via dlopen * fix(systemd-repart): load libfdisk via dlopen * fix(systemd-sysusers): do not run systemd-sysusers as part of the build process * fix(systemd): revert changes related to deduplication of cryptsetup targets * feat(systemd-coredump): save coredumps to journal ==== dracut-pcr-signature ==== Version update (0.6+4 -> 0.7+0) - Update to version 0.7+0: * Boot the ESP in /sysefi during initrd ==== glibc ==== Subpackages: glibc-32bit glibc-devel glibc-extra glibc-gconv-modules-extra glibc-gconv-modules-extra-32bit glibc-lang glibc-locale glibc-locale-base - ibm139x-pending-char-state.patch: Use pending character state in IBM1390, IBM1399 character sets (CVE-2026-4046, bsc#1261206, BZ #33980) ==== inkscape ==== Version update (1.4.3+git2.fcd0343856 -> 1.4.4+git0.dcaf3e7d9e) Subpackages: inkscape-extensions-extra inkscape-extensions-gimp inkscape-lang - Update to version INKSCAPE_1_4_4+git0.dcaf3e7d9e: * Documentation update for Inkscape 1.4.4 * Revert "Switch PangoCairo rendering backend to Fontconfig" * Revert "Fix canvas text label Unicode rendering" * update translations * Revert "Show cursor on Text tool constructor" * Revert "Remove cursor show code from _updateCursor" * Speed up drawing cache insert * Prepare 1.4.4-rc * Update man page + tutorials for 1.4.4rc * Show cursor on Text tool constructor * Remove cursor show code from _updateCursor * Fix building with Poppler 26.04.0 * Fix build with poppler-26.03.0. * Switch PangoCairo rendering backend to Fontconfig * Add openmp on LLVM * explicitely make GUI executables on windows * Fix building with Poppler 0.26.02 * Fix warning with poppler 26.x.x * Fix build with poppler 26.01.0 * Make text itemization code clearer * Handle text with different lang across tspans * Fix crash while using maximum scans in trace dialog * Additional patching to make uri test work * Fix crash when opening corrupted Rotate Copies LPE SVGs * Fix crash in connector endpoint handling with null curve * Fix #6040: svg with markers which dont have associated path data now don't cause issues * Fix connector tool crash on overlapping shapes * Add tests for try_attach() from uri-reference.cpp * Fix Suprious Unsupported URI warning for web hyperlinks * Fix mime type of ODF extension * Disconnecting signals in dialog destructors * Use unordered_map where the ordering is not important * Fix crash and disable Corners LPE on groups * Connector Tool: Fix crash when undoing connection * Specify file is relicensed to GPL-2.0-or-later * Add elementary palette * Fix crash on adding knot to invalid gradient * Fix cmdline help showing translation artefacts * Fix clippath item visibility on releasing the clip * Use is_expandable_space for justified text * Fix crash while using tweak tool * Fix canvas text label Unicode rendering * Implement faster and smarter prettify_svgd * Fix gradient tool performance * EnablePages must always select a page if one isn't set. * Fix Layers & Objects dialog slowness * Fix crash on Break Apart with certain paths * Guard against duplicate entries in recently-used.xbel * Make splitPath() match previous behaviour * Fix splitPath() ignoring drive letter on Windows * Include implicit headers for gcc-16 * Avoid unchecked optional access in render_preview * Remove !desktop check in export dialog destruction * Robustify Cairo error handling in Canvas and Export dialog * Fix instructions in the US zine template * Fix crash with pen tablet connected * Fix crash when selecting object with PowerStroke * Fix color entry spamming undo stack * Rename star turn upright for clarity * Fix missing paste on page metadata * Update graphics for 1.4.4 * Revert "Fix Unicode dialog crashing" for alternative fix * Add Level Star action and add it to star toolbar * Stop cursor from blinking when defocused * Fix Opacity is not applied with last style if set with object and dialog * Fix Unicode dialog crashing * update translations * Make expander in L&O dialog clickable in RTL interface * Edit label and tooltip for Preserve Shape setting * Fix Welcome dialog stacking up when run more than once * Fix keyboard navigation in Objects dialog * update translations * Fix missing signal blocking in page toolbar * Convert libuemf to a git submodule * update translations - remove patches, applied upstream * Fix_Poppler_26_01_00_compat.patch * Fix_Poppler_26_02_0_compat.patch * inkscape-gcc16.patch ==== kernel-source ==== Version update (7.0.3 -> 7.0.5) - Linux 7.0.5 (bsc#1012628). - xfrm: esp: avoid in-place decrypt on shared skb frags (bsc#1012628). - commit 77ae3c4 - Linux 7.0.4 (bsc#1012628). - ipmi:ssif: NULL thread on error (bsc#1012628). - ipmi:ssif: Remove unnecessary indention (bsc#1012628). - netfilter: reject zero shift in nft_bitwise (bsc#1012628). - net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels (bsc#1012628). - mm/slab: return NULL early from kmalloc_nolock() in NMI on UP (bsc#1012628). - mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI on UP (bsc#1012628). - vmalloc: fix buffer overflow in vrealloc_node_align() (bsc#1012628). - ALSA: aloop: Fix peer runtime UAF during format-change stop (bsc#1012628). - ALSA: caiaq: fix usb_dev refcount leak on probe failure (bsc#1012628). - drm/imagination: Fix segfault when updating ftrace mask (bsc#1012628). - drm/amdgpu: fix zero-size GDS range init on RDNA4 (bsc#1012628). - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows (bsc#1012628). - ALSA: caiaq: Don't abort when no input device is available (bsc#1012628). - ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path (bsc#1012628). - driver core: Add kernel-doc for DEV_FLAG_COUNT enum value (bsc#1012628). - crypto: authencesn - reject short ahash digests during instance creation (bsc#1012628). - mei: me: add nova lake point H DID (bsc#1012628). - mei: me: use PCI_DEVICE_DATA macro (bsc#1012628). - mm: avoid deadlock when holding rmap on mmap_prepare error (bsc#1012628). - mm: various small mmap_prepare cleanups (bsc#1012628). - wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling (bsc#1012628). - wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor (bsc#1012628). - iio: frequency: admv1013: fix NULL pointer dereference on str (bsc#1012628). - iio: frequency: admv1013: add dev variable (bsc#1012628). - perf loongarch: Fix build failure with CONFIG_LIBDW_DWARF_UNWIND (bsc#1012628). - seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode (bsc#1012628). - scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails (bsc#1012628). - sched_ext: Documentation: Clarify ops.dispatch() role in task lifecycle (bsc#1012628). - rxgk: Fix potential integer overflow in length check (bsc#1012628). - rtmutex: Use waiter::task instead of current in remove_waiter() (bsc#1012628). - ntfs3: fix integer overflow in run_unpack() volume boundary check (bsc#1012628). - ntfs3: add buffer boundary checks to run_unpack() (bsc#1012628). - NFSv4.1: Apply session size limits on clone path (bsc#1012628). - ktest: Fix the month in the name of the failure directory (bsc#1012628). - IB/core: Fix zero dmac race in neighbor resolution (bsc#1012628). - gtp: disable BH before calling udp_tunnel_xmit_skb() (bsc#1012628). - ceph: only d_add() negative dentries when they are unhashed (bsc#1012628). - ceph: fix num_ops off-by-one when crypto allocation fails (bsc#1012628). - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() (bsc#1012628). - dm mirror: fix integer overflow in create_dirty_log() (bsc#1012628). - crypto: nx - Fix packed layout in struct nx842_crypto_header (bsc#1012628). - crypto: nx - fix context leak in nx842_crypto_free_ctx (bsc#1012628). - crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx (bsc#1012628). - crypto: atmel-sha204a - Fix uninitialized data access on OTP read error (bsc#1012628). - crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path (bsc#1012628). - crypto: atmel-sha204a - Fix error codes in OTP reads (bsc#1012628). - crypto: atmel-tdes - fix DMA sync direction (bsc#1012628). - crypto: ccree - fix a memory leak in cc_mac_digest() (bsc#1012628). - crypto: hisilicon - Fix dma_unmap_single() direction (bsc#1012628). - crypto: atmel-ecc - Release client on allocation failure (bsc#1012628). - crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup (bsc#1012628). - crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit (bsc#1012628). - crypto: acomp - fix wrong pointer stored by acomp_save_req() ... changelog too long, skipping 469 lines ... - commit 2d1ff64 ==== krb5 ==== Subpackages: krb5-32bit krb5-client - Fix Fix two NegoEx parsing vulnerabilities: * CVE-2026-40355, bsc#1263366 * CVE-2026-40356, bsc#1263367 - Add patch 0012-Fix-two-NegoEx-parsing-vulnerabilities.patch ==== libsndfile ==== - Fix IMA-ADPCM integer overflow (bsc#1263695, CVE-2026-37555): libsndfile-CVE-2026-37555.patch - Fix buffer overflow in the ircam_read_header function (bsc#1248458, CVE-2025-52194): libsndfile-CVE-2025-52194.patch ==== openSUSE-release ==== Version update (20260507 -> 20260509) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== openjph ==== Version update (0.27.0 -> 0.27.1) - Update to 0.27.1: * Adds a check that we do not use reversible Sqcd/Sqcc with irreversible transform * Detecting illegal precinct width or height #269 ==== sdbootutil ==== Version update (1+git20260421.88e40c4 -> 1+git20260506.25d47bf) Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper - Update to version 1+git20260506.25d47bf: * Drop systemd.machine_id if /etc/machine-id is present * Support XBOOTLDR partition * Add CLAUDE.md file * Use command -v instead of hash * Remove dead code * Fix regular expression non-capturing group * Add comment about default values in config file * Clarify when swap is mounted * Fix typo in comment * Exit early if we are outside the initrd * Fix variable name * Fix typo * When cleaning pcrlock.d remove only the content * Do not check in_buildroot when updating entries * update_kernels: Update entries for the system if no snapshot is provided ==== sso-mib ==== Version update (0.8.1 -> 0.9.0) - Import version 0.9.0 This bugfix release fixes building without libjwt and implements asking for consent if needed when acquiring a token ==== unbound ==== Version update (1.24.2 -> 1.25.0) Subpackages: libunbound8 unbound-anchor - Enable quic support by default on the distros where ngtcp2 supports quic. - complete the buildrequire set for quic support by also requiring the devel files for the openssl backend in ngtcp2: pkgconfig(libngtcp2_crypto_ossl) - Update to 1.25.0: Features: * TTL behavior changes: cached records reaching TTL 0 are expired; TTL 0 upstream answers are no longer cached by cachedb; serve-expired-reply-ttl is now capped by the original TTL value; TTL decoding updated to adhere to RFC 8767 section 4 * Add new statistics: num.queries.replyaddr_limit and requestlist.current.replies * Add 'log-thread-id' configuration option to log the system-wide Linux thread ID for easier debugging * Add ECC-GOST12 support per RFC 9558 (available as contrib/gost12.patch) * Allow synthesized DNAME TTL=0 to be served from cache within a 1-second grace period, reducing recursion for TTL=0 DNAMEs (RFC 2308) * Fix DoT/DoH/DoQ to reload certificates on config reload without requiring a full restart; fast_reload now supports changes to tls-service-key, tls-service-pem and tls-cert-bundle * Allow ip@port notation in control-interface configuration * Add iter-scrub-rrsig option (default: 8) to limit the number of RRSIGs processed by the scrubber * Add 'tls-protocols' configuration option to select which TLS protocol versions are used; TLSv1.2 is re-enabled by default * Add pthread_setname_np support for named threads Bug Fixes: * Fix handle leak in pythonmod on pythonmod_init * Fix crash when mesh_detect_cycle_found() is called with no mesh state * Fix modstack_call_init to use the original string when it has changed * Fix fr_atomic_copy_cfg * Fix auth-zone empty label for $ORIGIN when downloading via HTTP * Fix respip and dns64 to be usable simultaneously; RPZ now works with DNS64 * Fix HTTPS and QUIC not being enabled when port is listed in interface-automatic-ports * Allow wait-limit-cookie: 0 to disable cookie-validated wait limits * Fix FIPS mode in OpenSSL causing unit test failure * Fix discard-timeout to only drop UDP, not stream connections * Reply with SERVFAIL when the wait-limit is exceeded * Add extended DNS error code for invalid query type * Replace deprecated SWIG $function with $action * Log a warning for possible circular dependency when using hostnames in stub/forward zones * Fix infra cache for NAT64 by moving NAT64 synthesis to the delegation point when adding target addresses * Fix discard-timeout packet accounting in the mesh area * Update IANA portlist * Copy DNSTAP configuration from daemon to workers after fast_reload * Fix HTTP/2 stream mesh state removal and drop handling for postpone_drop and send failures * Log THROWAWAY and (DNSSEC) LAME responses with clearer categorization in log output * Fix EDE removal logic consistency between encoding errors and encoding replies * Fix EDNS subnet scope-zero queries not being stored when forward-no-cache or stub-no-cache is set * Do not initialize quic_table unless QUIC is enabled * Fix fast_reload to copy iter_scrub_ns, iter_scrub_cname and max_global_quota options * Fix allow-notify entries with hostnames to be copied after IPv4/IPv6 lookup; fix skipping hostname lookups when only URLs are configured * Fix NAT64 inconsistency with do-not-query-address during retries * Fix cachedb aggressive negative responses not setting the RA flag * Fix root key priming failure after loading RPZ zones containing ZONEMD RRtype * Fix local-zone always_refuse to also block DS queries * Fix cache lookup/store in external cachedb when forwarder/stub uses the no-cache option * Fix cachedb returning expired bogus data as non-bogus * Fix validator unchecked state handling with validation recursion and EDNS subnet * Fix DNAME lookup flag and assertion in expired calculation debug routine * Fix DNS rebinding bypass via SVCB/HTTPS records; private-address now also elides SVCB and HTTPS records matching the filter * Warn for unused 'nodefault' local-zone configuration in unbound-checkconf * Fix lock/unlock for view in memory error handling * Apply cache TTL policy to DNAME and synthesized CNAME on the wire path * Fix detection of HTTP listening port in fast_reload * Fix ignoring out-of-zone DNAME records for CNAME synthesis * Fix invalid HTTP content length/chunk size checks and RR rdata field length validation in zone transfer, preventing heap buffer-overflow read errors * Fix defense in depth for service callback with empty packet * Fix shared memory statistics with threads * Fix EDNS client subnet to not store SERVFAIL in the global cache after a failed lookup; stores a short-lived failure entry in the subnet cache instead * Fix memory corruption related core dumps when alloc_reg_obtain encounters an empty list ... changelog too long, skipping 25 lines ... * Update keyring to new NLnet Labs release signing key ==== yelp ==== Version update (49.0+22 -> 49.1) Subpackages: libyelp-1-0 yelp-lang - Update to version 49.1: + Fixed issue that could allow remote access to local files. + Updated translations.