Packages changed: Mesa (25.3.3 -> 25.3.4) Mesa-drivers (25.3.3 -> 25.3.4) MozillaFirefox (147.0.1 -> 147.0.2) aws-lc (1.66.2 -> 1.67.0) bind cepces (0.3.9 -> 0.3.16) dbus-broker gcc glib2 gnome-mahjongg (49.0.1 -> 49.1.1) gpg2 (2.5.16 -> 2.5.17) groff groff-full inkscape libXmu (1.3.0 -> 1.3.1) libstorage-ng (4.5.286 -> 4.5.287) mdadm (4.4+31.g541b40d3 -> 4.5+39.g1aa6e5de) microos-tools (4.0+git19 -> 4.0+git21) multipath-tools (0.14.0+207+suse.18c17be5 -> 0.14.1+208+suse.d08f5475) open-vm-tools (13.0.5 -> 13.0.10) openSUSE-release (20260128 -> 20260131) osinfo-db patterns-base pulseaudio python-click python-kiwi (10.2.32 -> 10.2.38) sdbootutil (1+git20260115.cd41d07 -> 1+git20260127.6240918) shadow systemd-presets-common-SUSE xen (4.21.0_02 -> 4.21.0_04) yast2-bootloader (5.0.31 -> 5.0.32) yast2-core (5.0.3 -> 5.0.4) yast2-storage-ng (5.0.39 -> 5.0.40) === Details === ==== Mesa ==== Version update (25.3.3 -> 25.3.4) Subpackages: Mesa-libEGL1 Mesa-libGL1 libgbm1 - Update to Mesa 25.3.4 - -> https://docs.mesa3d.org/relnotes/25.3.4 ==== Mesa-drivers ==== Version update (25.3.3 -> 25.3.4) Subpackages: Mesa-dri Mesa-libva Mesa-vulkan-device-select libvulkan_lvp - Update to Mesa 25.3.4 - -> https://docs.mesa3d.org/relnotes/25.3.4 ==== MozillaFirefox ==== Version update (147.0.1 -> 147.0.2) Subpackages: MozillaFirefox-branding-upstream MozillaFirefox-translations-common - Mozilla Firefox 147.0.2 * Resolved various issues with missing or impaired browser functionality when using XDG Base Directories on Linux. (bmo#2011300) * Fixed an issue causing excess passkey prompts to appear when logging into some sites. (bmo#2010919) * Fixed an issue that could lead to sites being incorrectly flagged as malicious by SafeBrowsing. (bmo#2010956) MFSA 2026-06 (bsc#1257363) * CVE-2026-24868 (bmo#2007302) Mitigation bypass in the Privacy: Anti-Tracking component * CVE-2026-24869 (bmo#2008698) Use-after-free in the Layout: Scrolling and Overflow component ==== aws-lc ==== Version update (1.66.2 -> 1.67.0) Subpackages: libcrypto-awslc0 libssl-awslc0 - Update to version 1.67.0: * Migrate Wycheproof test vectors for ECDSA, RSA PKCS#1, and some more * Rename volatile state/memory to unique state/memory * Service Indicator: Add error call trampoline to avoid delocator issue * Add support for Big Endian in ACVP tool * AES-GCM: Add function pointer trampolines to avoid delocator issue * Use already defined macro for no inline * Remove Kyber completely * Import mldsa-native * Use existing session context if new is actually NULL * Integrate Wycheproof ML-KEM test vectors * Avoid cross-compilation build failure * Cleanup pass on Go code in repository * Update patch for nmap - remove vendor-fix.patch, as upstream finally fixed the issue ==== bind ==== Subpackages: bind-doc bind-utils - Move default config files 127.0.0.zone, localhost.zone and root.hint in /var/lib/named to /usr/share/named with a symlink to /var/lib/named via systemd-tmpfiles to improve immutable os compatibility. ==== cepces ==== Version update (0.3.9 -> 0.3.16) Subpackages: cepces-certmonger cepces-selinux python3-cepces - Update to version 0.3.16: * Bump version to 0.3.16 * feat(cepces-submit): Add an --install mode * Bump version to 0.3.15 * fix(certmonger): Skip authentication for operations that don't need it * Bump version to 0.3.14 * fix(github-ci): Fix branch pattern * fix(certmonger): Handle None result in Submit operation * fix(core): Handle nil policies and CAs in Service properties * feat(scripts): Add a script to verify version numbers are in sync * fix(xml:binding): Handle xsi:nil="true" in XMLElementList ==== dbus-broker ==== Subpackages: dbus-broker-block-restart - dbus-broker should require dbus-1-common (bsc#1255655) ==== gcc ==== - Improve go/gofmt alternative removal upon migration to an alternative-less system. ==== glib2 ==== Subpackages: glib2-lang glib2-tools libgio-2_0-0 libgirepository-2_0-0 libglib-2_0-0 libglib-2_0-0-32bit libgmodule-2_0-0 libgobject-2_0-0 libgthread-2_0-0 typelib-1_0-GIRepository-3_0 typelib-1_0-GLib-2_0 typelib-1_0-GModule-2_0 typelib-1_0-GObject-2_0 typelib-1_0-Gio-2_0 - Add CVE fixes: + glib2-CVE-2026-1484.patch (bsc#1257355 CVE-2026-1484 glgo#GNOME/glib!4979). + glib2-CVE-2026-1485.patch (bsc#1257354 CVE-2026-1485 glgo#GNOME/glib!4981). + glib2-CVE-2026-1489.patch (bsc#1257353 CVE-2026-1489 glgo#GNOME/glib!4984). ==== gnome-mahjongg ==== Version update (49.0.1 -> 49.1.1) Subpackages: gnome-mahjongg-lang - Update to version 49.1.1: + Update outdated screenshot URLs - Changes from version 49.1.0: + Implement pause menu with 'Resume' and 'Quit' buttons + Add Escape keyboard shortcut to pause game + Pause game when main window is obscured + Pause game when dialogs and menus are visible + Don't allow pausing completed games + Don't show confirmation dialog for layout change after completing game + Fix text entry not always receiving focus in Scores dialog + Updated translations. ==== gpg2 ==== Version update (2.5.16 -> 2.5.17) Subpackages: dirmngr gpg2-lang - Update to 2.5.17: * agent: Fix stack buffer overflow when using gpgsm and KEM (CVE-2026-24881, boo#1257358) * tpm: Fix possible buffer overflow in PKDECRYPT (CVE-2026-24882, boo#1257396) * gpg: Fix possible NULL-deref with overlong signature packets (CVE-2026-24883, boo#1257395) * gpg: New export-option "keep-expired-subkeys" * gpgsm: Make multiple search patterns work with keyboxd * agent: Add accelerator keys for "Wrong" and "Correct" * dirmngr: Help detection of bad keyserver configurations ==== groff ==== - Remove update-alternatives usage for roff manpage, mandoc no longer provides it. (bsc#1245900) - Use libalternatives for soelim, fixing conflict with mandoc * Add new soelim-common package which provides soelim symlink to alts ==== groff-full ==== Subpackages: gxditview - Remove update-alternatives usage for roff manpage, mandoc no longer provides it. (bsc#1245900) - Use libalternatives for soelim, fixing conflict with mandoc * Add new soelim-common package which provides soelim symlink to alts ==== inkscape ==== Subpackages: inkscape-extensions-extra inkscape-extensions-gimp inkscape-lang - Fix build with Poppler 26.01.00, add Fix_Poppler_26_01_00_compat.patch ==== libXmu ==== Version update (1.3.0 -> 1.3.1) Subpackages: libXmu6 libXmuu1 - Update to version 1.3.1 * Fix compilation on 32-bit targets - supersedes u_int-to-pointer-cast.patch ==== libstorage-ng ==== Version update (4.5.286 -> 4.5.287) Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1 - merge gh#openSUSE/libstorage-ng#1051 - removed unneeded includes - 4.5.287 ==== mdadm ==== Version update (4.4+31.g541b40d3 -> 4.5+39.g1aa6e5de) - Update to version 4.5+39.g1aa6e5de: * fix compilation errors with GCC 16 (bsc#1256973) * load md_mod before creating array (bsc#1257330) - Update to version 4.5+33.g9560967f (bsc#1257009): - Upstream feature additions in 4.5: * Support --logical-block-size in --create * Remove --freeze-reshape logic in reshape * Create array with sync del gendisk mode * Re-enable mdadm --monitor ... for /dev/mdX * Don't stop array after creating it during assemble * Allow RAID0 to be created with v0.90 metadata * Optimize DDF header search for widely used RAID controllers Upstream bug fixes from 4.5: * Moves memory management into Assemble to avoid null pointer dereference * Wait a while before removing a member in Incremental * Fix memory leaks * Support non-absolute name during monitor scan * Enable udev block for Incremental/Assemble to avoid race condition * Don't set badblock flag when adding a new disk * Fix metadata corruption when managing new imsm array * Do not start reshape before switchroot ==== microos-tools ==== Version update (4.0+git19 -> 4.0+git21) - Update to version 4.0+git21: * Add zypp-no-multiversion sub-package * Add config snippets for zypp.conf ==== multipath-tools ==== Version update (0.14.0+207+suse.18c17be5 -> 0.14.1+208+suse.d08f5475) Subpackages: kpartx libmpath0 - Update to version 0.14.1+208+suse.d08f5475: * kpartx: fix segfault when operating on regular files (bsc#1257244, bsc#1257153) * multipathd: print path offline message even without a checker (bsc#1254094) * multipathd: make "multipathd show status" busy checker better * multipathd: finish initalization of paths added while offline * multipathd: don't add removed/partial paths to new maps ==== open-vm-tools ==== Version update (13.0.5 -> 13.0.10) Subpackages: libvmtools0 open-vm-tools-desktop - update to 13.0.10 based on build 25056151: (boo#1257357): Please refer to the Release Notes at https://github.com/vmware/open-vm-tools/blob/stable-13.0.10/ReleaseNotes.md. The granular changes that have gone into the open-vm-tools 13.0.10 release are in the ChangeLog at https://github.com/vmware/open-vm-tools/blob/stable-13.0.10/open-vm-tools/ChangeLog. There are no new features in the open-vm-tools 13.0.10 release. This is primarily a maintenance release that addresses a fix. A minor enhancement has been made for Guest OS Customization. The DeployPkg plugin has been updated to handle a new cloud-init error code that signals a recoverable error and allow cloud-init to finish running. For a more complete description of what's new in this release, see the What's New and Resolved Issues sections of the Release Notes. ==== openSUSE-release ==== Version update (20260128 -> 20260131) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== osinfo-db ==== - Add support for SLES-16.1 (jsc#PED-14625) add-sles16.1-support.patch - Add support for openSUSE Leap 16.1 (jsc#PED-14625) add-opensuse-leap-16.1-support.patch ==== patterns-base ==== Subpackages: patterns-base-apparmor patterns-base-base patterns-base-basesystem patterns-base-basic_desktop patterns-base-console patterns-base-enhanced_base patterns-base-minimal_base patterns-base-selinux patterns-base-sw_management patterns-base-x11 patterns-base-x11_enhanced - rename transactional_base to immutable_base ==== pulseaudio ==== Subpackages: libpulse-mainloop-glib0 libpulse0 pulseaudio-setup pulseaudio-utils system-user-pulse - Remove pulseaudio-rpmlintrc which only had filters for the pulseaudio-gdm-hooks subpackage which was moved to the gdm package. - Added permissions for the ghost dir /var/lib/pulseaudio. ==== python-click ==== - Run tests in a subpackage, this allows to exclude build in different distributions ==== python-kiwi ==== Version update (10.2.32 -> 10.2.38) - Fix booting non-encrypted live images activate_luks returned true if the passed blockdev was not luks. - Fix pytest type hint issue Running on pytest < 7 causes an AttributeError: module 'pytest' has no attribute 'Config'. Quoting the type hint argument to be a string and accessing the elements of pytestconfig via getattr() and a default value workarounds the issue for older pytest versions - Bump version: 10.2.37 → 10.2.38 - Fix platform mock for kis builder unit testing - Fix s390 unit test Forgot to mock the architecture properly. This commit fixes it - Bump version: 10.2.36 → 10.2.37 - Move fedora arm build test to dnf5 - Explicitly list dnf as a package to help OBS If not mentioned explicitly OBS does not place it into the repositories to build the image from - Move fedora container build test to dnf5 - Move remaining fedora build tests to dnf5 - Reapply "Set CentOS 9 integration tests to use dnf4 explicitly" This reverts commit 31a0171bbbc9c8ec8319bff48c7de528082a1486. - Reapply "Set CentOS 10 integration tests to use dnf4 explicitly" This reverts commit 9fe29d9925fd3f0866e7c89c6a9573b1fc310a63. - Identify the correct binary for DNF4 This is pretty much the same solution we used back when we supported YUM and had to deal with yum vs yum-deprecated. - Revert "Set CentOS 9 integration tests to use dnf4 explicitly" This causes the environment to not have /usr/bin/dnf. This reverts commit b2c4760e2f6ae9ac4fa71a622a89445c572217b4. - Revert "Set CentOS 10 integration tests to use dnf4 explicitly" This causes the environment to not have /usr/bin/dnf. This reverts commit df77cba989eb80be66fad5c3ce5630287a72e7ea. - Set CentOS 9 integration tests to use dnf4 explicitly - Set CentOS 10 integration tests to use dnf4 explicitly Also, fix the description of the tests to state it's for CentOS 10. - Revert "Switch centos v10 integration tests to dnf5" DNF5 does not exist in CentOS 10 yet. This reverts commit a722acedc512528c1d73bd5c99d1cd2227c8beab. - Switch centos v10 integration tests to dnf5 - Fix agama integration test Service agama-proxy-setup no longer exists - Fix fedora integration test build Explicitly add shadow package - Fix fedora integration test build Explicitly add shadow package - package/spec: Reorganize supported DNF variants in packaging DNF5 has replaced DNF4 and MicroDNF since Fedora Linux 41, and this replacement will take effect with CentOS Stream/RHEL 11 onward. Furthermore, openSUSE Tumbleweed is switching to DNF5 for its support of DNF, so switch things so that DNF5 is available for openSUSE. - Move OVA support to open-vmdk Finally this commit drops the use of the VMware ovftool and moves to the real opensource alternative open-vmdk This Fixes #2292 - Add staging box build to build_status helper - Allow to setup the environment blob for grub Added new section to the existing section which allows to specify environment variables for setting up an environment blob for the selected loader. With this commit we add support for grub by using grub2-editenv. Other loaders do not yet have an implementation or does not support environment blobs. Settings will be ignored for unsupported loaders. This Fixes #2922 Co-authored-by: Rhys Oxenham - Add missing base class method The BootLoaderInstallBase class was missing the default implementation for the set_disk_password API - Set btrfs_relative_path conditional The early boot script and also the ISO template should only set this option if the conditions to set it are met. Conditions for this option are if btrfs is in use and a default subvolume and/or a snapper based snapshot is requested by the image description. This Fixes #2919 - Fixed ramdisk sysroot generator Do not use a custom _dev name and stick with the UUID representation of the disk image in RAM after deployment. Former versions of udev did not create a by-uuid device representation which now seems to have changed. This then leads to the device name RamDisk_rootfs not being created the and respective .device unit times out. In addition the timer unit for the standard device representation changed to infinity. This fixes bsc#1254116 - Fix integration tests Tests using btrfs snapshots with snapper has to install snapper - Bump version: 10.2.35 → 10.2.36 - Update CA target distribution name Instead of rhel better name it redhat - Bump version: 10.2.34 → 10.2.35 - Add dracut to strip list Make sure legacy image builds which uses kiwi to create an initrd keeps dracut such that the initrd format detection continuous to work with the new dracut --printconfig option - Update Fedora integration test Use custom partition IDs for the Virtual profiles with and without an extra boot partition - Add documentation about new attributes Add information about eficsmpart_id - Add support for eficsmpart_id attribute ... changelog too long, skipping 266 lines ... This Fixes #2873 ==== sdbootutil ==== Version update (1+git20260115.cd41d07 -> 1+git20260127.6240918) Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper - Update to version 1+git20260127.6240918: * Correctly replace the boot entry with a new name - Update to version 1+git20260122.dd5ba5c: * Fix boot entries detection when boot counting is enabled * [.github]: Improve issue templates ==== shadow ==== Subpackages: libsubid5 login_defs shadow-pw-mgmt - Add shadow-utils Provides for compatibility with RH/Fedora packages - Remove --enable-account-tools-setuid build flag: This was a leftover. The package builds chgpasswd, chpasswd, groupadd, groupdel, groupmod, newusers, useradd, userdel, and usermod as setuid binaries via this flag and then strips the setuid bit again in the install section. See gh/shadow-maint/shadow#1518 - Cleanup PAM config files which are no longer needed: groupadd, groupdel, groupmod, useradd, userdel, usermod ==== systemd-presets-common-SUSE ==== - Enable vpdupdate service for lsvpd (jsc#PED-14567). ==== xen ==== Version update (4.21.0_02 -> 4.21.0_04) - bsc#1257399 - Package xen doesn't build with glibc 2.43 glibc2.43-fixes.patch - bsc#1256745 - VUL-0: CVE-2025-58150: xen: x86: buffer overrun with shadow paging + tracing (XSA-477) xsa477.patch - bsc#1256747 - VUL-0: CVE-2026-23553: xen: x86: incomplete IBPB for vCPU isolation (XSA-479) xsa479.patch - Drop x86-ioapic-ack-default.patch Upstream changes make this patch unnecessary. ==== yast2-bootloader ==== Version update (5.0.31 -> 5.0.32) - Fix typo in error message "Cannot create machine-id" (jsc#PED-10703) - 5.0.32 ==== yast2-core ==== Version update (5.0.3 -> 5.0.4) - Immutable packaging fix: Do not package the log directory under /var (jsc#PED-14910) - 5.0.4 ==== yast2-storage-ng ==== Version update (5.0.39 -> 5.0.40) - Adjusted the criteria to check whether TPM-based full-disk encryption is available at Agama (bsc#1257315). - 5.0.40