Packages changed: 7zip (26.00 -> 26.01) aaa_base (84.87+git20260529.c4391e5 -> 84.87+git20260602.e901e17e) alsa (1.2.15.3 -> 1.2.16) alsa-ucm-conf (1.2.15.3 -> 1.2.16) alsa-utils (1.2.15.2 -> 1.2.16) ceph file hwinfo (25.3 -> 25.4) ipxe libheif (1.22.2 -> 1.23.0) librsvg (2.62.2 -> 2.62.3) libselinux live555 (2026.05.28 -> 2026.06.01) mutter (50.1 -> 50.2) nbd (3.26.1 -> 3.27.1) ncurses (6.6.20260516 -> 6.6.20260530) nfs-utils perl-Cpanel-JSON-XS (4.400.0 -> 4.410.0) polkit-default-privs (1550+20260528.62493d2 -> 1550+20260603.7a43683) samba (4.23.8+git.477.f78166bceed -> 4.24.3+git.475.629de6765b9) sshfs (3.7.5 -> 3.7.6) zbar === Details === ==== 7zip ==== Version update (26.00 -> 26.01) - Update to 26.01: * linux version of 7-Zip can use huge pages (2 MB pages). It can increase compression speed for 10% for 7z/xz/LZMA/LZMA2 compression. * new -spo[d|c|r] switch specifies the path generation mode for the output directory for archive extraction. The output directory path is generated from the path specified in the -o{dir_path} switch and the name of the archive being unpacked. - spod : for Linux/Posix/macOS: -o{dir_path} specifies the direct path to the output directory. The asterisk (*) character in {dir_path} will not be replaced by the archive name. - spoc : 7-Zip will concatenate the path specified in -o{dir_path} with the archive name to form the final path to the output directory. - spor : 7-Zip will replace asterisk (*) character in the path specified in the -o{dir_path} with the archive name. This is the default option. * some bugs were fixed. * CVE-2026-48095 / GHSL-2026-140 : Heap Buffer Write Overflow ==== aaa_base ==== Version update (84.87+git20260529.c4391e5 -> 84.87+git20260602.e901e17e) Subpackages: aaa_base-extras - Update to version 84.87+git20260602.e901e17e: * Fix a typo + follow symlinks in alljava ==== alsa ==== Version update (1.2.15.3 -> 1.2.16) Subpackages: libasound2 libatopology2 - Update to alsa-lib 1.2.16: fixes for PCM, control remap, topology, UCM extensions, etc For details, see: https://www.alsa-project.org/wiki/Changes_v1.2.15.3_v1.2.16#alsa-lib ==== alsa-ucm-conf ==== Version update (1.2.15.3 -> 1.2.16) - Update to alsa-ucm-conf 1.2.16: * fixes for SOF, soundwire, ACP, USB-audio and other various devices For details, see: https://www.alsa-project.org/wiki/Changes_v1.2.15.3_v1.2.16#alsa-ucm-conf ==== alsa-utils ==== Version update (1.2.15.2 -> 1.2.16) - Update to alsa-utils 1.2.16: * fixes and enhancements in speaker-test, alsaloop, amixer and aply For details, see: https://www.alsa-project.org/wiki/Changes_v1.2.15.3_v1.2.16#alsa-utils ==== ceph ==== Subpackages: librados2 librbd1 - Add ceph-gcc16-build-fix.patch to fix build with gcc 16 ==== file ==== Subpackages: file-magic libmagic1 - Add patch file-5.47-stanza.patch (boo#1261558 partly) * Avoid many false positive on windows file test ==== hwinfo ==== Version update (25.3 -> 25.4) Subpackages: libhd25 - merge gh#openSUSE/hwinfo#181 - fix redundant conditions in smbios memory device map - 25.4 - merge gh#openSUSE/hwinfo#182 - fix memory leaks (bsc#1267348) - merge gh#openSUSE/hwinfo#180 - fix(core): free modinfo_ext instead of modinfo in hd_free_hd_data - merge gh#openSUSE/hwinfo#179 - Fix: fix sizeof in joystick allocation to use struct size instead of pointer size (bsc#1267348) ==== ipxe ==== - Restrict the build to x86_64 and aarch64, due to dependencies and to the fact that these arch-es are the only ones where the ROMs are useful. ==== libheif ==== Version update (1.22.2 -> 1.23.0) Subpackages: gdk-pixbuf-loader-libheif libheif-aom libheif-dav1d libheif-ffmpeg libheif-jpeg libheif-openh264 libheif-openjpeg libheif-rav1e libheif-svtenc libheif1 - version update to 1.23.0: * add API functions to read and write metadata: ambient viewing environment nominal diffuse white luminance * adds a output_image_nclx_profile_passthrough option to heif_decoding_options * CVE TBD (GHSA-jvmp-j3cw-84mh) - unbounded heap allocation in HEIF sequence parser (stsz fixed-size mode missing bound check) ==== librsvg ==== Version update (2.62.2 -> 2.62.3) Subpackages: librsvg-2-2 typelib-1_0-Rsvg-2_0 - Update to version 2.62.3: + librsvg crate version 2.62.3 + librsvg-rebind crate version 0.3.0 + Remove loading limits from image-rs. This means that raster images, when embedded in SVG documents, have no limits for their size or memory consumption. The idea, for now, is that security-sensitive applications that use librsvg should do their own sandboxing if they want to impose memory limits. + Fix the logic for whether gdk-pixbuf-query-loaders should be run during cross-compilation. Native builds can of course use it; cross builds can use it if they can run host binaries *and* an executable wrapper has been set *and* the target sysroot contains the corresponding gdk-pixbuf-query-loaders executable ==== libselinux ==== Subpackages: libselinux1 libselinux1-32bit selinux-tools - Add patch for restorecon to log error on readonly fs (bsc#1232226) - Patch: restorecon-Only-log-error-on-readonly-fs-bsc-1232226.patch - Can be dropped with the next toolchain release: https://github.com/SELinuxProject/selinux/commit/fd411d50ba1cb3e8ad5f8ce4e3c9bc7fcbe4340c ==== live555 ==== Version update (2026.05.28 -> 2026.06.01) Subpackages: libBasicUsageEnvironment2 libUsageEnvironment3 libgroupsock33 - Update to version 2026.06.01: + Updated the "RTSPServer" implementation of the "SETUP" command to make it more robust if subclassed code reimplements "lookupServerMediaSession()" as an asynchronous operation. - update to 2026.05.30: * Updated the "RTSPServer" implementation some more to make it more robust if subclassed code reimplements "lookpServerMediaSession()" as an asynchronous operation. * Added an (integer) index to identify each server's 'client connection', and changed the "fClientConnections" table to be indexed by this id. * In the "RTSPServer" implementation, removed the "fOurClientConnection" member variable. This had been left over from when the RTSP "SETUP" command had been implemented as a single, synchronous function. Now that "SETUP" is implemented using multiple functions, possibly asynchronously (depending upon how "lookpServerMediaSession()" is implemented), this member variable was potentially dangerous if more than one "SETUP" is performed concurrently on the same client connection, or on separate client connections. ==== mutter ==== Version update (50.1 -> 50.2) Subpackages: mutter-lang - Update to version 50.2: + Fix size increases when quickly unmaximizing window by drag + Fix cursor position hint for Xwayland if scaling is used + Fix fullscreening of edge tiled windows + Scale the hotspot location for tablet tool cursors + Fix moving maximized windows to another monitor via keyboard + Fix alt-tab with sloppy/mouse focus + Implement support for version 2 of text_input_v3 protocol + Ignore repeated events for double click counting + Fix DND data offers on touch + Make DND with tablets work across surfaces + Do not unfullscreen fullscreened window on unmaximize + Fix broken switch-monitor mapping on stylus buttons + Fixed crashes + Misc. bug fixes and cleanups + Updated translations. - Add 5096.patch: Stop mutter spamming logs. - Rebase patches with quilt. ==== nbd ==== Version update (3.26.1 -> 3.27.1) - Update to version 3.27.1: * Enable TLS 1.3 by default (while still disallowing TLS 1.1 and below) * Set a sensible default port again: an nbdtab entry without a port specification is read as the default 10809 instead of 0 * nbd-client: find the index when the device name is given without the /dev/ prefix * nbd-client now depends on the nbd kernel module being loaded * Refactor nbd-client argument parsing into a separate file * Fix configure --disable-manpages * Fix build on musl + gcc14 (incompatible-pointer-types) * Several clang-warning, formatting and cleanup fixes - Drop nbd-forgotten-sh.tmpl.patch: upstream moved the shell template to systemd/sh.tmpl and ships it in the tree - Build from the upstream git archive and regenerate the build system with autogen.sh; add autoconf, autoconf-archive, automake, flex and libtool BuildRequires ==== ncurses ==== Version update (6.6.20260516 -> 6.6.20260530) Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen - Add ncurses patch 20260530 + minor renaming, formatting to align with Juergen Pfeifer's fork. + add configure script check for --enable-ext-mouse2, to support ABI 7. + improve special case in tic for %{code} to allow any non-zero byte as the result %'char' - Add ncurses patch 20260523 + modify _nc_wacs[] to make it per-screen (from Juergen Pfeifer's fork) + eliminate a special case in tic when translating %{code} to %'char', since %{92} mapping to %'\' works with tparm and infocmp. ==== nfs-utils ==== Subpackages: libnfsidmap1 nfs-client nfs-kernel-server - Update to 2.9.1: https://lore.kernel.org/linux-nfs/955a922e-c12d-435b-a698-caf73312f01d@redhat.com/ https://www.kernel.org/pub/linux/utils/nfs-utils/2.9.1/2.9.1-Changelog * Minor version being disabled (which is why the minor release was bumped) * New features bug fixes: * V4.0 is turned off on the servery by default * netlink is now used for upcalls in exportfs, exportd, mountd * signed filehandle support was added. * nfsdctl now checks for listeners before starting. - Update to 2.8.7: https://lore.kernel.org/linux-nfs/4d11b9d7-7b49-4a1e-8c26-29ecb2fefe2f@redhat.com/ * nfsrahead: quieten misleading error for non-NFS block devices * nfsrahead: zero-initialise device_info struct - No functional change (all commits from this release had already been backported) - Removed patches from 2.8.7: * nfsrahead-quieten-misleading-error-for-non-NFS-block-devic.patch * nfsrahead-zero-initialise-device_info-struct.patch ==== perl-Cpanel-JSON-XS ==== Version update (4.400.0 -> 4.410.0) - updated to 4.410.0 (4.41) see /usr/share/doc/packages/perl-Cpanel-JSON-XS/Changes 4.41 2026-05-27 (rurban) - Fix BOM-shift PV-corruption SIGABRT (CVE-2026-9516) (patch by Paul Johnson) - Fix dupkeys_as_arrayref type confusion (CVE-2026-9334) (patch by Paul Johnson) - Fix incr_parse single-quote string delimiter (GH #245, reported by Paul Johnson) - Fix a one-byte out-of-bounds heap read reachable via allow_barekey on truncated input (GH #244, reported by Paul Johnson) ==== polkit-default-privs ==== Version update (1550+20260528.62493d2 -> 1550+20260603.7a43683) - Update to version 1550+20260603.7a43683: * profiles: added new systemd actions (bsc#1266944) - Update to version 1550+20260602.64ede59: * profiles: fwupd new actions in 2.1.4 (bsc#1267014) ==== samba ==== Version update (4.23.8+git.477.f78166bceed -> 4.24.3+git.475.629de6765b9) Subpackages: libldb2 libldb2-32bit python3-ldb samba-ad-dc-libs samba-ad-dc-libs-32bit samba-client samba-client-32bit samba-client-lang samba-client-libs samba-client-libs-32bit samba-dcerpc samba-gpupdate samba-ldb-ldap samba-libs samba-libs-32bit samba-libs-python3 samba-python3 samba-winbind samba-winbind-libs samba-winbind-libs-32bit samba-winbind-libs-lang - Update to 4.24.3 * CVE-2026-4480: Fix Unauthenticated Remote Code Execution; (bso#16033); (bsc#1261161). * CVE-2026-4408: Fix Remote Code Execution in SAMR;(bso#16034); (bsc#1261163). * CVE-2026-3238: Fix unauthenticated udp packet crashes AD DC nbt server; (bso#16012); (bsc#1261160). * CVE-2026-3012: Fix CVE-2026-3012 group policy certificate enrollment using http:// without validation;(bso#16003); (bsc#1261159). * CVE-2026-1933: Fix missing access check on reparse point operations; (bso#15992); (bsc#1261188). * CVE-2026-2340: vfs_worm does not block directory modification; (bso#15997); (bsc#1261158). * CVE-2026-40170: thirdparty ngtcp2 needs to be updated; (bso#16059). - Update to 4.24.2 * Samba 4.24 with cups can't get queue and shows errors about fetch_share_cache_time; (bso#16038). * Fix a directory file descriptor leak in vfs_glusterfs that caused unbounded memory growth on the GlusterFS brick with persistent SMB2 connections; (bso#16043). * Windows Offline Files fails with permission error when directory has the read‑only attribute set; (bso#16030). * samba not triggering mount of zfs snapshot in dataset .zfs/snapshots/ directory; (bso#15991). * net ads join still fails with multiple DCs; (bso#15999). * samba-tool shows wrong format specifiers for timestamp attributes; (bso#16076). * restrict anonymous = 2 breaks RODC functionality; (bso#14638). * smbpasswd can crash winbindd on an AD DC; (bso#15973). * smbd does not cleanup on disconnect of the transport connection on lease break errors; (bso#15995). * CVE-2026-40170: thirdparty ngtcp2 needs to be updated; (bso#16059); (bsc#1262273); (bsc#1262337). * Require NTLMv2 session security on Windows makes trusts to Samba unusable; (bso#16067). * Winbind can change Ownership Of / To A User Who has Homedir / In passwd; (bso#16073). * Winbind lsa_OpenPolicy() fails on lsa connection setup with: NT_STATUS_RPC_CANNOT_SUPPORT; (bso#15987). * CTDB read-only record handling contains use after free and resource leak bugs; (bso#16068). - Update to 4.24.1 * autobuild fails if /proc/version contains trailing space; (bso#16057). * use after free in streams_xattr_connect(); (bso#16035). * rpc workers with long living clients grow server memory keytab; (bso#16042); (bsc#1257200). * vfs_snapper failing to access or enumerate files in subfolders; (bso#16058); (bsc#1259667). * Samba is not build with FORTIFY_SOURCE; (bso#16040). * Fix tests with MIT Kerberos 1.22.x; (bso#16055). - Update to 4.24.0 * incorrect behavior on rpcclient enumport with rpcd_spoolss; (bso#16019). * altSecurityIdentities X509 issuer DN order is reversed; (bso#16001). * vfs_aio_ratelimit: introduce burst-aware and persistent state model; (bso#16000). * No function _python_sysroot defined; (bso#15990). * leases torture test flappy; (bso#15978). * smbd: in contend_dirleases() don't bother checking when not enabled; (bso#15984). * 'net ads kerberos kinit' should use also default ccache name from krb5.conf; (bso#15993). * "use-kerberos=desired" broken; (bso#15789). * source3/libads/kerberos.c sets wrong failure for negative connection cache; (bso#15975); (bso#1255755). * CTDB's statd_callout fails on sm-notify; (bso#15938). * CTDB statd_callout_notify notifies unnecessary clients and loses their state; (bso#15939). * Backport domain default AES encryption types to 4.24; (bso#15998). * possible memory leak on rpc_spoolss; (bso#15979); (bsc#1257200). * Winbind group resolution failure; (bso#15972). * ctdbd socket documentation is wrong; (bso#15977). * time_t related build failure on 32bit arch in 4.24.0rc1; (bso#15976). ==== sshfs ==== Version update (3.7.5 -> 3.7.6) - Update to 3.7.6: - Added new maintainer: abhinavagarwal07 Abhinav Agarwal - CVE-2026-47187: Fixed critical vulnerability - Symlink Escape: Rogue SFTP Server to Local File Read/Write), credit to abhinavagarwal07 (bsc#1267017) - New -o contain_symlinks and -o no_contain_symlinks to control symlink containment behavior - CVE-2026-48711: Fixed high severity vulnerability - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection'), credit to abhinavagarwal07 (bsc#1267016) - Fixed null-deref warning in tokenize_on_space, promote strict-warnings to required - Added a number of tests in CI, including rename, chmod, fsync, statvfs values, error paths, option coverage - Fixed malformed SFTP reply handling ==== zbar ==== - Correct the License tag to LGPL-2.1-or-later (the sources are LGPL 2.1 or later, not 2.0) - Minor spec cleanup