Packages changed:
  apparmor (4.1.1 -> 4.1.2)
  aws-lc (1.61.2 -> 1.61.4)
  freerdp (3.17.0 -> 3.17.2)
  gimp
  gnome-shell (49.0+9 -> 49.0+17)
  libapparmor (4.1.1 -> 4.1.2)
  libdbusmenu-gtk2
  libdbusmenu-gtk3
  mpg123 (1.33.2 -> 1.33.3)
  mutter (49.0+43 -> 49.0+68)
  nvidia-open-driver-G06-signed (580.95.05_k6.17.0_1 -> 580.95.05_k6.17.0_2)
  openSUSE-release (20251005 -> 20251007)
  openjpeg2 (2.5.3 -> 2.5.4)
  opensuse-welcome-launcher
  pam_mount (2.20 -> 2.21)
  salt
  selinux-policy (20250926 -> 20251006)
  yast2-trans (84.87.20250928.a1cf0a56ce -> 84.87.20251004.03a20734b6)

=== Details ===

==== apparmor ====
Version update (4.1.1 -> 4.1.2)
Subpackages: apparmor-abstractions apparmor-docs apparmor-parser apparmor-profiles apparmor-utils python3-apparmor

- update to AppArmor 4.1.2
  - several fixes (including boo#1246743)
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.1.2 for the detailed upstream changelog
- remove upstream(ed) patches:
  - dovecot24.diff
  - xkeyboard.diff
- add dovecot24-part2.diff: more dovecot 2.4 permissions (boo#1247470)

==== aws-lc ====
Version update (1.61.2 -> 1.61.4)
Subpackages: libcrypto-awslc0 libssl-awslc0

- update to version 1.61.4:
  * Pin PyCA version in python integration tests
  * Check compiler for 'linux/random.h'
- update to version 1.61.3:
  * Remove jitter entropy tests folder

==== freerdp ====
Version update (3.17.0 -> 3.17.2)
Subpackages: libfreerdp3-3 librdtk0-0 libwinpr3-3

- Update to version 3.17.2:
  + Minor improvements and bugfix release.
  + Most notably resource usage (file handles) has been greatly reduced and static build pkg-config have been fixed. For users of xfreerdp RAILS/RemoteApp mode the switch to DesktopSession mode has been fixed (working UAC screen)
- Changes from version 3.17.1
  + Minor improvements and bugfix release.
    * most notably a memory leak was addressed
    * fixed header files missing C++ guards
    * xfreerdp as well as the SDL clients now support a system wide configuration file
    * Heimdal kerberos support was improved
    * builds with [MS-RDPEAR] now properly abort at configure if Heimdal is used (this configuration was never supported, so ensure nobody compiles it that way)
- Add 11876.patch: properly set requires fields for pkgconfig and cmake files

==== gimp ====
Subpackages: gimp-plugin-aa gimp-plugin-python3 libgimp-3_0-0 libgimpui-3_0-0

- Add gimp-CVE-2025-10925.patch: Fix GIMP ILBM file parsing stack-based buffer overflow remote code execution vulnerability. (CVE-2025-10925, ZDI-25-914, ZDI-CAN-27793, bsc#1250501)
- Add gimp-CVE-2025-10922.patch: Fix GIMP DCM file parsing heap-based buffer overflow remote code execution vulnerability. (CVE-2025-10922, ZDI-25-911, ZDI-CAN-27863, bsc#1250497)
- Add gimp-CVE-2025-10920.patch: Prevent overflow attack by checking if output >= max, not just output > max. (CVE-2025-10920, ZDI-25-909, ZDI-CAN-27684, bsc#1250495)

==== gnome-shell ====
Version update (49.0+9 -> 49.0+17)
Subpackages: gnome-extensions gnome-shell-calendar

- Add gnome-shell-no-gnome-tour.patch: Do not ask to launch gnome-tour; openSUSE handles the logic in opensuse-welcome-launcher
- Update to version 49.0+17:
  * st/theme-context: Warn instead of crashing on unsupported accent colors
  * panelMenu: Remove invalid last argument to PopupMenu constructor
  * notificationDamon: Always send the activation token
  * data: Do not bundle org.freedesktop.Application interface
  * data: Remove unused D-Bus interface
  * overviewControls: Ensure ws thumbnails are expanded before fading in
  * gdm/authPrompt: Fix key focus handling on choice list
  * Updated translations.

==== libapparmor ====
Version update (4.1.1 -> 4.1.2)

- update to AppArmor 4.1.2
  - several fixes (including boo#1246743)
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.1.2 for the detailed upstream changelog
- remove upstream(ed) patches:
  - dovecot24.diff
  - xkeyboard.diff
- add dovecot24-part2.diff: more dovecot 2.4 permissions (boo#1247470)

==== libdbusmenu-gtk2 ====

- Enable valgrind on riscv64

==== libdbusmenu-gtk3 ====

- Enable valgrind on riscv64

==== mpg123 ====
Version update (1.33.2 -> 1.33.3)
Subpackages: libmpg123-0 mpg123-openal

- Update to version 1.33.3
  libmpg123:
  * Consolidate and more consistently use .rodata switch in macro.

==== mutter ====
Version update (49.0+43 -> 49.0+68)

- Update to version 49.0+68:
  * window/wayland: Use constrained rect when deciding configuration
  * wayland/xdg-shell:
    - Create window after setting resources
    - Ensure applied window geometry is always non-empty
    - Make invalid geometry warning more descriptive
  * tests/wayland:
    - Add test for invalid geometry with subsurface
    - Add test case for client with invalid geometry
  * wayland/shell-surface: Assume geometry empty if no buffer attached
  * wayland/surface: Make state-applied logs more informative
  * tests:
    - Add test checking maximized window position on workspace changes
    - Add some tests for wl_keyboard behavior
  * core: Let key presses of special modifiers through
  * clutter/frame-clock:
    - Allow scheduling a clock tick despite a pending later tick
    - For FRR schedule_later update, use next_update_time_us
  * window: Fixup flagging META_MOVE_RESIZE_RECT_INVALID only when invalid
  * seat/native: Steal another error before returning in task
  * wayland:
    - Check modifier state from event prior to event delivery
    - Always send configure event after xdg_popup::reposition
    - Require pointer interaction prior to allowing pointer warp
    - Add helper to check the order of two serials
    - Check event type, use CLUTTER_KEY_STATE for modifiers during DnD
  * udev: Don't leak parent
  * prefs: Fallback cursor size to 24 when invalid value in settings
  * cursor-renderer/native: Sanity check texture size before allocating
  * clutter/gesture: Do not crash on unknown events
  * Updated translations.
- Drop mutter-fix-modifiers.patch: Fixed upstream.

==== nvidia-open-driver-G06-signed ====
Version update (580.95.05_k6.17.0_1 -> 580.95.05_k6.17.0_2)

- update non-CUDA variant to 580.95.05

==== openSUSE-release ====
Version update (20251005 -> 20251007)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== openjpeg2 ====
Version update (2.5.3 -> 2.5.4)

- Update to 2.5.4:
  * No API/ABI break compared to v2.5.3
  Bug fixes:
  * opj_jp2_read_header: Check for error after parsing header. #1573
  * pkgconfig: drop unused libraries from Libs.private #1591
  * Fix CMake warning: Compatibility with CMake < 3.10 will be removed #1580
  * Fixed ICC profile copy failure on write #1574

==== opensuse-welcome-launcher ====

- Be less hacky about the fallback, but rather explicitly assign opensuse-welcome to KDE for now and switch GNOME to gnome-tour.
- Require gnome-tour when gnome-session is installed.

==== pam_mount ====
Version update (2.20 -> 2.21)
Subpackages: libcryptmount0

- Update to release 2.21
  * Support for building with libHX 5.0

==== salt ====
Subpackages: python311-salt salt-master salt-minion

- Use versioned python interpreter for salt-ssh
- Added:
  * use-versioned-python-interpreter-for-salt-ssh.patch
- Fix known_hosts error on gitfs (bsc#1250520) (bsc#1227207)
- Added:
  * allow-libgit2-to-guess-sysdir-homedir-successfully-b.patch

==== selinux-policy ====
Version update (20250926 -> 20251006)
Subpackages: selinux-policy-targeted

- Update to version 20251006:
  * Allow sshd_session_t write to wtmpdb
  * Support /usr/libexec/ssh as well as openssh folder
  * Set xenstored_use_store_type_domain boolean true (bsc#1247875)
  * Adjust guest and xguest users policy for sshd-session
  * Allow valkey-server create and use netlink_rdma_socket
  * Allow blueman get attributes of filesystems with extended attributes
  * Update files_search_base_file_types()
  * Allow geoclue get attributes of the /dev/shm filesystem
  * Allow apcupsd get attributes of the /dev/shm filesystem
  * Allow sshd-session read cockpit pid files
  * Allow nfs generator create and use netlink sockets
  * Conditionally allow virt guests to read certificates in user home directories
  * xenstored_t needs CAP_SYS_ADMIN for XENSTORETYPE=domain (bsc#1247875)
  * Allow nfs-generator create and use udp sockets
  * Allow kdump search kdumpctl_tmp_t directories
  * Allow init open and read user tmp files
  * Fix the systemd_logind_stream_connect() interface
  * Allow staff and sysadm execute iotop using sudo
  * Allow sudodomains connect to systemd-logind over a unix socket
  * /boot/efi is dosfs_t and kdump needs to access it (bsc#1249370)
  * Add default contexts for sshd-seesion
  * Define types for new openssh executables
  * Fix systemd_manage_unit_symlinks() interface definition
  * Support coreos installation methods
  * Add a new type for systemd-ssh-issue PID files
  * Allow gnome-remote-desktop connect to unreserved ports
  * Allow mdadm the CAP_SYS_PTRACE capability
  * Allow iptables manage its private fifo_files in /tmp
  * Allow auditd manage its private run dirs
  * Revert "Allow virt_domain write to virt_image_t files"
- Syncing with upstream rawhide selinux-policy up to:
  * 415b33792f9ea17d816a9e2602cddf21c16e7255
- Update embedded container-selinux version to commit:
  * edfbda465d37deb2a831330a2c3c65b557e6dff5 (version 2.242.0)

==== yast2-trans ====
Version update (84.87.20250928.a1cf0a56ce -> 84.87.20251004.03a20734b6)
Subpackages: yast2-trans-af yast2-trans-ar yast2-trans-bg yast2-trans-bn yast2-trans-bs yast2-trans-ca yast2-trans-cs yast2-trans-cy yast2-trans-da yast2-trans-de yast2-trans-el yast2-trans-en_GB yast2-trans-es yast2-trans-et yast2-trans-fa yast2-trans-fi yast2-trans-fr yast2-trans-gl yast2-trans-gu yast2-trans-hi yast2-trans-hr yast2-trans-hu yast2-trans-id yast2-trans-it yast2-trans-ja yast2-trans-jv yast2-trans-ka yast2-trans-km yast2-trans-ko yast2-trans-lo yast2-trans-lt yast2-trans-mk yast2-trans-mr yast2-trans-nb yast2-trans-nl yast2-trans-pa yast2-trans-pl yast2-trans-pt yast2-trans-pt_BR yast2-trans-ro yast2-trans-ru yast2-trans-si yast2-trans-sk yast2-trans-sl yast2-trans-sr yast2-trans-sv yast2-trans-ta yast2-trans-th yast2-trans-tr yast2-trans-uk yast2-trans-vi yast2-trans-wa yast2-trans-xh yast2-trans-zh_CN yast2-trans-zh_TW yast2-trans-zu

- Update to version 84.87.20251004.03a20734b6:
  * Translated using Weblate (Indonesian)
  * Translated using Weblate (Indonesian)
  * Translated using Weblate (Indonesian)
  * Translated using Weblate (German)
  * Translated using Weblate (Portuguese (Brazil))
  * Translated using Weblate (Slovak)
  * Translated using Weblate (Catalan)
  * Translated using Weblate (Japanese)
  * Translated using Weblate (Catalan)
  * Update translation files
  * New POT for text domain 'bootloader'.