Please note that this mail was generated by a script. The described changes are computed based on the aarch64 DVD. The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading: https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=3&version=Tumbleweed&build=20250620 Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports Packages changed: adwaita-icon-theme (48.0 -> 48.1) clamav (1.4.2 -> 1.4.3) gdm grilo-plugins (0.3.16+45 -> 0.3.17) jq (1.7.1 -> 1.8.0) libsoup libsoup2 libyui (4.7.3 -> 4.7.4) libyui-ncurses (4.7.3 -> 4.7.4) libyui-ncurses-pkg (4.7.3 -> 4.7.4) libyui-qt (4.7.3 -> 4.7.4) libyui-qt-graph (4.7.3 -> 4.7.4) libyui-qt-pkg (4.7.3 -> 4.7.4) ncurses (6.5.20250531 -> 6.5.20250614) openSUSE-release (20250618 -> 20250620) pam (1.7.0 -> 1.7.1) pam-full-src (1.7.0 -> 1.7.1) pam_pkcs11 python-certifi (2025.1.31 -> 2025.6.15) selinux-policy (20250616 -> 20250618) systemd === Details === ==== adwaita-icon-theme ==== Version update (48.0 -> 48.1) - Update to version 48.1: + cursors: semantic cleanup of DND cursors. ==== clamav ==== Version update (1.4.2 -> 1.4.3) Subpackages: libclamav12 libclammspack0 libfreshclam3 - New version 1.4.3: ClamAV 1.4.3 is a patch release with the following fixes: * CVE-2025-20260, bsc#1245054: Fixed a possible buffer overflow write bug in the PDF file parser that could cause a denial-of-service (DoS) condition or enable remote code execution. This issue only affects configurations where both: - The max file-size scan limit is set greater than or equal to 1024MB. - The max scan-size scan limit is set greater than or equal to 1025MB. The code flaw was present prior to version 1.0.0, but a change in version 1.0.0 that enables larger allocations based on untrusted data made it possible to trigger this bug. This issue affects all currently supported versions. * CVE-2025-20234, bsc#1245055: Fixed a possible buffer overflow read bug in the UDF file parser that may write to a temp file and thus disclose information, or it may crash and cause a denial-of-service (DoS) condition. This issue was introduced in version 1.2.0. * Fixed a possible use-after-free bug in the Xz decompression module in the bundled lzma-sdk library. This issue was fixed in the lzma-sdk version 18.03. ClamAV bundles a copy of the lzma-sdk with some performance changes specific to libclamav, plus select bug fixes like this one in lieu of a full upgrade to newer lzma-sdk. This issue affects all ClamAV versions at least as far back as 0.99.4. * Windows: Fixed a build install issue when a DLL dependency such as libcrypto has the exact same name as one provided by the Windows operating system. - Renew clamav.keyring ==== gdm ==== Subpackages: gdm-schema gdm-xdm-integration gdmflexiserver libgdm1 typelib-1_0-Gdm-1_0 - pam.d: removes pam_env from auth stack for security reason [bsc#1243226, CVE-2025-6018] ==== grilo-plugins ==== Version update (0.3.16+45 -> 0.3.17) Subpackages: grilo-plugin-tracker - Update to version 0.3.17: + filesystem: - Fix is-hidden warning browsing filesystem entries - Add ability to split sources + Fix build with libxml 2.12 + Replace defunct mailing list URLs with GNOME Discourse + dleyna: - Quiet error when dleyna is not installed - Fix "Quiet error when dleyna is not installed" + tests: - Adapt to tracker-test-sandbox utility changes - Fix tracker3 test duration range + Remove non-working plugins (appletrailers, raitv) + euronews: Remove source + plugins: add IPTV source + iptv: - improve iptv source - fix typo in the path of the icon + plugins: Add OpenSubtitles in Lua + Updated translations. - Add pkgconfig(rest-1.0) BuildRequires, new dependency. ==== jq ==== Version update (1.7.1 -> 1.8.0) Subpackages: libjq1 - Update to version 1.8.0 Security fixes * CVE-2024-23337: Fix signed integer overflow in jvp_array_write and jvp_object_rehash. * CVE-2024-53427: Reject NaN with payload while parsing JSON. * CVE-2025-48060: Fix heap buffer overflow in jv_string_vfmt. * Fix use of uninitialized value in check_literal. * Fix segmentation fault on strftime/1, strflocaltime/1. * Fix unhandled overflow in @base64d. CLI changes * Fix --indent 0 implicitly enabling --compact-output. * Improve error messages to show problematic position in the filter. * Include column number in parser and compiler error messages. * Fix error message for string literal beginning with single quote. * Improve JQ_COLORS environment variable to support larger escapes like truecolor. * Add --library-path long option for -L. * Fix --slurp --stream when input has no trailing newline character. * Fix --indent option to error for malformed values. * Fix option parsing of --binary on non-Windows platforms. * Fix issue with ~/.jq on Windows where $HOME is not set. * Increase the maximum parsing depth for JSON to 10000. * Parse short options in order given. * Consistently reset color formatting. New functions * Add trim/0, ltrim/0 and rtrim/0 to trim leading and trailing white spaces. * Add trimstr/1 to trim string from both ends. * Add add/1. Generator variant of add/0. * Add skip/2 as the counterpart to limit/2. * Add toboolean/0 to convert strings to booleans. * Add @urid format. Reverse of @uri. Changes to existing functions * Use code point index for indices/1, index/1 and rindex/1. * Improve tonumber/0 performance and rejects numbers with leading or trailing white spaces. * Populate timezone data when formatting time. * Preserve numerical precision on unary negation, abs/0, length/0 * Make last(empty) yield no output values like first(empty). * Make ltrimstr/1 and rtrimstr/1 error for non-string inputs. * Make limit/2 error for negative count. * Fix mktime/0 overflow and allow fewer elements in date-time representation array. * Fix non-matched optional capture group. * Provide strptime/1 on all systems. * Improve bsearch/1 performance by implementing in C. * Improve unique/0 and unique_by/1 performance. * Fix error messages including long string literal not to break Unicode characters. * Remove pow10/0 as it has been deprecated in glibc 2.27. Use exp10/0 instead. * Remove private (and undocumented) _nwise filter. Language changes * Fix precedence of binding syntax against unary and binary operators. * Support Tcl-style multiline comments. * Fix foreach not to break init backtracking with DUPN. * Fix reduce/foreach state variable should not be reset each iteration. * Support CRLF line breaks in filters. * Improve performance of repeating strings. - Drop not longer needed patches (fixed by upstream): * CVE-2024-23337.patch * CVE-2024-53427.patch - Remove not longer needed hardcoded compiler option "-std-gnu17" gh#3206 ==== libsoup ==== Subpackages: libsoup-3_0-0 typelib-1_0-Soup-3_0 - Add libsoup-CVE-2025-4945.patch: add value checks for date/time parsing (boo#1243314 CVE-2025-4945). ==== libsoup2 ==== - Add libsoup-CVE-2025-4945.patch: add value checks for date/time parsing (boo#1243314 CVE-2025-4945). ==== libyui ==== Version update (4.7.3 -> 4.7.4) - Integrated the graphviz API fix upstream (gh#libyui/libyui#120) (Let CMake detect graphviz version) - 4.7.4 D graphviz_unsigned_fix.patch ==== libyui-ncurses ==== Version update (4.7.3 -> 4.7.4) - Integrated the graphviz API fix upstream (gh#libyui/libyui#120) (Let CMake detect graphviz version) - 4.7.4 D graphviz_unsigned_fix.patch ==== libyui-ncurses-pkg ==== Version update (4.7.3 -> 4.7.4) - Integrated the graphviz API fix upstream (gh#libyui/libyui#120) (Let CMake detect graphviz version) - 4.7.4 D graphviz_unsigned_fix.patch ==== libyui-qt ==== Version update (4.7.3 -> 4.7.4) - Integrated the graphviz API fix upstream (gh#libyui/libyui#120) (Let CMake detect graphviz version) - 4.7.4 D graphviz_unsigned_fix.patch ==== libyui-qt-graph ==== Version update (4.7.3 -> 4.7.4) - Integrated the graphviz API fix upstream (gh#libyui/libyui#120) (Let CMake detect graphviz version) - 4.7.4 D graphviz_unsigned_fix.patch ==== libyui-qt-pkg ==== Version update (4.7.3 -> 4.7.4) - Integrated the graphviz API fix upstream (gh#libyui/libyui#120) (Let CMake detect graphviz version) - 4.7.4 D graphviz_unsigned_fix.patch ==== ncurses ==== Version update (6.5.20250531 -> 6.5.20250614) Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen - Add ncurses patch 20250614 + reduce lintian warnings for test-packages. + clean up some shellcheck warnings + improve test/configure checks for X libraries, reducing duplicates + fix some typos/errata in license text, to help with scripted checks ==== openSUSE-release ==== Version update (20250618 -> 20250620) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== pam ==== Version update (1.7.0 -> 1.7.1) - hardcode disabling elogind, meson detection is unreliable in OBS - Update to version 1.7.1 - pam_access: do not resolve ttys or display variables as hostnames. - pam_access: added "nodns" option to disallow resolving of tokens as hostnames (CVE-2024-10963). - pam_limits: added support for rttime (RLIMIT_RTTIME). - pam_namespace: fixed potential privilege escalation (CVE-2025-6020). - meson: added support of elogind as a logind provider. - Multiple minor bug fixes, build fixes, portability fixes, documentation improvements, and translation updates. - pam_access-rework-resolving-of-tokens-as-hostname.patch got obsoleted ==== pam-full-src ==== Version update (1.7.0 -> 1.7.1) Subpackages: pam-extra pam-manpages - hardcode disabling elogind, meson detection is unreliable in OBS - Update to version 1.7.1 - pam_access: do not resolve ttys or display variables as hostnames. - pam_access: added "nodns" option to disallow resolving of tokens as hostnames (CVE-2024-10963). - pam_limits: added support for rttime (RLIMIT_RTTIME). - pam_namespace: fixed potential privilege escalation (CVE-2025-6020). - meson: added support of elogind as a logind provider. - Multiple minor bug fixes, build fixes, portability fixes, documentation improvements, and translation updates. - pam_access-rework-resolving-of-tokens-as-hostname.patch got obsoleted ==== pam_pkcs11 ==== - Removes pam_env from auth stack for security reason [bsc#1243226, CVE-2025-6018] ==== python-certifi ==== Version update (2025.1.31 -> 2025.6.15) Subpackages: python311-certifi python313-certifi - Update to 2024.6.15 * Declare setuptools as the build backend in pyproject.toml * remove code that's no longer required that 3.7 is our minimum - Rebase python-certifi-shipped-requests-cabundle.patch ==== selinux-policy ==== Version update (20250616 -> 20250618) Subpackages: selinux-policy-targeted - Update to version 20250618: * Set /srv/www = /var/www as equivalent file context (bsc#1239177) ==== systemd ==== Subpackages: libsystemd0 libudev1 systemd-boot systemd-container systemd-experimental udev - Import commit 1e42ecf5a145589954df77da05937ee69619f3e5 1e42ecf5a1 firstboot: make sure labelling is enabled 3bdb2efbe0 tmpfiles: fix symlink creation when replacing 61c228d2cc firstboot: use WRITE_STRING_FILE_LABEL more f5148acf37 env-file: port write_env_file() to label_ops_pre() bbff8b5523 fs-util: replace symlink_atomic_full_label() by a flag to symlinkat_atomic_full() (bsc#1244237) 2b39393efa env-file: rework write_env_file() to make use of O_TMPFILE
