Please note that this mail was generated by a script. The described changes are computed based on the aarch64 DVD. The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=3&version=Tumbleweed&build=20250805

Please do not reply to this email to report issues, rather file a bug on bugzilla.opensuse.org. For more information on filing bugs please see https://en.opensuse.org/openSUSE:Submitting_bug_reports

Packages changed:
  gnutls (3.8.9 -> 3.8.10)
  ncurses (6.5.20250720 -> 6.5.20250726)
  nghttp2
  nghttp3 (1.10.1 -> 1.11.0)
  tpm2-0-tss (4.1.0 -> 4.1.3)

=== Details ===

==== gnutls ====
Version update (3.8.9 -> 3.8.10)
Subpackages: libgnutls-dane0 libgnutls30

- Build with leancrypto. The liboqs support for post-quantum cryptography (PQC) has been removed and is only provided through leancrypto.
- Update to 3.8.10:
  * libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK
    Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium]
    [bsc#1246299, CVE-2025-6395]
  * libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps
    Spotted by oss-fuzz and reported by OpenAI Security Research Team, and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1, CVSS: medium]
    [bsc#1246233, CVE-2025-32989]
  * libgnutls: Fix double-free upon error when exporting otherName in SAN
    Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2, CVSS: low]
    [bsc#1246232, CVE-2025-32988]
  * certtool: Fix 1-byte write buffer overrun when parsing template
    Reported by David Aitel. [GNUTLS-SA-2025-07-07-3, CVSS: low]
    [bsc#1246267, CVE-2025-32990]
  * libgnutls: PKCS#11 modules can now be used to override the default cryptographic backend.
    Use the [provider] section in the system-wide config to specify path and pin to the module (see system-wide config Documentation).
  * libgnutls: Linux kernel version 6.14 brings a Kernel TLS (kTLS) key update support.
    The library running on the aforementioned version now utilizes the kernel's key update mechanism when kTLS is enabled, allowing uninterrupted TLS session.
    The --enable-ktls configure option as well as the system-wide kTLS configuration (see GnuTLS Documentation) are still required to enable this feature.
  * libgnutls: liboqs support for PQC has been removed
    For maintenance purposes, support for post-quantum cryptography (PQC) is now only provided through leancrypto. The experimental key exchange algorithm, X25519Kyber768Draft00, which is based on the round 3 candidate of Kyber and only supported through liboqs has also been removed altogether.
  * libgnutls: TLS certificate compression methods can now be set with cert-compression-alg configuration option in the gnutls priority file.
  * libgnutls: All variants of ML-DSA private key formats are supported
    While the previous implementation of ML-DSA was based on draft-ietf-lamps-dilithium-certificates-04, this updates it to draft-ietf-lamps-dilithium-certificates-12 with support for all 3 variants of private key formats: "seed", "expandedKey", and "both".
  * libgnutls: ML-DSA signatures can now be used in TLS
    The ML-DSA signature algorithms, ML-DSA-44, ML-DSA-65, and ML-DSA-87, can now be used to digitally sign TLS handshake messages.
  * API and ABI modifications:
    - GNUTLS_PKCS_MLDSA_SEED: New enum member of gnutls_pkcs_encrypt_flags_t
    - GNUTLS_PKCS_MLDSA_EXPANDED: New enum member of gnutls_pkcs_encrypt_flags_t
- Add patch gnutls-3.8.10-disable-ktls_test.patch
- Rebased patches:
  * gnutls-FIPS-140-3-references.patch
  * gnutls-FIPS-disable-mac-sha1.patch
  * gnutls-disable-flaky-test-dtls-resume.patch
  * gnutls-skip-pqx-test.patch
- enable ktls support
- enable brotli and zstd compression support

==== ncurses ====
Version update (6.5.20250720 -> 6.5.20250726)
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen

- Add ncurses patch 20250726
  + modify configure script cases for $host_os, to accommodate 64-bit big-endian POWER linux with glibc (patch by Cosima Neidahl).
  + add warning to configure script to address conflict between the --enable-lp64 option and the options for overriding the types used for chtype and mmask_t.
- Port patch ncurses-6.4.dif

==== nghttp2 ====

- Account for the libngtcp2 devel split for openssl and gnutls.

==== nghttp3 ====
Version update (1.10.1 -> 1.11.0)

- Update to 1.11.0:
  * Revert "Tighten up :path validation"
  * Implement RFC 9412 ORIGIN frame
  * Clarify the life time of the object pointed
  * Update doc
  * Port ngtcp2 map changes
  * Treat malformed HTTP message as a connection error
  * Map seed
  * Add nghttp3_qpack_encoder_new2
  * Make nghttp3_rand accept uint8_t buffer
  * Origin changes
  * No need to zero-clear frent
  * Use compound literals instead of filling with zeros
  * Make macros static inline functions
  * Remove length from nghttp3_frame

==== tpm2-0-tss ====
Version update (4.1.0 -> 4.1.3)
Subpackages: libtss2-esys0 libtss2-fapi-common libtss2-fapi1 libtss2-mu0 libtss2-rc0 libtss2-sys1 libtss2-tcti-device0 libtss2-tctildr0

- Update to 4.1.3:
  * Fix name collisions during dlopen() on some linkers
- Update to 4.1.2:
  * configure.ac: Fix test of == to = to be POSIX compliant
  * Remove use of which in favor of command -v
- Update to 4.1.1:
  * Fixed inclusion of .map and .def files in release tar balls
