Packages changed:
  cfitsio (4.6.3 -> 4.6.4)
  crypto-policies
  evince (48.1+6 -> 48.2)
  freerdp (3.24.2 -> 3.26.0)
  gedit (49.0 -> 50.0)
  git
  libcaca (0.99.beta20 -> 0.99.beta20+git.1776622070.7c8e333)
  libgedit-amtk (5.9.2 -> 5.10.0)
  libgedit-gfls (0.3.1 -> 0.4.1)
  libgedit-gtksourceview (299.6.0 -> 299.7.0)
  libstorage-ng (4.5.320 -> 4.5.326)
  openSUSE-release (20260520 -> 20260521)
  openssh
  postfix (3.11.2 -> 3.11.3)
  python-certifi (2026.2.25 -> 2026.4.22)
  python-requests (2.33.1 -> 2.34.2)
  ruby4.0 (4.0.4 -> 4.0.5)
  systemd
  texlive
  xdp-tools
  xfce4-screenshooter
  yast2-security (5.0.5 -> 5.0.6)

=== Details ===

==== cfitsio ====
Version update (4.6.3 -> 4.6.4)

- Update to version 4.6.4:
  * This release includes patches to security vulnerabilities.
  * Input files iter_image.fits and vari.fits added for use in iter_image and iter_var example programs.
  * New configure/build options --enable-iterprogs for 'configure' and -DITERPROGS=ON for CMAKE.
  * Absolute paths for installation directories now supported in CMAKE builds.
  * Bug fixes for edge cases involving lossless compression of int-type images, and for float-types that cannot undergo lossy compression.
  * Bug fix for case of switching between HDUs of lossless and quantized compression.
  * Bug fix for applying histogram binning to image extensions.

==== crypto-policies ====
Subpackages: crypto-policies-scripts

- Remove crypto-policies-Allow-sshd-in-FIPS-mode-using-DEFAULT.patch to allow X25519 as required for sntrup761x25519-sha512@openssh.com and sntrup761x25519-sha512 in the DEFAULT policy. (bsc#1259825)
  Rebase crypto-policies-Allow-openssl-other-policies-in-FIPS-mode.patch
- Add PQC support for OpenSSH (bsc#1258311, bsc#1259825)
  * Enable sntrup761x25519-sha512 for OpenSSH by default
  * Add crypto-policies-OpenSSH-PQC.patch

==== evince ====
Version update (48.1+6 -> 48.2)
Subpackages: evince-lang evince-plugin-pdfdocument libevdocument3-4 libevview3-3 typelib-1_0-EvinceDocument-3_0 typelib-1_0-EvinceView-3_0

- Update to version 48.2:
  + shell: Quote strings in arguments used when calling ev_spawn

==== freerdp ====
Version update (3.24.2 -> 3.26.0)
Subpackages: libfreerdp3-3 librdtk0-0 libwinpr3-3

- Update to version 3.26.0:
  + CVE fixes:
    * 3 High ranking (no numbers assigned yet)
  + Bug and security fixes release
  + Changes:
    * cmake: Findyuv: Use correct pkgconfig name (#12666)
    * Remove deallocator attribute from rfx_message_free (#12681)
    * [winpr,utils] improve winpr/ntlm.h (#12677)
    * rdpecam-v4l: stop the capture thread when streaming is cleared (#12690)
    * fix(winpr,ncrypt): support PIV retired key slots for smartcard logon (#12684)
    * [core,instance] fix deprecation guards (#12691)
    * [ci,alt-arch] enable internal MD4, MD5 and RC4 (#12692)
    * Add VideoToolbox H.264 support for ffmpeg (#12694)
    * [client,common] add /args-from:file: syntax (#12697)
    * [ci,freebsd] update freebsd builds (#12698, #12700, #12701, #12702)
    * [client, android] UI modernization, SQLCipher and more (#12685, #12686, #12687, #12730, #12731, #12736, #12737, #12688)
    * [cmake,deps] use alias target for sso-mib (#12706)
    * [core,settings] add auto reconnect triggered flag (#12709)
    * Force YUV420P when videotoolbox is used (#12711)
    * Release cleanups (#12712)
    * [gdi,gfx] fix bounds checks and proxy unit tests (#12713)
    * Improved input checks (#12714)
    * [winpr,utils] add unit tests for command line parser (#12716)
    * Cmdline fixes (#12717)
    * [codec,planar] fix bounds checks (#12718)
    * [client,common] add freerdp_client_settings_parse_command_line_argume… (#12724)
    * [winpr,sspi] clean up ntlm code (#12732)
- Update to version 3.25.0:
  + CVE fixes:
    * CVE-2026-40254
  + Bug and security fixes release:
    * Experimental AV1 support has been added. This currently works only with FreeRDP based servers.
    * Most notably there is now support for [MS-RDPEWA] (FIDO2 redirection)
    * Android client received a (small) facelift
    * Improved SDL3 client drawing performance
    * Console output support for SDL3 (windows) and windows native client
    * RDP proxy now supports NSCodec and RFX modes.
    * RDP Proxy now has smartcard emulation and SAM file support (via config file)
    * Smartcard KSP support for NLA authentication
  + Changes:
    * [winpr,wlog] add WLog_SetGlobalPrefix (#12497)
    * [channels,video] fix wrong cast (#12511)
    * [codec,openh264] reject encoder ABI mismatch on runtime-loaded library (#12510)
    * [client,sdl] create a copy of rdpPointer (#12512)
    * [codec,video] properly pass intermediate format (#12518)
    * [utils, signal] lazily initialize Windows CRITICAL_SECTION to match POSIX static mutex behavior (#12520)
    * winpr: improve libunwind backtraces (#12530)
    * [server,shadow] remember selected caps (#12528)
    * Zero credential data before free in NLA and NTLM context (#12532)
    * [server,proxy] ignore missing client in input channel (#12536)
    * [server,proxy] ignore rdpdr messages (#12537)
    * [winpr,sspi] improve kerberos logging (#12538)
    * Codec fixes (#12542)
    * [winpr,sspi] Fix context nullptr handling (#12543)
    * Dev 3.24.3 dev0 (#12545)
    * Fix memory leak in gdi_create_bitmap() on gdi_CreateBitmap failure (libfreerdp/gdi/graphics.c) (#12547)
    * Fix memory leak in vgids_read_do_fkt() on Stream_New failure (libfreerdp/emu/scard/smartcard_virtual_gids.c) (#12548)
    * Proxy config improve (#12549)
    * Proxy config improve (#12550)
    * [client,sdl] clamp cursor hotspot (#12553)
    * RFC: Research/av1 codec extension (#12527)
    * [winpr,kerberos] fix krb_log_context_encryption (#12555)
    * [client,sdl] fix global init return check (#12558)
    * Fix remote credential with windows11h2 (#12560)
    * Proxy scard auth improvements (#12561)
    * [winpr,sspi] guard krb5_get_etype_info (#12562)
    * [utils,smartcard] fix STATUS_BUFFER_TOO_SMALL (#12564)
    * [client,common] do not manipulate security settings for smartcard-logon (#12567)
    * [channels,audin] fix regression for microphone (#12570)
    * [client,sdl] add SDL_KMOD_MODE and SDL_KMOD_LEVEL5 (#12569)
    * Fix unbound strlen on slotDescription (#12571)
    * build: Update FindFFmpeg.cmake to support Apple frameworks with 'lib' prefix (#12565)
    * [channels,rdpewa] add WebAuthn virtual channel support (#12572)
    * [core] fix freerdp_get_nla_sspi_error always returning 0 on client (#12574)
    * [ci] enable rdpewa channel (#12576)
    * small refactoring (#12578)
    * Rdpewa unify notifications (#12581)
    * [client,sdl] fix crash when clicking 'cancel' on PIN popup (#12580)
    * [channels,drive] refine bounds checks (#12584)
    * fix: smartcard logon with ECC keys and minidriver-assigned container names (#12585)
    * Various papercuts (#12583)
    * fix: console output on Windows client (#12573)
    * [winpr,crt] dump stack on aligned memory errors (#12588)
    * [client,x11] keep scancode input for Ctrl/Alt/Super combinations in /kbd:unicode mode (#12590)
    * [codec,progressive] fix underflow guard in progressive_rfx_quant_sub (#12592)
    * fix: wfreerdp floatbar visibility (#12594)
    * [winpr,json] return a copy from WINPR_JSON_Print* (#12595)
    * [client,sdl] drop WITH_DEBUG_SDL_EVENTS (#12599)
    * Ncrypt and asn1 cleanup (#12604)
    * Video channel fix (#12593)
    * [codec,h264] fix media foundation backend (#12606)
    * fix(sdl): detect Hyprland and river in tryFallback() (#12608)
    * Proxy stress fixes (#12597)
    * Add new fuzzer tests (#12613)
    * fix(sdl): use SDL_Renderer instead of software surfaces (#12607)
    * fix(sdl): BFS neighbor walk pop/begin mismatch in addOrUpdateDisplay (#12614)
    * fix(sdl): promote first monitor as primary when subset excludes primary (#12618)
    * [ci,android] default to only aarch64 (#12622)
    ... changelog too long, skipping 19 lines ...
    * [codec,dsp] fix fencepost error in dsp_ima_clamp_step (#12655)

==== gedit ====
Version update (49.0 -> 50.0)
Subpackages: gedit-lang

- Update to version 50.0:
  + Copy the plugins from the gedit-plugins repository: Word Completion, Smart Spaces, Draw Spaces and Bookmarks. The gedit-plugins repository will be archived.
  + Guidelines: no LLM AI tools.
  + macOS: small build simplification.
  + Updated translations.

==== git ====
Subpackages: git-core git-email git-gui git-web gitk perl-Git

- Add requires for awk as it is used by /usr/share/bash-completion/completions/git

==== libcaca ====
Version update (0.99.beta20 -> 0.99.beta20+git.1776622070.7c8e333)

- Updated to version 0.99.beta20+git.1776622070.7c8e333:
  * Switched to typed Ruby wrapping.
  * Simplified caca_create_display call.
  * Do not use _caca_alloc2d in the Ruby extension.
  * Prevented Init_caca from being hidden.
  * Reverted 156781dd67d024dc067010ef8640d0b91c5c3356.
  * Switched from MiniTest to Minitest.
  * Prevented undefined behaviour in overflow check (CVE-2026-42046 bsc1264984).
  * Fixed a crash on 0 sized font in img2txt.
  * Fixed an error message in img2txt.
  * Fixed handling of zero sized image in img2txt.
- Rewrote the SPEC file to correctly generate Python packages in all available versions.

==== libgedit-amtk ====
Version update (5.9.2 -> 5.10.0)
Subpackages: libgedit-amtk-5-0 libgedit-amtk-5-lang typelib-1_0-Amtk-5

- Update to version 5.10.0:
  + Change the definition of Amtk to "The Good Morning Toolkit". libgedit-amtk contains extra features for GTK 3, not only limited to the "Actions, Menus and Toolbars Kit".
  + Add AmtkTreeViewScrolledWindowSizing, an improved version imported from libgedit-gtksourceview.

==== libgedit-gfls ====
Version update (0.3.1 -> 0.4.1)
Subpackages: libgedit-gfls-1-0 libgedit-gfls-lang

- Update to version 0.4.1:
  + Fix a unit test on big-endian architectures.
  + Updated translations.
- Changes from version 0.4.0:
  + New features: GflsBytesRegion, GflsBytesRegionBuilder and GflsEncodingConvert.
  + New features imported from libgedit-gtksourceview: GflsIconv.
  + GflsInputStream: import improved version from libgedit-gtksourceview.
  + Updated translations.

==== libgedit-gtksourceview ====
Version update (299.6.0 -> 299.7.0)
Subpackages: libgedit-gtksourceview-lang typelib-1_0-GtkSource-300

- Update to version 299.7.0:
  + Completion framework:
    - Cherry-pick a few commits from GtkSourceView 4 to no longer use deprecated API and use gdk_window_move_to_rect().
    - Move GtkSourceCompletionContainer to libgedit-amtk as AmtkTreeViewScrolledWindowSizing.
    - Some code refactorings.
  + File loading and saving:
    - Move some code to libgedit-gfls and depend on it:
      . GtkSourceIconv -> GflsIconv
      . GtkSourceInputStream -> GflsInputStream
      . Use gfls_encoding_try_convert()
  + Syntax highlighting: Improvements to the syntax highlighting of: markdown and yaml.
  + Other:
    - A new public function in GtkSourceBuffer.
    - Avoid some code duplication.
  + Updated translations.
- Bump soname define.
- Add pkgconfig(libgedit-amtk-5) and pkgconfig(libgedit-gfls-1) BuildRequires: New dependencies.

==== libstorage-ng ====
Version update (4.5.320 -> 4.5.326)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1

- merge gh#openSUSE/libstorage-ng#1076
- added checks
- 4.5.326
- merge gh#openSUSE/libstorage-ng#1075
- added check
- added test case
- 4.5.325
- merge gh#openSUSE/libstorage-ng#1074
- make parted parser more robust
- added test cases
- 4.5.324
- Translated using Weblate (German) (bsc#1149754)
- 4.5.323
- Translated using Weblate (Italian) (bsc#1149754)
- Translated using Weblate (French) (bsc#1149754)
- 4.5.322
- Translated using Weblate (Portuguese (Brazil)) (bsc#1149754)
- 4.5.321

==== openSUSE-release ====
Version update (20260520 -> 20260521)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== openssh ====
Subpackages: openssh-clients openssh-common openssh-server

- Improve %prep LDAP regex to preserve subdirectories (e.g., openbsd-compat/) and handle optional [ab]/ prefixes.

==== postfix ====
Version update (3.11.2 -> 3.11.3)

- update to 3.11.3
  * Bitrot: builds with musl libc broke, because they were using an obsolete NO_SNPRINTF code path that had not been updated for Claude Code findings.
  * Two fixes for a signed integer overshift condition (a left shift into the sign bit). This "works" on contemporary CPUs, but may break in the future. One reported by Kamil Frankowicz, and one by Robert Sayre.
  * Viktor Dukhovni fixed an 'uninitialized value' error in the 'collate.pl' script.
  * Test code fixes by Viktor Dukhovni for a deprecation warning with OpenSSL 4.0, and for a race condition that caused a test script to fail.

==== python-certifi ====
Version update (2026.2.25 -> 2026.4.22)
Subpackages: python311-certifi python313-certifi

- Add missing BR openssl for `/etc/ssl/ca-bundle.pem`.

==== python-requests ====
Version update (2.33.1 -> 2.34.2)
Subpackages: python311-requests python313-requests

- update to 2.34.2:
  * Moved `headers` input type back to `Mapping` to avoid invariance issues with `MutableMapping` and inferred dict types. Users calling `Request.headers.update()` may need to narrow typing in their code.
  * Widened `json` input type from `dict` and `list` to `Mapping` and `Sequence`.
  * Changed `headers` input type to MutableMapping and removed `None` from `Request.headers` typing to improve handling for users.
  * `Response.reason` moved from `str | None` to `str` to improve handling for users.
  * Fixed a bug where some bodies with custom `__getattr__` implementations weren't being properly detected as Iterables.
  * Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.
  * Digest Auth hashing algorithms have added `usedforsecurity=False` to clarify security considerations.
  * Requests added support for Python 3.15 based on beta1.
  * Requests added support for Python 3.14t.
  * ``Response.history`` no longer contains a reference to itself, preventing accidental looping when traversing the history list.
  * Requests no longer performs greedy matching on no_proxy domains. The proxy_bypass implementation has been updated with CPython's fix from bpo-39057.
  * Requests no longer incorrectly strips duplicate leading slashes in URI paths. This should address user issues with specific presigned URLs. Note the full fix requires urllib3 2.7.0+.

==== ruby4.0 ====
Version update (4.0.4 -> 4.0.5)
Subpackages: libruby4_0-4_0

- Update to 4.0.5 (boo#1265890 boo#1265891)
  - CVE-2026-46727: Use-after-free in pthread-based getaddrinfo timeout handler
  - Bug #22065: make rdoc fails with invalid byte sequence in US-ASCII on Ruby 4.0.4 under C locale - Ruby - Ruby Issue Tracking System

==== systemd ====
Subpackages: libsystemd0 libsystemd0-32bit libudev1 systemd-32bit systemd-boot systemd-container systemd-lang udev

- Add a weak runtime dependency on libtss2-tcti-device0 to udev (bsc#1260357 bsc#1264224)
- systemd.spec: drop deprecated meson options 'libidn' and 'libiptc'
  Remove -Dlibidn and -Dlibiptc from meson options as both have been fully deprecated by upstream and will be removed in a future release.
  The libidn library support was completely dropped in commit 429cbac508 and has been replaced by libidn2. OTOH, systemd-networkd and systemd-nspawn no longer support creating NAT rules via iptables/libiptc APIs; only nftables is now supported (see commit c3c42b30dd).
- Import commit 1e45daa2fb423eb95ad00dcc389e03cfea8f86dc
  1e45daa2fb vconsole-setup: skip setfont(8) when the console driver lacks font support (bsc#1212970)
- Import commit 571d61da82f2654afacf52c620ceec3fbf220f6b
  571d61da82 cryptsetup: avoid a segfault when a keyfile is passed along with a TPM device (bsc#1263117)
  4e16626c0e mkosi: user and group bin needed for a test
  e5f2b85204 TEST-24-CRYPTSETUP: Use virtio-blk-pci
  9bac241fc1 TEST-64-UDEV-STORAGE: Add missing scsi controllers
  8581b451ed Revert "mkosi: Mark minimal images as Incremental=relaxed"
  5a53f0c965 mkosi-tool/opensuse: add libtss2-tcti-device0 package
- systemd.spec: drop ancient Obsoletes for pm-utils, suspend and systemd-analyze that predate 2020.

==== texlive ====

- Add perl(Parse::RecDescent) to perl-biber requirements (boo#1265577)

==== xdp-tools ====

- Remove redundant build environment
  * Since 1.5.4, upstream builds BPF objects directly with clang instead of LLC
  * Drop LLC from the xdp-tools build environment

==== xfce4-screenshooter ====
Subpackages: xfce4-screenshooter-lang xfce4-screenshooter-plugin

- Rewrite wayland conditionals as bcond_with/bcond_without
- Properly disable Wayland support in SLE15

==== yast2-security ====
Version update (5.0.5 -> 5.0.6)

- Change minimum UID from 500 to 1000 (bsc#1262458).