Packages changed:
  apache2-mod_php8 (8.4.17 -> 8.4.18)
  gnome-connections (49.0 -> 49.0+22)
  libssh (0.11.3 -> 0.11.4)
  libstorage-ng (4.5.287 -> 4.5.295)
  libzio (1.09 -> 1.10)
  libzypp (17.37.18 -> 17.38.2)
  openSUSE-release (20260213 -> 20260214)
  php8 (8.4.17 -> 8.4.18)
  plymouth
  python-cryptography (46.0.2 -> 46.0.5)
  sendmail (8.18.1 -> 8.18.2)
  systemd (258.3 -> 258.4)
  tigervnc (1.15.0 -> 1.16.0)
  udisks2 (2.10.91 -> 2.11.0)
  util-linux
  util-linux-systemd
  virtualbox
  virtualbox-kmp

=== Details ===

==== apache2-mod_php8 ====
Version update (8.4.17 -> 8.4.18)

- version update to 8.4.18
  Core:
    Fixed bug GH-20837 (NULL dereference when calling ob_start() in shutdown
    function triggered by bailout in php_output_lock_error()).
    Fix OSS-Fuzz #471533782 (Infinite loop in GC destructor fiber).
    Fix OSS-Fuzz #472563272 (Borked block_pass JMP[N]Z optimization).
    Fixed bug GH-20914 (Internal enums can be cloned and compared).
    Fix OSS-Fuzz #474613951 (Leaked parent property default value).
    Fixed bug GH-20766 (Use-after-free in FE_FREE with GC interaction).
    Fix OSS-Fuzz #471486164 (Broken by-ref assignment to uninitialized hooked
    backing value).
    Fix OSS-Fuzz #438780145 (Nested finally with repeated return type check
    may uaf).
    Fixed bug GH-20905 (Lazy proxy bailing __clone assertion).
    Fixed bug GH-20479 (Hooked object properties overflow).
  Date:
    Update timelib to 2022.16.
  DOM:
    Fixed GH-21041 (Dom\HTMLDocument corrupts closing tags within scripts).
  MbString:
    Fixed bug GH-20833 (mb_str_pad() divide by zero if padding string is
    invalid in the encoding).
    Fixed bug GH-20836 (Stack overflow in mb_convert_variables with recursive
    array references).
  Opcache:
    Fixed bug GH-20818 (Segfault in Tracing JIT with object reference).
  OpenSSL:
    Fix memory leaks when sk_X509_new_null() fails.
    Fix crash in openssl_x509_parse() when i2s_ASN1_INTEGER() fails.
    Fix crash in openssl_x509_parse() when X509_NAME_oneline() fails.
  Phar:
    Fixed bug GH-20882 (buildFromIterator breaks with missing base directory).
  PGSQL:
    Fixed INSERT/UPDATE queries building with PQescapeIdentifier() and
    possible UB.
  Readline:
    Fixed bug GH-18139 (Memory leak when overriding some settings via
    readline_info()).
  SPL:
    Fixed bug GH-20856 (heap-use-after-free in SplDoublyLinkedList iterator
    when modifying during iteration).
  Standard:
    Fixed bug #74357 (lchown fails to change ownership of symlink with ZTS)
    Fixed bug GH-20843 (var_dump() crash with nested objects)

==== gnome-connections ====
Version update (49.0 -> 49.0+22)
Subpackages: gnome-connections-lang

- Update to version 49.0+22:
  + Updated translations.

==== libssh ====
Version update (0.11.3 -> 0.11.4)
Subpackages: libssh-config libssh4

- Update to 0.11.4:
  * Security fixes:
    - CVE-2026-0964: SCP Protocol Path Traversal in ssh_scp_pull_request()
      (bsc#1258049)
    - CVE-2026-0965: Possible Denial of Service when parsing unexpected
      configuration files (bsc#1258045)
    - CVE-2026-0966: Buffer underflow in ssh_get_hexa() on invalid input
      (bsc#1258054)
    - CVE-2026-0967: Specially crafted patterns could cause DoS (bsc#1258081)
    - CVE-2026-0968: OOB Read in sftp_parse_longname() (bsc#1258080)
    - libssh-2026-sftp-extensions: Read buffer overrun when handling SFTP
      extensions
  * Other fixes:
    - Stability and compatibility improvements of ProxyJump
  * Remove patch upstream: libssh-cmake-Add-option-WITH_HERMETIC_USR.patch

==== libstorage-ng ====
Version update (4.5.287 -> 4.5.295)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1

- Translated using Weblate (Indonesian) (bsc#1149754)
- 4.5.295
- merge gh#openSUSE/libstorage-ng#1055
- added test cases
- 4.5.294
- merge gh#openSUSE/libstorage-ng#1054
- fixed use of suse_version macro
- 4.5.293
- merge gh#openSUSE/libstorage-ng#1053
- added test case
- 4.5.292
- Translated using Weblate (Catalan) (bsc#1149754)
- 4.5.291
- Translated using Weblate (Dutch) (bsc#1149754)
- Translated using Weblate (Slovak) (bsc#1149754)
- 4.5.290
- Translated using Weblate (Slovenian) (bsc#1149754)
- 4.5.289
- merge gh#openSUSE/libstorage-ng#1052
- updated pot and po files
- 4.5.288

==== libzio ====
Version update (1.09 -> 1.10)

- Version 1.10:
  Allow fdzopen() to detect magic bytes as well in the stream of the file
  descriptor. Note that this does not work if reading from a pipe or
  socketpair as it is not possible to reset the reposition of the file
  descriptor. Today it is impossible to use fdzopen in a pipe.

==== libzypp ====
Version update (17.37.18 -> 17.38.2)

- Prepare a legacy /etc/zypp/zypp.conf to be installed on old distros.
  See the ZYPP.CONF(5) man page for details.
- Fix runtime check for broken rpm --runposttrans (bsc#1257068)
- version 17.38.2 (35)
- Avoid libcurl-mini4 when building as it does not support ftp protocol.
- Translation: updated .pot file.
- version 17.38.1 (35)
- zypp.conf: follow the UAPI configuration file specification (PED-14658)
  In short terms it means we will no longer ship an /etc/zypp/zypp.conf, but
  store our own defaults in /usr/etc/zypp/zypp.conf. The systems administrator
  may choose to keep a full copy in /etc/zypp/zypp.conf ignoring our config
  file settings completely, or - the preferred way - to overwrite specific
  settings via /etc/zypp/zypp.conf.d/*.conf overlay files.
  See the ZYPP.CONF(5) man page for details.
- cmake: correctly detect rpm6 (fixes #689)
- Use 'zypp.tmp' as temp directory component to ease setting up SELinux
  policies (bsc#1249435)
- zyppng: Update Provider to current MediaCurl2 download approach, drop
  Metalink (fixes #682)
- version 17.38.0 (35)

==== openSUSE-release ====
Version update (20260213 -> 20260214)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== php8 ====
Version update (8.4.17 -> 8.4.18)
Subpackages: php8-ctype php8-dom php8-iconv php8-openssl php8-pdo php8-sqlite php8-tokenizer php8-xmlreader php8-xmlwriter

- version update to 8.4.18
  Core:
    Fixed bug GH-20837 (NULL dereference when calling ob_start() in shutdown
    function triggered by bailout in php_output_lock_error()).
    Fix OSS-Fuzz #471533782 (Infinite loop in GC destructor fiber).
    Fix OSS-Fuzz #472563272 (Borked block_pass JMP[N]Z optimization).
    Fixed bug GH-20914 (Internal enums can be cloned and compared).
    Fix OSS-Fuzz #474613951 (Leaked parent property default value).
    Fixed bug GH-20766 (Use-after-free in FE_FREE with GC interaction).
    Fix OSS-Fuzz #471486164 (Broken by-ref assignment to uninitialized hooked
    backing value).
    Fix OSS-Fuzz #438780145 (Nested finally with repeated return type check
    may uaf).
    Fixed bug GH-20905 (Lazy proxy bailing __clone assertion).
    Fixed bug GH-20479 (Hooked object properties overflow).
  Date:
    Update timelib to 2022.16.
  DOM:
    Fixed GH-21041 (Dom\HTMLDocument corrupts closing tags within scripts).
  MbString:
    Fixed bug GH-20833 (mb_str_pad() divide by zero if padding string is
    invalid in the encoding).
    Fixed bug GH-20836 (Stack overflow in mb_convert_variables with recursive
    array references).
  Opcache:
    Fixed bug GH-20818 (Segfault in Tracing JIT with object reference).
  OpenSSL:
    Fix memory leaks when sk_X509_new_null() fails.
    Fix crash in openssl_x509_parse() when i2s_ASN1_INTEGER() fails.
    Fix crash in openssl_x509_parse() when X509_NAME_oneline() fails.
  Phar:
    Fixed bug GH-20882 (buildFromIterator breaks with missing base directory).
  PGSQL:
    Fixed INSERT/UPDATE queries building with PQescapeIdentifier() and
    possible UB.
  Readline:
    Fixed bug GH-18139 (Memory leak when overriding some settings via
    readline_info()).
  SPL:
    Fixed bug GH-20856 (heap-use-after-free in SplDoublyLinkedList iterator
    when modifying during iteration).
  Standard:
    Fixed bug #74357 (lchown fails to change ownership of symlink with ZTS)
    Fixed bug GH-20843 (var_dump() crash with nested objects)

==== plymouth ====
Subpackages: libply-splash-core5 libply-splash-graphics5 libply5 plymouth-dracut plymouth-lang plymouth-plugin-label plymouth-plugin-two-step plymouth-scripts plymouth-theme-bgrt plymouth-theme-spinner

- Update plymouth.spec: Fix packages for Immutable Mode - plymouth:
  The introduction of Immutable Mode in SLES 16.1 has the effect of 'raising
  the bar' of what is acceptable in our RPM spec files. This is because the
  Immutable Mode is not just integrating Micro into the SLES product, but also
  needs to support use cases and usage patterns which were considered
  secondary or unsupported in Micro. Immutable Mode is also forming the base
  of our Unified Core offerings. Therefore the goal is to minimise any
  manipulation of user-owned portions of the filesystem from all RPM spec
  files to an absolute minimum. As Immutable Mode is considered a mandatory
  feature for SLES 16.1, any package that fails to support it fully may
  struggle to be shipped as part of that release. (PED-14817)
- Add conditions to initrd update action to avoid OBS install test failure.

==== python-cryptography ====
Version update (46.0.2 -> 46.0.5)
Subpackages: python311-cryptography python313-cryptography

- Update to 46.0.5 (fixes CVE-2026-26007, bsc#1258074)
  * An attacker could create a malicious public key that reveals portions of
    your private key when using certain uncommon elliptic curves (binary
    curves). This version now includes additional security checks to prevent
    this attack.
    This issue only affects binary elliptic curves, which are rarely used in
    real-world applications. Credit to XlabAI Team of Tencent Xuanwu Lab and
    Atuin Automated Vulnerability Discovery Engine for reporting the issue.
    CVE-2026-26007
  * Support for SECT* binary elliptic curves is deprecated and will be removed
    in the next release.
- Update to 46.0.4
  * Dropped support for win_arm64 wheels.
  * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.
- Update to 46.0.3
  * Fixed compilation when using LibreSSL 4.2.0.

==== sendmail ====
Version update (8.18.1 -> 8.18.2)
Subpackages: libmilter1_0

- update to 8.12.2:
  * Avoid adding a second To: header to DSNs, instead any additional addresses
    are appended to an existing To: header (this also applies to Cc: and
    Bcc:).
  * Fix matching of wildcard SANs in the experimental support for SMTP MTA
    Strict Transport Security (MTA-STS). Problem reported by Dilyan Palauzo.
  * The experimental support for SMTP MTA Strict Transport Security has been
    significantly rewritten to handle the problems caused by it being tied to
    the domain of a RCPT address (instead to an SMTP server for all the
    domains it handles - compare DANE). The most visible change is that an
    SMTP transaction where the first RCPT has an STS policy will have only
    RCPTs with the same domain instead of all RCPTs going to the same servers
    (MX). Accordingly, MTA-STS can be disabled per RCPT domain by adding
    access map entries of the form
      STS:domain NO
    Successful deliveries to RCPTs which have an STS policy show STS=OK in the
    to=... stat=Sent log entry. If an STS policy for a RCPT could not be
    fulfilled then the RCPT is not being sent and an error containing the
    string "STS" is logged.
  * MaxQueueAge is now observed for all types of QueueSortOrder even those
    which internally skip some code (including the MaxQueueAge check).
  * On some systems the rejection of a RCPT by a milter could silently be
    ignored.
  * Increase size for an internal buffer which can contain AUTH data because
    XOAUTH2 could use very long tokens.

==== systemd ====
Version update (258.3 -> 258.4)
Subpackages: libsystemd0 libsystemd0-32bit libudev1 systemd-32bit systemd-boot systemd-container systemd-lang udev

- Import commit 8838beb6f391a98ba74c4b4ab2880271af443c54
  8838beb6f3 units: restore runlevel[0-6].target aliases
  2b9447c81d getty: remove --issue-file parameter (bsc#1257587)
- Restore the runlevel[0-6].target aliases in the systemd-sysvcompat
  sub-package.
  These targets will remain supported until the SysV init script support is
  officially removed.
- Avoid shipping (empty) directories and ghost files in /var (jsc#PED-14853)
  This was originally intended to ensure these paths had a designated package
  owner. However the existing list was neither exhaustive nor up to date. To
  better support immutable images, we are removing these entries and will now
  keep only /var/lib/systemd as owned by the systemd package. Maintaining the
  broader list provided little value due to its ongoing inconsistency anyways.
- Move systemd-bless-boot from systemd-boot to udev subpackage, as it is used
  by grub2-bls as well
- Import commit 3f291a53256445d192243b71332c3602ef6ee93a (merge of v258.4)
  For a complete list of changes, visit:
  https://github.com/openSUSE/systemd/compare/2ffdb7879d1913b91d75fb7638023689ad49d6ff...3f291a53256445d192243b71332c3602ef6ee93a

==== tigervnc ====
Version update (1.15.0 -> 1.16.0)
Subpackages: libXvnc1 tigervnc-selinux xorg-x11-Xvnc xorg-x11-Xvnc-module

- enabled build of w0vncserver by enabling wayland support
  ("-DENABLE_WAYLAND=ON") requiring now glib-2.0, libpipewire-0.3,
  wayland-client and xkbcommon libs
- Update to version 1.16.0
  * The native viewer has a new keyboard shortcut system to control the
    viewer, replacing the F8 shortcut and allowing easier access to toggle
    full-screen mode and redirecting system keys
  * The native viewer now supports sending system keys even in windowed mode
  * Added a new server called w0vncserver for sharing Wayland desktops
  * The Java viewer has more fine-grained control of scaling the session
  * The native viewer uses a different method to intercept system keys on
    macOS, which will require explicit user approval
  * The native viewer has an improved server field, with searchable history
  * The native viewer now intercepts and forwards all¹ system keys on Windows
  * The native viewer is now more responsive when resizing the remote session
  * Red Hat Enterprise Linux 10 packages have been added, although without
    libvnc.so
  * Ubuntu 20.04 and Red Hat Enterprise Linux 7 packages have been removed
- adjusted the following patches
  * n_tigervnc-Correct-path-in-desktop-file.patch
  * n_tigervnc-Date-time.patch
  * n_tigervnc-Dont-sign-java-client.patch
  * n_tigervnc-Vncserver.patch
  * u_tigervnc-Build-libXvnc-as-separate-library.patch
  * u_tigervnc-Ignore-epipe-on-write.patch
  * n_tigervnc-reproducible-jar-mtime.patch

==== udisks2 ====
Version update (2.10.91 -> 2.11.0)
Subpackages: libudisks2-0 libudisks2-0_btrfs udisks2-bash-completion udisks2-lang

- Update to version 2.11.0:
  + ATA SMART handling has been ported over to libblockdev which now offers
    two plugins, based on libatasmart (default, recommended) and smartmontools
    (experimental). There is an additional attribute validation layer in place
    in libblockdev, some attributes may now be reported as 'unknown' or
    'untrusted'. Drive temperature reporting has been reworked as well.
  + ATA SMART functionality has been made optional through the --disable-smart
    configure switch (default: Enabled).
  + ATA SMART can be also selectively turned off for some drives by setting
    ID_ATA_SMART_ACCESS udev property to none. In such a case, the
    Drive.Ata.SmartUpdated property will remain set to zero to indicate it was
    never updated for a particular drive.
  + ATA feature flags are now mostly retrieved from udev, skipping additional
    probing done by UDisks in case of udev >= 257.

==== util-linux ====
Subpackages: libblkid1 libfdisk1 libmount1 libsmartcols1 libuuid1 util-linux-lang

- Fix bsc#1222465.
- Add patch:
  * util-linux-bsc-1222465.patch
- Patch has already been merged upstream, and may be deleted during the next
  release.

==== util-linux-systemd ====
Subpackages: lastlog2 liblastlog2-2

- Fix bsc#1222465.
- Add patch:
  * util-linux-bsc-1222465.patch
- Patch has already been merged upstream, and may be deleted during the next
  release.

==== virtualbox ====

- Update license tag to GPL-3.0-only
  * Requested by SUSE legal via legaldb

==== virtualbox-kmp ====

- Update license tag to GPL-3.0-only
  * Requested by SUSE legal via legaldb