Packages changed: emacs-compat (30.1.0.1 -> 31.0.0.1) emacs-jinx (2.6 -> 2.8) grub2 hwinfo (25.2 -> 25.3) javapackages-tools jq libxmlb (0.3.25 -> 0.3.27) perl-XML-LibXML (2.0210 -> 2.0212) perl-XML-Parser (2.580.0 -> 2.590.0) python-psutil rsync (3.4.1 -> 3.4.3) selinux-policy (20260508 -> 20260522) thin-provisioning-tools (1.2.1 -> 1.3.2) === Details === ==== emacs-compat ==== Version update (30.1.0.1 -> 31.0.0.1) - Rebase 0001-Add-install-target.patch against new upstream version - Update to version 31.0.0.1: * compat-31: Improve with-work-buffer implementation - Changes from version 31.0.0.0 * compat-28: New pcase pattern =cl-type=. * compat-29: Add =string-glyph-compose= and =string-glyph-decompose=. (gh#emacs-compat/compat#76) * compat-31: New macros =static-when= and =static-unless=. * compat-31: New functions =oddp= and =evenp=. * compat-31: New functions =minusp= and =plusp=. * compat-31: New macros =incf= and =decf=. * compat-31: New function =color-blend=. * compat-31: New function =completion-table-with-metadata=. * compat-31: New function =completion-list-candidate-at-point=. * compat-31: New macro =with-work-buffer=. * compat-31: New function =unbuttonize-region=. * compat-31: New extended function =seconds-to-string=. * compat-31: New function =hash-table-contains-p=. * compat-31: New function =remove-display-text-property=. * compat-31: New functions =drop-while=, =take-while=, =member-if=, =any=, =all=. * compat-31: New function =set-local=. * compat-31: New function =ensure-proper-list=. * compat-31: New error API functions =error-type-p=, =error-has-type-p=, =error-type= and =error-slot-value=. * Drop support for Emacs 24.x. Emacs 25.1 is required now. In case Emacs 24.x support is still needed, Compat 30 can be used. ==== emacs-jinx ==== Version update (2.6 -> 2.8) - Update to version 2.8: * Require Compat 31 * Exclude the appropriate faces/properties in git-commit-mode * Add support for minor modes to jinx-include-* and jinx-exclude-* variables. - Changes from version 2.7: * Improve mouse menu. ==== grub2 ==== Subpackages: grub2-common grub2-i386-pc grub2-snapper-plugin grub2-systemd-sleep-plugin grub2-x86_64-efi grub2-x86_64-efi-bls - Add python-base BR ==== hwinfo ==== Version update (25.2 -> 25.3) Subpackages: libhd25 - merge gh#openSUSE/hwinfo#178 - fix memory leaks in pci and pppoe modules (bsc#1265908) - avoid NULL pointer in ADD2LOG() call - 25.3 ==== javapackages-tools ==== Subpackages: javapackages-filesystem - Add missing python3-base requirements. - 'python-javapackages' subpackage for the primary Python interpreter should also provide 'python3-javapackages' symbol. ==== jq ==== Subpackages: libjq1 - Add patch CVE-2026-33948.patch (CVE-2026-33948, bsc#1262043) - Add patch CVE-2026-32316.patch (CVE-2026-32316, bsc#1262044) - Add patch CVE-2026-33947.patch (CVE-2026-33947, bsc#1262069) - Add patch CVE-2026-39956.patch (CVE-2026-39956, bsc#1262070) - Add patch CVE-2026-39979.patch (CVE-2026-39979, bsc#1262071) - Add patch CVE-2026-40164.patch (CVE-2026-40164, bsc#1262072) - Add patch CVE-2026-40612.patch (CVE-2026-40612, bsc#1265060) - Add patch CVE-2026-41256.patch (CVE-2026-41256, bsc#1265061) - Add patch CVE-2026-41257.patch (CVE-2026-41257, bsc#1265062) - Add patch CVE-2026-43894.patch (CVE-2026-43894, bsc#1265070) - Add patch CVE-2026-43895.patch (CVE-2026-43895, bsc#1265071) - Add patch CVE-2026-43896.patch (CVE-2026-43896, bsc#1265075) - Add patches CVE-2026-44777_0.patch and CVE-2026-44777_1.patch (CVE-2026-44777, bsc#1265076) ==== libxmlb ==== Version update (0.3.25 -> 0.3.27) Subpackages: libxmlb2 libxmlb2-x86-64-v3 - Update to version 0.3.27: + New Features: Bump the required version of GLib to 2.68 + Bugfixes: - Do not construct an invalid silo when processing more than 30 attrs - Fix NULL pointer dereference when searching with NULL needle - Fix potential use-after-free when building the in() haystack - Fix stem() type-checking the wrong stack position - Handle NULL string opcodes in more functions - Limit operator recursion depth in xb_machine_parse_section - Limit the number of predicates and OR branches in each section - Prevent an infinite loop when parsing a corrupt silo - Reject XML with more than 65535 unique element names - Changes from version 0.3.26: + New Features: Parse CDATA as text + Bugfixes: - Add bounds check to prevent OOB read in token index lookup - Do not write an invalid silo when more than 63 attrs on one node - No inotify for illumos and Solaris - Prevent stack overflow from unbounded recursion in export ==== perl-XML-LibXML ==== Version update (2.0210 -> 2.0212) - Remove perl-XML-LibXML-fix-testsuite-with-libxml2-2.14.patch (fixed upstream) - updated to 2.0212 see /usr/share/doc/packages/perl-XML-LibXML/Changes 2.0212 2026-05-19 [BUG FIXES] - Ship POD files in the CPAN tarball. The per-class .pod files generated from docs/libxml.dbk were gitignored, and nothing in the dist chain was producing them, so recent tarballs shipped without POD. The .pod files are now tracked in git (bison-style), so `make dist` includes them via MANIFEST and the documentation reaches CPAN consumers again. Also eliminates the bootstrap problem of needing XML::LibXML installed to build XML::LibXML's docs, and silences the "kit incomplete" warning from `perl Makefile.PL` on a fresh checkout. [MAINTENANCE] - Add a `pod-drift` CI job that runs `make pod_docs` and fails on any diff, catching forgotten POD regenerations after edits to docs/libxml.dbk. - Move xmllibxmldocs.pl from example/ to scripts/. It is a maintenance tool that emits source files (POD), not a usage example of XML::LibXML; scripts/ already houses similar build/dev tooling. - Skip t/release-kwalitee.t outside a dist tarball. The Test::Kwalitee `has_meta_yml` check was failing under `make test` in author mode because META.yml is only generated by `make dist`. The test now skips cleanly when META.yml is absent and still runs the full 18-check suite under `make disttest` against the unpacked tarball. 2.0211 2026-05-19 [SECURITY / BUG FIXES] - Prevent out-of-bounds UTF-8 read in domParseChar by replacing it with libxml2's xmlValidateName. Truncated multi-byte sequences could cause heap reads past the NUL terminator across five DOM entry points (createElement, createAttribute, setNodeName, etc.). - GH #146, PR #149 CVE-2026-8177 bsc#1264715 - Enforce no_network even when a global externalEntityLoader is set. Previously XML_PARSE_NONET was silently ignored once a global callback was installed, enabling SSRF in multi-module applications that combine a third-party entity loader with no_network parsers. - GH #133, PR #143 - Prevent integer overflow in SAX CBuffer length tracking. Total character data exceeding INT_MAX (~2GB) overflowed the accumulator causing xmlMalloc to under-allocate and the subsequent memcpy to write past the buffer. - GH #135, PR #142 - Proper lifecycle management for externalEntityLoader: the global loader can now be cleared or replaced safely, the previous handler SV is no longer leaked, the returned value is a safe copy rather than the internal global SV, and per-parser ext_ent_handler state is separated from the global slot. - PR #138 - Add NULL checks after xmlMalloc returns in SAX CBuffer operations, converting OOM segfaults into catchable Perl exceptions. - GH #136, PR #140 - Add NULL check after xmlCopyNamespace in _domReconcileNs, matching the existing guard in _domReconcileNsAttr. - GH #137, PR #139 - Plug 11 memory leaks across XS/C code, including setBaseURI, URI/documentURI accessors, load_catalog, PSaxCharactersFlush, createAttributeNS, XPathContext::_find, _newForIO, _toStringC14N, lookupNamespacePrefix, _setNamespace, and the generic XPath extension function dispatcher. - GH #131, PR #132 - Handle Apple's local libxml2 patch where xmlSAX2ResolveEntity throws on a NULL URI, so t/13dtd.t no longer dies on macOS. - RT #2021, PR #102 - Skip t/50devel.t when mem_used() reports 0 bytes, which happens on Apple's libxml2 (system malloc bypasses the tracking wrappers). - RT #165193, PR #94 [IMPROVEMENTS] - Resolve Windows CI test failures and compiler warnings: use the file size (-s) for the byteConsumed test instead of a hardcoded 488 (CRLF inflates the file to 507 bytes), use Perl UV/PTR2UV in PmmRegistryName to avoid pointer truncation under Win64 LLP64, and use const xmlError* for xmlCtxtGetLastError to match the libxml2 2.12+ API. - PR #122 - Silence macOS build warnings cleanly by gating the libxml2 memory tracking API behind a HAVE_LIBXML_MEMORY_DEBUG feature macro. The deprecated calls are no longer compiled on systems where the API is gone (Apple SDK, libxml2 >= 2.14), mem_used is only exported when actually defined, and t/50devel.t skips with a clear reason. Also strip the bogus "-L/lib" entries Alien::Base::Wrapper injects into LDFLAGS on macOS. - PR #127 - Add a minimal hello-world HTML example (example/hello-world.pl) and add createInternalSubset("html", ...) to both HTML examples so they emit a proper declaration. - GH #66, PR #121 - Standardize XPath parameter naming to $xpath_expression throughout the DocBook source, matching the XML::LibXML::XPathExpression class name. - GH #64, PR #125 - Update outdated and dead references in README.md: point repository URLs at the canonical cpan-authors/XML-LibXML home, drop the defunct ActiveState mailing list, replace the long Windows nmake recipe with a Strawberry Perl note, refresh the macOS section, and bring the Package History up to date. ... changelog too long, skipping 54 lines ... references. ==== perl-XML-Parser ==== Version update (2.580.0 -> 2.590.0) - updated to 2.590.0 (2.59) see /usr/share/doc/packages/perl-XML-Parser/Changes 2.59 2026-05-20 (by Todd Rinaldo) Fixes: - PR #269 GH #268 Recognize blessed glob handles (e.g. IO::String) in Expat::parse. The input-detection logic already handled IO::Handle subclasses, unblessed GLOB refs, bare globs, and bareword filehandle names but missed blessed globs that don't inherit from IO::Handle (such as IO::String), silently stringifying them and feeding the stringification to ParseString. Add a Scalar::Util::reftype check so blessed GLOB references are treated like any other glob handle Maintenance: - Add IO::String to the cpanfile so CI exercises the blessed-glob-handle code path covered by PR #269 ==== python-psutil ==== Subpackages: python311-psutil python313-psutil - %check phase should run aside from %builddir to use extension from the main binary package (don't build during the %check phase). ==== rsync ==== Version update (3.4.1 -> 3.4.3) - Fixed some warnings while building the rpm. - Added patches: - rsync-python-3.6-tests.patch: Small patch to support running tests on python 3.6+: - rsync-openat2-glibc-missing.patch: Small patch to build on kernels >= 5.6+ where openat2 is not defined in glibc. - Removed patches already upstream: - rsync-no-libattr.patch - rsync-CVE-2025-10158.patch - rsync-CVE-2026-41035.patch - rsync341-gcc15-bool.patch - Removed support for the unmaintained rsync-patches archive, which in turn removes support for SLP. These patches are not being shipped anymore. - Update to 3.4.3: - SECURITY FIXES: Six CVEs are fixed in this release. Three of the six (CVE-2026-29518, CVE-2026-43617, CVE-2026-43619) require non-default daemon configuration to reach: the first and third need use chroot = no for a module, the second needs daemon chroot = ... set in rsyncd.conf. Two (CVE-2026-43618, CVE-2026-43620) are reachable from a normal pull or a normal authenticated daemon connection. The sixth (CVE-2026-45232) is reachable only when RSYNC_PROXY is set and the proxy (or a MITM) returns a pathological response. Complete list of changes: https://download.samba.org/pub/rsync/NEWS#3.4.3 - CVE-2026-29518, bsc#1264511: Symlink-Race TOCTOU in Daemon (use chroot = no) TOCTOU symlink race condition allowing local privilege escalation in daemon mode without chroot. An rsync daemon configured with "use chroot = no" was exposed to a time-of-check / time-of-use race on parent path components. - CVE-2026-43617, bsc#1264515: Authorization Bypass via Hostname Resolution Hostname/ACL bypass on an rsync daemon configured with daemon chroot = /X in rsyncd.conf when the chroot tree lacks DNS resolution support. The reverse-DNS lookup of the connecting client was performed after the daemon chroot had been entered; if /X did not contain the libc resolver fixtures (/etc/resolv.conf, /etc/nsswitch.conf, /etc/hosts, NSS service modules) the lookup failed and the connecting hostname was set to "UNKNOWN", causing hostname-based deny rules to silently fail open. IP-based ACLs are unaffected. The per-module use chroot setting is unrelated to this issue. The fix performs the lookup before entering the daemon chroot. - CVE-2026-43618, bsc#1264512: Integer Overflow Information Disclosure Integer overflow in the compressed-token decoder enabling remote memory disclosure to an authenticated daemon peer. Workaround for older releases: refuse options = compress in rsyncd.conf. - CVE-2026-43619, bsc#1264514: Symlink Race Condition via Path-Based Syscalls Symlink races on path-based system calls in "use chroot=no" daemon mode (generalisation of CVE-2026-29518). Earlier fixes for symlink races on the receiver's open() call missed the same race class on every other path-based system call: chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir and lstat. Default "use chroot = yes" is not exposed. - CVE-2026-43620, bsc#1264513: Out-of-Bounds Array Read via recv_files() Out-of-bounds read in the receiver's recv_files() enabling remote denial-of-service of any client pulling from a malicious server (incomplete fix of commit 797e17f). Workaround for older releases: --no-inc-recursive on the client. - CVE-2026-45232, bsc#1265296: Off-by-one stack OOB write in HTTP CONNECT proxy response parsing Off-by-one out-of-bounds stack write in the rsync client's HTTP CONNECT proxy handler (establish_proxy_connection() in socket.c). The fix detects the "buffer filled without finding \n" case explicitly by position and refuses the response with "proxy response line too long". - In addition to the six CVE fixes, this release adds defence-in-depth hardening on several adjacent paths. - BUG FIXES: - Fixed a regression introduced by the 3.4.0 secure_relative_open(). - Complete list of fixes in version 3.4.2: - https://download.samba.org/pub/rsync/NEWS#3.4.2 ==== selinux-policy ==== Version update (20260508 -> 20260522) Subpackages: selinux-policy-targeted - Update to version 20260522: * Fix build by switching to corecmd_exec_bin_noattr() * Split using dirsrv_ and dirsrvadmin_ interfaces into separate blocks * Allow virtqemud execute kmod in the kmod domain * Allow qatlib map kernel modules * Allow sys_resource on execution of generic executables conditionally * Label bootloader-migrate-generator with coreos_bootloader_migrate_generator_exec_t * Label /run/coreos with coreos_installer_var_run_t * Add systemd_create_generator_unit_file() and systemd_write_generator_unit_file() * Allow virtnwfilterd_t r/w on packet_socket (bsc#1264273) * Update fstools swap interfaces with dir search * Allow go-fdo-server to read system information * Change README to openSUSE specific README * Add missing fc rule for org.gnome.DisplayManager (bsc#1264182) * config: make /etc/systemd/user same as /usr/lib/systemd/user * Do not audit iptables attempts to read other process state * Policy for go-fdo-server * Allow setroubleshoot_fixit_t to touch /.autorelabel and reboot * Allow init nnp domain transition do dirsrv_t and dirsrv_snmp_t * Allow NetworkManager_dispatcher_nvme_t check status of systemd services * Allow iptables_t read state of some processes * Label /dev/HID-SENSOR-.* with hid_sensor_device_t - Syncing with upstream rawhide selinux-policy up to: * 190ed3591e0004c395409dd62acea41c8a684fc1 - Update embedded container-selinux version to commit: * e659fc8858d2e34781cc1640ac1658ba484cb3f5 (v2.248.0) ==== thin-provisioning-tools ==== Version update (1.2.1 -> 1.3.2) - Update to version 1.3.2: * Bump version to 1.3.2 * [doc] Update CHANGES * [thin_repair] Prevent out-of-bounds access from corrupted btree pointers * [thin_repair] Use saturating arithmetic to avoid integer overflow * [build] Update ratatui to address RUSTSEC-2026-0002 * [build] Bump rand to address RUSTSEC-2026-0097 * Bump version to 1.3.1 * [doc] Update CHANGES * [build] Update dependencies to latest patch releases * [space_map] Optimize zero-filling loops in Aggregator region lookup * [tests] Fix device name in the preparation script * [tests] Add tests for thin_ls mapped block counts * [tests] Update documentation for test files * [thin_ls] Optimize second pass by skipping unnecessary key parsing * [thin_ls] Read exclusive leaves multithreaded * [thin_ls] Read leaf nodes multithreaded * [thin_ls] Read internal nodes multithreaded * [thin_ls] Switch to Aggregator for upcoming parallelization * [utils] Add mutable accessor to HashVec * [space_map] Add specialized Aggregator that counts up to two * [space_map] Make Region type configurable via generics * [space_map] Relocate misplaced code documentation * [thin_ls] Print memory usage for performance analysis * [utils] Factor out memory profiling functions * [space_map] Factor out repair_space_map * Bump version to 1.3.0 * [doc] Update CHANGES * [build] Update dependencies to latest patch releases * [pdata] Avoid unnecessary error object construction * [btree] Factor out get_depth method * [btree_walker] Remove multithreaded read_nodes and use references * [thin_check] Handle data mappings outside the space map boundary * [btree_walker] Handle metadata blocks outside the space map boundary * [thin_check] Remove unused error logging * [space_map] Add comments to space_map/aggregator_load.rs * [space_map] Prevent panics from out-of-bounds access in Aggregator * [thin_check] Display number of free blocks using saturating arithmetic * [thin_check] Handle incomplete metadata dump * [thin_check] Do not read space maps while checking the metadata snap * [thin_check] Refactor space map comparison * [thin_explore] Migrate from tui to ratatui * [thin_check] Improve error messages by visiting the mapping tree first * Bump version to 1.3.0-rc.1 * [io_engine] Improve partial read handling in VectoredBlockIo * [io_engine] Pass down the error from IoEngine to the handler * [thin_check] Fix error when no devices are present * [all] Avoid manual implementation of .is_multiple_of() on unsigned types * [io_engine] Handle out of bounds reads in VectoredBlockIo * [space_map] Handle errors in reading bitmap blocks * [thin_check] Handle errors in reading mapping tree leaves * [thin_check] Replace Arc::try_unwrap() by into_inner() * [thin_check] Log additional memory usage info * [space_map] Implement get_nr_allocated() for Aggregator * [io_engine] Implement read_blocks for SyncIoEngine * [utils] Add AdjacentChunks to produce fixed-length consecutive runs * [aggregator] Avoid copying block numbers and cloning iterator items * [thin_check] Re-enable NEEDS_CHECK flag clearing * [thin_check] Repair space map leaks * [thin_check] Enable metadata space map checking in terms of Aggregator * [btree_walker] Introduce layer-based btree walker * [btree_walker] Expose the ValueCollector for building maps from Handlers * [btree] Decouple node check and unpack functions from the io Block * [space_map] Batch update the aggregator while loading the ref counts * [thin_check] Read and compare space maps * [utils] Add spawn_future() for concurrent execution * [space_map] Support loading data/metadata space maps into Aggregators * [btree] Derive Copy trait for NodeError * [thin_check] Use threads to speed up read_internal_nodes() * [thin_check] Rewrite read_internal_nodes() to use streaming read * [thin_check] Speed up summarize_tree * [thin_check] Improve performance of reading leaf nodes * [utils] Introduce RangedBitsetIter to iterate a specific range of bits * [space_map] Introduce Aggregator type * [space_map] Split SpaceMap trait into RefCount and SpaceMap * [io_engine] Implement AsyncIoEngine::read_blocks() for streaming read * [io_engine] Add BufferPool * [io_engine] Rewrite AsyncIoEngine to use tokio IoUring * [io_engine] Introduce io_engine/ring_pool.rs * [io_engine] Add documentation to io_engine/gaps.rs * [io_engine] Add some documentation to io_engine/utils.rs * [io_engine] Remove suggest_nr_threads() from IoEngine * [thin_check] Add get_memory_usage() * [pdata] A couple of trivial performance tweaks to unpacking a btree node * Bump version to 1.2.2 * [doc] Update CHANGES * [build] Update dependencies to latest patch releases * [build] Update dependencies' major/minor versions without code changes * [tests] Add era_invalidate --metadata-snapshot tests * [era_invalidate] Fix missing flag setting for --metadata-snapshot