Packages changed: MicroOS-release (20260204 -> 20260205) ca-certificates (2+git20251006.0b604c2 -> 2+git20260203.5937e9f) distrobox (1.8.2.3 -> 1.8.2.4) gcc15 (15.2.1+git10392 -> 15.2.1+git10776) gdk-pixbuf (2.44.5 -> 2.44.4) libzio oath-toolkit (2.6.11.12 -> 2.6.14) python313-packaging (25.0 -> 26.0) python313-setuptools sdl2-compat (2.32.62 -> 2.32.64) systemd (257.9 -> 258.3) === Details === ==== MicroOS-release ==== Version update (20260204 -> 20260205) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== ca-certificates ==== Version update (2+git20251006.0b604c2 -> 2+git20260203.5937e9f) - Update to version 2+git20260203.5937e9f: * Remove files in /etc and /var from spec file [jsc#PED-14792] ==== distrobox ==== Version update (1.8.2.3 -> 1.8.2.4) Subpackages: distrobox-bash-completion - Drop 0001-fix-add-newline-when-manually-adding-user.patch since it was merged upstream - Update to 1.8.2.4: * Add missing dependencies for fedora and wolfi. by @Kamorst in https://github.com/89luca89/distrobox/pull/1931 * docs: update Alpine Linux images to latest versions by @dottorblaster in https://github.com/89luca89/distrobox/pull/1977 * distrobox-init: add newline when appending user via printf by @tblume in https://github.com/89luca89/distrobox/pull/1988 * init: refactor user setup to modify attributes individually by @89luca89 in https://github.com/89luca89/distrobox/pull/1994 * chore(version): bump to v1.8.2.4 by @dottorblaster in https://github.com/89luca89/distrobox/pull/1995 ==== gcc15 ==== Version update (15.2.1+git10392 -> 15.2.1+git10776) Subpackages: cpp15 libgcc_s1 libgomp1 libstdc++6 - Update to GCC 15 branch head, 15.2.1+git10776 * includes fix for bogus expression simplification [bsc#1257463] - Add gcc15-bsc1253043.patch to enable the use of _dl_find_object even when not available at build time. [bsc#1253043] ==== gdk-pixbuf ==== Version update (2.44.5 -> 2.44.4) Subpackages: gdk-pixbuf-query-loaders libgdk_pixbuf-2_0-0 typelib-1_0-GdkPixbuf-2_0 ==== libzio ==== - Move from sourceforge to gitlab ==== oath-toolkit ==== Version update (2.6.11.12 -> 2.6.14) Subpackages: liboath0 libpskc0 oath-toolkit-xml pam_oath - Update to version 2.6.14 * pam_oath: Support null_usersfile_okay parameter. The argument no_usersfile_okay forces the module to act as if the user is not present in the config, if the config file does not exist. This has security implications only use if you know what you are doing. E.g. if the file is in a mount like home and that fails to be mounted, then this will succeed even if the OTP if configured for that user. Patch by Luna, Jan Zerebecki, and Miika Alikirri; see https://codeberg.org/oath-toolkit/oath-toolkit/pulls/94. * pam_oath README: Suggest KbdInteractiveAuthentication. Instead of deprecated ChallengeResponseAuthentication. see https://codeberg.org/oath-toolkit/oath-toolkit/pulls/112. * Various build fixes including updated gnulib files. Fixes building with glibc 2.43. - Update to version 2.6.13 * liboath/libpskc: Fix _FORTIFY_SOURCE build problem and allow configuration. * liboath: Fix --with-openssl builds * Git hosting moved from gitlab.com to codeberg.org. The new URL is https://codeberg.org/oath-toolkit/oath-toolkit although the old GitLab project will continue to be used for pipelines. https://gitlab.com/oath-toolkit/oath-toolkit/-/pipelines * Various build fixes including updated gnulib files. Gnulib files are no longer stored in git version control. As a consequence, gnulib is a required build dependency when building from git, see CONTRIBUTING.md. - Update to version 2.6.12 * Reported by Fabian Vogt (SUSE), and associated with CVE-2024-47191. See https://codeberg.org/oath-toolkit/oath-toolkit/issues/43. Security bug triggered by new feature in pam_oath v2.6.7 released on 2021-05-01 with the USER/HOME placeholder strings, https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/12. Quoting a writeup in an alternate patch by Matthias Gerstner (SUSE): With the addition of the possibility to place a usersfile also into a the usersfile= path specification, security issues sneaked in. The PAM process usually runs with root privileges. The file operations in an unprivileged user’s home directory follow symlinks both when reading and creating files, allowing for a potential local root exploit, because of the fchown() performed on the newly created usersfile. * We drop privileges to the user that is being logged into, assuming it has the necessary permissions for the usersfile belonging in their home directory. This restricts the ability for non-root users to affect files beyond their control via liboath. * liboath: Don’t follow symbolic links for usersfile updates. Reported by Fabian Vogt (SUSE), and associated with CVE-2024-47191. See https://codeberg.org/oath-toolkit/oath-toolkit/issues/43. Security bug triggered by new feature in pam_oath v2.6.7 released on 2021-05-01 with the USER/HOME placeholder strings, see https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/12. The fix is to open files for writing in exclusive mode (i.e., fail if the file exists including if it is a symbolic link). * oathtool: Fix test suite on 32-bit big-endian platforms. * libpskc: Don’t call deprecated xmlMemoryDump. * Various build fixes including updated gnulib files. - Drop not longer needed patches (fixed upstream): * 0001-usersfile-fix-potential-security-issues-in-PAM-modul.patch * 42-null_usersfile_okay.patch - Use %ldconfig_scriptlets macro. ==== python313-packaging ==== Version update (25.0 -> 26.0) - update to 26.0: * Features: - PEP 751: support pylock (PR #900) - PEP 794: import name metadata (PR #948) - Support for writing metadata to a file (PR #846) - Support __replace__ on Version (PR #1003) - Support positional pattern matching for Version and SpecifierSet (PR #1004) * Behavior adaptations: - PEP 440 handling of prereleases for Specifier.contains, SpecifierSet.contains, and SpecifierSet.filter (PR #897) - Handle PEP 440 edge case in SpecifierSet.filter (PR #942) - Adjust arbitrary equality intersection preservation in SpecifierSet (PR #951) - Return False instead of raising for .contains with invalid version (PR #932) - Support arbitrary equality on arbitrary strings for Specifier and SpecifierSet’s filter and contains method. (PR #954) - Only try to parse as Version on certain marker keys, return False on unequal ordered comparisons (PR #939) * Fixes: - Update _hash when unpickling Tag() (PR #860) - Correct comment and simplify implicit prerelease handling in Specifier.prereleases (PR #896) - Use explicit _GLibCVersion NamedTuple in _manylinux (PR #868) - Detect invalid license expressions containing () (PR #879) - Correct regex for metadata 'name' format (PR #925) - Improve the message around expecting a semicolon (PR #833) - Support nested parens in license expressions (PR #931) - Add space before at symbol in Requirements string (PR #953) - A root logger use found, use a packaging logger instead (PR #965) - Better support for subclassing Marker and Requirement (PR #1022) - Normalize all extras, not just if it comes first (PR #1024) - Don’t produce a broken repr if Marker fails to construct (PR #1033) * Performance: - Avoid recompiling regexes in the tokenizer for a 3x speedup (PR #1019) - Improve performance in _manylinux.py (PR #869) - Minor cleanups to Version (PR #913) - Skip redundant creation of Version’s in specifier comparison (PR #986) - Cache the Specifier’s Version (PR #985) - Make Version a little faster (PR #987) - Minor Version regex cleanup (PR #990) - Faster regex on Python 3.11.5+ for Version (PR #988, PR #1055) - Lazily calculate _key in Version (PR #989, PR #1048) - Faster canonicalize_version (PR #993) - Use re.fullmatch in a couple more places (PR #992, PR #1029) - Use map instead of generator (PR #996) - Deprecate ._version (_Version, a NamedTuple) (PR #995, PR #1062) - Avoid duplicate Version creation in canonicalize_version (PR #994) - Add __slots__ to core classes (PR #1001, PR #1002, PR #1032) - Use Version.__replace__ in specifier comparison (PR #999) - Use _get_spec_version in more places in Specifier (PR #1005) - Pull set construction out of function (PR #1012) - Letter normalization dict for prereleases and the like (PR #1014) - Use str.partition in _parse_project_urls (PR #1013) - Avoid normalizing extras again when comparing (PR #1028) - Speed up Version.__str__ by about 10% (PR #997) - Much faster canonicalize_name by avoiding a regex (PR #1030, PR #1047, PR #1064) - Faster zero stripping (PR #1058) * Type annotations: - Fix a type annotation (PR #907) - Fix type hint of function used with contextlib.contextmanager (PR #1046) - Fix tags return type in parse_wheel_filename docs (PR #973) - Add type hint for _version in .version.Version (PR #927) - Changed static type annotations in prereleases setter method in specifier.py (PR #930) - Statically type our test suite (PR #982) * Internal: - Test and declare support for Python 3.14 (PR #901) - Change our license metadata to use an SPDX license expression (PR #881, PR #924) - Expand the Ruff checks run on our codebase (PR #835, PR #957, PR #959, PR #963, PR #956, PR #961, PR #964, PR #958, PR #960, PR #968, PR #967, PR #966, PR #969, PR #980, PR #979, PR #962, PR #984, PR #972) - Add spell checking (PR #904, PR #910, PR #1015) - Improve links back to source in the documentation (PR #991) - Add case insensitivity tests for arbitrary equality (PR #975) - Fix incorrectly implicitly concatenated string in specifiers test (PR #946) - Simpler else instead of assert in a check (PR #1027, PR #1031) - Synchronize documentation and code for markers (PR #1008) - Use the GitHub Actions slim runner for the all pass check (PR #1021) - Use actionlint to check CI workflows (PR #1052) - Use Trusted Publishing (PR #893, PR #1043, PR #1045, PR #1051) - Use zizmor to check CI (PR #1035) - Test on first public release of CPython 3.11 and newer (PR #1056) Since the final release candidate: Faster canonicalize_name, especially on Python 3.12 and 3.13, where performance regressed previously (PR #1064), and reintroduce (deprecated) support for Version._.version (PR #1062). - Move %sle15_python_module_pythons macro just above the Name, outside of all the if-else logic ==== python313-setuptools ==== - Fix suse_version check to make sure that primary builds for SLE-16 series - Add pythons_for_pypi macro. This macro will help to build the python minimal stack for different python versions. ==== sdl2-compat ==== Version update (2.32.62 -> 2.32.64) - Update to relesae 2.32.64 * Fixed surface memory leak in some circumstances * Fixed mouse grab not persisting past window recreation * Fixed picking the correct fullscreen resolution ==== systemd ==== Version update (257.9 -> 258.3) Subpackages: libsystemd0 libudev1 systemd-boot udev - Import commit 2ffdb7879d1913b91d75fb7638023689ad49d6ff 2ffdb7879d pam_systemd: fix regression introduced in v258 by preserving the FIFO fd (bsc#1255658) ab7770cb7e repart: support "nodatacow" in btrfs subvolumes 245645f444 basic: Use xopenat_full() in mkdir_p_root_full() d197900c28 ssh-generator: suppress error message for vsock EADDRNOTAVAIL (bsc#1255656) 7dcca22a3a ssh-generator: split out one more helper function 1fb6114132 ssh-generator: split out common helper function 2f836405c4 core/dbus-manager: propagate meaningful dbus errors from EnqueueMarkedJobs 9480762ccd core/transaction: when isolating, keep triggered units only if their triggers are actually active - Drop 0003-pam_systemd-fix-regression-introduced-in-v258-by-pre.patch and 5003-core-when-isolating-keep-triggered-units-only-if-the.patch as they have been merged by upstream and is part of the last batch of backported commits (see above). - Add 0003-pam_systemd-fix-regression-introduced-in-v258-by-pre.patch (bsc#1255658) This patch will be removed once either logind supports restarts or a sufficient amount of time has passed to ensure that systems have transitioned to a version of logind greater than 257. - Drop most of the workarounds contained in the fixlets These workarounds were hold to address old issues that no longer exist in recent versions of systemd. For systems upgrading to this version, we assume these issues have already been fixed by the fixlet scripts in the previous distribution. Only the logig warning users about the deprecated usage of the main configuration files (favoring drop-in files) is preserved. - systemd-update-helper: clean up the flags immediately after they have been consumed (no functional changes). - systemd.spec: don't reexecute PID1 on transactional updates. - Drop %filetriggers build flag. It was introduced to ease backport of Base:System to SLE distros where file-triggers were unreliable but that is no longer the case on the latest SLE distros. - Import commit 25181d4e4c8307a3621d115f99279c4d3c28a9fa (merge of v258.3) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/e103ce013ed270c0a43318743ab822cac9325f00...25181d4e4c8307a3621d115f99279c4d3c28a9fa - Add 5003-core-when-isolating-keep-triggered-units-only-if-the.patch until https://github.com/systemd/systemd/pull/39925 is merged. - Import commit e103ce013ed270c0a43318743ab822cac9325f00 e103ce013e pam_systemd: fix OSC write failure message appearing in error logs c81c546411 pam-util: fix pam_syslog_errno() ignoring the level parameter - Drop 1001-Temporarily-remove-mountfsd-nsresourced-new-Polkit-a.patch The relevant polkit actions have been reviewed by the security team. - Import commit 71c9223a1df429ae23bf113dc9eeb49154d8b734 (merge of v258.2) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/1898fac58dd5170dbe85f4c3d01e564889dba0de...71c9223a1df429ae23bf113dc9eeb49154d8b734 - Drop 1002-core-unit-fail-earlier-before-spawning-executor-when.patch as it's part of v258.2. - Import commit 1898fac58dd5170dbe85f4c3d01e564889dba0de 1898fac58d main: switch explicitly to tty1 on soft-reboot (bsc#1231986) 5fdd32dbe1 units: don't force the loading of the loop and dm_mod modules in systemd-repart.service (bsc#1248356) - Temporarily add 1002-core-unit-fail-earlier-before-spawning-executor-when.patch until v258.2 is released. - pam.systemd-user: skip common-account to avoid issues with pam_sss and other network user directories (bsc#1250691) - systemd.spec: drop the %{release} number from the SBAT version (1251948) - Add 0001-Drop-or-soften-some-upstream-warnings.patch (bsc#1228728) (bsc#1251981) For now it just drops the 'unmerged-bin' taint flag. - Upgrade to v258.1 (commit 67a1069b7269cc23c3d04a2fb0cf110abe7abf31) See https://github.com/openSUSE/systemd/blob/SUSE/v258/NEWS for details. This upgrade includes the following fix: c058ff41cb timer: don't run service immediately after restart of a timer (bsc#1254563) 3e14d02500 detect-virt: bare-metal GCE only for x86 and i386 (bsc#1254293) - Drop 0001-Drop-support-for-efivar-SystemdOptions.patch, upstream removed support for SystemdOptions efi var, see 14871a652925d08926c2d2d7cf2a95cd. - Drop 0009-pid1-handle-console-specificities-weirdness-for-s390.patch, upstream gained a new auto-detection logic to setup $TERM on various systems including s390x (bsc#1238117) - Support for System V style system state control has been removed: drop initctl, runlevel, runlevel*.target, etc.. from the sysvcompat sub-package - Add 1001-Temporarily-remove-mountfsd-nsresourced-new-Polkit-a.patch. This temporary patch disables the new polkit actions introduced by mountfsd and nsresourced until these actions are validated by the Security team. - Our testsuite sub-package is functional again and has been updated to work with the meson + mkosi infra.