Packages changed: Mesa Mesa-drivers MicroOS-release (20260420 -> 20260422) ca-certificates (2+git20260203.5937e9f -> 2+git20260420.2a8e251) cups (2.4.16 -> 2.4.17) libkdcraw libxml2 (2.15.2 -> 2.15.3) tar xterm (406 -> 407) === Details === ==== Mesa ==== Subpackages: Mesa-libEGL1 Mesa-libGL1 libgbm1 - Disable vulkan and panfrost on armv6 as it fails to build ==== Mesa-drivers ==== Subpackages: Mesa-dri Mesa-vulkan-device-select libvulkan_lvp - Disable vulkan and panfrost on armv6 as it fails to build ==== MicroOS-release ==== Version update (20260420 -> 20260422) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== ca-certificates ==== Version update (2+git20260203.5937e9f -> 2+git20260420.2a8e251) - Update to version 2+git20260420.2a8e251: * update-ca-certificates requires mv and ln from coreutils ==== cups ==== Version update (2.4.16 -> 2.4.17) Subpackages: cups-client cups-config libcups2 libcupsimage2 - Version upgrade to 2.4.17: See https://github.com/openprinting/cups/releases The new release 2.4.17 contains the following security fixes: * CVE-2026-27447: The scheduler treated local user and group names as case-insensitive (bsc#1261572) * CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS directory (bsc#1261571) * CVE-2026-34980: The scheduler did not filter control characters from option values (bsc#1261569) * CVE-2026-34979: The scheduler did not always allocate enough memory for a job's options string (bsc#1261570) * CVE-2026-34990: The scheduler incorrectly allowed local certificates over the loopback interface (bsc#1261568) * CVE-2026-39314: Fixed the range check for job password strings (bsc#1261743) * CVE-2026-39316: Fixed a printer subscription bug in the scheduler (bsc#1261742) * CVE-2026-NNNNN: Fixed a SNMP string conversion bug in the backends. The last CVE number is requested from Github for several days now, the number will be corrected once we have one, but we decided to make a release to share the other fixes ("we" means the CUPS upstream maintainers). - The release includes other fixes as well, listed in CHANGES.md. Issues are those at https://github.com/OpenPrinting/cups/issues Detailed list (from CHANGES.md): * The scheduler followed symbolic links when cleaning out its temporary directory (Issue #1448) * Updated `cupsFileGetConf` and `cupsFilePutConf` to escape more characters. * Updated man page `cancel` (Issue #984) * Updated `cupsRasterReadHeader` to validate more of the page header values (Issue #1501) * Fixed an issue with the class/printer CGI name checking. * Fixed infinite loop in `http_write()` on busy print servers (Issue #827) * Fixed potential TLS blocking issues (Issue #1128) * Fixed a job history bug in the scheduler (Issue #1440) * Fixed notifier logging bug that would result in nul bytes getting into the log (Issue #1450) * Fixed possible use-after-free in `cupsdReadClient()` (Issue #1454) * Fixed a document format bug in the IPP backend (Issue #1457) * Fixed DRAIN_OUTPUT race condition (Issue #1461) * Fixed a bug when then `ippFindXxx` and `ippSetXxx` functions were mixed. * Fixed the mapping of supply type keywords to SNMP names. * Fixed a bug in the IPP backend when SNMP was disabled. * Fixed a crash bug in the rastertoepson filter. * Fixed a bug in cgiCheckVariables. * Fixed handling read/write errors with OpenSSL (Issue #1506) * Fixed handling rehandshake error in `_httpTLSRead` (Issue #1508) * Fixed a debug printf bug on Windows (Issue #1529) * Fixed a recursion issue with encoding of nested collections (Issue #1539) * Fixed parsing of the `LimitRequestBody`, `MaxLogSize`, and `MaxRequestSize` directives in "cupsd.conf" (Issue #1540) * Fixed a parsing bug in `ipptool` (Issue #1542) * Fixed blank line detection in the `rastertolabel` filter (Issue #1545) * Fixed `httpPeek` edge case on compressed streams Issues are those at https://github.com/OpenPrinting/cups/issues - Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.17 ==== libkdcraw ==== Subpackages: libKDcrawQt6-5 libkdcraw-qt6 - Restore a Qt 5 based libkcdraw package until krita is ported to Qt 6 ==== libxml2 ==== Version update (2.15.2 -> 2.15.3) Subpackages: libxml2-16 libxml2-tools - Update to version 2.15.3: * Security: - parser: Pass userData to SAX text callbacks in xmlParseReference (type-confusion) - entities: copy children in xmlCopyEntity - c14n: Fix Type confusion in xmlC14NProcessAttrsAxis - python: Do not decref string after adding to the list (double-free / use-after-free) - c14n: Reuse tmp_str, xmlStrcat reallocates *cur (double-free) * Improvements: - schemas: Fix relative schemaLocation resolution in XSI assembly in streaming mode - xmlreader: propagate reader resource loaders to validator parsers - python: Make python bindings python2 compatible - xmlregexp: Fix escape-sequence character range matching - xmlreader: Free input in xmlReaderForFd (memory-leak) - xmlstring: Free cur on every error for xmlStrncat (memory-leak) - catalog: Free xmlCatalogResolveCache on cleanup (memory leak) - Fix nanohttp.c build when --without-output - test: fix mismatched signed/unsigned comparison ==== tar ==== - Ensure the date in .info files is reproducible (boo#1047218) ==== xterm ==== Version update (406 -> 407) Subpackages: xterm-bin xterm-resize - update to 407: * add private modes 1020 to 1023 for reporting whether xterm uses UTF-8, whether CJK-width is set, whether Emoji-width is set, and whether private-width is set. * add resource privateWidth to control whether PUA (private use area) codes are neutral width or single-width. * improve fix for Debian #738794, to show boxes for codes which are neither combining characters or valid Unicode characters * improve switching to/from UTF-8 mode by saving, restoring and resetting the G0-G3 array (Debian #1124802). * use ST consistently in terminfo rather than legacy BEL minor updates to configure script and terminfo * add option --enable-resize-adjust for saving and repainting parts of the window which are lost when the user resizes the window