Packages changed:
SDL3
apache2-mod_php8 (8.3.17 -> 8.3.19)
cryptsetup
exempi
ffmpeg-7
glibc
glslang (15.1.0 -> 15.2.0)
grub2
gstreamer-plugins-bad
kernel-firmware-realtek (20250224 -> 20250313)
kmod
libqt5-qtwebengine
libxslt (1.1.42 -> 1.1.43)
openblas_openmp
openblas_pthreads
php8 (8.3.17 -> 8.3.19)
re2c (4.0.2 -> 4.1)
shaderc
spirv-tools
systemd (257.3 -> 257.4)
vulkan-loader (1.4.304 -> 1.4.309)
vulkan-tools (1.4.304 -> 1.4.309)
webkit2gtk3
zypper (1.14.87 -> 1.14.88)
=== Details ===
==== SDL3 ====
- Trim extraneous X11 dependencies from SDL3-devel [boo#1239635]
==== apache2-mod_php8 ====
Version update (8.3.17 -> 8.3.19)
- version update to 8.3.19
BCMath:
Fixed bug GH-17398 (bcmul memory leak).
Core:
Fixed bug GH-17623 (Broken stack overflow detection for variable compilation).
Fixed bug GH-17618 (UnhandledMatchError does not take zend.exception_ignore_args=1 into account).
Fix fallback paths in fast_long_{add,sub}_function.
Fixed bug GH-17718 (Calling static methods on an interface that has `__callStatic` is allowed).
Fixed bug GH-17797 (zend_test_compile_string crash on invalid script path).
Fixed GHSA-rwp7-7vc6-8477 (Reference counting in php_request_shutdown causes Use-After-Free). (CVE-2024-11235)
DOM:
Fixed bug GH-17847 (xinclude destroys live node).
FFI:
Fix FFI Parsing of Pointer Declaration Lists.
FPM:
Fixed bug GH-17643 (FPM with httpd ProxyPass encoded PATH_INFO env).
GD:
Fixed bug GH-17772 (imagepalettetotruecolor crash with memory_limit=2M).
LDAP:
Fixed bug GH-17704 (ldap_search fails when $attributes contains a non-packed array with numerical keys).
LibXML:
Fixed GHSA-wg4p-4hqh-c3g9 (Reocurrence of #72714).
Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header when requesting a redirected resource). (CVE-2025-1219)
MBString:
Fixed bug GH-17503 (Undefined float conversion in mb_convert_variables).
Opcache:
Fixed bug GH-17654 (Multiple classes using same trait causes function JIT crash).
Fixed bug GH-17577 (JIT packed type guard crash).
Fixed bug GH-17899 (zend_test_compile_string with invalid path when opcache is enabled).
Fixed bug GH-17868 (Cannot allocate memory with tracing JIT).
PDO_SQLite:
Fixed GH-17837 ()::getColumnMeta() on unexecuted statement segfaults).
Fix cycle leak in sqlite3 setAuthorizer().
Phar:
Fixed bug GH-17808: PharFileInfo refcount bug.
PHPDBG:
Partially fixed bug GH-17387 (Trivial crash in phpdbg lexer).
Fix memory leak in phpdbg calling registered function.
Reflection:
Fixed bug GH-15902 (Core dumped in ext/reflection/php_reflection.c).
Standard:
Fixed bug #72666 (stat cache clearing inconsistent between file:// paths and plain paths).
Streams:
Fixed bug GH-17650 (realloc with size 0 in user_filters.c).
Fix memory leak on overflow in _php_stream_scandir().
Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header). (CVE-2025-1736)
Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes). (CVE-2025-1861)
Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon). (CVE-2025-1734)
Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not handle folded headers). (CVE-2025-1217)
Windows:
Fixed phpize for Windows 11 (24H2).
Fixed GH-17855 (CURL_STATICLIB flag set even if linked with shared lib).
Zlib:
Fixed bug GH-17745 (zlib extension incorrectly handles object arguments).
Fix memory leak when encoding check fails.
Fix zlib support for large files.
==== cryptsetup ====
Subpackages: cryptsetup-doc cryptsetup-lang libcryptsetup12
- Set pbkdf2 as the default PBKDF algorithm in LUKS2 format.
[bsc#1236375, bsc#1236164]
* The default PBKDF algorithm in the LUKS2 format is now Argon2id
but its not FIPS compliant. A system would be unbootable if using
Argon2id or Argon2i for disk encryption and then switching to
kernel FIPS mode. This can be avoided by setting pbkdf2 as default.
* Build using the configure option --with-luks2-pbkdf=pbkdf2.
* Remove the dependency on libargon2 as is now provided by openssl.
==== exempi ====
- Ignore testcore test failure on s390x. It is known to fail on
big endian architectures.
==== ffmpeg-7 ====
Subpackages: libavcodec61 libavfilter10 libavformat61 libavutil59 libpostproc58 libswresample5 libswscale8
- Add 0001-avcodec-libsvtav1-unbreak-build-with-latest-svtav1.patch
to build with SVT-AV1 3.0.0.
==== glibc ====
Subpackages: glibc-32bit glibc-devel glibc-extra glibc-gconv-modules-extra glibc-gconv-modules-extra-32bit glibc-lang glibc-locale glibc-locale-base
- Do not build libnsl1 (bsc#1239459)
==== glslang ====
Version update (15.1.0 -> 15.2.0)
- Update to release 15.2
* Emit error if using in/out with struct pointer
* Emit SPV_EXT_opacity_micromap if GL extension is present
* Support GL_NV_linear_swept_spheres, GLSL_EXT_nontemporal_keyword,
GL_NV_cluster_acceleration_structure, GL_NV_cooperative_vector,
GL_EXT_texture_offset_non_const, EXT_integer_dot_product
* Check SparseTextureOffset non-const parameters
* Revert cross-stage check for missing outputs
* Add support for OpTypeRayQueryKHR and
OpTypeAccelerationStructureKHR to SPVRemapper
- Make build recipe POSIX sh compatible
- Switch Leap compiler to gcc 13 following the rest of the
Vulkan stack
==== grub2 ====
Subpackages: grub2-common grub2-i386-pc grub2-snapper-plugin grub2-systemd-sleep-plugin grub2-x86_64-efi grub2-x86_64-efi-bls grub2-x86_64-xen
- Update the patch to fix "SRK not matched" errors when unsealing
the key (bsc#1232411)
* 0001-tpm2-Add-extra-RSA-SRK-types.patch
==== gstreamer-plugins-bad ====
Subpackages: gstreamer-plugins-bad-lang libgstadaptivedemux-1_0-0 libgstanalytics-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstinsertbin-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstmse-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstplayer-1_0-0 libgstsctp-1_0-0 libgsttranscoder-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0
- Disable nvcodec/cuda on aarch64 and %arm as it fails to build
==== kernel-firmware-realtek ====
Version update (20250224 -> 20250313)
- Update to version 20250313 (git commit 1d4c88ee96ec):
* rtw88: Add firmware v33.6.0 for RTL8814AE/RTL8814AU
* rtw89: 8922a: update fw to v0.35.64.0
* rtw89: 8922a: update fw to v0.35.63.0
* rtw89: 8852c: update fw to v0.27.125.0
==== kmod ====
Subpackages: libkmod2
- tests: drop ppc64 workaround, print failed test results if any
==== libqt5-qtwebengine ====
- Add patch to fix the sandbox on 32-bit x86:
* sandbox_recvmsg.patch
==== libxslt ====
Version update (1.1.42 -> 1.1.43)
Subpackages: libexslt0 libxslt-tools libxslt1
- Update to 1.1.43:
* Major changes:
- The non-standard EXSLT crypto extensions and support for dynamically
loaded plugins are now disabled by default. These features can be
enabled by passing --with-crypto or --with-plugins to configure.
In a future release, these features will be removed.
- Debug output and the debugger are disabled by default and can be
enabled by passing --with-debug or --with-debugger.
* Security:
- [bsc#1239625, CVE-2025-24855] Fix use-after-free of XPath context node
- [bsc#1239637, CVE-2024-55549] Fix UAF related to excluded namespaces
* Bug fixes:
- variables: Fix non-deterministic generated IDs
* libxml2 related cleanup:
- python: Don't use removed libxml2 macro
- tests: Skip test_bad.xsl with libxml2 before 2.13
- python: Don't include nanoftp.h and nanohttp.h
- tests: Avoid namespace warning on Windows
- numbers: Stop using libxml2 XPath axis API
- numbers: Use private copy of xmlCopyCharMultiByte
- documents: Use xmlCtxtParseDocument if available
- tests: Make runtest compile with older libxml2 versions
- utils: Account for libxml2 change
- tests: Make bug-219.xsl compatible with older libxml2
- extensions: always include stdlib.h (Hugo Beauzée-Luyssen)
- extensions: Don't use libxml2's "modules" feature
* Code cleanup:
- numbers: Make static variables const
- variables: Remove debug code
* Portability:
- python: Declare init func with PyMODINIT_FUNC
- exslt: Use C99 NAN macro
* Build:
- cmake: Always build Python module as shared library
- cmake: Fix compatibility in package version file
- configure.ac: Find libgcrypt via pkg-config (Alessandro Astone)
* Remove patches fixed in the update:
- libxslt-reproducible.patch
- libxslt-test-compile-with-older-libxml2-versions.patch
==== openblas_openmp ====
- Use upstream patch for bsc#1239134 which is more friendly to the
non-affected power9 and power10 sub-architectures:
Replace:
Revert-ba47c7f4f301aad100ed166de338b86e01da8465.patch
by:
Restore-the-non-vectorized-code-from-before-PR4880-for-POWER8.patch
==== openblas_pthreads ====
- Use upstream patch for bsc#1239134 which is more friendly to the
non-affected power9 and power10 sub-architectures:
Replace:
Revert-ba47c7f4f301aad100ed166de338b86e01da8465.patch
by:
Restore-the-non-vectorized-code-from-before-PR4880-for-POWER8.patch
==== php8 ====
Version update (8.3.17 -> 8.3.19)
Subpackages: php8-ctype php8-dom php8-iconv php8-openssl php8-pdo php8-sqlite php8-tokenizer php8-xmlreader php8-xmlwriter
- version update to 8.3.19
BCMath:
Fixed bug GH-17398 (bcmul memory leak).
Core:
Fixed bug GH-17623 (Broken stack overflow detection for variable compilation).
Fixed bug GH-17618 (UnhandledMatchError does not take zend.exception_ignore_args=1 into account).
Fix fallback paths in fast_long_{add,sub}_function.
Fixed bug GH-17718 (Calling static methods on an interface that has `__callStatic` is allowed).
Fixed bug GH-17797 (zend_test_compile_string crash on invalid script path).
Fixed GHSA-rwp7-7vc6-8477 (Reference counting in php_request_shutdown causes Use-After-Free). (CVE-2024-11235)
DOM:
Fixed bug GH-17847 (xinclude destroys live node).
FFI:
Fix FFI Parsing of Pointer Declaration Lists.
FPM:
Fixed bug GH-17643 (FPM with httpd ProxyPass encoded PATH_INFO env).
GD:
Fixed bug GH-17772 (imagepalettetotruecolor crash with memory_limit=2M).
LDAP:
Fixed bug GH-17704 (ldap_search fails when $attributes contains a non-packed array with numerical keys).
LibXML:
Fixed GHSA-wg4p-4hqh-c3g9 (Reocurrence of #72714).
Fixed GHSA-p3x9-6h7p-cgfc (libxml streams use wrong `content-type` header when requesting a redirected resource). (CVE-2025-1219)
MBString:
Fixed bug GH-17503 (Undefined float conversion in mb_convert_variables).
Opcache:
Fixed bug GH-17654 (Multiple classes using same trait causes function JIT crash).
Fixed bug GH-17577 (JIT packed type guard crash).
Fixed bug GH-17899 (zend_test_compile_string with invalid path when opcache is enabled).
Fixed bug GH-17868 (Cannot allocate memory with tracing JIT).
PDO_SQLite:
Fixed GH-17837 ()::getColumnMeta() on unexecuted statement segfaults).
Fix cycle leak in sqlite3 setAuthorizer().
Phar:
Fixed bug GH-17808: PharFileInfo refcount bug.
PHPDBG:
Partially fixed bug GH-17387 (Trivial crash in phpdbg lexer).
Fix memory leak in phpdbg calling registered function.
Reflection:
Fixed bug GH-15902 (Core dumped in ext/reflection/php_reflection.c).
Standard:
Fixed bug #72666 (stat cache clearing inconsistent between file:// paths and plain paths).
Streams:
Fixed bug GH-17650 (realloc with size 0 in user_filters.c).
Fix memory leak on overflow in _php_stream_scandir().
Fixed GHSA-hgf5-96fm-v528 (Stream HTTP wrapper header check might omit basic auth header). (CVE-2025-1736)
Fixed GHSA-52jp-hrpf-2jff (Stream HTTP wrapper truncate redirect location to 1024 bytes). (CVE-2025-1861)
Fixed GHSA-pcmh-g36c-qc44 (Streams HTTP wrapper does not fail for headers without colon). (CVE-2025-1734)
Fixed GHSA-v8xr-gpvj-cx9g (Header parser of `http` stream wrapper does not handle folded headers). (CVE-2025-1217)
Windows:
Fixed phpize for Windows 11 (24H2).
Fixed GH-17855 (CURL_STATICLIB flag set even if linked with shared lib).
Zlib:
Fixed bug GH-17745 (zlib extension incorrectly handles object arguments).
Fix memory leak when encoding check fails.
Fix zlib support for large files.
==== re2c ====
Version update (4.0.2 -> 4.1)
- Update to version 4.1:
* This release adds actions, a few backend-specific improvements
in code generation and a bunch of bug fixes.
* Benchmark code has been reworked in preparation to add
multi-language benchmarks in the future.
==== shaderc ====
- Switch Leap build to newer gcc 13
==== spirv-tools ====
- Bump BuildRequires to match spirv-headers
==== systemd ====
Version update (257.3 -> 257.4)
Subpackages: libsystemd0 libsystemd0-32bit libudev1 systemd-32bit systemd-boot systemd-container systemd-experimental systemd-lang udev
- triggers.systemd: more posix.fork() conversion (bsc#1238566)
- Import commit f133e5974e69708d7491d4823780690c913f7bda (merge v257.4)
For a complete list of changes, visit:
https://github.com/openSUSE/systemd/compare/e03ffd74c4a30c1c75e05874ce18d31e503437b7...f133e5974e69708d7491d4823780690c913f7bda
==== vulkan-loader ====
Version update (1.4.304 -> 1.4.309)
- Update to tag SDK-1.4.309.0
* Make Xrandr not implicitly required when x11 is used
* Make emulate_VK_EXT_surface_maintenance1 comply better with
Vulkan spec
* Support VK_GOOGLE_surfaceless_query
==== vulkan-tools ====
Version update (1.4.304 -> 1.4.309)
- Update to tag SDK-1.4.309.0
* vulkaninfo: Add video profiles support
* cube: Correctly apply sRGB OETF/EOTF
* icd: Add VkPhysicalDeviceMaintenance3Properties
==== webkit2gtk3 ====
Subpackages: WebKitGTK-4.1-lang libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles
- Add 7d784721.patch: WebGL context primitive restart can be
toggled from WebContent process (boo#1239547 CVE-2025-24201).
==== zypper ====
Version update (1.14.87 -> 1.14.88)
Subpackages: zypper-log zypper-needs-restarting
- Do not double encode URL strings passed on the commandline
(bsc#1237587)
URLs passed on the commandline must have their special chars
encoded already. We just want to check and encode forgotten
unsafe chars like a blank. A '%' however must not be encoded
again.
- version 1.14.88