Packages changed:
  MicroOS-release (20260426 -> 20260428)
  PackageKit (1.3.4 -> 1.3.5)
  distrobox (1.8.2.4 -> 1.8.2.5)
  gpg2 (2.5.18 -> 2.5.19)
  kernel-source (6.19.12 -> 7.0.1)
  lcms2 (2.18 -> 2.19)
  leancrypto
  libupnp (1.18.4 -> 1.18.5)
  libzypp (17.38.5 -> 17.38.7)
  mpg123 (1.33.4 -> 1.33.5)
  open-vm-tools
  python-cryptography (46.0.7 -> 47.0.0)
  python-idna (3.11 -> 3.13)
  sed (4.9 -> 4.10)
  tiff
  timezone (2026a -> 2026b)
  vim (9.2.0219 -> 9.2.0398)
  vlc
  xbitmaps (1.1.3 -> 1.1.4)
  xterm (407 -> 409)
  xwayland (24.1.9 -> 24.1.11)
  zypper (1.14.95 -> 1.14.96)

=== Details ===

==== MicroOS-release ====
Version update (20260426 -> 20260428)
Subpackages: MicroOS-release-appliance MicroOS-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== PackageKit ====
Version update (1.3.4 -> 1.3.5)
Subpackages: PackageKit-backend-dnf5 libpackagekit-glib2-18 typelib-1_0-PackageKitGlib-1_0

- Update to version 1.3.5:
  + This release fixes a critical security vulnerability that allows unprivileged local users to obtain root privileges on any distribution that uses PackageKit. Details will be disclosed very soon, please update to a fixed version of PackageKit immediately (ensure the patch from commit 76cfb675fb31acc3ad5595d4380bfff56d2a8697 is applied).
  + Drop slack backend
  + alpm: perform sysupgrade on install and update
  + freebsd: Fix crashing when libpkg asks about ABI mismatch
  + portage: Revamp backend
  + meson: test.depends does not accept a dummy dependency, give it an empty array instead
  + pkgcli: Set up proxy also if only PAC is available
  + Do not allow re-invoking methods on non-new transactions
  + packagekit/progress: updated old usage of raise StopIteration
  + pkgcli: Add TRANSLATORS comments for commands
  + pkgcli: Rename list-required-by to list-requiring
- Drop 0001-Do-not-allow-re-invoking-methods-on-non-new-txn.patch: fixed upstream.
- Drop 11c5f1f34f48b58ee10acec839dd01a31728704b.patch: fixed upstream.
- Add 0001-Do-not-allow-re-invoking-methods-on-non-new-txn.patch: Do not allow re-invoking methods on non-new transactions (bsc#1262220, CVE-2026-41651).

==== distrobox ====
Version update (1.8.2.4 -> 1.8.2.5)
Subpackages: distrobox-bash-completion

- Drop fix-distrobox-to-newer-zypper.patch since it was merged upstream
- Update to 1.8.2.5:
  * docs: remove bluefin-cli and powershell ublue images by @renner0e in https://github.com/89luca89/distrobox/pull/1997
  * docs: update documentation regarding VSCode integration by @ludrol in https://github.com/89luca89/distrobox/pull/1996
  * enter: show container command on dry run by @balanza in https://github.com/89luca89/distrobox/pull/2000
  * fix: expose correct dryrun command by @balanza in https://github.com/89luca89/distrobox/pull/2006
  * fix: setup_zypper: use drop-in config file if possible by @dannyhpy in https://github.com/89luca89/distrobox/pull/2007
  * docs: update README with sandboxing alternatives by @Gerharddc in https://github.com/89luca89/distrobox/pull/2009
  * feat: add ALT Linux compatibility improvements by @liannnix in https://github.com/89luca89/distrobox/pull/1989
  * fix: Pass -xdev to /bin/find by @danielzgtg in https://github.com/89luca89/distrobox/pull/1998
  * add Docker Desktop on macOS compatibility by @ericcurtin in https://github.com/89luca89/distrobox/pull/2019
  * init: chmod shadow files to 0400 for container storage compatibility by @89luca89 in https://github.com/89luca89/distrobox/pull/2020
  * chore(ci): v2 release candidate workflow by @balanza in https://github.com/89luca89/distrobox/pull/2031
  * docs(posts): announcing Distrobox v2 by @balanza in https://github.com/89luca89/distrobox/pull/2032
  * build(deps): bump actions/checkout from 4 to 6 by @dependabot[bot] in https://github.com/89luca89/distrobox/pull/2045
  * build(deps): bump actions/upload-artifact from 4 to 7 by @dependabot[bot] in https://github.com/89luca89/distrobox/pull/2044
  * build(deps): bump actions/download-artifact from 4 to 8 by @dependabot[bot] in https://github.com/89luca89/distrobox/pull/2043
  * build(deps): bump actions/setup-go from 5 to 6 by @dependabot[bot] in https://github.com/89luca89/distrobox/pull/2042
  * docs: issue template notice for distrobox v2 by @balanza in https://github.com/89luca89/distrobox/pull/2049
  * init: also clean empty unversioned .so stubs during nvidia setup by @edodusi in https://github.com/89luca89/distrobox/pull/2024
  * fix(enter): su argument order in unshare_groups path (legacy) by @Aromatic05 in https://github.com/89luca89/distrobox/pull/2055
  * fix(enter): correct order for su commands in unshare-groups by @dottorblaster in https://github.com/89luca89/distrobox/pull/2067
  * chore: bump to v1.8.2.5 by @dottorblaster in https://github.com/89luca89/distrobox/pull/2072

==== gpg2 ====
Version update (2.5.18 -> 2.5.19)

- Update to 2.5.19:
  * gpg: New option --use-ocb-sym
  * gpg: New options --show-[only-]session-hash
  * gpgsm: Allow cipher mode to be part of the algo given to the --cipher-algo option
  * gpgsm: Emit more details when failing to check a crlDP
  * agent: Improve pinentry behavior and texts in smartcard context
  * dirmngr: New keyword "clear" for --keyserver
  * gpg: Fix edge case in --refresh-keys
  * gpg: Don't call gcry_kdf_derive with empty passphrase
  * gpgsm: Skip the optional PKCS#12 PBES2 keyLength parameter to allow import of recently issued certificates by the German Telekom
  * gpgsm: Fix a bug so that a certificate can be signed using a different algo
  * gpgsm: Make GCM fully compliant in de-vs mode
  * gpgsm: Add a certificate chain check for de-vs compliance
  * gpgsm: Show rsaPSS certificates as de-vs compliant in listings
  * agent: Rework the trustlist reading code to finally allow a trustlist.txt with a missing trailing LF
  * ssh: Fix RSA padding in signature handling
  * gpgtar: Fix -C (--directory) to check the output directory
  * agent: Raise an error when p >= q for RSA keys to detect incorrect generated *PGP keys

==== kernel-source ====
Version update (6.19.12 -> 7.0.1)

- Re-enable ARM architectures and update configs
  Rather late (well, that's an understatement) but better than never.
- commit 46dfbfa
- Update config files.
  Set INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON=y (bsc#1262308)
  The same as for SL-16.*.
- commit ccbbbdf
- Linux 7.0.1 (bsc#1012628).
- clockevents: Add missing resets of the next_event_forced flag (bsc#1012628).
- mm/userfaultfd: fix hugetlb fault mutex hash calculation (bsc#1012628).
- media: hackrf: fix to not free memory after the device is registered in hackrf_probe() (bsc#1012628).
- media: vidtv: fix pass-by-value structs causing MSAN warnings (bsc#1012628).
- nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map (bsc#1012628).
- media: as102: fix to not free memory after the device is registered in as102_usb_probe() (bsc#1012628).
- wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit (bsc#1012628).
- bcache: fix cached_dev.sb_bio use-after-free and crash (bsc#1012628).
- ALSA: 6fire: fix use-after-free on disconnect (bsc#1012628).
- hwmon: (powerz) Fix use-after-free on USB disconnect (bsc#1012628).
- media: em28xx: fix use-after-free in em28xx_v4l2_open() (bsc#1012628).
- media: mediatek: vcodec: fix use-after-free in encoder release path (bsc#1012628).
- media: vidtv: fix nfeeds state corruption on start_streaming failure (bsc#1012628).
- mm: blk-cgroup: fix use-after-free in cgwb_release_workfn() (bsc#1012628).
- mm/kasan: fix double free for kasan pXds (bsc#1012628).
- ASoC: qcom: q6apm: move component registration to unmanaged version (bsc#1012628).
- KVM: x86: Use scratch field in MMIO fragment to hold small write values (bsc#1012628).
- x86-64/arm64/powerpc: clean up and rename __copy_from_user_flushcache (bsc#1012628).
- x86: rename and clean up __copy_from_user_inatomic_nocache() (bsc#1012628).
- x86-64: rename misleadingly named '__copy_user_nocache()' function (bsc#1012628).
- checkpatch: add support for Assisted-by tag (bsc#1012628).
- mm: call ->free_folio() directly in folio_unmap_invalidate() (bsc#1012628).
- KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION (bsc#1012628).
- KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish (bsc#1012628).
- KVM: SEV: Disallow LAUNCH_FINISH if vCPUs are actively being created (bsc#1012628).
- KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock (bsc#1012628).
- KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPU (bsc#1012628).
- KVM: selftests: Remove duplicate LAUNCH_UPDATE_VMSA call in SEV-ES migrate test (bsc#1012628).
- PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown (bsc#1012628).
- PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup (bsc#1012628).
- ocfs2: handle invalid dinode in ocfs2_group_extend (bsc#1012628).
- ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY (bsc#1012628).
- ocfs2: fix possible deadlock between unlink and dio_end_io_write (bsc#1012628).
- media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections (bsc#1012628).
- arm64: mm: Handle invalid large leaf mappings correctly (bsc#1012628).
- vfio/xe: Reorganize the init to decouple migration from reset (bsc#1012628).
- dcache: Limit the minimal number of bucket to two (bsc#1012628).
- ALSA: ctxfi: Limit PTP to a single page (bsc#1012628).
- Docs/admin-guide/mm/damon/lru_sort: warn commit_inputs vs param updates race (bsc#1012628).
- Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates race (bsc#1012628).
- USB: serial: option: add Telit Cinterion FN990A MBIM composition (bsc#1012628).
- selftests/mm: hmm-tests: don't hardcode THP size to 2MB (bsc#1012628).
- staging: sm750fb: fix division by zero in ps_to_hz() (bsc#1012628).
- wifi: rtw88: fix device leak on probe failure (bsc#1012628).
- scripts: generate_rust_analyzer.py: avoid FD leak (bsc#1012628).
- scripts/gdb/symbols: handle module path parameters (bsc#1012628).
- fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO (bsc#1012628).
- usb: port: add delay after usb_hub_set_port_power() (bsc#1012628).
- usb: gadget: f_hid: don't call cdev_init while cdev in use (bsc#1012628).
- USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC
... changelog too long, skipping 74 lines ...
- commit 5844293

==== lcms2 ====
Version update (2.18 -> 2.19)

- Update to version 2.19
  * CMake build system.
  * Large files support to use profiles up to 4Gb.
  * Black point compensation works on multi-channel profiles.
  * jpgicc banner is not shown on normal operation, only when help is requested.
  * Added a way to access internal transform pipelines.
  * Add a way to retrieve the CMM signature.
  * Added extra checks on postscript undocumented functions.
  * Added guard on integer overflow when reading .cube files.
  * Added unneeded checks as a try to get rid of spam reports about "vulnerabilities" that are not real.
  * Creating an output profile by cmsTransform2DeviceLink does not propagate correctly the colorant table.
  * Added some profile class definitions from iccMAX.
  * Deprecated uint16 and uint32 types removed from tifdiff.
  * fixed generation of tifdiff on Cmake and meson.

==== leancrypto ====

- Fix build on kernel 7.0
  * Add patch 0001-Linux-kernel-leancrypto_kernel_rng_tester-include-li.patch
- Pick fix for ABI issue in AVX2 assembly for Curve448 causing test failures when building with GCC 16.
  * Add patch leancrypto-ABI-fix.patch

==== libupnp ====
Version update (1.18.4 -> 1.18.5)
Subpackages: libixml11 libupnp20

- Update to release 1.18.5
  * Fixed CVE-2026-41682

==== libzypp ====
Version update (17.38.5 -> 17.38.7)

- Fix purge-kernel -rc kernel handling (bsc#1239718)
- Explicitly_set_pool_DISTTYPE_RPM (fixes #726)
- version 17.38.7 (35)
- Check for trusted key updates when updating the general keyring (bsc#1259706)
- Support multiple MirroredOrigin authorities (bsc#1253193)
- Workaround doxygen bug: doxygen/doxygen#12057
- libzypp.spec: Add missing graphviz-gd BuildRequires (boo#1259842)
- version 17.38.6 (35)

==== mpg123 ====
Version update (1.33.4 -> 1.33.5)

- Update to version 1.33.5
  * mpg123: Fix generic control mode for largefile-sensitive builds, where 32 bit off_t was used with mpg123 API calls expecting 64 bit off_t.
  * mpg123-id3dump, out123: Enable 64 bit offset usage on largefile-sensitive platforms (regression since 1.32.0).
  * libmpg123: Announce support for shadow stack / IBT in x86-64 assembly.
  * libmpg123: Also announce PAC/BTI for non-accurate neon64 (aarch64) synth.
  * libout123: Add a safeguard to ensure variable-length records from buffer communication are always zero-terminated.
  * libsyn123: Use union work buffer to avoid casts that may look like breaking strict aliasing.

==== open-vm-tools ====
Subpackages: libvmtools0

- Fix build with glibc 2.43 (boo#1257312)
  + Add patch:
    - glibc243.patch

==== python-cryptography ====
Version update (46.0.7 -> 47.0.0)

- update to 47.0.0:
  * Support for Python 3.8 is deprecated and will be removed in the next cryptography release.
  * BACKWARDS INCOMPATIBLE: Support for binary elliptic curves (SECT* classes) has been removed. These curves are rarely used and have additional security considerations that make them undesirable.
  * BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.1.x has been removed. OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC continue to be supported.
  * BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 4.1.
  * BACKWARDS INCOMPATIBLE: Loading keys with unsupported algorithms or keys with unsupported explicit curve encodings now raises :class:`~cryptography.exceptions.UnsupportedAlgorithm` instead of ValueError. This change affects :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`, :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`, :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`, :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key`, and :meth:`~cryptography.x509.Certificate.public_key` when called on certificates with unsupported public key algorithms.
  * BACKWARDS INCOMPATIBLE: When parsing elliptic curve private keys, we now reject keys that incorrectly encode a private key of the wrong length because such keys are impossible to process in a constant-time manner. We do not believe keys with this problem are in wide use, however we may revert this change based on the feedback we receive.
  * Deprecated passing 64-bit (8-byte) and 128-bit (16-byte) keys to :class:`~cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES`. In a future release, only 192-bit (24-byte) keys will be accepted. Users should expand shorter keys themselves (e.g., for single DES: key + key + key, for two-key: key + key[:8]).
  * Updated the minimum supported Rust version (MSRV) to 1.83.0, from 1.74.0.
  * Support for x86_64 macOS (including publishing wheels) is deprecated and will be removed in the next release. We will switch to publishing an arm64 only wheel for macOS.
  * Support for 32-bit Windows (including publishing wheels) is deprecated and will be removed in the next release. Users should move to a 64-bit Python installation.
  * public_bytes and private_bytes methods on keys now raise TypeError (instead of ValueError) if an invalid encoding is provided for the given format.
  * Moved :class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB`, :class:`~cryptography.hazmat.decrepit.ciphers.modes.OFB`, and :class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB8` into :doc:`/hazmat/decrepit/index` and deprecated them in the modes module. They will be removed from the modes module in 49.0.0.
  * Moved :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Camellia` into :doc:`/hazmat/decrepit/index` and deprecated it in the cipher module. It will be removed from the cipher module in 49.0.0.
  * Added :meth:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF.extract` to :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF`. The previous private implementation will be removed in 49.0.0.
  * Added support for loading elliptic curve keys that contain explicit encodings of the curves secp256r1, secp384r1, and secp521r1.
  * Added support for :class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2d` and :class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2i` when using OpenSSL 3.2.0+.
  * Added derive_into methods to :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF`, :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDFExpand`, :class:`~cryptography.hazmat.primitives.kdf.concatkdf.ConcatKDFHash`, :class:`~cryptography.hazmat.primitives.kdf.concatkdf.ConcatKDFHMAC`, :class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2id`, :class:`~cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC`, :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFHMAC`, :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC`, :class:`~cryptography.hazmat.primitives.kdf.scrypt.Scrypt`, and :class:`~cryptography.hazmat.primitives.kdf.x963kdf.X963KDF` to allow deriving keys directly into pre-allocated buffers.
  * Added encrypt_into and decrypt_into methods to :class:`~cryptography.hazmat.primitives.ciphers.aead.AESCCM`, :class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCM`, :class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCMSIV`, :class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`, :class:`~cryptography.hazmat.primitives.ciphers.aead.AESSIV`, and :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305` to allow encrypting directly into a pre-allocated buffer.
  * Added support for PKCS1v15 signing without DigestInfo using :class:`~cryptography.hazmat.primitives.asymmetric.utils.NoDigestInfo`.
  * Added
... changelog too long, skipping 34 lines ...
    OpenSSL 4.0.0.

==== python-idna ====
Version update (3.11 -> 3.13)

- update to 3.13:
  * Correct classification error for codepoint U+A7F1
  * Update to Unicode 17.0.0.
  * Issue a deprecation warning for the transitional argument.
  * Added lazy-loading to provide some performance improvements.
  * Removed vestiges of code related to Python 2 support, including segmentation of data structures specific to Jython.

==== sed ====
Version update (4.9 -> 4.10)

- Update to 4.10:
  * sed 's/a/b/g' (and other global substitutions) now works on input lines longer than 2GB. Previously, matches beyond the 2^31 byte offset would evoke a "panic" (exit 4).
  * 'sed --follow-symlinks -i' no longer has a TOCTOU race that could let an attacker swap a symlink between resolution and open, causing sed to read attacker-chosen content and write it to the original target. (bsc#1262144, CVE-2026-5958)
  * sed no longer falsely matches when back-references are combined with optional groups (.?) and the $ anchor. For example, this no longer falsely matches the empty string at beginning of line:
      $ echo ab | sed -E 's/^(.?)(.?).?\2\1$/X/'
      Xab
  * In --posix mode, sed no longer mishandles backslash escapes (\n, \t, \a, etc.) after a named character class like [[:alpha:]]. For example, 's/^A\n[[:alpha:]]\n*/XXX/' would fail to match the trailing newline, treating \n as a literal backslash and an 'n' rather than a newline. This happened when an earlier backslash escape in the same regex had already been converted, shifting the in-place normalization buffer.
  * sed --debug no longer crashes when a label (":") command is compiled before the --debug option is processed, e.g., sed -f<(...) --debug.
  * sed no longer rejects the documented GNU extension 'a**' (equivalent to 'a*') in Basic Regular Expression (BRE) mode. Previously, this worked only with -E (ERE mode), even though grep has always accepted it in BRE mode.
  * sed no longer rejects "\c[" in regular expressions
  * 'sed --follow-symlinks -i' no longer mishandles an operand that is a short symbolic link to a long symbolic link to a file.
  * Fix some longstanding but unlikely integer overflows. Internally, 'sed' now more often prefers signed integer arithmetic, which can be checked automatically via 'gcc -fsanitize=undefined'.
  * In the default C locale, diagnostics now quote 'like this' (with apostrophes) instead of `like this' (with a grave accent and an apostrophe). This tracks the GNU coding standards.
  * 'sed --posix' now warns about uses of backslashes in the 's' command that are handled by GNU sed but are not portable to other implementations.
  * builds no longer fail on platforms without the header or getopt_long function.
- Add disable-backref-test.patch
  * The bug for back references combined with optional groups and anchor hasn't been fixed in glibc yet, so the tests fail when building with "--without-included-regex". Disable the tests for now.
==== tiff ====

- CVE-2026-4775: Signed integer overflow in putcontig8bitYCbCr44tile (bsc#1260411)
  Add tiff-CVE-2026-4775.patch

==== timezone ====
Version update (2026a -> 2026b)

- Update to 2026b:
  * British Columbia moved to permanent -07 on 2026-03-09
  * Some more overflow bugs have been fixed in zic

==== vim ====
Version update (9.2.0219 -> 9.2.0398)
Subpackages: vim-data-common vim-small

- Fix bsc#1261833 / CVE-2026-39881.
- Update to 9.2.0398.
- Changes:
  * 9.2.0398: MS-Windows: missing strptime() support
  * 9.2.0397: tabpanel: double-click opens a new tab
  * 9.2.0396: tests: Test_error_callback_terminal is flaky on macOS
  * 9.2.0395: tests: Test_backupskip() may read from $HOME
  * 9.2.0394: xxd: offsets greater than LONG_MAX print as negative
  * 9.2.0393: MS-Windows: link error with XPM support on UCRT64
  * 9.2.0392: tests: Some tests are flaky
  * 9.2.0391: tests: Comment in test_vim9_cmd breaks syntax highlighting
  * 9.2.0390: filetype: some Beancount files are not recognized
  * 9.2.0389: DECRQM still leaves stray "pp" on Apple Terminal.app
  * 9.2.0388: strange indent in update_topline()
  * 9.2.0387: DECRQM request may leave stray chars in terminal
  * 9.2.0386: No scroll/scrollbar support in the tabpanel
  * 9.2.0385: Integer overflow with "ze" and large 'sidescrolloff'
  * 9.2.0384: stale Insstart after cursor move breaks undo
  * 9.2.0383: [security]: runtime(netrw): shell-injection via sftp: and file: URLs
  * 9.2.0382: Wayland: focus-stealing is non-working
  * 9.2.0381: Vim9: Missing check_secure() in exec_instructions()
  * 9.2.0380: completion: a few issues in completion code
  * 9.2.0379: gui.color_approx is never used
  * 9.2.0378: Using int as bool type in win_T struct
  * 9.2.0377: Using int as bool type in gui_T struct
  * 9.2.0376: Vim9: elseif condition compiled in dead branch
  * 9.2.0375: prop_find() does not find a virt text in starting line
  * 9.2.0374: c_CTRL-{G,T} does not handle offset
  * 9.2.0373: Ctrl-R mapping not triggered during completion
  * 9.2.0372: pum: rendering issues with multibyte text and opacity
  * 9.2.0371: filetype: ghostty config files are not recognized
  * 9.2.0370: duplicate code with literal string_T assignment
  * 9.2.0369: multiple definitions of STRING_INIT macro
  * 9.2.0368: too many strlen() calls when adding strings to dicts
  * 9.2.0367: runtime(netrw): ~ note expanded on MS Windows
  * 9.2.0366: pum: flicker when updating pum in place
  * 9.2.0365: using int as bool
  * 9.2.0364: tests: test_smoothscroll_textoff_showbreak() fails
  * 9.2.0363: Vim9: variable shadowed by script-local function
  * 9.2.0362: division by zero with smoothscroll and small windows
  * 9.2.0361: tests: no tests for ch_listen() with IPs
  * 9.2.0360: Cannot handle mouse-clicks in the tabpanel
  * 9.2.0359: wrong VertSplitNC highlighting on winbar
  * 9.2.0358: runtime(vimball): still path traversal attacks possible
  * 9.2.0357: [security]: command injection via backticks in tag files
  * 9.2.0356: Cannot apply 'scrolloff' context lines at end of file
  * 9.2.0355: runtime(tar): missing path traversal checks in tar#Extract()
  * 9.2.0354: filetype: not all Bitbake include files are recognized
  * 9.2.0353: Missing out-of-memory check in register.c
  * 9.2.0352: 'winhighlight' of left window blends into right window
  * 9.2.0351: repeat_string() can be improved
  * 9.2.0350: Enabling modelines poses a risk
  * 9.2.0349: cannot style non-current window separator
  * 9.2.0348: potential buffer underrun when setting statusline like option
  * 9.2.0347: Vim9: script-local variable not found
  * 9.2.0346: Wrong cursor position when entering command line window
  * 9.2.0345: Wrong autoformatting with 'autocomplete'
  * 9.2.0344: channel: ch_listen() can bind to network interface
  * 9.2.0343: tests: test_clientserver may fail on slower systems
  * 9.2.0342: tests: test_excmd.vim leaves swapfiles behind
  * 9.2.0341: some functions can be run from the sandbox
  * 9.2.0340: pum_redraw() may cause flicker
  * 9.2.0339: regexp: nfa_regmatch() allocates and frees too often
  * 9.2.0338: Cannot handle mouseclicks in the tabline
  * 9.2.0337: list indexing broken on big-endian 32-bit platforms
  * 9.2.0336: libvterm: no terminal reflow support
  * 9.2.0335: json_encode() uses recursive algorithm
  * 9.2.0334: GTK: window geometry shrinks with with client-side decorations
  * 9.2.0333: filetype: PklProject files are not recognized
  * 9.2.0332: popup: still opacity rendering issues
  * 9.2.0331: spellfile: stack buffer overflows in spell file generation
  * 9.2.0330: tests: some patterns in tar and zip plugin tests not strict enough
  * 9.2.0329: tests: test_indent.vim leaves swapfiles behind
  * 9.2.0328: Cannot handle mouseclicks in the statusline
  * 9.2.0327: filetype: uv scripts are not detected
  * 9.2.0326: runtime(tar): but with dotted path
  * 9.2.0325: runtime(tar): bug in zstd handling
  * 9.2.0324: 0x9b byte not unescaped in mapping
  * 9.2.0323: filetype: buf.lock files are not recognized
  * 9.2.0322: tests: test_popupwin fails
  * 9.2.0321: MS-Windows: No OpenType font support
  * 9.2.0320: several bugs with text properties
  * 9.2.0319: popup: rendering issues with partially transparent popups
  * 9.2.0318: cannot configure opacity for popup menu
  * 9.2.0317: listener functions do not check secure flag
  * 9.2.0316: [security]: command injection in netbeans interface via defineAnnoType
  * 9.2.0315: missing bound-checks
  * 9.2.0314: channel: can bind to all network interfaces
  * 9.2.0313: Callback channel not registered in GUI
  * 9.2.0312: C-type names are marked as translatable
  * 9.2.0311: redrawing logic with text properties can be improved
  * 9.2.0310: unnecessary work in vim_strchr() and find_term_bykeys()
  * 9.2.0309: Missing out-of-memory check to may_get_cmd_block()
  * 9.2.0308: Error message E1547 is wrong
  * 9.2.0307: more mismatches between return types and documentation
  * 9.2.0306: runtime(tar): some issues with lz4 support
  * 9.2.0305: mismatch between return types and documentation
  * 9.2.0304: tests: test for 9.2.0285 doesn't always fail without the fix
  * 9.2.0303: tests: zip plugin tests don't check for warning message properly
... changelog too long, skipping 88 lines ...
  * 9.2.0220: MS-Windows: some defined cannot be set on Cygwin/Mingw

==== vlc ====
Subpackages: libvlc5 libvlccore9 vlc-noX vlc-qt

- Fix Requires for ffmpeg library: For building the package ffmpeg-7-mini-libs may be installed which is used for building only, so the name package cannot be used to determine Requires.

==== xbitmaps ====
Version update (1.1.3 -> 1.1.4)

- Update to version 1.1.4
  * This release adds support for building with meson as well as autoconf.
- switch to meson

==== xterm ====
Version update (407 -> 409)
Subpackages: xterm-bin xterm-resize

- update to 409:
  * correct one of the special cases added for Debian #1123877 in patch
  * update version for Extended Window Manager Hints (EWMH), in manpage.

==== xwayland ====
Version update (24.1.9 -> 24.1.11)

- Update to 24.1.11
- This release addresses a number of regressions found in Xwayland 24.1.10:
  * Avoids spurious focus changes with KDE when listening for mouse buttons is enabled for legacy X11 application support
  * Fix tablet tools not working anymore as "slave" devices
  * Fix a crash when running some XTS tests
  * Fix a crash in window damage handling caused by a NULL pointer dereference
- supersedes the following security patches for CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, CVE-2026-34003 (bsc#1260922, bsc#1260923, bsc#1260924, bsc#1260925, bsc#1260926)
  * bsc1260922_CVE-2026-33999_xkb-fix-buffer-re-use-in-_XkbSetCompatMap.patch
  * bsc1260923_CVE-2026-34000_xkb-Fix-bounds-check-in-_CheckSetGeom.patch
  * bsc1260924_CVE-2026-34001_miext-sync-Fix-use-after-free-in-miSyncTriggerFence.patch
  * bsc1260925_CVE-2026-34002_0001-xkb-Fix-out-of-bounds-read-in-CheckModifierMap.patch
  * bsc1260925_CVE-2026-34002_0002-xkb-Add-more-_XkbCheckRequestBounds.patch
  * bsc1260926_CVE-2026-34003_0001-xkb-Add-additional-bound-checking-in-CheckKeyTypes.patch

==== zypper ====
Version update (1.14.95 -> 1.14.96)
Subpackages: zypper-needs-restarting

- Autorefresh ris-services the way as plugin-services (bsc#1246504)
  It's actually wrong to treat service refreshes different depending on the service type. For the purpose of a service it makes no difference how the data about the repos to use are acquired.
- version 1.14.96