Packages changed:
  MozillaFirefox (142.0.1 -> 143.0)
  argyllcms (3.3.0 -> 3.4.1)
  autofs
  aws-lc (1.59.0 -> 1.61.2)
  bash-completion
  cups (2.4.12 -> 2.4.14)
  cups-filters
  dracut (059+suse.757.g0d1d426d -> 059+suse.762.g8903c5e2)
  gdbm (1.24 -> 1.26)
  glibc
  kdepim-runtime
  libjpeg-turbo (3.0.4 -> 3.1.2)
  libstorage-ng (4.5.274 -> 4.5.275)
  mozilla-nspr (4.36 -> 4.37)
  openSUSE-release (20250917 -> 20250920)
  openssl-3 (3.5.2 -> 3.5.3)
  openssl (3.5.2 -> 3.5.3)
  osinfo-db
  pragha
  protobuf
  python-gssapi (1.9.0 -> 1.10.0)
  python-pycares (4.10.0 -> 4.11.0)
  raspberrypi-firmware-dt
  re2c (4.1 -> 4.3)
  rlwrap (0.46.2 -> 0.47)
  sac
  salt
  sdbootutil (1+git20250909.8b2878e -> 1+git20250917.7aab076)
  systemd
  texlive
  tiff (4.7.0 -> 4.7.1)
  webp-pixbuf-loader
  wsdd (0.8 -> 0.9)
  zenity (4.1.99 -> 4.2.0)

=== Details ===

==== MozillaFirefox ====
Version update (142.0.1 -> 143.0)
Subpackages: MozillaFirefox-branding-upstream

- Mozilla Firefox 143.0
  https://www.firefox.com/en-US/firefox/143.0/releasenotes
  MFSA 2025-73 (bsc#1249391)
  * CVE-2025-10527 (bmo#1984825)
    Sandbox escape due to use-after-free in the Graphics: Canvas2D component
  * CVE-2025-10528 (bmo#1986185)
    Sandbox escape due to undefined behavior, invalid pointer in the
    Graphics: Canvas2D component
  * CVE-2025-10529 (bmo#1970490)
    Same-origin policy bypass in the Layout component
  * CVE-2025-10530 (bmo#1974025)
    Spoofing issue in the WebAuthn component in Firefox for Android
  * CVE-2025-10531 (bmo#1978453)
    Mitigation bypass in the Web Compatibility: Tooling component
  * CVE-2025-10532 (bmo#1979502)
    Incorrect boundary conditions in the JavaScript: GC component
  * CVE-2025-10533 (bmo#1980788)
    Integer overflow in the SVG component
  * CVE-2025-10534 (bmo#1665334)
    Spoofing issue in the Site Permissions component
  * CVE-2025-10535 (bmo#1979918)
    Information disclosure, mitigation bypass in the Privacy component in
    Firefox for Android
  * CVE-2025-10536 (bmo#1981502)
    Information disclosure in the Networking: Cache component
  * CVE-2025-10537 (bmo#1938220, bmo#1980730,
    bmo#1981280, bmo#1981283, bmo#1984505, bmo#1985067)
    Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird ESR 140.3,
    Firefox 143 and Thunderbird 143
- requires NSPR 4.37 NSS 3.115.1
- remove obsolete mozilla-nongnome-proxies.patch
- Update MozillaFirefox.desktop from a fresh Factory/Tumbleweed build.

==== argyllcms ====
Version update (3.3.0 -> 3.4.1)

- Update to 3.4.1:
  * Enabled support for JETI specbos extra adapter heads.
  * Turned off erroneous strip read debugging in munki driver.
  * Fixed printtarg -T option to work again.
  * Add delay to ArgyllCMS_install_USB.exe and ArgyllCMS_uninstall_USB.exe
    exit so that messages can be read.
  * Changed chartread unexpected patch value warning threshold to dE 95
    when no targen -c profile.
- Update to 3.4.0:
  * Added support for Spyder and SpyderPRO (2024)
  * Renamed proposed CIE 2012 2 and 10 degree to standard CIE 2015 2 and
    10 degree observers, as per CIE 170-2:2015.
  * Added -Y c: option to colprof and invprofcheck to allow
    setting/overriding calibration curves for setting final ink limits.
  * Added -Y c: option to xicclu to allow setting/overriding calibration
    curves for setting final ink limits, and added -T flag to show ink
    limits.
  * Fixed Spyder X and X2 to not make Device Disconnect noise (if such
    sounds are enabled) on MSWin.
  * Fixed bug in colprof -nI failing for CMYK profiles.
  * Enhanced strip reader patch recognition to reject strips that don't
    start and end on the media, as well as adding some speed compensation
    to the patch recognition for non-zebra ruler measurements.
  * Fixed bug in i1Pro3 strip reading where it would return bad values if
    the zebra stripe wasn't used.
  * Changed chartread so that it will issue warnings of possible bad row
    or patch reading even when .ti2 reference measurement is not accurate
    (i.e. no preconditioning profile used in targen.)
  * Increased emphasis of making sure that there is contrast between
    patches at the end of rows in printtarg patch ordering for strip
    instruments.
  * Added -C parameter to targen to allow overriding any calibration
    curves found in the ICC profile, used to estimate the total ink limit
    from that in the ICC profile. Also better enforces final raw computes
    ink limits.
  * Modified ccxxmake so that it checks that it has actually found a white
    seeming patch to use as the L*a*b* white reference, and the patch to
    de-weight. If there is no white patch (i.e. just RGB patches) then it
    will use D65 as the L*a*b* conversion reference. ccxxmake will fail if
    there are less than 3 patches.
  * Fixed ICC profile writing so that it clips rather than failing when
    writing a ColorantTable PCS value that is out of range. A warning to
    stderr will be issued.
  * Changed ColorMunki driver so that it is more forgiving about
    unexpected version string lengths.
  * Fixed dispcal and dispread so that they won't error out if there is no
    instrument but the -M parameter is provided.

==== autofs ====

- Link against ldap.so instead of ldap_r.so; the former now provides
  thread-safety and the latter is a symlink which may not exist
  (bsc#1249966)
  * drop autofs-use-libldap_r-instead-of-libldap-for-thread-safety.patch

==== aws-lc ====
Version update (1.59.0 -> 1.61.2)
Subpackages: libcrypto-awslc0 libssl-awslc0

- update to version 1.61.2:
  * Fix build when path has spaces
  * Fix test issues with run_minimal_tests
- update to version 1.61.1:
  * Fix duplicate test names in CodeBuild integration tests
- update to version 1.61.0:
  * Apply additional X509 validation checks on certificates sourced from
    trust store
  * Reorganizing compatibility tests, rework certificates for better
    grokking
  * Additional X.509 Behavior Compatibility Tests
  * Add Support for IPv4 and IPv6 X.509 Certificate Name Constraints
  * Merge main to x509
  * Reintroduce support for validating DNS commonName subjects when name
    constraints are present.
  * Support client-side hostname checks with leading .
  * Verify leaf certificate public key rather than leaving it to the
    caller
  * Support for explicit curve parameter on EC public keys where
    parameters match supported curves
  * Add x86 Keccak implementation
  * Gate EC explicit curve parameters for X.509 behind flag
  * Update CPU Jitter Entropy dependency to version 3.6.3
  * Fix benchmarking issues with FIPS main
  * Add standalone MLKEM supported groups
  * Document and statically assert counters can't overflow
  * TLS Transfer Serialization Improvements
  * Fix ternary operator in github workflow
  * Merge x509 branch into main
  * Address clang-ci comments on new x509 code
  * Implement snapsafe fallback entropy source
  * Rand small fixes
  * Import s2n-bignum 2025-09-05-04
  * Refactor iOS CI script
  * Re-import mlkem-native for addition of CFI directives
  * Fix typo in ssl_transfer_asn1
  * Fix for zig build
  * Update SSLProxy patch
  * ML-DSA service indicator
  * Add aes-xts AArch64 implementation that will eventually be imported
    from s2n-bignum.
  * Fix Keccak MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX flag
  * Increase SSLBuffer size to INT_MAX
  * Wrap compiler when FIPS w/ clang v20+
  * Test ACCP in FIPS mode as well as non-FIPS
  * fix: Allow zero-length passwords in PEM key decryption
  * Use CheckCCompilerFlag to test -Wno-cast-function-type
  * Make X509 CodeBuild webhook more resilient
- update to version 1.60.0:
  * Anchor CodeBuild account-id patterns
  * Implement read/write timeouts for BIO datagram
  * Migrate from CodeBuild account actor filter to pull request comment
    filter based on GitHub permissions
  * Implement ragdoll
  * Add expandedKey ASN.1 encoding for KEM keys

==== bash-completion ====

- Add patch bug1246923.patch
  * Skip colon from device names for ethtool (bsc#1246923)

==== cups ====
Version update (2.4.12 -> 2.4.14)
Subpackages: cups-client cups-config libcups2 libcupsimage2

- Version upgrade to 2.4.14:
  See https://github.com/openprinting/cups/releases
  The hotfix release brings a fix for the installation process of
  localized templates and CUPS web UI
  home pages.
- Version upgrade to 2.4.13:
  See https://github.com/openprinting/cups/releases
  The release 2.4.13 brings two CVE fixes: a fix for the important
  CVE-2025-58060 "Authentication bypass with AuthType Negotiate"
  (bsc#1249049) and a fix for the moderate CVE-2025-58364
  "Remote DoS via null dereference" (bsc#1249128), together with several
  bug fixes.
  The release includes a new feature: a new attribute for printer and job
  objects, print-as-raster, which allows enforcing rasterization of the
  file for IPP Everywhere/AirPrint printers, which support PDF and raster
  document formats. The feature is useful for working around internal PDF
  issues in the printer firmware, for example a missing diacritic when
  printing a PDF.
  Detailed list (from CHANGES.md):
  * Blocked authentication using alternate methods in cupsd
    (CVE-2025-58060)
  * Fixed extension tag handling in 'ipp_read_io()' in libcups
    (CVE-2025-58364)
  * Added 'print-as-raster' printer and job attributes for forcing
    rasterization (Issue #1282)
  * Updated documentation (Issue #1086)
  * Updated IPP backend to try a sanitized user name if the
    printer/server does not like the value (Issue #1145)
  * Updated the scheduler to send the "printer-added" or
    "printer-modified" events whenever an IPP Everywhere PPD is installed
    (Issue #1244)
  * Updated the scheduler to send the "printer-modified" event whenever
    the system default printer is changed (Issue #1246)
  * Fixed a memory leak in 'httpClose' (Issue #1223)
  * Fixed missing commas in 'ippCreateRequestedArray' (Issue #1234)
  * Fixed subscription issues in the scheduler and D-Bus notifier
    (Issue #1235)
  * Fixed media-default reporting for custom sizes (Issue #1238)
  * Fixed support for IPP/PPD options with periods or underscores
    (Issue #1249)
  * Fixed parsing of real numbers in PPD compiler source files
    (Issue #1263)
  * Fixed scheduler freezing with zombie clients (Issue #1264)
  * Fixed support for the server name in the ErrorLog filename
    (Issue #1277)
  * Fixed job cleanup after daemon restart (Issue
    #1315)
  * Fixed handling of buggy DYMO USB printer serial numbers (Issue #1338)
  * Fixed unreachable block in IPP backend (Issue #1351)
  * Fixed memory leak in _cupsConvertOptions (Issue #1354)
  Issues are those at https://github.com/OpenPrinting/cups/issues
- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.14

==== cups-filters ====

- cups-filters-1.28.17-CVE-2024-47176.patch is based on
  https://github.com/OpenPrinting/cups-browsed/commit/1d1072a0de573b7850958df614e9ec5b73ea0e0d
  backported to cups-filters 1.28.17 to fix CVE-2024-47176
  "cups-browsed binds to UDP INADDR_ANY:631" (bsc#1230939)
  and to avoid CVE-2024-47850
  "cups-browsed can be abused to initiate remote DDoS against
  third-party targets" (bsc#1231294)
  by removing legacy CUPS Browsing support in cups-browsed
  (introduced 2012) which is no longer needed nowadays.
  CUPS browsing was removed from CUPS since version 1.6.
  Legacy CUPS Browsing is a generic security risk, see the section
  "Automated print queue setup via cups-browsed" in
  https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
- cups-filters-1.28.17-CVE-2024-47076.patch is based on
  https://github.com/OpenPrinting/libcupsfilters/commit/95576ec3
  backported to cups-filters 1.28.17 to fix CVE-2024-47076
  "lack of input sanitization in cfGetPrinterAttributes5" (bsc#1230937)
- cups-filters-1.28.17-CVE-2024-47175.patch is based on
  https://github.com/OpenPrinting/libppd/commit/d681747ebf12602cb426725eb8ce2753211e2477
  backported to cups-filters 1.28.17 to fix CVE-2024-47175
  "lack of input sanitization in _ppdCreateFromIPP()" (bsc#1230932)
- In general regarding CUPS and cups-browsed security issues see
  https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings

==== dracut ====
Version update (059+suse.757.g0d1d426d -> 059+suse.762.g8903c5e2)

- Update to version 059+suse.762.g8903c5e2:
  * fix(dracut.sh): check that custom fw search path exists before
    reading it
  * fix(fs-lib): include modules for charsets for working vfat support
  * fix(lsinitrd,
    dracut-initramfs-restore): detect initrd for BLS Type #1 entries
    (bsc#1248271)

==== gdbm ====
Version update (1.24 -> 1.26)
Subpackages: libgdbm6 libgdbm_compat4

- version update to 1.26
  * New function: gdbm_open_ext
  * Fixed build on musl libc
  * Fixed build on MacOS
  * Improved testsuite
- removed patches
  * gdbm-gcc15.patch (upstreamed)

==== glibc ====
Subpackages: glibc-devel glibc-extra glibc-gconv-modules-extra glibc-locale glibc-locale-base

- inet-fortified-namespace.patch: inet-fortified: fix namespace violation
  (BZ #33227)
- abort-fork-lock-init.patch: stdlib: resolve a double lock init issue
  after fork (BZ #32994)
- ld.so-load-segment-gaps.patch: elf: Handle ld.so with LOAD segment gaps
  in _dl_find_object (BZ #31943)
- cancelable-syscall-return-value.patch: nptl: Fix SYSCALL_CANCEL for
  return values larger than INT_MAX (BZ #33245)
- ctype-tls-IE.patch: Use TLS initial-exec model for __libc_tsd_CTYPE_*
  thread variables (BZ #33234)
- i386-gnu-tls-abi-tag.patch: i386: Add GLIBC_ABI_GNU_TLS version
  (BZ #33221)
- x86-64-gnu2-tls-abi-tag.patch: x86-64: Add GLIBC_ABI_GNU2_TLS version
  (BZ #33129)
- x86-64-dt-x86-64-plt-abi-tag.patch: x86-64: Add GLIBC_ABI_DT_X86_64_PLT
  (BZ #33212)
- i386-gnu2-tls-abi-tag.patch: i386: Also add GLIBC_ABI_GNU2_TLS version
  (BZ #33129)
- aarch64-sve-powf.patch: AArch64: Fix SVE powf routine (BZ #33299)
- For cross builds use the version-suffixed gcc and g++ executable names.

==== kdepim-runtime ====

- Remove obsolete build conditions and requirements (related: boo#1249599)

==== libjpeg-turbo ====
Version update (3.0.4 -> 3.1.2)
Subpackages: libjpeg8 libturbojpeg0

- version update to 3.1.2
  * The libjpeg-turbo source tree has been reorganized.
  * cjpeg no longer allows GIF input files to be converted into
    12-bit-per-sample JPEG files.
  * Added support for lossless JPEG images with 2 to 15 bits per sample
    to the libjpeg and TurboJPEG APIs.
  * All deprecated constants and methods in the TurboJPEG Java API have
    been removed.
  * TJBench command-line arguments are now more consistent with those of
    cjpeg, djpeg, and jpegtran.
  * Added a new TJBench option (-pixelformat gray) that can be used to
    test the performance of compressing/decompressing a grayscale JPEG
    image from/to a packed-pixel grayscale image.
  * Fixed an issue whereby, if TJPARAM_NOREALLOC was set, TurboJPEG
    compression and lossless transformation functions ignored the JPEG
    buffer size(s) passed to them and assumed that the JPEG buffer(s) had
    been allocated to a worst-case size returned by tj3JPEGBufSize().
  * The TurboJPEG C and Java APIs have been improved.
  * TJExample has been replaced with three programs (TJComp, TJDecomp,
    and TJTran) that demonstrate how to approximate the functionality of
    cjpeg, djpeg, and jpegtran using the TurboJPEG C and Java APIs.
- modified patches
  * libjpeg-turbo-1.3.0-tiff-ojpeg.patch (refreshed)

==== libstorage-ng ====
Version update (4.5.274 -> 4.5.275)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1

- merge gh#openSUSE/libstorage-ng#1039
- improve memory management
- 4.5.275

==== mozilla-nspr ====
Version update (4.36 -> 4.37)

- update to version 4.37
  * bmo#1890927 - PR_GetUniqueIdentity asserts on the 32767th call
  * bmo#1880254 - error LNK2019: unresolved external symbol
    _InterlockedCompareExchange
  * bmo#1905990 - initclk deadline elapsed macOS
  * bmo#1921087 - Remove prwin.h (formerly known as prwin16.h)
  * bmo#1939333 - Use builtin atomic functions on RISC-V32/64
  * bmo#1917446 - PR_FormatTimeUSEnglish() doesn't support "%e" format
    specifier

==== openSUSE-release ====
Version update (20250917 -> 20250920)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== openssl-3 ====
Version update (3.5.2 -> 3.5.3)
Subpackages: libopenssl3

- Update to 3.5.3:
  * Added FIPS 140-3 PCT on DH key generation.
  * Fixed the synthesised OPENSSL_VERSION_NUMBER.
- Rebase patches:
  * openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
  * openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
  * openssl-FIPS-limit-rsa-encrypt.patch

==== openssl ====
Version update (3.5.2 -> 3.5.3)

- Update to 3.5.3

==== osinfo-db ====

- Fix the definition of Leap 16.0 to match the current names of the
  Leap 16.0 ISOs and the Volume IDs contained within those ISOs.
  (bsc#1236401)
  add-opensuse-leap-16.0-support.patch

==== pragha ====
Subpackages: pragha-lang pragha-plugins

- Drop rygel-devel BuildRequires, what pragha checks for is
  pkgconfig(rygel-server-2.6), and currently rygel-devel provides
  pkgconfig(rygel-server-2.8).

==== protobuf ====
Subpackages: libprotobuf-lite32_0_0 libprotobuf32_0_0 libutf8_range-32_0_0

- Add upstream patch to fix build on armv9:
  * protobuf-gh23194.patch

==== python-gssapi ====
Version update (1.9.0 -> 1.10.0)

- Update to 1.10.0
  * Update macOS build versions
  * Fix return type for name property in Credentials class
  * Remove deprecated license classifier
  * Update Python requirements and pin Cython
- Remove zero-length files from source tree

==== python-pycares ====
Version update (4.10.0 -> 4.11.0)

- Update to 4.11.0
  * Add support for Python 3.14 (including free-threaded Python)
    by @ngoldbaum in #256
  * build(deps): bump actions/checkout from 4 to 5
    by @dependabot[bot] in #259
  * build(deps): bump actions/download-artifact from 4 to 5
    by @dependabot[bot] in #258
  * build(deps): bump pypa/cibuildwheel from 3.1.3 to 3.1.4
    by @dependabot[bot] in #257

==== raspberrypi-firmware-dt ====

- Amend the RP1 ethernet node to work with upstream driver
  * 0001-Amend-the-RP1-ethernet-node-to-work-with-upstream-dr.patch-

==== re2c ====
Version update (4.1 -> 4.3)

- Update to version 4.3
  * Added warning -Wdeprecated-eof-rule, this will be turned to error in
    the future.
  * Improved re2c performance (made determinization faster, #544).
- Update to version 4.2
  * Added Swift backend
  * Added options:
    + --lang swift
    + --computed-gotos-relative
  * Added configurations:
    + re2c:cgoto:relative, re2c:computed-gotos:relative
    + re2c:yyfn:throw
  * Added syntax file code templates:
    + code:cgoto
    + code:cgoto_data
    + code:yytarget_filter
    + code:type_yyctable
  * Added syntax file conditionals:
    + .cgoto.relative
    + .yyfn.throw
  * Added some C++ benchmarks without submatch extraction.

==== rlwrap ====
Version update (0.46.2 -> 0.47)

- Update to 0.47
  * Bug fix
    - use libptytty by default and add --with-libptytty option to
      configure. Keep the original ptytty.c code as a fallback.
    - add libtinfow to the list of libraries that are checked for the
      presence of tgetent()
    - only look for filters in $RLWRAP_FILTERDIR and don't add this
      directory to filter's PATH
    - have rlwrap source conform to POSIX.1c (as we cannot use Polarhome
      anymore to test on ancient systems)
    - extend testclient with a test that spawns a child and then dies
      (testing the effect of --skip-setctty)
    - make configure backdate src/completion.rb a few seconds to prevent
      spurious calls to rbgen

==== sac ====

- Fix build with older JDKs where jar tool does not have long options

==== salt ====
Subpackages: python311-salt salt-master salt-minion

- Set python-CherryPy as required for python-salt-testsuite

==== sdbootutil ====
Version update (1+git20250909.8b2878e -> 1+git20250917.7aab076)
Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper

- Update to version 1+git20250917.7aab076:
  * Revert "PCR#15 workaround for LVM devices"
  * measure-pcr-generator: escape the device name
  * Fix boot_root for systemd 258

==== systemd ====
Subpackages: libsystemd0 libudev1 systemd-boot systemd-container systemd-experimental udev

- Move systemd-pcrlock out from the experimental sub-package to udev
  (bsc#1248261)
- systemd.spec: use %sysusers_generate_pre so that some systemd users are
  already available in %pre.
  This is important because D-Bus automatically reloads its configuration
  whenever new configuration files are installed, i.e. between %pre and
  %post. (bsc#1248501)
  No need for systemd and udev packages as they are always installed
  during the initial installation.
- Sign aarch64 and riscv systemd-boot EFI binaries (bsc#1247474)

==== texlive ====

- Add boost2.dif
  * Make texlive build with boost 1.89 (boo#1249956)

==== tiff ====
Version update (4.7.0 -> 4.7.1)

- Update to 4.7.1:
  Software configuration changes:
  * Define HAVE_JPEGTURBO_DUAL_MODE_8_12 and LERC_STATIC in tif_config.h.
  * CMake: define WORDS_BIGENDIAN via tif_config.h
  * doc/CMakeLists.txt: remove useless cmake_minimum_required()
  * CMake: fix build with LLVM/Clang 17 (fixes issue #651)
  * CMake: set CMP0074 new policy
  * Set LINKER_LANGUAGE for C targets with C deps
  * Export tiffxx cmake target (fixes issue #674)
  * autogen.sh: Enable verbose wget.
  * configure.ac: Syntax updates for Autoconf 2.71
  * autogen.sh: Re-implement based on autoreconf. Failure to update
    config.guess/config.sub does not return error (fixes issue #672)
  * CMake: fix CMake 4.0 warning when minimum required version is < 3.10.
  * CMake: Add build option tiff-static (fixes issue #709)
  Library changes:
  * Add TIFFOpenOptionsSetWarnAboutUnknownTags() for explicit control
    about emitting warnings for unknown tags. No longer emit warnings
    about unknown tags by default
  * tif_predict.c: speed-up decompression in some cases.
  Bug fixes:
  * tif_fax3: For fax group 3 data if no EOL is detected, reading is
    retried without synchronisation for EOLs. (fixes issue #54)
  * Updating TIFFMergeFieldInfo() with read_count=write_count=0 for
    FIELD_IGNORE. Improving handling when field_name = NULL.
    (fixes issue #532)
  * tiff.h: add COMPRESSION_JXL_DNG_1_7=52546 as used for JPEGXL
    compression in the DNG 1.7 specification
  * TIFFWriteDirectorySec: Increment string length for ASCII tags for
    codec tags defined with FIELD_xxx bits, as it is done for
    FIELD_CUSTOM tags. (fixes issue #648)
  * Do not error out on a tag whose tag count value is zero, just issue a
    warning. Fix parsing a private tag 0x80a6 (fixes issue #647)
  * TIFFDefaultTransferFunction(): give up beyond td_bitspersample = 24
    (fixes https://github.com/OSGeo/gdal/issues/10875)
  * tif_getimage.c: Remove unnecessary calls to TIFFRGBAImageOK()
    (fixes issue #175)
  * Fix writing a Predictor=3 file with non-native endianness
  * _TIFFVSetField(): fix potential use of unallocated memory
    (out-of-bounds read / nullptr dereference) in case of out-of-memory
    situation when dealing with custom tags (fixes issue #663)
  * tif_fax3.c: Error out for CCITT fax encoding if SamplesPerPixel is
    not equal 1 and PlanarConfiguration = Contiguous (fixes issue #26)
  * tif_fax3.c: error out after a number of times end-of-line or
    unexpected bad code words have been reached. (fixes issue #670)
  * Fix memory leak in TIFFSetupStrips() (fixes issue #665)
  * tif_zip.c: Provide zlib allocation functions. Otherwise for zlib
    built with -DZ_SOLO inflating will fail.
  * Fix memory leak in _TIFFSetDefaultCompressionState.
    (fixes issue #676)
  * tif_predict.c: Don't overwrite input buffer of TIFFWriteScanline() if
    "prediction" is enabled. Use extra working buffer in
    PredictorEncodeRow(). (fixes issue #5)
  * tif_getimage.c: update some integer overflow checks (fixes issue #79)
  * tif_getimage.c: Fix buffer underflow crash for less raster rows at
    TIFFReadRGBAImageOriented() (fixes issue #704)
  * TIFFReadRGBAImage(): several fixes to avoid buffer overflows.
  * Correct passing arguments to TIFFCvtIEEEFloatToNative() and
    TIFFCvtIEEEDoubleToNative() if HAVE_IEEEFP is not defined.
    (fixes issue #699)
  * LZWDecode(): avoid nullptr dereference when trying to read again
    after EOI marker has been found with remaining output bytes
    (fixes issue #698)
  * TIFFSetSubDirectory(): check _TIFFCheckDirNumberAndOffset() return.
  * TIFFUnlinkDirectory() and TIFFWriteDirectorySec(): clear tif_rawcp
    when clearing tif_rawdata (fixes issue #711)
  * JPEGEncodeRaw(): error out if a previous scanline failed to be
    written, to avoid out-of-bounds access (fixes issue #714)
  * tif_jpeg: Fix bug in JPEGDecodeRaw() if JPEG_LIB_MK1_OR_12BIT is
    defined for 8/12bit dual mode, introduced in libjpeg-turbo 2.2, which
    was actually released as 3.0. Fixes issue #717
  * add assert for TIFFReadCustomDirectory infoarray check.
  * ppm2tiff: Fix bug in pack_words trailing bytes, where last two bytes
    of each line were written wrongly. (fixes issue #467)
  * fax2ps: fix regression of commit
    28c38d648b64a66c3218778c4745225fe3e3a06d where TIFFTAG_FAXFILLFUNC is
    being used rather than an output buffer (fixes issue #649)
  * tiff2pdf: Check TIFFTAG_TILELENGTH and TIFFTAG_TILEWIDTH
    (fixes issue #650)
  * tiff2pdf: check h_samp and v_samp for range 1 to 4 to avoid division
    by zero. Fixes issue #654
  * tiff2pdf: avoid null pointer dereference. (fixes issue #741)
  * Improve non-secure integer overflow check (comparison of division
    result with multiplicand) at compiler optimisation in tiffcp,
    rgb2ycbcr and tiff2rgba. Fixes issue #546
  * tiff2rgba: fix some "a partial expression can generate an overflow
    before it is assigned to a broader type" warnings.
    (fixes issue #682)
  * tiffdither/tiffmedian: Don't skip the first line of the input image.
    (fixes issue #703)
  * tiffdither: avoid out-of-bounds read identified in issue #733
  * tiffmedian: error out if TIFFReadScanline() fails (fixes issue #707)
  * tiffmedian: close input file.
    (fixes issue #735)
  * thumbnail: avoid potential out of bounds access (fixes issue #715)
  * tiffcrop: close open TIFF files and release allocated buffers before
    exiting in case of error to avoid memory leaks. (fixes issue #716)
  * tiffcrop: fix double-free and memory leak exposed by issue #721
  * tiffcrop: avoid buffer overflow. (fixes issue #740)
  * tiffcrop: avoid nullptr dereference. (fixes issue #734)
  * tiffdump: Fix coverity scan issue CID 1373365: Passing tainted
    expression *datamem to PrintData, which uses it as a divisor or
    modulus.
  * tiff2ps: check return of TIFFGetField() for TIFFTAG_STRIPBYTECOUNTS
    and TIFFTAG_TILEBYTECOUNTS to avoid NULL pointer dereference.
    (fixes issue #718)
  * tiffcmp: fix memory leak when second file cannot be opened.
    (fixes issue #718 and issue #729)
  * tiffcp: fix setting compression level for lossless codecs.
    (fixes issue #730)
  * raw2tiff: close input file before exit (fixes issue #742)
  Tools changes:
  * tiffinfo: add a -W switch to warn about unknown tags.
  * tiffdither: process all pages in input TIFF file.
  ... changelog too long, skipping 26 lines ...
  * tiff-CVE-2025-8961.patch

==== webp-pixbuf-loader ====

- Drop gdk-pixbuf-thumbnailer Requires: only needed for directory
  ownership (and deprecated).

==== wsdd ====
Version update (0.8 -> 0.9)

- update to 0.9:
  * Add command line argument to set source port for multicast message
    for better firewall interoperability
  * Add initial support for SunOS (#223), without dynamic
    address/interface monitoring. Thanks to Carsten Grzemba.
  * Add Socket-activated systemd service (#218). Thanks to Alessandro
    Astone.
  * Devices are now recorded based on their URI provided in the endpoint
    reference address, which is not necessarily a UUID. This also affects
    API (see #226).
  * make `/etc/default/wsdd` optional for systemd (see #212)
  * Remove support for Python 3.7 and 3.8 in Github workflows.
  * Clean connection turn-down for Python pre-3.13.
    Thanks to Alessandro Astone
  * Handle TimeoutError in metadata exchange.
  * Proper handling of endpoint addresses as URIs, not UUIDs, see #226.

==== zenity ====
Version update (4.1.99 -> 4.2.0)

- Update to version 4.2.0:
  + Updated translations.