Packages changed: MicroOS-release (20250917 -> 20250920) bash-completion cups (2.4.12 -> 2.4.14) dracut (059+suse.757.g0d1d426d -> 059+suse.762.g8903c5e2) gdbm (1.24 -> 1.26) glibc libjpeg-turbo mozilla-nspr (4.36 -> 4.37) openssl-3 (3.5.2 -> 3.5.3) openssl (3.5.2 -> 3.5.3) protobuf raspberrypi-firmware-dt read-only-root-fs sdbootutil (1+git20250909.8b2878e -> 1+git20250917.7aab076) systemd tiff (4.7.0 -> 4.7.1) zypp-boot-plugin === Details === ==== MicroOS-release ==== Version update (20250917 -> 20250920) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== bash-completion ==== - Add patch bug1246923.patch * Skip colon from device names for ethtool (bsc#1246923) ==== cups ==== Version update (2.4.12 -> 2.4.14) Subpackages: cups-client cups-config libcups2 libcupsimage2 - Version upgrade to 2.4.14: See https://github.com/openprinting/cups/releases The hotfix release brings fix for installation process of localized templates and CUPS web UI home pages. - Version upgrade to 2.4.13: See https://github.com/openprinting/cups/releases The release 2.4.13 brings two CVE fixes fix for important CVE-2025-58060 "Authentication bypass with AuthType Negotiate" (bsc#1249049) and fix for moderate CVE-2025-58364 "Remote DoS via null dereference" (bsc#1249128) together with several bug fixes. The release includes a new feature - new attribute for printer and job objects - print-as-raster - which allows enforce rasterization of the file for IPP Everywhere/AirPrint printers, which supports PDF and raster document formats. The feature is useful for working around internal PDF issues in the printer firmware, for example missing diacritic when printing a PDF. Detailed list (from CHANGES.md): * Blocked authentication using alternate methods in cupsd (CVE-2025-58060) * Fixed extension tag handling in 'ipp_read_io()' in libcups (CVE-2025-58364) * Added 'print-as-raster' printer and job attributes for forcing rasterization (Issue #1282) * Updated documentation (Issue #1086) * Updated IPP backend to try a sanitized user name if the printer/server does not like the value (Issue #1145) * Updated the scheduler to send the "printer-added" or "printer-modified" events whenever an IPP Everywhere PPD is installed (Issue #1244) * Updated the scheduler to send the "printer-modified" event whenever the system default printer is changed (Issue #1246) * Fixed a memory leak in 'httpClose' (Issue #1223) * Fixed missing commas in 'ippCreateRequestedArray' (Issue #1234) * Fixed subscription issues in the scheduler and D-Bus notifier (Issue #1235) * Fixed media-default reporting for custom sizes (Issue #1238) * Fixed support for IPP/PPD options with periods or underscores (Issue #1249) * Fixed parsing of real numbers in PPD compiler source files (Issue #1263) * Fixed scheduler freezing with zombie clients (Issue #1264) * Fixed support for the server name in the ErrorLog filename (Issue #1277) * Fixed job cleanup after daemon restart (Issue #1315) * Fixed handling of buggy DYMO USB printer serial numbers (Issue #1338) * Fixed unreachable block in IPP backend (Issue #1351) * Fixed memory leak in _cupsConvertOptions (Issue #1354) Issues are those at https://github.com/OpenPrinting/cups/issues - Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.14 ==== dracut ==== Version update (059+suse.757.g0d1d426d -> 059+suse.762.g8903c5e2) Subpackages: dracut-ima - Update to version 059+suse.762.g8903c5e2: * fix(dracut.sh): check that custom fw search path exists before reading it * fix(fs-lib): include modules for charsets for working vfat support * fix(lsinitrd, dracut-initramfs-restore): detect initrd for BLS Type #1 entries (bsc#1248271) ==== gdbm ==== Version update (1.24 -> 1.26) Subpackages: libgdbm6 libgdbm_compat4 - version update to 1.26 * New function: gdbm_open_ext * Fixed build on musl libc * Fixed build on MacOS * Improved testsuite - removed patches * gdbm-gcc15.patch (upstreamed) ==== glibc ==== Subpackages: glibc-locale glibc-locale-base - inet-fortified-namespace.patch: inet-fortified: fix namespace violation (BZ #33227) - abort-fork-lock-init.patch: stdlib: resolve a double lock init issue after fork (BZ #32994) - ld.so-load-segment-gaps.patch: elf: Handle ld.so with LOAD segment gaps in _dl_find_object (BZ #31943) - cancelable-syscall-return-value.patch: nptl: Fix SYSCALL_CANCEL for return values larger than INT_MAX (BZ #33245) - ctype-tls-IE.patch: Use TLS initial-exec model for __libc_tsd_CTYPE_* thread variables (BZ #33234) - i386-gnu-tls-abi-tag.patch: i386: Add GLIBC_ABI_GNU_TLS version (BZ [#33221]) - x86-64-gnu2-tls-abi-tag.patch: x86-64: Add GLIBC_ABI_GNU2_TLS version (BZ #33129) - x86-64-dt-x86-64-plt-abi-tag.patch: x86-64: Add GLIBC_ABI_DT_X86_64_PLT (BZ #33212) - i386-gnu2-tls-abi-tag.patch: i386: Also add GLIBC_ABI_GNU2_TLS version (BZ #33129) - aarch64-sve-powf.patch: AArch64: Fix SVE powf routine (BZ #33299) - For cross builds use the version-suffixed gcc and g++ executable names. ==== libjpeg-turbo ==== - version update to 3.1.2 * The libjpeg-turbo source tree has been reorganized. * cjpeg no longer allows GIF input files to be converted into 12-bit-per-sample JPEG files. * Added support for lossless JPEG images with 2 to 15 bits per sample to the libjpeg and TurboJPEG APIs. * All deprecated constants and methods in the TurboJPEG Java API have been removed. * TJBench command-line arguments are now more consistent with those of cjpeg, djpeg, and jpegtran. * Added a new TJBench option (-pixelformat gray) that can be used to test the performance of compressing/decompressing a grayscale JPEG image from/to a packed-pixel grayscale image. * Fixed an issue whereby, if TJPARAM_NOREALLOC was set, TurboJPEG compression and lossless transformation functions ignored the JPEG buffer size(s) passed to them and assumed that the JPEG buffer(s) had been allocated to a worst-case size returned by tj3JPEGBufSize(). * The TurboJPEG C and Java APIs have been improved. * TJExample has been replaced with three programs (TJComp, TJDecomp, and TJTran) that demonstrate how to approximate the functionality of cjpeg, djpeg, and jpegtran using the TurboJPEG C and Java APIs. - modified patches * libjpeg-turbo-1.3.0-tiff-ojpeg.patch (refreshed) ==== mozilla-nspr ==== Version update (4.36 -> 4.37) - update to version 4.37 * bmo#1890927 - PR_GetUniqueIdentity asserts on the 32767th call * bmo#1880254 - error LNK2019: unresolved external symbol _InterlockedCompareExchange * bmo#1905990 - initclk deadline elapsed macOS * bmo#1921087 - Remove prwin.h (formerly known as prwin16.h) * bmo#1939333 - Use builtin atomic functions on RISC-V32/64 * bmo#1917446 - PR_FormatTimeUSEnglish() doesn't support "%e" format specifier ==== openssl-3 ==== Version update (3.5.2 -> 3.5.3) Subpackages: libopenssl3 - Update to 3.5.3: * Added FIPS 140-3 PCT on DH key generation. * Fixed the synthesised OPENSSL_VERSION_NUMBER. - Rebase patches: * openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch * openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch * openssl-FIPS-limit-rsa-encrypt.patch ==== openssl ==== Version update (3.5.2 -> 3.5.3) - Update to 3.5.3 ==== protobuf ==== Subpackages: libprotobuf-lite32_0_0 libutf8_range-32_0_0 - Add upstream patch to fix build on armv9: * protobuf-gh23194.patch ==== raspberrypi-firmware-dt ==== - Amend the RP1 ethernet node to work with upstream driver * 0001-Amend-the-RP1-ethernet-node-to-work-with-upstream-dr.patch- ==== read-only-root-fs ==== - Add additional check in %post to prevent generating the btrfs /etc subvolume during a KIWI run [bsc#1250133] [gh#openSUSE/read-only-root-fs#27] ==== sdbootutil ==== Version update (1+git20250909.8b2878e -> 1+git20250917.7aab076) Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper sdbootutil-tukit - Update to version 1+git20250917.7aab076: * Revert "PCR#15 workaround for LVM devices" * measure-pcr-generator: escape the device name * Fix boot_root for systemd 258 ==== systemd ==== Subpackages: libsystemd0 libudev1 systemd-boot systemd-experimental udev - Move systemd-pcrlock out from the experimental sub-package to udev (bsc#1248261) - systemd.spec: use %sysusers_generate_pre so that some systemd users are already available in %pre. This is important because D-Bus automatically reloads its configuration whenever new configuration files are installed, i.e. between %pre and %post. (bsc#1248501) No needs for systemd and udev packages as they are always installed during the initial installation. - Sign aarch64 and riscv systemd-boot EFI binaries (bsc#1247474) ==== tiff ==== Version update (4.7.0 -> 4.7.1) - Update to 4.7.1: Software configuration changes: * Define HAVE_JPEGTURBO_DUAL_MODE_8_12 and LERC_STATIC in tif_config.h. * CMake: define WORDS_BIGENDIAN via tif_config.h * doc/CMakeLists.txt: remove useless cmake_minimum_required() * CMake: fix build with LLVM/Clang 17 (fixes issue #651) * CMake: set CMP0074 new policy * Set LINKER_LANGUAGE for C targets with C deps * Export tiffxx cmake target (fixes issue #674) * autogen.sh: Enable verbose wget. * configure.ac: Syntax updates for Autoconf 2.71 * autogen.sh: Re-implement based on autoreconf. Failure to update config.guess/config.sub does not return error (fixes issue #672) * CMake: fix CMake 4.0 warning when minimum required version is < 3.10. * CMake: Add build option tiff-static (fixes issue #709) Library changes: * Add TIFFOpenOptionsSetWarnAboutUnknownTags() for explicit control about emitting warnings for unknown tags. No longer emit warnings about unknown tags by default * tif_predict.c: speed-up decompression in some cases. Bug fixes: * tif_fax3: For fax group 3 data if no EOL is detected, reading is retried without synchronisation for EOLs. (fixes issue #54) * Updating TIFFMergeFieldInfo() with read_count=write_count=0 for FIELD_IGNORE. Updating TIFFMergeFieldInfo() with read_count=write_count=0 for FIELD_IGNORE. Improving handling when field_name = NULL. (fixes issue #532) * tiff.h: add COMPRESSION_JXL_DNG_1_7=52546 as used for JPEGXL compression in the DNG 1.7 specification * TIFFWriteDirectorySec: Increment string length for ASCII tags for codec tags defined with FIELD_xxx bits, as it is done for FIELD_CUSTOM tags. (fixes issue #648) * Do not error out on a tag whose tag count value is zero, just issue a warning. Fix parsing a private tag 0x80a6 (fixes issue #647) * TIFFDefaultTransferFunction(): give up beyond td_bitspersample = 24 Fixes https://github.com/OSGeo/gdal/issues/10875) * tif_getimage.c: Remove unnecessary calls to TIFFRGBAImageOK() (fixes issue #175) * Fix writing a Predictor=3 file with non-native endianness * _TIFFVSetField(): fix potential use of unallocated memory (out-of-bounds * read / nullptr dereference) in case of out-of-memory situation when dealing with custom tags (fixes issue #663) * tif_fax3.c: Error out for CCITT fax encoding if SamplesPerPixel is not equal 1 and PlanarConfiguration = Contiguous (fixes issue #26) * tif_fax3.c: error out after a number of times end-of-line or unexpected bad code words have been reached. (fixes issue #670) * Fix memory leak in TIFFSetupStrips() (fixes issue #665) * tif_zip.c: Provide zlib allocation functions. Otherwise for zlib built with - DZ_SOLO inflating will fail. * Fix memory leak in _TIFFSetDefaultCompressionState. (fixes issue #676) * tif_predict.c: Don’t overwrite input buffer of TIFFWriteScanline() if "prediction" is enabled. Use extra working buffer in PredictorEncodeRow(). (fixes issue #5) * tif_getimage.c: update some integer overflow checks (fixes issue #79) * tif_getimage.c: Fix buffer underflow crash for less raster rows at TIFFReadRGBAImageOriented() (fixes issue #704) * TIFFReadRGBAImage(): several fixes to avoid buffer overflows. * Correct passing arguments to TIFFCvtIEEEFloatToNative() and TIFFCvtIEEEDoubleToNative() if HAVE_IEEEFP is not defined. (fixes issue #699) * LZWDecode(): avoid nullptr dereference when trying to read again after EOI marker has been found with remaining output bytes (fixes issue #698) * TIFFSetSubDirectory(): check _TIFFCheckDirNumberAndOffset() return. * TIFFUnlinkDirectory() and TIFFWriteDirectorySec(): clear tif_rawcp when clearing tif_rawdata (fixes issue #711) * JPEGEncodeRaw(): error out if a previous scanline failed to be written, to avoid out-of-bounds access (fixes issue #714) * tif_jpeg: Fix bug in JPEGDecodeRaw() if JPEG_LIB_MK1_OR_12BIT is defined for 8/12bit dual mode, introduced in libjpeg-turbo 2.2, which was actually released as 3.0. Fixes issue #717 * add assert for TIFFReadCustomDirectory infoarray check. * ppm2tiff: Fix bug in pack_words trailing bytes, where last two bytes of each line were written wrongly. (fixes issue #467) * fax2ps: fix regression of commit 28c38d648b64a66c3218778c4745225fe3e3a06d where TIFFTAG_FAXFILLFUNC is being used rather than an output buffer (fixes issue #649) * tiff2pdf: Check TIFFTAG_TILELENGTH and TIFFTAGTILEWIDTH (fixes issue #650) * tiff2pdf: check h_samp and v_samp for range 1 to 4 to avoid division by zero. Fixes issue #654 * tiff2pdf: avoid null pointer dereference. (fixes issue #741) * Improve non-secure integer overflow check (comparison of division result with multiplicant) at compiler optimisation in tiffcp, rgb2ycbcr and tiff2rgba. Fixes issue #546 * tiff2rgba: fix some "a partial expression can generate an overflow before it is assigned to a broader type" warnings. (fixes issue #682) * tiffdither/tiffmedian: Don't skip the first line of the input image. (fixes issue #703) * tiffdither: avoid out-of-bounds read identified in issue #733 * tiffmedian: error out if TIFFReadScanline() fails (fixes issue #707) * tiffmedian: close input file. (fixes issue #735) * thumbail: avoid potential out of bounds access (fixes issue #715) * tiffcrop: close open TIFF files and release allocated buffers before exiting in case of error to avoid memory leaks. (fixes issue #716) * tiffcrop: fix double-free and memory leak exposed by issue #721 * tiffcrop: avoid buffer overflow. (fixes issue #740) * tiffcrop: avoid nullptr dereference. (fixes issue #734) * tiffdump: Fix coverity scan issue CID 1373365: Passing tainted expression *datamem to PrintData, which uses it as a divisor or modulus. * tiff2ps: check return of TIFFGetFiled() for TIFFTAG_STRIPBYTECOUNTS and TIFFTAG_TILEBYTECOUNTS to avoid NULL pointer dereference. (fixes issue #718) * tiffcmp: fix memory leak when second file cannot be opened. (fixes issue #718 and issue #729) * tiffcp: fix setting compression level for lossless codecs. (fixes issue #730) * raw2tiff: close input file before exit (fixes issue #742) Tools changes: * tiffinfo: add a -W switch to warn about unknown tags. * tiffdither: process all pages in input TIFF file. ... changelog too long, skipping 26 lines ... * tiff-CVE-2025-8961.patch ==== zypp-boot-plugin ==== - Fix build with Boost 1.89.0 (system is headers only) + 8.patch