Packages changed: MozillaFirefox (146.0 -> 146.0.1) alsa-ucm-conf apache2-mod_php8 (8.4.14 -> 8.4.16) babl (0.1.116 -> 0.1.118) busybox dracut (059+suse.769.g693ea004 -> 059+suse.785.g17d177bb) flatpak (1.16.1 -> 1.16.2) fuse3 (3.17.4 -> 3.18.0) fwupd (2.0.18 -> 2.0.19) ibus ibus_gtk4 kernel-firmware-i915 (20251125 -> 20251217) kernel-firmware-intel kernel-firmware-iwlwifi (20251123 -> 20251217) kernel-firmware-platform kernel-firmware-qcom (20251202 -> 20251217) kernel-firmware-realtek (20251118 -> 20251217) kernel-firmware-sound (20251205 -> 20251217) kernel-source (6.18.1 -> 6.18.2) liblouis (3.35.0 -> 3.36.0) libopenmpt (0.8.3 -> 0.8.4) man multipath-tools (0.13.0+127+suse.37f9a4c9 -> 0.13.0+229+suse.dbac936f) nvidia-settings (580.105.08 -> 580.119.02) openSUSE-release (20251217 -> 20251220) opus (1.5.2 -> 1.6) php8 (8.4.14 -> 8.4.16) postgresql18 python-tornado6 (6.5 -> 6.5.4) qt6-webengine rlwrap (0.47.1 -> 0.48) rsync ruby3.4 (3.4.7 -> 3.4.8) sdbootutil (1+git20251211.b3d0304 -> 1+git20251218.1cd7294) selinux-policy (20251211 -> 20251219) webkit2gtk3 (2.50.3 -> 2.50.4) webkit2gtk4 (2.50.3 -> 2.50.4) xdg-user-dirs-gtk (0.14 -> 0.16) === Details === ==== MozillaFirefox ==== Version update (146.0 -> 146.0.1) Subpackages: MozillaFirefox-branding-upstream MozillaFirefox-translations-common - Mozilla Firefox 146.0.1 https://www.firefox.com/en-US/firefox/146.0.1/releasenotes/ MFSA 2025-98 (boo#1255367) * CVE-2025-14860 (bmo#2000597) Use-after-free in the Disability Access APIs component * CVE-2025-14861 (bmo#1996570, bmo#1999700) Memory safety bugs fixed in Firefox 146.0. * Improved overall stability by fixing crashes related to browsing, graphics, and accessibility features. (bmo#2001160, bmo#1998185, bmo#1998188) * Fixed an issue where fingerprinting protection caused incorrect font rendering on popular websites. (bmo#2000429) * Fixed crashes related to media playback and GMP process shutdown. (bmo#2002697) * Fixed an issue where desktop profile shortcuts were being unintentionally removed when changing copied profile settings. (bmo#1998209) * Improved sidebar text contrast when using vertical tabs with certain themes. (bmo#2006091) * When restoring from a backup, the restore success message will appear over the new tab page instead of one of the tabs restored from a backup, to avoid cases where the restored tab canceled the restore success message. (bmo#2003307) ==== alsa-ucm-conf ==== - Backport upstream fixes (bsc#1255123): 0001-sof-soundwire-third-fix-for-multi-codec.patch 0002-ucm2-sof-soundwire-Simplify-cs42l45-configs.patch 0003-ucm2-codecs-rt722-add-condition-to-SetLED-for-mic.patch ==== apache2-mod_php8 ==== Version update (8.4.14 -> 8.4.16) - version update to 8.4.16 Core: Sync all boost.context files with release 1.86.0. Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter). Fixed bug GH-20286 (use-after-destroy during userland stream_close()). Bz2: Fix assertion failures resulting in crashes with stream filter object parameters. Date: Fix crashes when trying to instantiate uninstantiable classes via date static constructors. DOM: Fix memory leak when edge case is hit when registering xpath callback. Fixed bug GH-20395 (querySelector and querySelectorAll requires elements in $selectors to be lowercase). Fix missing NUL byte check on C14NFile(). Fibers: Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI small value). FTP: Fixed bug GH-20601 (ftp_connect overflow on timeout). GD: Fixed bug GH-20511 (imagegammacorrect out of range input/output values). Fixed bug GH-20602 (imagescale overflow with large height values). Intl: Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message suggests missing constants). LibXML: Fix some deprecations on newer libxml versions regarding input buffer/parser handling. MbString: Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma). Fixed bug GH-20492 (mbstring compile warning due to non-strings). MySQLnd: Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address enclosed in square brackets). Opcache: Fixed bug GH-20329 (opcache.file_cache broken with full interned string buffer). PDO: Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180) Phar: Fixed bug GH-20442 (Phar does not respect case-insensitiveness of __halt_compiler() when reading stub). Fix broken return value of fflush() for phar file entries. Fix assertion failure when fseeking a phar file out of bounds. PHPDBG: Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog(). SPL: Fixed bug GH-20614 (SplFixedArray incorrectly handles references in deserialization). Standard: Fix memory leak in array_diff() with custom type checks. Fixed bug GH-20583 (Stack overflow in http_build_query via deep structures). Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()). Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). (CVE-2025-14178) Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177) Tidy: Fixed bug GH-20374 (PHP with tidy and custom-tags). XML: Fixed bug GH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback). Zip: Fix crash in property existence test. Don't truncate return value of zip_fread() with user sizes. Zlib: Fix assertion failures resulting in crashes with stream filter object parameters. - main package require wwwrun:www user as it assumes it in filelist [bsc#1255043] - version update to 8.4.15 Core: Fixed bug GH-19934 (CGI with auto_globals_jit=0 causes uouv). Fixed bug GH-20073 (Assertion failure in WeakMap offset operations on reference). Fixed bug GH-20085 (Assertion failure when combining lazy object get_properties exception with foreach loop). Fixed bug GH-19844 (Don't bail when closing resources on shutdown). Fixed bug GH-20177 (Accessing overridden private property in get_object_vars() triggers assertion error). Fixed bug GH-20270 (Broken parent hook call with named arguments). Fixed bug GH-20183 (Stale EG(opline_before_exception) pointer through eval). DOM: Partially fixed bug GH-16317 (DOM classes do not allow __debugInfo() overrides to work). Fixed bug GH-20281 (\Dom\Document::getElementById() is inconsistent after nodes are removed). Exif: Fix possible memory leak when tag is empty. FPM: Fixed bug GH-19974 (fpm_status_export_to_zval segfault for parallel execution). FTP: Fixed bug GH-20240 (FTP with SSL: ftp_fput(): Connection timed out on successful writes). GD: Fixed bug GH-20070 (Return type violation in imagefilter when an invalid filter is provided). Intl: Fix memory leak on error in locale_filter_matches(). LibXML: Fix not thread safe schema/relaxng calls. MySQLnd: Fixed bug GH-8978 (SSL certificate verification fails (port doubled)). Fixed bug GH-20122 (getColumnMeta() for JSON-column in MySQL). Opcache: Fixed bug GH-20081 (access to uninitialized vars in preload_load()). Fixed bug GH-20121 (JIT broken in ZTS builds on MacOS 15). Fixed bug GH-19875 (JIT 1205 segfault on large file compiled in subprocess). Fixed bug GH-20012 (heap buffer overflow in jit). Partially fixed bug GH-17733 (Avoid calling wrong function when reusing file caches across differing environments). PgSql: Fix memory leak when first string conversion fails. Fix segfaults when attempting to fetch row into a non-instantiable class name. Phar: Fix memory leak of argument in webPhar. Fix memory leak when setAlias() fails. Fix a bunch of memory leaks in phar_parse_zipfile() error handling. Fix file descriptor/memory leak when opening central fp fails. ... changelog too long, skipping 18 lines ... Fix arginfo/zpp violations when LIBXML_SCHEMAS_ENABLED is not available. ==== babl ==== Version update (0.1.116 -> 0.1.118) Subpackages: libbabl-0_1-0 libbabl-0_1-0-x86-64-v3 typelib-1_0-Babl-0_1 - Added https://gitlab.gnome.org/GNOME/babl/-/commit/4efc8b827e008417c4995a93ae3310697318cfab.patch Ensure git is really an optional dependency. Can be removed with the next update. - Drop the buildrequires for git-core again - Add BuildRequires for git-core as the meson build now needs git - Update to 0.1.118: - build and portability fixes, babl is now relocatedable. ==== busybox ==== Subpackages: busybox-static - Fix tar hidden files via escape sequence (CVE-2025-46394, bsc#1241661) * 0001-archival-libarchive-sanitize-filenames-on-output-pre.patch - Fix HTTP request header injection in wget (CVE-2025-60876, bsc#1253245) * wget-don-t-allow-control-characters-in-url.patch - Set CONFIG_FIRST_SYSTEM_ID to 201 to avoid confclict (bsc#1236670) - Fix unshare -mrpf sh core dump on ppc64le (bsc#1249237) * 0001-nsenter-unshare-don-t-use-xvfork_parent_waits_and_ex.patch ==== dracut ==== Version update (059+suse.769.g693ea004 -> 059+suse.785.g17d177bb) - Update to version 059+suse.785.g17d177bb: Fix and update testsuite (bsc#1254873): * test(FULL-SYSTEMD): ignore errors in systemd-vconsole-setup.service * test: move /failed to /run/failed as rootfs might be read-only * test(FULL-SYSTEMD): use poweroff to shut down test * test(FULL SYSTEMD): no need to include dbus to the target rootfs * test: make the size of all test drives 512 MB * fix(systemd): move installation of libkmod to udev-rules module * test: switch to virtio for the QEMU drive * test: switch to virtio for the QEMU drive * test: increase test VM memory from 512M to 1024M to avoid OOM killer * test: move more common test code to test-functions * test: upgrade to ext4 Other: * fix(systemd-networkd): install and enable systemd-networkd-resolve-hook.socket * fix(nfs): do not execute logic in nfs hooks if netroot is not nfs (bsc#1253960) ==== flatpak ==== Version update (1.16.1 -> 1.16.2) Subpackages: flatpak-remote-flathub flatpak-selinux libflatpak0 system-user-flatpak - Update to version 1.16.2: + Enhancements: - Documentation improvements - Support the reinstall option on bundle installations - Enable the VA-API extension for Intel Xe GPUs - Documentation improvements - Add cancellation support for curl downloads + Bug fixes: - Provide an empty /run/host/font-dirs.xml during flatpak build - Fix various issues with flatpak mask and flatpak pin by reloading the repo configuration after changes done via the system helper - Fix an issue where the home directory would accidentally be accessible when a bad version of glib is in use, the app has access to a standard XDG directory, and that directory is not available on the system - flatpak-kill will no longer send SIGKILL to all processes in the current process group - Various bug fixes for the OCI support - Fix various memory leaks - Fix various crashes + Updated translations. - Drop cd80e843435df5ce70d9a2b6710098135ceb9085.patch: Fixed upstream. ==== fuse3 ==== Version update (3.17.4 -> 3.18.0) Subpackages: libfuse3-4 - Update to release 3.18.0 * FUSE-over-uring communication * statx support * FUSE_NOTIFY_INC_EPOCH: New notification mechanism for epoch counters * Fixed double unmount on FUSE_DESTROY * Fixed junk readdirplus results when filesystem does not fill stat info ==== fwupd ==== Version update (2.0.18 -> 2.0.19) Subpackages: fwupd-bash-completion fwupd-lang libfwupd3 typelib-1_0-Fwupd-2_0 - Update to version 2.0.19: + This release adds the following features: - Add two commands to fwupdtool to calculate and find CRCs - Allow systems to use the udev event source without using systemd + This release fixes the following bugs: - Always show the correct new firmware version in 'fwupdmgr get-history' - Fix an integer underflow when parsing a malicious PE file - Fix a regression when enumerating the dell-dock status component - Fix the fuzzer timeout when parsing a synaptics-rmi SBL container - Fix updating the Intel GPU FWDATA section - Respect 'fwupdmgr --force' when installing firmware + This release adds support for the following hardware: - Lenovo Sapphire Folio Keyboard ==== ibus ==== Subpackages: ibus-dict-emoji ibus-gtk ibus-gtk3 ibus-lang libibus-1_0-5 typelib-1_0-IBus-1_0 - use return insted of exit in 20-ibus-plasma-setup.sh * such script is sourced not executed, when using exit other scripts in the same directory are not sourced anymore * fix boo#1255237 ==== ibus_gtk4 ==== - use return insted of exit in 20-ibus-plasma-setup.sh * such script is sourced not executed, when using exit other scripts in the same directory are not sourced anymore * fix boo#1255237 ==== kernel-firmware-i915 ==== Version update (20251125 -> 20251217) - Update aliases for 6.19-rc1 - Update to version 20251217 (git commit c695356f6ea1): * xe: Update GUC to v70.55.3 for BMG, PTL ==== kernel-firmware-intel ==== - Update aliases for 6.19-rc1 ==== kernel-firmware-iwlwifi ==== Version update (20251123 -> 20251217) - Update to version 20251217 (git commit c695356f6ea1): * iwlwifi: add Bz/Sc FW for core101-82 release * iwlwifi: Add Sc/Gf firmware for core101-82 release * iwlwifi: update ty/So/Ma firmwares for core101-82 release * iwlwifi: update cc/Qu/QuZ firmwares for core101-82 release ==== kernel-firmware-platform ==== - Update aliases for 6.19-rc1 ==== kernel-firmware-qcom ==== Version update (20251202 -> 20251217) - Update to version 20251217 (git commit c695356f6ea1): * qcom: drop compatibility a640_zap.mdt symlink - Update to version 20251211 (git commit 6953ec7e9fea): * qcom: Add firmwares for sm8150 GPU * qcom: Add firmwares for sm8450 GPU * qcom: Add firmwares for sm8550 GPU * qcom: Add firmwares for sm8650 GPU * qcom: Add firmwares for sm8750 GPU ==== kernel-firmware-realtek ==== Version update (20251118 -> 20251217) - Update aliases for 6.19-rc1 - Update to version 20251217 (git commit c695356f6ea1): * rtw89: 8852b: update fw to v0.29.29.15 ==== kernel-firmware-sound ==== Version update (20251205 -> 20251217) - Update to version 20251217 (git commit c695356f6ea1): * cirrus: cs35l41: Update firmware and tuning for various HP laptops * cirrus: cs35l41: Add support for new HP Clipper laptop ==== kernel-source ==== Version update (6.18.1 -> 6.18.2) - Update patches.kernel.org/6.18.1-003-ext4-refresh-inline-data-size-before-write-ope.patch (bsc#1012628 CVE-2025-68264 bsc#1255380). - Update patches.kernel.org/6.18.1-004-ksmbd-ipc-fix-use-after-free-in-ipc_msg_send_r.patch (bsc#1012628 CVE-2025-68263 bsc#1255384). - Update patches.kernel.org/6.18.1-006-crypto-zstd-fix-double-free-in-per-CPU-stream-.patch (bsc#1012628 CVE-2025-68262 bsc#1255158). - Update patches.kernel.org/6.18.1-007-ext4-add-i_data_sem-protection-in-ext4_destroy.patch (bsc#1012628 CVE-2025-68261 bsc#1255164). - Update patches.kernel.org/6.18.1-008-rust_binder-fix-race-condition-on-death_list.patch (bsc#1012628 CVE-2025-68260 bsc#1255177). - Update patches.kernel.org/6.18.1-010-KVM-SVM-Don-t-skip-unrelated-instruction-if-IN.patch (bsc#1012628 CVE-2025-68259 bsc#1255199). - Update patches.kernel.org/6.18.1-025-comedi-multiq3-sanitize-config-options-in-mult.patch (bsc#1012628 CVE-2025-68258 bsc#1255182). - Update patches.kernel.org/6.18.1-026-comedi-check-device-s-attached-status-in-compa.patch (bsc#1012628 CVE-2025-68257 bsc#1255167). - Update patches.kernel.org/6.18.1-027-staging-rtl8723bs-fix-out-of-bounds-read-in-rt.patch (bsc#1012628 CVE-2025-68256 bsc#1255138). - Update patches.kernel.org/6.18.1-028-staging-rtl8723bs-fix-stack-buffer-overflow-in.patch (bsc#1012628 CVE-2025-68255). - Update patches.kernel.org/6.18.1-029-staging-rtl8723bs-fix-out-of-bounds-read-in-On.patch (bsc#1012628 CVE-2025-68254 bsc#1255140). - Update patches.kernel.org/6.18.2-517-net-sched-sch_cake-Fix-incorrect-qlen-reductio.patch (bsc#1012628 CVE-2025-68325). - Update patches.kernel.org/6.18.2-589-scsi-imm-Fix-use-after-free-bug-caused-by-unfi.patch (bsc#1012628 CVE-2025-68324). - Update patches.kernel.org/6.18.2-602-usb-typec-ucsi-fix-use-after-free-caused-by-ue.patch (bsc#1012628 CVE-2025-68323). suse-add-cves - commit 9447271 - netfilter: nf_conncount: fix leaked ct in error paths (git-fixes). - commit 05e3e3d - Update config files. - commit 1b7058f - Linux 6.18.2 (bsc#1012628). - smack: fix bug: SMACK64TRANSMUTE set on non-directory (bsc#1012628). - smack: deduplicate "does access rule request transmutation" (bsc#1012628). - smack: deduplicate xattr setting in smack_inode_init_security() (bsc#1012628). - smack: always "instantiate" inode in smack_inode_init_security() (bsc#1012628). - smack: fix bug: invalid label of unix socket file (bsc#1012628). - smack: fix bug: unprivileged task can create labels (bsc#1012628). - smack: fix bug: setting task label silently ignores input garbage (bsc#1012628). - gpu: host1x: Fix race in syncpt alloc/free (bsc#1012628). - accel/amdxdna: Fix an integer overflow in aie2_query_ctx_status_array() (bsc#1012628). - accel/amdxdna: Call dma_buf_vmap_unlocked() for imported object (bsc#1012628). - accel/ivpu: Ensure rpm_runtime_put in case of engine reset/resume fail (bsc#1012628). - drm/panel: visionox-rm69299: Fix clock frequency for SHIFT6mq (bsc#1012628). - drm/panel: visionox-rm69299: Don't clear all mode flags (bsc#1012628). - accel/ivpu: Rework bind/unbind of imported buffers (bsc#1012628). - accel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context() (bsc#1012628). - accel/ivpu: Fix DCT active percent format (bsc#1012628). - drm/vgem-fence: Fix potential deadlock on release (bsc#1012628). - bpf: Cleanup unused func args in rqspinlock implementation (bsc#1012628). - bpf: Fix sleepable context for async callbacks (bsc#1012628). - bpf: Fix handling maps with no BTF and non-constant offsets for the bpf_wq (bsc#1012628). - tools/nolibc: handle NULL wstatus argument to waitpid() (bsc#1012628). - USB: Fix descriptor count when handling invalid MBIM extended descriptor (bsc#1012628). - perf bpf_counter: Fix opening of "any"(-1) CPU events (bsc#1012628). - pinctrl: qcom: glymur: Drop unnecessary platform data from match table (bsc#1012628). - pinctrl: qcom: glymur: Fix the gpio and egpio pin functions (bsc#1012628). - ima: Attach CREDS_CHECK IMA hook to bprm_creds_from_file LSM hook (bsc#1012628). - pinctrl: renesas: rzg2l: Fix PMC restore (bsc#1012628). - clk: renesas: cpg-mssr: Add missing 1ms delay into reset toggle ... changelog too long, skipping 1022 lines ... - commit 114a3e8 ==== liblouis ==== Version update (3.35.0 -> 3.36.0) Subpackages: liblouis-data liblouis20 python3-louis - Update to version 3.36.0: + This release brings various updates to braille tables, particularly for Slovakian and Norwegian in line with the respective changes to their the braille standards. There are new tables for Macedonian uncontracted braille and the long awaited table for English Grade 3 is finally here. On the technical side, there are modernized Python bindings and better support for building liblouis for environments such as Android. - Update python build/install macros for pyproject.toml. ==== libopenmpt ==== Version update (0.8.3 -> 0.8.4) - Update to 0.8.4: * openmpt123: libsndfile float32 output was broken since 0.8.1. * [Bug] build/download_externals.txt was missing from makefile and msvc source archives. * PT36: Some MODs with samples larger than 64k inside PT36 containers were not read correctly. * IT: Files are no longer interpreted as ModPlug-made (thus disabling all compatibility settings) just because instrument extensions are found (no such files are currently known to exist in the wild). ==== man ==== - Extend tmpfiles template man-db.conf (jsc#PED-14862) * Create cache directories with systemd tmpfiles service ==== multipath-tools ==== Version update (0.13.0+127+suse.37f9a4c9 -> 0.13.0+229+suse.dbac936f) Subpackages: kpartx libmpath0 - Update to version 0.13.0+229+suse.dbac936f: * multipath-tools tests: adaptations for cmocka 2.0 (bsc#1255045, gh#opensvc/multipath-tools#129) * libmpathutil: use union for bitfield (bsc#1255285) * libmultipath: don't access path members in free_pgvec() (gh#opensvc/multipath-tools#128) - Include reviewed upstream fixes post 0.13.0: * more mpathpersist fixes * hwtable updates - Update to version 0.13.0+201+suse.821510bc: * CI: more GitHub workflow updates. No code changes. - Update to version 0.13.0+186+suse.9a8e81de: * CI: GitHub workflow updates. No code changes. ==== nvidia-settings ==== Version update (580.105.08 -> 580.119.02) - update to version 580.119.02 (boo#1254801) ==== openSUSE-release ==== Version update (20251217 -> 20251220) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== opus ==== Version update (1.5.2 -> 1.6) - Update to version 1.6 * A new wideband-to-fullband bandwidth extension (BWE) module. * Support for 96 kHz audio with Opus HD. * Significant improvement to Deep Redundancy (DRED). * A new 24-bit encoder/decoder API. * Fixed-point improvements. ==== php8 ==== Version update (8.4.14 -> 8.4.16) Subpackages: php8-ctype php8-dom php8-iconv php8-openssl php8-pdo php8-sqlite php8-tokenizer php8-xmlreader php8-xmlwriter - version update to 8.4.16 Core: Sync all boost.context files with release 1.86.0. Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter). Fixed bug GH-20286 (use-after-destroy during userland stream_close()). Bz2: Fix assertion failures resulting in crashes with stream filter object parameters. Date: Fix crashes when trying to instantiate uninstantiable classes via date static constructors. DOM: Fix memory leak when edge case is hit when registering xpath callback. Fixed bug GH-20395 (querySelector and querySelectorAll requires elements in $selectors to be lowercase). Fix missing NUL byte check on C14NFile(). Fibers: Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI small value). FTP: Fixed bug GH-20601 (ftp_connect overflow on timeout). GD: Fixed bug GH-20511 (imagegammacorrect out of range input/output values). Fixed bug GH-20602 (imagescale overflow with large height values). Intl: Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message suggests missing constants). LibXML: Fix some deprecations on newer libxml versions regarding input buffer/parser handling. MbString: Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma). Fixed bug GH-20492 (mbstring compile warning due to non-strings). MySQLnd: Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address enclosed in square brackets). Opcache: Fixed bug GH-20329 (opcache.file_cache broken with full interned string buffer). PDO: Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180) Phar: Fixed bug GH-20442 (Phar does not respect case-insensitiveness of __halt_compiler() when reading stub). Fix broken return value of fflush() for phar file entries. Fix assertion failure when fseeking a phar file out of bounds. PHPDBG: Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog(). SPL: Fixed bug GH-20614 (SplFixedArray incorrectly handles references in deserialization). Standard: Fix memory leak in array_diff() with custom type checks. Fixed bug GH-20583 (Stack overflow in http_build_query via deep structures). Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()). Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). (CVE-2025-14178) Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177) Tidy: Fixed bug GH-20374 (PHP with tidy and custom-tags). XML: Fixed bug GH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback). Zip: Fix crash in property existence test. Don't truncate return value of zip_fread() with user sizes. Zlib: Fix assertion failures resulting in crashes with stream filter object parameters. - main package require wwwrun:www user as it assumes it in filelist [bsc#1255043] - version update to 8.4.15 Core: Fixed bug GH-19934 (CGI with auto_globals_jit=0 causes uouv). Fixed bug GH-20073 (Assertion failure in WeakMap offset operations on reference). Fixed bug GH-20085 (Assertion failure when combining lazy object get_properties exception with foreach loop). Fixed bug GH-19844 (Don't bail when closing resources on shutdown). Fixed bug GH-20177 (Accessing overridden private property in get_object_vars() triggers assertion error). Fixed bug GH-20270 (Broken parent hook call with named arguments). Fixed bug GH-20183 (Stale EG(opline_before_exception) pointer through eval). DOM: Partially fixed bug GH-16317 (DOM classes do not allow __debugInfo() overrides to work). Fixed bug GH-20281 (\Dom\Document::getElementById() is inconsistent after nodes are removed). Exif: Fix possible memory leak when tag is empty. FPM: Fixed bug GH-19974 (fpm_status_export_to_zval segfault for parallel execution). FTP: Fixed bug GH-20240 (FTP with SSL: ftp_fput(): Connection timed out on successful writes). GD: Fixed bug GH-20070 (Return type violation in imagefilter when an invalid filter is provided). Intl: Fix memory leak on error in locale_filter_matches(). LibXML: Fix not thread safe schema/relaxng calls. MySQLnd: Fixed bug GH-8978 (SSL certificate verification fails (port doubled)). Fixed bug GH-20122 (getColumnMeta() for JSON-column in MySQL). Opcache: Fixed bug GH-20081 (access to uninitialized vars in preload_load()). Fixed bug GH-20121 (JIT broken in ZTS builds on MacOS 15). Fixed bug GH-19875 (JIT 1205 segfault on large file compiled in subprocess). Fixed bug GH-20012 (heap buffer overflow in jit). Partially fixed bug GH-17733 (Avoid calling wrong function when reusing file caches across differing environments). PgSql: Fix memory leak when first string conversion fails. Fix segfaults when attempting to fetch row into a non-instantiable class name. Phar: Fix memory leak of argument in webPhar. Fix memory leak when setAlias() fails. Fix a bunch of memory leaks in phar_parse_zipfile() error handling. Fix file descriptor/memory leak when opening central fp fails. ... changelog too long, skipping 18 lines ... Fix arginfo/zpp violations when LIBXML_SCHEMAS_ENABLED is not available. ==== postgresql18 ==== Subpackages: libpq5 postgresql18-contrib postgresql18-llvmjit postgresql18-server - Fix build on aarch64 with upstream commit 0dceba2: * llvm-21-aarch64.patch ==== python-tornado6 ==== Version update (6.5 -> 6.5.4) - Update to 6.5.4 * The in operator for HTTPHeaders was incorrectly case-sensitive, causing lookups to fail for headers with different casing than the original header name. This was a regression in version 6.5.3 and has been fixed to restore the intended case-insensitive behavior from version 6.5.2 and earlier. - Update to 6.5.3 (bsc#1254903, bsc#1254905, bsc#1254904) * Fixed a denial-of-service vulnerability involving quadratic computation when parsing multipart/form-data request bodies. CVE-2025-67726 Thanks to Finder16 for reporting this issue. * Fixed a denial-of-service vulnerability involving quadratic computation when parsing repeated HTTP headers. CVE-2025-67725. Thanks to Finder16 for reporting this issue. * Fixed a header injection and XSS vulnerability involving the reason argument to .RequestHandler.set_status and tornado.web.HTTPError. CVE-2025-67724. Thanks to Finder16 and Cheshire1225 for reporting this issue. * Several demo applications bundled with the Tornado repo (blog, chat, facebook) had an open redirect vulnerability which has been fixed. This is not covered by a CVE or security advisory since the demo applications are not included as a part of the Tornado package when installed, but developers who have copied code from these demos may which to review their own applications for open redirects. Thanks to J1vvoo for reporting this issue. * he s3server demo application contained some path traversal vulnerabilities. Since this demo application was not demonstrating any interesting aspects of Tornado, it has been deleted rather than being fixed. Thanks to J1vvoo for reporting this issue. - Update to 6.5.2 * Fixed a bug that resulted in WebSocket pings not being sent at the configured interval. * Improved logging for invalid Host headers. This was previously logged as an uncaught exception with a stack trace, now it is simply a 400 response (logged as a warning in the access log). * Restored the host argument to .HTTPServerRequest. This argument is deprecated and will be removed in the future, but its removal with no warning in 6.5.0 was a mistake. * Removed a debugging print statement that was left in the code. * Improved type hints for gen.multi. - Update to 6.5.1 * Fixed a bug in multipart/form-data parsing that could incorrectly reject filenames containing characters above U+00FF (i.e. most characters outside the Latin alphabet). ==== qt6-webengine ==== Subpackages: libQt6WebEngineCore6 libQt6WebEngineQuick6 libQt6WebEngineWidgets6 qt6-webengine-imports - boo#1251922 - Re-enable LTO and pass -mno-outline-atomics to 3rdparty/chromium for aarch64 as a workaround until fixed upstream ==== rlwrap ==== Version update (0.47.1 -> 0.48) - Update to 0.48 * Bug fix - rlwrap would mess up history when compiled with readline-8.3 - --filter 'filter_commandline $with 3.4.8) Subpackages: libruby3_4-3_4 - Update to 3.4.8 - Bug #21629: Ruby-3.4.7 prints -Wdefault-const-init-field-unsafe warnings on clang / llvm 21 - Ruby - Ruby Issue Tracking System - Bug #21626: Backport WASI setjmp handler memory leak fixes - Ruby - Ruby Issue Tracking System - Bug #21631: Backport openssl gem bugfix releases - Ruby - Ruby Issue Tracking System - Bug #21632: Backport REXML CVE-2025-58767 fix - Ruby - Ruby Issue Tracking System - Bug #21644: Stack consistency error for the newrange INSN peephole optimization with chilled string - Ruby - Ruby Issue Tracking System - Bug #21668: Improve performance of UnicodeNormalize.canonical_ordering_one - Ruby - Ruby Issue Tracking System - Bug #21638: Ractor-local $DEBUG is not marked - Ruby - Ruby Issue Tracking System - Bug #21652: Marshal#dump documentation out-of-date/unclear regarding Data class - Ruby - Ruby Issue Tracking System - Bug #13671: Regexp with lookbehind and case-insensitivity raises RegexpError only on strings with certain characters - Ruby - Ruby Issue Tracking System - Bug #21625: Allow IO#wait_readable together with IO#ungetc even in text mode - Ruby - Ruby Issue Tracking System - Bug #21671: Rails CI raises Assertion Failed: rbimpl_rstring_getmem:RB_TYPE_P(str, RUBY_T_STRING): actual type: 26 with "-DENABLE_PATH_CHECK=0 -DRUBY_DEBUG=1" enabled - Ruby - Ruby Issue Tracking System - Update next stable version to 4.0 from 3.5 by hsbt ยท Pull Request #15146 - Bug #21679: Segfault when ruby calls pthread_detach in rb_getnameinfo - Ruby - Ruby Issue Tracking System - Bug #21694: Crash when looking up super method from BasicObject - Ruby - Ruby Issue Tracking System - Bug #21707: Destructuring assignment of SimpleDelegator wrapped array bug with YJIT - Ruby - Ruby Issue Tracking System - Bug #21265: Crash when proc from Symbol#to_proc called outside refinement scope - Ruby - Ruby Issue Tracking System - Bug #21703: RUBY_CRASH_REPORT does not work when shelling out in some cases - Ruby - Ruby Issue Tracking System - Bug #21666: Math.lgamma(-1).should == [infinity_value, 1] fails with Fedora glibc-2.42.9000-8.fc44 - Ruby - Ruby Issue Tracking System - Bug #21655: segfault when building 3.3.10 with GCC 15.2.1, regression from 3.3.9 - Ruby - Ruby Issue Tracking System - Bug #21680: Integer#digits bug starting from Ruby 3.1 - Ruby - Ruby Issue Tracking System - Bug #21705: UNIXServer.open(nil) segfaults on Windows - Ruby - Ruby Issue Tracking System - Bug #21648: [prism] ruby crashes for for * in [10]; end - Ruby - Ruby Issue Tracking System - Bug #21187: Strings concatenated with \ getting frozen with literal hashes (PRISM only) - Ruby - Ruby Issue Tracking System - Bug #21757: Splatted args array is mutated when passing unexpected kwargs - Ruby - Ruby Issue Tracking System - Bug #21772: ruby: YJIT has panicked StackOpnd(1) should be a heap object, but was ImmSymbol for VALUE(137647867319760) - Ruby - Ruby Issue Tracking System - Bug #21446: StackOverflow when changing visibility in reopened refinement - Ruby - Ruby Issue Tracking System - Bug #21779: Do not export functions from statically linked extensions - Ruby - Ruby Issue Tracking System - Bug #21266: YJIT GC safety crash with proc objects as block argument - Ruby - Ruby Issue Tracking System https://github.com/ruby/ruby/releases/tag/v3_4_8 ==== sdbootutil ==== Version update (1+git20251211.b3d0304 -> 1+git20251218.1cd7294) Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper - Update to version 1+git20251218.1cd7294: * Improve partition detection for multipath (boo#1254317) ==== selinux-policy ==== Version update (20251211 -> 20251219) Subpackages: selinux-policy-targeted - Update to version 20251219: * Allow 'mysql-systemd-helper upgrade' to work correctly (bsc#1255024) - Save previous file contexts in /run and ensure deletion (bsc#1245303) - Update to version 20251218: * Allow systemd_udev_trigger_generator_t use CAP_SYS_RESOURCE (bsc#1255079) - Update to version 20251217: * Allow snapper_tu_etc_plugin_t to connect to machined varlink socket (bsc#1254889) * Label amavis spool directory correctly (bsc#1254438) ==== webkit2gtk3 ==== Version update (2.50.3 -> 2.50.4) Subpackages: WebKitGTK-4.1-lang libjavascriptcoregtk-4_1-0 libwebkit2gtk-4_1-0 typelib-1_0-JavaScriptCore-4_1 typelib-1_0-WebKit2-4_1 webkit2gtk-4_1-injected-bundles - Update to version 2.50.4 (bsc#1255183 bsc#1255191 bsc#1255194 bsc#1255195 bsc#1255198 bsc#1255200): + Correctly handle the program name passed to the sleep disabler. + Ensure GStreamer is initialized before using the Quirks. + Fix several crashes and rendering issues. + Security fixes: CVE-2025-14174, CVE-2025-43501, CVE-2025-43529, CVE-2025-43531, CVE-2025-43535, CVE-2025-43536, CVE-2025-43541. - Add webkit2gtk3-a11y-fix-role-mapping.patch: fix a11y regression where AT-SPI roles were mapped incorrectly. ==== webkit2gtk4 ==== Version update (2.50.3 -> 2.50.4) Subpackages: WebKitGTK-6.0-lang libjavascriptcoregtk-6_0-1 libwebkitgtk-6_0-4 typelib-1_0-JavaScriptCore-6_0 typelib-1_0-WebKit-6_0 webkitgtk-6_0-injected-bundles - Update to version 2.50.4 (bsc#1255183 bsc#1255191 bsc#1255194 bsc#1255195 bsc#1255198 bsc#1255200): + Correctly handle the program name passed to the sleep disabler. + Ensure GStreamer is initialized before using the Quirks. + Fix several crashes and rendering issues. + Security fixes: CVE-2025-14174, CVE-2025-43501, CVE-2025-43529, CVE-2025-43531, CVE-2025-43535, CVE-2025-43536, CVE-2025-43541. - Add webkit2gtk3-a11y-fix-role-mapping.patch: fix a11y regression where AT-SPI roles were mapped incorrectly. ==== xdg-user-dirs-gtk ==== Version update (0.14 -> 0.16) Subpackages: xdg-user-dirs-gtk-lang - Update to version 0.16: + autostart: Add systemd service + Updated translations.