Packages changed: GraphicsMagick Mesa Mesa-drivers NetworkManager-applet apache2-mod_php8 (8.4.20 -> 8.5.5) ca-certificates (2+git20260203.5937e9f -> 2+git20260420.2a8e251) cups (2.4.16 -> 2.4.17) emacs gimp (3.2.2 -> 3.2.4) gnome-remote-desktop (50.0 -> 50.1) gstreamer-plugins-rs libkdcraw libxml2 (2.15.2 -> 2.15.3) mariadb openSUSE-release (20260420 -> 20260422) php8 (8.4.20 -> 8.5.5) python-lxml (6.0.2 -> 6.1.0) quadrapassel (50.0.1 -> 50.1) tar tftp xterm (406 -> 407) yast2-trans (84.87.20260325.bd0ff66bcc -> 84.87.20260414.0f82ab3540) === Details === ==== GraphicsMagick ==== Subpackages: libGraphicsMagick++-Q16-12 libGraphicsMagick-Q16-3 libGraphicsMagick3-config - added patches CVE-2026-33535: Out-of-Bounds write of a zero byte in X11 display interaction [bsc#1260874] * GraphicsMagick-CVE-2026-33535.patch ==== Mesa ==== Subpackages: Mesa-libEGL1 Mesa-libGL1 libgbm1 - Disable vulkan and panfrost on armv6 as it fails to build ==== Mesa-drivers ==== Subpackages: Mesa-dri Mesa-libva Mesa-vulkan-device-select libvulkan_lvp - Disable vulkan and panfrost on armv6 as it fails to build ==== NetworkManager-applet ==== Subpackages: NetworkManager-connection-editor NetworkManager-connection-editor-lang - Migrate to xz compression and manual service run ==== apache2-mod_php8 ==== Version update (8.4.20 -> 8.5.5) - php8-devel: require pkgconfig(capstone) now that we build with libcapstone enabled - version update to 8.5.5 Core: Fixed bug GH-20672 (Incorrect property_info sizing for locally shadowed trait properties). Fixed bugs GH-20875, GH-20873, GH-20854 (Propagate IN_GET guard in get_property_ptr_ptr for lazy proxies). Bz2: Fix truncation of total output size causing erroneous errors. DOM: Fixed bug GH-21486 (Dom\HTMLDocument parser mangles xml:space and xml:lang attributes). FFI: Fixed resource leak in FFI::cdef() onsymbol resolution failure. GD: Fixed bug GH-21431 (phpinfo() to display libJPEG 10.0 support). Opcache: Fixed bug GH-21052 (Preloaded constant erroneously propagated to file-cached script). Fixed bug GH-20838 (JIT compiler produces wrong arithmetic results). Fixed bug GH-21267 (JIT tracing: infinite loop on FETCH_OBJ_R with IS_UNDEF property in polymorphic context). Fixed bug GH-21395 (uaf in jit). OpenSSL: Fixed bug GH-21083 (Skip private_key_bits validation for EC/curve-based keys). Fix missing error propagation for BIO_printf() calls. PCNTL: Fixed signal handler installation on AIX by bumping the storage size of the num_signals global. PCRE: Fixed re-entrancy issue on php_pcre_match_impl, php_pcre_replace_impl, php_pcre_split_impl, and php_pcre_grep_impl. Phar: Fixed bug GH-21333 (use after free when unlinking entries during iteration of a compressed phar). SNMP: Fixed bug GH-21336 (SNMP::setSecurity() undefined behavior with NULL arguments). SOAP: Fixed Set-Cookie parsing bug wrong offset while scanning attributes. SPL: Fixed bug GH-21454 (missing write lock validation in SplHeap). Standard: Fixed bug GH-20906 (Assertion failure when messing up output buffers). Fixed bug GH-20627 (Cannot identify some avif images with getimagesize). Sysvshm: Fix memory leak in shm_get_var() when variable is corrupted. XSL: Fix GH-21357 (XSLTProcessor works with DOMDocument, but fails with Dom\XMLDocument). Fixed bug GH-21496 (UAF in dom_objects_free_storage). - version update to 8.5.4 Core: Fixed bug GH-21029 (zend_mm_heap corrupted on Aarch64, LTO builds). Fixed bug GH-21059 (Segfault when preloading constant AST closure). Fixed bug GH-21072 (Crash on (unset) cast in constant expression). Fix deprecation now showing when accessing null key of an array with JIT. Fixed bug GH-20657 (Assertion failure in zend_lazy_object_get_info triggered by setRawValueWithoutLazyInitialization() and newLazyGhost()). Fixed bug GH-20504 (Assertion failure in zend_get_property_guard when accessing properties on Reflection LazyProxy via isset()). Fixed OSS-Fuzz #478009707 (Borked assign-op/inc/dec on untyped hooked property backing value). Fixed bug GH-21215 (Build fails with -std=). Fixed bug GH-13674 (Build system installs libtool wrappers when using slibtool). Curl: Don't truncate length. Date: Fixed bug GH-20936 (DatePeriod::__set_state() cannot handle null start). Fix timezone offset with seconds losing precision. DOM: Fixed bug GH-21077 (Accessing Dom\Node::baseURI can throw TypeError). Fixed bug GH-21097 (Accessing Dom\Node properties can can throw TypeError). LDAP: Fixed bug GH-21262 (ldap_modify() too strict controls argument validation makes it impossible to unset attribute). MBString: Fixed bug GH-21223; mb_guess_encoding no longer crashes when passed huge list of candidate encodings (with 200,000+ entries). Opcache: Fixed bug GH-20718 ("Insufficient shared memory" when using JIT on Solaris). Fixed bug GH-21227 (Borked SCCP of array containing partial object). OpenSSL: Fix a bunch of leaks and error propagation. Windows: Fixed compilation with clang (missing intrin.h include). - version update to 8.5.3 Core: Fixed bug GH-20806 (preserve_none feature compatiblity with LTO). Fixed bug GH-20767 (build failure with musttail/preserve_none feature on macOs). Fixed bug GH-20837 (NULL dereference when calling ob_start() in shutdown function triggered by bailout in php_output_lock_error()). Fix OSS-Fuzz #471533782 (Infinite loop in GC destructor fiber). Fix OSS-Fuzz #472563272 (Borked block_pass JMP[N]Z optimization). Fixed bug GH-20914 (Internal enums can be cloned and compared). Fix OSS-Fuzz #474613951 (Leaked parent property default value). Fixed bug GH-20895 (ReflectionProperty does not return the PHPDoc of a property if it contains an attribute with a Closure). Fixed bug GH-20766 (Use-after-free in FE_FREE with GC interaction). Fix OSS-Fuzz #471486164 (Broken by-ref assignment to uninitialized hooked backing value). Fix OSS-Fuzz #438780145 (Nested finally with repeated return type check may uaf). Fixed bug GH-20905 (Lazy proxy bailing __clone assertion). Fixed bug GH-20479 (Hooked object properties overflow). Date: Update timelib to 2022.16. DOM: Fixed GH-21041 (Dom\HTMLDocument corrupts closing tags within scripts). MbString: Fixed bug GH-20833 (mb_str_pad() divide by zero if padding string is invalid in the encoding). Fixed bug GH-20836 (Stack overflow in mb_convert_variables with recursive array references). Opcache: Fixed bug GH-20818 (Segfault in Tracing JIT with object reference). OpenSSL: Fix memory leaks when sk_X509_new_null() fails. Fix crash when in openssl_x509_parse() when i2s_ASN1_INTEGER() fails. Fix crash in openssl_x509_parse() when X509_NAME_oneline() fails. ... changelog too long, skipping 513 lines ... * php-systzdata-v24.patch (refreshed) ==== ca-certificates ==== Version update (2+git20260203.5937e9f -> 2+git20260420.2a8e251) - Update to version 2+git20260420.2a8e251: * update-ca-certificates requires mv and ln from coreutils ==== cups ==== Version update (2.4.16 -> 2.4.17) Subpackages: cups-client cups-config libcups2 libcupsimage2 - Version upgrade to 2.4.17: See https://github.com/openprinting/cups/releases The new release 2.4.17 contains the following security fixes: * CVE-2026-27447: The scheduler treated local user and group names as case-insensitive (bsc#1261572) * CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS directory (bsc#1261571) * CVE-2026-34980: The scheduler did not filter control characters from option values (bsc#1261569) * CVE-2026-34979: The scheduler did not always allocate enough memory for a job's options string (bsc#1261570) * CVE-2026-34990: The scheduler incorrectly allowed local certificates over the loopback interface (bsc#1261568) * CVE-2026-39314: Fixed the range check for job password strings (bsc#1261743) * CVE-2026-39316: Fixed a printer subscription bug in the scheduler (bsc#1261742) * CVE-2026-NNNNN: Fixed a SNMP string conversion bug in the backends. The last CVE number is requested from Github for several days now, the number will be corrected once we have one, but we decided to make a release to share the other fixes ("we" means the CUPS upstream maintainers). - The release includes other fixes as well, listed in CHANGES.md. Issues are those at https://github.com/OpenPrinting/cups/issues Detailed list (from CHANGES.md): * The scheduler followed symbolic links when cleaning out its temporary directory (Issue #1448) * Updated `cupsFileGetConf` and `cupsFilePutConf` to escape more characters. * Updated man page `cancel` (Issue #984) * Updated `cupsRasterReadHeader` to validate more of the page header values (Issue #1501) * Fixed an issue with the class/printer CGI name checking. * Fixed infinite loop in `http_write()` on busy print servers (Issue #827) * Fixed potential TLS blocking issues (Issue #1128) * Fixed a job history bug in the scheduler (Issue #1440) * Fixed notifier logging bug that would result in nul bytes getting into the log (Issue #1450) * Fixed possible use-after-free in `cupsdReadClient()` (Issue #1454) * Fixed a document format bug in the IPP backend (Issue #1457) * Fixed DRAIN_OUTPUT race condition (Issue #1461) * Fixed a bug when then `ippFindXxx` and `ippSetXxx` functions were mixed. * Fixed the mapping of supply type keywords to SNMP names. * Fixed a bug in the IPP backend when SNMP was disabled. * Fixed a crash bug in the rastertoepson filter. * Fixed a bug in cgiCheckVariables. * Fixed handling read/write errors with OpenSSL (Issue #1506) * Fixed handling rehandshake error in `_httpTLSRead` (Issue #1508) * Fixed a debug printf bug on Windows (Issue #1529) * Fixed a recursion issue with encoding of nested collections (Issue #1539) * Fixed parsing of the `LimitRequestBody`, `MaxLogSize`, and `MaxRequestSize` directives in "cupsd.conf" (Issue #1540) * Fixed a parsing bug in `ipptool` (Issue #1542) * Fixed blank line detection in the `rastertolabel` filter (Issue #1545) * Fixed `httpPeek` edge case on compressed streams Issues are those at https://github.com/OpenPrinting/cups/issues - Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.17 ==== emacs ==== Subpackages: emacs-el emacs-eln emacs-info emacs-nox etags - Add patch emacs-30.2-silent.patch * To silent the useless warning on memmove - Add patch emacs-30.2-tree-sitter-0.26.8.patch * Make it build with tree-sitter-0.26.8 security update (boo#1262007) ==== gimp ==== Version update (3.2.2 -> 3.2.4) Subpackages: gimp-plugin-aa gimp-plugin-python3 libgimp-3_0-0 libgimpui-3_0-0 - Update to 3.2.4 https://www.gimp.org/news/2026/04/19/gimp-3-2-4-released/ ==== gnome-remote-desktop ==== Version update (50.0 -> 50.1) Subpackages: gnome-remote-desktop-lang - Update to version 50.1: + Test improvements + Misc bug fixes & cleanups + Fix black screen on some NVIDIA GPUs + Updated translations. ==== gstreamer-plugins-rs ==== - Revert the dropping of BuildRequiring clang/llvm. It's needed to build the package in SLFO. ==== libkdcraw ==== Subpackages: libKDcrawQt6-5 libkdcraw-qt6 - Restore a Qt 5 based libkcdraw package until krita is ported to Qt 6 ==== libxml2 ==== Version update (2.15.2 -> 2.15.3) Subpackages: libxml2-16 libxml2-tools - Update to version 2.15.3: * Security: - parser: Pass userData to SAX text callbacks in xmlParseReference (type-confusion) - entities: copy children in xmlCopyEntity - c14n: Fix Type confusion in xmlC14NProcessAttrsAxis - python: Do not decref string after adding to the list (double-free / use-after-free) - c14n: Reuse tmp_str, xmlStrcat reallocates *cur (double-free) * Improvements: - schemas: Fix relative schemaLocation resolution in XSI assembly in streaming mode - xmlreader: propagate reader resource loaders to validator parsers - python: Make python bindings python2 compatible - xmlregexp: Fix escape-sequence character range matching - xmlreader: Free input in xmlReaderForFd (memory-leak) - xmlstring: Free cur on every error for xmlStrncat (memory-leak) - catalog: Free xmlCatalogResolveCache on cleanup (memory leak) - Fix nanohttp.c build when --without-output - test: fix mismatched signed/unsigned comparison ==== mariadb ==== Subpackages: libmariadbd19 mariadb-client mariadb-errormessages - Returned provider_lzma.so plugin (boo#1262217). ==== openSUSE-release ==== Version update (20260420 -> 20260422) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== php8 ==== Version update (8.4.20 -> 8.5.5) Subpackages: php8-ctype php8-dom php8-iconv php8-openssl php8-pdo php8-sqlite php8-tokenizer php8-xmlreader php8-xmlwriter - php8-devel: require pkgconfig(capstone) now that we build with libcapstone enabled - version update to 8.5.5 Core: Fixed bug GH-20672 (Incorrect property_info sizing for locally shadowed trait properties). Fixed bugs GH-20875, GH-20873, GH-20854 (Propagate IN_GET guard in get_property_ptr_ptr for lazy proxies). Bz2: Fix truncation of total output size causing erroneous errors. DOM: Fixed bug GH-21486 (Dom\HTMLDocument parser mangles xml:space and xml:lang attributes). FFI: Fixed resource leak in FFI::cdef() onsymbol resolution failure. GD: Fixed bug GH-21431 (phpinfo() to display libJPEG 10.0 support). Opcache: Fixed bug GH-21052 (Preloaded constant erroneously propagated to file-cached script). Fixed bug GH-20838 (JIT compiler produces wrong arithmetic results). Fixed bug GH-21267 (JIT tracing: infinite loop on FETCH_OBJ_R with IS_UNDEF property in polymorphic context). Fixed bug GH-21395 (uaf in jit). OpenSSL: Fixed bug GH-21083 (Skip private_key_bits validation for EC/curve-based keys). Fix missing error propagation for BIO_printf() calls. PCNTL: Fixed signal handler installation on AIX by bumping the storage size of the num_signals global. PCRE: Fixed re-entrancy issue on php_pcre_match_impl, php_pcre_replace_impl, php_pcre_split_impl, and php_pcre_grep_impl. Phar: Fixed bug GH-21333 (use after free when unlinking entries during iteration of a compressed phar). SNMP: Fixed bug GH-21336 (SNMP::setSecurity() undefined behavior with NULL arguments). SOAP: Fixed Set-Cookie parsing bug wrong offset while scanning attributes. SPL: Fixed bug GH-21454 (missing write lock validation in SplHeap). Standard: Fixed bug GH-20906 (Assertion failure when messing up output buffers). Fixed bug GH-20627 (Cannot identify some avif images with getimagesize). Sysvshm: Fix memory leak in shm_get_var() when variable is corrupted. XSL: Fix GH-21357 (XSLTProcessor works with DOMDocument, but fails with Dom\XMLDocument). Fixed bug GH-21496 (UAF in dom_objects_free_storage). - version update to 8.5.4 Core: Fixed bug GH-21029 (zend_mm_heap corrupted on Aarch64, LTO builds). Fixed bug GH-21059 (Segfault when preloading constant AST closure). Fixed bug GH-21072 (Crash on (unset) cast in constant expression). Fix deprecation now showing when accessing null key of an array with JIT. Fixed bug GH-20657 (Assertion failure in zend_lazy_object_get_info triggered by setRawValueWithoutLazyInitialization() and newLazyGhost()). Fixed bug GH-20504 (Assertion failure in zend_get_property_guard when accessing properties on Reflection LazyProxy via isset()). Fixed OSS-Fuzz #478009707 (Borked assign-op/inc/dec on untyped hooked property backing value). Fixed bug GH-21215 (Build fails with -std=). Fixed bug GH-13674 (Build system installs libtool wrappers when using slibtool). Curl: Don't truncate length. Date: Fixed bug GH-20936 (DatePeriod::__set_state() cannot handle null start). Fix timezone offset with seconds losing precision. DOM: Fixed bug GH-21077 (Accessing Dom\Node::baseURI can throw TypeError). Fixed bug GH-21097 (Accessing Dom\Node properties can can throw TypeError). LDAP: Fixed bug GH-21262 (ldap_modify() too strict controls argument validation makes it impossible to unset attribute). MBString: Fixed bug GH-21223; mb_guess_encoding no longer crashes when passed huge list of candidate encodings (with 200,000+ entries). Opcache: Fixed bug GH-20718 ("Insufficient shared memory" when using JIT on Solaris). Fixed bug GH-21227 (Borked SCCP of array containing partial object). OpenSSL: Fix a bunch of leaks and error propagation. Windows: Fixed compilation with clang (missing intrin.h include). - version update to 8.5.3 Core: Fixed bug GH-20806 (preserve_none feature compatiblity with LTO). Fixed bug GH-20767 (build failure with musttail/preserve_none feature on macOs). Fixed bug GH-20837 (NULL dereference when calling ob_start() in shutdown function triggered by bailout in php_output_lock_error()). Fix OSS-Fuzz #471533782 (Infinite loop in GC destructor fiber). Fix OSS-Fuzz #472563272 (Borked block_pass JMP[N]Z optimization). Fixed bug GH-20914 (Internal enums can be cloned and compared). Fix OSS-Fuzz #474613951 (Leaked parent property default value). Fixed bug GH-20895 (ReflectionProperty does not return the PHPDoc of a property if it contains an attribute with a Closure). Fixed bug GH-20766 (Use-after-free in FE_FREE with GC interaction). Fix OSS-Fuzz #471486164 (Broken by-ref assignment to uninitialized hooked backing value). Fix OSS-Fuzz #438780145 (Nested finally with repeated return type check may uaf). Fixed bug GH-20905 (Lazy proxy bailing __clone assertion). Fixed bug GH-20479 (Hooked object properties overflow). Date: Update timelib to 2022.16. DOM: Fixed GH-21041 (Dom\HTMLDocument corrupts closing tags within scripts). MbString: Fixed bug GH-20833 (mb_str_pad() divide by zero if padding string is invalid in the encoding). Fixed bug GH-20836 (Stack overflow in mb_convert_variables with recursive array references). Opcache: Fixed bug GH-20818 (Segfault in Tracing JIT with object reference). OpenSSL: Fix memory leaks when sk_X509_new_null() fails. Fix crash when in openssl_x509_parse() when i2s_ASN1_INTEGER() fails. Fix crash in openssl_x509_parse() when X509_NAME_oneline() fails. ... changelog too long, skipping 513 lines ... * php-systzdata-v24.patch (refreshed) ==== python-lxml ==== Version update (6.0.2 -> 6.1.0) - update to 6.1.0 (CVE-2026-41066): * This release fixes a possible external entity injection (XXE) vulnerability in ``iterparse()`` and the ``ETCompatXMLParser``. * GH#486: The HTML ARIA accessibility attributes were added to the set of safe attributes in ``lxml.html.defs``. * The default chunk size for reading from file-likes in ``iterparse()`` is now configurable with a new ``chunk_size`` argument. * LP#2148019: Spurious MemoryError during namespace cleanup. * Several out of memory error cases now raise ``MemoryError`` that were not handled before. * Slicing with large step values (outside of ``+/- sys.maxsize``) could trigger undefined C behaviour. * LP#2125399: Some failing tests were fixed or disabled in PyPy. * LP#2138421: Memory leak in error cases when setting the ``public_id`` or ``system_url`` of a document. * Memory leak in case of a memory allocation failure when copying document subtrees. * When mapping an XPath result to Python failed, the result memory could leak. * When preparing an XSLT transform failed, the XSLT parameter memory could leak. ==== quadrapassel ==== Version update (50.0.1 -> 50.1) Subpackages: quadrapassel-lang - Update to version 50.1: + Reduced the bonus for destroying the bottom row + Added the ability to hold pieces + Fixed a bug where the gamepad could start or unpause games when not in focus + Changed the GioApplicationFlags to 'G_APPLICATION_DEFAULT_FLAGS' + Updated translations. ==== tar ==== Subpackages: tar-lang tar-rmt - Ensure the date in .info files is reproducible (boo#1047218) ==== tftp ==== - jsc#PED-14746: Fix packages for Immutable Mode * Remove /srv/tftpboot from package, system-user-tftp already provides that. ==== xterm ==== Version update (406 -> 407) Subpackages: xterm-bin xterm-resize - update to 407: * add private modes 1020 to 1023 for reporting whether xterm uses UTF-8, whether CJK-width is set, whether Emoji-width is set, and whether private-width is set. * add resource privateWidth to control whether PUA (private use area) codes are neutral width or single-width. * improve fix for Debian #738794, to show boxes for codes which are neither combining characters or valid Unicode characters * improve switching to/from UTF-8 mode by saving, restoring and resetting the G0-G3 array (Debian #1124802). * use ST consistently in terminfo rather than legacy BEL minor updates to configure script and terminfo * add option --enable-resize-adjust for saving and repainting parts of the window which are lost when the user resizes the window ==== yast2-trans ==== Version update (84.87.20260325.bd0ff66bcc -> 84.87.20260414.0f82ab3540) Subpackages: yast2-trans-af yast2-trans-ar yast2-trans-bg yast2-trans-bn yast2-trans-bs yast2-trans-ca yast2-trans-cs yast2-trans-cy yast2-trans-da yast2-trans-de yast2-trans-el yast2-trans-en_GB yast2-trans-es yast2-trans-et yast2-trans-fa yast2-trans-fi yast2-trans-fr yast2-trans-gl yast2-trans-gu yast2-trans-hi yast2-trans-hr yast2-trans-hu yast2-trans-id yast2-trans-it yast2-trans-ja yast2-trans-jv yast2-trans-ka yast2-trans-km yast2-trans-ko yast2-trans-lo yast2-trans-lt yast2-trans-mk yast2-trans-mr yast2-trans-nb yast2-trans-nl yast2-trans-pa yast2-trans-pl yast2-trans-pt yast2-trans-pt_BR yast2-trans-ro yast2-trans-ru yast2-trans-si yast2-trans-sk yast2-trans-sl yast2-trans-sr yast2-trans-sv yast2-trans-ta yast2-trans-th yast2-trans-tr yast2-trans-uk yast2-trans-vi yast2-trans-wa yast2-trans-xh yast2-trans-zh_CN yast2-trans-zh_TW yast2-trans-zu - Update to version 84.87.20260414.0f82ab3540: * Translated using Weblate (Arabic)