Packages changed:
cnf
dhcp
glib2-branding-openSUSE
kernel-firmware-amdgpu
kernel-firmware-ath10k
kernel-firmware-ath11k (20250227 -> 20250424)
kernel-firmware-ath12k (20250206 -> 20250424)
kernel-firmware-atheros
kernel-firmware-bluetooth
kernel-firmware-bnx2
kernel-firmware-brcm
kernel-firmware-chelsio
kernel-firmware-dpaa2
kernel-firmware-i915
kernel-firmware-intel
kernel-firmware-iwlwifi (20250312 -> 20250423)
kernel-firmware-liquidio
kernel-firmware-marvell
kernel-firmware-media (20250422 -> 20250424)
kernel-firmware-mediatek
kernel-firmware-mellanox
kernel-firmware-mwifiex
kernel-firmware-network
kernel-firmware-nfp
kernel-firmware-nvidia
kernel-firmware-platform
kernel-firmware-prestera
kernel-firmware-qcom
kernel-firmware-qlogic
kernel-firmware-radeon
kernel-firmware-realtek
kernel-firmware-serial
kernel-firmware-sound
kernel-firmware-ti
kernel-firmware-ueagle
kernel-firmware-usb-network
libssh
libzip
lilv
lua54
mariadb-connector-c
open-vm-tools
openssh (9.9p2 -> 10.0p2)
openssh-askpass-gnome (9.9p2 -> 10.0p2)
orca
publicsuffix (20250407 -> 20250424)
python-M2Crypto (0.44.0 -> 0.45.1)
python-gevent (24.10.3 -> 25.4.2)
python-h11 (0.14.0 -> 0.16.0)
python-httpcore (1.0.8 -> 1.0.9)
python313 (3.13.2 -> 3.13.3)
python313-core (3.13.2 -> 3.13.3)
sane-backends
sdbootutil (1+git20250423.61ca94f -> 1+git20250425.25d659b)
unbound (1.22.0 -> 1.23.0)
=== Details ===
==== cnf ====
Subpackages: cnf-bash cnf-locale
- Fix Obsolete of a scout-command-not-found to <= 0.2.9
==== dhcp ====
Subpackages: dhcp-client dhcp-relay dhcp-server
- Add compile option '-std=gnu17' to fix build with gcc15.
[bsc#1241472]
==== glib2-branding-openSUSE ====
- Update defaults to match current situation:
+ Remove banshee preference: banshee has not been shipped since
2016.
+ Add Loupe to the preferred applications for images
+ Do not use Eog by default. As it's alphabetically before
Loupe, Eog would always win the way it was listed (when
installed).
+ Explicitly set image/tiff to org.gnome.Loupe as Eog is no
longer part of the default installations.
==== kernel-firmware-amdgpu ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-ath10k ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-ath11k ====
Version update (20250227 -> 20250424)
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
- Update to version 20250424 (git commit c8af472e05cb):
* ath11k: WCN6855 hw2.0: update board-2.bin
* ath11k: IPQ5018 hw1.0: update to WLAN.HK.2.6.0.1-01300-QCAHKSWPL_SILICONZ-1
==== kernel-firmware-ath12k ====
Version update (20250206 -> 20250424)
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
- Update to version 20250424 (git commit c8af472e05cb):
* ath12k: WCN7850 hw2.0: update to WLAN.HMT.1.1.c5-00284-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
* ath12k: QCN9274 hw2.0: update board-2.bin
==== kernel-firmware-atheros ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-bluetooth ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-bnx2 ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-brcm ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-chelsio ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-dpaa2 ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-i915 ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-intel ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-iwlwifi ====
Version update (20250312 -> 20250423)
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
- Update to version 20250423 (git commit c67433231cbd):
* iwlwifi: add Bz/gl FW for core95-82 release
* iwlwifi: update ty/So/Ma firmwares for core95-82 release
* iwlwifi: update cc/Qu/QuZ firmwares for core95-82 release
- Update to version 20250422 (git commit 32f3227b67c0):
* iwlwifi: add Bz-hr FW for core93-123 release
==== kernel-firmware-liquidio ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-marvell ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-media ====
Version update (20250422 -> 20250424)
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
- Update to version 20250424 (git commit c8af472e05cb):
* qcom: vpu: update video firmware binary for SA8775p
==== kernel-firmware-mediatek ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-mellanox ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-mwifiex ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-network ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-nfp ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-nvidia ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-platform ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-prestera ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-qcom ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-qlogic ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-radeon ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-realtek ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-serial ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-sound ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-ti ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-ueagle ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== kernel-firmware-usb-network ====
- Change conflicts filesystem < 84 to conflicts filesystem without
may-perform-usrmerge. Version 84 is specific to Tumbleweed; CODE
16 uses Version 16; yet we need to ensure we get an up-to-date
version of filesystem. Relying on the recently introduced provides
instructing zypp about the usrmerge is perfect for this use case.
==== libssh ====
Subpackages: libssh-config libssh4
- Fix build and tests with OpenSSH >= 10.0
* Use %make_build instead of naked make
* Add patches:
- libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch
- libssh-misc-Fix-OpenSSH-banner-parsing.patch
==== libzip ====
- Fix libzip-devel dependencies. libzip-targets*.cmake create
CMake targets for zipcmp, zipmerge and ziptool.
==== lilv ====
- Rework the way the preferred python flavor is used as prefix so
it also works with Slowroll
- Add BuildRequires for pkgconfig(zix) which was pulled in
indirectly but is actually required since 0.24.22.
- Generate the python subpackage with the python flavored prefix
that is being used instead of always using python3
==== lua54 ====
- Fix license: it is MIT, not GPL-3.0-or-later.
==== mariadb-connector-c ====
- add patches from upstream to fix gcc-15 compile time errors:
* mariadb-connector-c-3.4.5-gcc15.patch
* mariadb-connector-c-3.4.5-gcc15-part2.patch
==== open-vm-tools ====
Subpackages: libvmtools0 open-vm-tools-desktop
- (bsc#1237147): Newer versions of containerd do not have the directory
/usr/share/go/1.x/contrib/src/github.com/containerd/containerd/api.
Update detect-suse-location.patch to point to the directory
/usr/share/go/1.x/contrib/src/github.com/containerd/containerd/vendor/github.com/containerd/containerd/api
to find the needed files and update the tasks.proto file to import from
github.com/containerd/containerd/vendor/github.com/containerd/containerd/api
==== openssh ====
Version update (9.9p2 -> 10.0p2)
Subpackages: openssh-clients openssh-common openssh-server
- Add openssh-send-extra-term-env.patch, which appends a few
environment variables useful for terminal identification to the
default send and accept lists.
- "Update" to openssh 10.0p2:
- There was an issue during the packaging of 10.0p1 which made it
identify itself as 10.0p2 so 10.0p1 is now considered identical
to 10.0p2 and upstream won't release a separate 10.0p2 package.
- Update to openssh 10.0p1:
= Potentially-incompatible changes
* This release removes support for the weak DSA signature
algorithm, completing the deprecation process that began in
2015 (when DSA was disabled by default) and repeatedly warned
over the last 12 months.
* scp(1), sftp(1): pass "ControlMaster no" to ssh when invoked by
scp & sftp. This disables implicit session creation by these
tools when ControlMaster was set to yes/auto by configuration,
which some users found surprising. This change will not prevent
scp/sftp from using an existing multiplexing session if one had
already been created. GHPR557
* This release has the version number 10.0 and announces itself
as "SSH-2.0-OpenSSH_10.0". Software that naively matches
versions using patterns like "OpenSSH_1*" may be confused by
this.
* sshd(8): this release removes the code responsible for the
user authentication phase of the protocol from the per-
connection sshd-session binary to a new sshd-auth binary.
Splitting this code into a separate binary ensures that the
crucial pre-authentication attack surface has an entirely
disjoint address space from the code used for the rest of the
connection. It also yields a small runtime memory saving as the
authentication code will be unloaded after the authentication
phase completes. This change should be largely invisible to
users, though some log messages may now come from "sshd-auth"
instead of "sshd-session". Downstream distributors of OpenSSH
will need to package the sshd-auth binary.
* sshd(8): this release disables finite field (a.k.a modp)
Diffie-Hellman key exchange in sshd by default. Specifically,
this removes the "diffie-hellman-group*" and
"diffie-hellman-group-exchange-*" methods from the default
KEXAlgorithms list. The client is unchanged and continues to
support these methods by default. Finite field Diffie Hellman
is slow and computationally expensive for the same security
level as Elliptic Curve DH or PQ key agreement while offering
no redeeming advantages. ECDH has been specified for the SSH
protocol for 15 years and some form of ECDH has been the
default key exchange in OpenSSH for the last 14 years.
* sshd(8): this release removes the implicit fallback to
compiled-in groups for Diffie-Hellman Group Exchange KEX when
the moduli file exists but does not contain moduli within the
client-requested range. The fallback behaviour remains for the
case where the moduli file does not exist at all. This allows
administrators more explicit control over which DH groups will
be selected, but can lead to connection failures if the moduli
file is edited incorrectly. bz#2793
= Security
* sshd(8): fix the DisableForwarding directive, which was failing
to disable X11 forwarding and agent forwarding as documented.
X11 forwarding is disabled by default in the server and agent
forwarding is off by default in the client.
= New features
* ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256
is now used by default for key agreement. This algorithm is
considered to be safe against attack by quantum computers,
is guaranteed to be no less strong than the popular
curve25519-sha256 algorithm, has been standardised by NIST
and is considerably faster than the previous default.
* ssh(1): prefer AES-GCM to AES-CTR mode when selecting a cipher
for the connection. The default cipher preference list is now
Chacha20/Poly1305, AES-GCM (128/256) followed by AES-CTR
(128/192/256).
* ssh(1): add %-token and environment variable expansion to the
ssh_config SetEnv directive.
* ssh(1): allow %-token and environment variable expansion in
the ssh_config User directive, with the exception of %r and %C
which would be self-referential. bz#3477
* ssh(1), sshd(8): add "Match version" support to ssh_config and
sshd_config. Allows matching on the local version of OpenSSH,
e.g. "Match version OpenSSH_10.*".
* ssh(1): add support for "Match sessiontype" to ssh_config.
Allows matching on the type of session initially requested,
either "shell" for interactive sessions, "exec" for command
execution sessions, "subsystem" for subsystem requests, such as
sftp, or "none" for transport/forwarding-only sessions.
* ssh(1): add "Match command ..." support to
ssh_config, allowing matching on the remote command as
specified on the command-line.
* ssh(1): allow 'Match tagged ""' and 'Match command ""' to match
empty tag and command values respectively.
* sshd(8): allow glob(3) patterns to be used in sshd_config
AuthorizedKeysFile and AuthorizedPrincipalsFile directives.
bz2755
* sshd(1): support the VersionAddendum in the client, mirroring
the option of the same name in the server; bz2745
* ssh-agent(1): the agent will now delete all loaded keys when
signaled with SIGUSR1. This allows deletion of keys without
having access to $SSH_AUTH_SOCK.
* Portable OpenSSH, ssh-agent(1): support systemd-style socket
activation in ssh-agent using the LISTEN_PID/LISTEN_FDS
mechanism. Activated when these environment variables are set,
... changelog too long, skipping 116 lines ...
* fix-nopie-flag.patch
==== openssh-askpass-gnome ====
Version update (9.9p2 -> 10.0p2)
- "Update" to openssh 10.0p2:
* No changes for askpass, see main package changelog for
details.
- Update to openssh 10.0p1:
* No changes for askpass, see main package changelog for
details.
==== orca ====
Subpackages: orca-lang
- Downgrade Wnck to Recommends. It is an optional dependency and
is not used under Wayland (bsc#1241516).
==== publicsuffix ====
Version update (20250407 -> 20250424)
- Update to version 20250424:
* Add lp.dev to public_suffix_list.dat (#2391)
* fix: autopin dependencies (#2430)
* Run go mod tidy
* Bump golang.org/x/net from 0.33.0 to 0.38.0 in /tools (#2438)
* Add mmv.kr / vki.kr (#2442)
* dev.project-study.com (#2444)
* add `preview.site` (#2445)
* Add `luyani.app` (#2440)
* Add objectstorage.ch (#2439)
* Add val.run (#2432)
* Update public_suffix_list.dat (#2437)
* Add seg.ar to public_suffix_list.dat (#2433)
* Add convex.app and convex.site (#2436)
* Add e2b.app (#2431)
* Add *.devinapps.com (#2435)
* Add rules for Amazon Cognito (#2366)
* add `figma.site` (#2429)
==== python-M2Crypto ====
Version update (0.44.0 -> 0.45.1)
- Update to 0.45.1:
- ci: switch from using sha1 to sha256.
- ci(keys): regenerate rsa*.pem keys as well
- fix: make the package compatible with OpenSSL >= 3.4 (don’t
rely on LEGACY crypto-policies)
- chore: package also system_shadowing directory to make builds more reliable
- Update to 0.45.0:
- chore: preparing 0.45.0 release
- fix(lib,ssl): rewrite ssl_accept, ssl_{read,write}_nbio for better error handling
- fix: replace m2_PyBuffer_Release with native PyBuffer_Release
- chore: build Windows builds with Python 3.13 as well
- fix: remove support for Engine
- chore: use actual license of the project
- ci(Debian): make M2Crypto buildable on Debian (bsc#1240965)
- swig: Workaround for reading sys/select.h ending with wrong types.
- ci: bump required setuptools version because of change in naming strategy
- fix: add fix for build with older GCC
- fix: remove AnyStr and Any types
==== python-gevent ====
Version update (24.10.3 -> 25.4.2)
- Update to 25.4.2: [bsc#1241067, bsc#1241037]
* Make gevent's queue classes subscriptable to match the standard
library. See issue #2102.
* Make the c-ares resolver build on Windows.
* The gevent testsuite runs a copy of the test_ssl from cpython but
the following change has not been ported yet:
- gh-126500: test_ssl: Don't stop ThreadedEchoServer on OSError
in ConnectionHandler [gh#python/cpython/pull/126503]
- Rebase gevent-openssl35-test-fix.patch
- Upstream PR: [gh#gevent/gevent/pull/2103]
- Update to 25.4.1
* Remove some legacy code that supported Python 2 for compatibility
with the upcoming releases of Cython 3.1.
* Add a new environment variable and configuration setting to control
whether blocking reports are printed by the monitor thread.
* Add initial support for Python 3.14a7.
* Fix using gevent’s BackdoorServer with Unix sockets.
* Do not use pywsgi in a security-conscious environment. Fix one
security issue related to HTTP 100 Continue handling. See issue #2075.
==== python-h11 ====
Version update (0.14.0 -> 0.16.0)
- Update to 0.16.0:
* Security fix (CVE-2025-43859, bsc#1241872)
Reject certain malformed Transfer-Encoding: chunked bodies that
were previously accepted. These could have enabled
request-smuggling attacks when an h11-based HTTP server was placed
behind a load balancer with a matching bug in its chunked
handling.
Advisory with more details:
https://github.com/python-hyper/h11/security/advisories/GHSA-vqfr-h8mv-ghfj
- 0.15.0:
* Reject Content-Lengths >= 1 zettabyte (1 billion terabytes) early,
without attempting to parse the integer (#181)
==== python-httpcore ====
Version update (1.0.8 -> 1.0.9)
- Update to 1.0.9
* Resolve
https://github.com/advisories/GHSA-vqfr-h8mv-ghfj with h11
dependency update. (#1008)
==== python313 ====
Version update (3.13.2 -> 3.13.3)
Subpackages: python313-curses python313-dbm python313-tk python313-x86-64-v3
- Update to 3.13.3:
- Tools/Demos
- gh-131852: msgfmt no longer adds the POT-Creation-Date to
generated .mo files for consistency with GNU msgfmt.
- gh-85012: Correctly reset msgctxt when compiling messages
in msgfmt.
- gh-130025: The iOS testbed now correctly handles symlinks
used as Python framework references.
- Tests
- gh-131050: test_ssl.test_dh_params is skipped if the
underlying TLS library does not support finite-field
ephemeral Diffie-Hellman.
- gh-129200: Multiple iOS testbed runners can now be started
at the same time without introducing an ambiguity over
simulator ownership.
- gh-130292: The iOS testbed will now run successfully on a
machine that has not previously run Xcode tests (such as CI
configurations).
- gh-130293: The tests of terminal colorization are no longer
sensitive to the value of the TERM variable in the testing
environment.
- gh-126332: Add unit tests for pyrepl.
- Security
- gh-131809: Update bundled libexpat to 2.7.1
- gh-131261: Upgrade to libexpat 2.7.0
- gh-127371: Avoid unbounded buffering for
tempfile.SpooledTemporaryFile.writelines(). Previously,
disk spillover was only checked after the lines iterator
had been exhausted. This is now done after each line is
written.
- gh-121284: Fix bug in the folding of rfc2047 encoded-words
when flattening an email message using a modern email
policy. Previously when an encoded-word was too long for
a line, it would be decoded, split across lines, and
re-encoded. But commas and other special characters in the
original text could be left unencoded and unquoted. This
could theoretically be used to spoof header lines using
a carefully constructed encoded-word if the resulting
rendered email was transmitted or re-parsed.
- Library
- gh-132174: Fix function name in error message of
_interpreters.run_string.
- gh-132171: Fix crash of _interpreters.run_string on string
subclasses.
- gh-129204: Introduce new _PYTHON_SUBPROCESS_USE_POSIX_SPAWN
environment variable knob in subprocess to control the use
of os.posix_spawn().
- gh-132159: Do not shadow user arguments in generated
__new__() by decorator warnings.deprecated. Patch by Xuehai
Pan.
- gh-132075: Fix possible use of socket address structures
with uninitialized members. Now all structure members are
initialized with zeroes by default.
- gh-132002: Fix crash when deallocating
contextvars.ContextVar with weird unhashable string names.
- gh-131668: socket: Fix code parsing AF_BLUETOOTH socket
addresses.
- gh-131492: Fix a resource leak when constructing a
gzip.GzipFile with a filename fails, for example when
passing an invalid compresslevel.
- gh-131325: Fix sendfile fallback implementation to drain
data after writing to transport in asyncio.
- gh-129843: Fix incorrect argument passing in
warnings.warn_explicit().
- gh-131204: Use monospace font from System Font Stack for
cross-platform support in difflib.HtmlDiff.
- gh-130940: The PyConfig.use_system_logger attribute,
introduced in Python 3.13.2, has been removed. The
introduction of this attribute inadvertently introduced an
ABI breakage on macOS and iOS. The use of the system logger
is now enabled by default on iOS, and disabled by default
on macOS.
- gh-131045: Fix issue with __contains__, values, and
pseudo-members for enum.Flag.
- gh-130959: Fix pure-Python implementation of
datetime.time.fromisoformat() to reject times with spaces
in fractional part (for example, 12:34:56.400 +02:00),
matching the C implementation. Patch by Michał Gorny.
- gh-130637: Add validation for numeric response data in
poplib.POP3.stat() method
- gh-130461: Remove .. index:: directives from the uuid
module documentation. These directives previously created
entries in the general index for getnode() as well as
the uuid1(), uuid3(), uuid4(), and uuid5() constructor
functions.
- gh-130379: The zipapp module now calculates the list of
files to be added to the archive before creating the
archive. This avoids accidentally including the target when
it is being created in the source directory.
- gh-130285: Fix corner case for random.sample() allowing the
counts parameter to specify an empty population. So now,
sample([], 0, counts=[]) and sample('abc', k=0, counts=[0,
0, 0]) both give the same result as sample([], 0).
- gh-130250: Fix regression in traceback.print_last().
- gh-130230: Fix crash in pow() with only Decimal third
argument.
- gh-118761: Reverts a change in the previous release
attempting to make some stdlib imports used within the
subprocess module lazy as this was causing errors during
... changelog too long, skipping 175 lines ...
(gh#python/cpython#132535).
==== python313-core ====
Version update (3.13.2 -> 3.13.3)
Subpackages: libpython3_13-1_0 libpython3_13-1_0-x86-64-v3 python313-base python313-base-x86-64-v3
- Update to 3.13.3:
- Tools/Demos
- gh-131852: msgfmt no longer adds the POT-Creation-Date to
generated .mo files for consistency with GNU msgfmt.
- gh-85012: Correctly reset msgctxt when compiling messages
in msgfmt.
- gh-130025: The iOS testbed now correctly handles symlinks
used as Python framework references.
- Tests
- gh-131050: test_ssl.test_dh_params is skipped if the
underlying TLS library does not support finite-field
ephemeral Diffie-Hellman.
- gh-129200: Multiple iOS testbed runners can now be started
at the same time without introducing an ambiguity over
simulator ownership.
- gh-130292: The iOS testbed will now run successfully on a
machine that has not previously run Xcode tests (such as CI
configurations).
- gh-130293: The tests of terminal colorization are no longer
sensitive to the value of the TERM variable in the testing
environment.
- gh-126332: Add unit tests for pyrepl.
- Security
- gh-131809: Update bundled libexpat to 2.7.1
- gh-131261: Upgrade to libexpat 2.7.0
- gh-127371: Avoid unbounded buffering for
tempfile.SpooledTemporaryFile.writelines(). Previously,
disk spillover was only checked after the lines iterator
had been exhausted. This is now done after each line is
written.
- gh-121284: Fix bug in the folding of rfc2047 encoded-words
when flattening an email message using a modern email
policy. Previously when an encoded-word was too long for
a line, it would be decoded, split across lines, and
re-encoded. But commas and other special characters in the
original text could be left unencoded and unquoted. This
could theoretically be used to spoof header lines using
a carefully constructed encoded-word if the resulting
rendered email was transmitted or re-parsed.
- Library
- gh-132174: Fix function name in error message of
_interpreters.run_string.
- gh-132171: Fix crash of _interpreters.run_string on string
subclasses.
- gh-129204: Introduce new _PYTHON_SUBPROCESS_USE_POSIX_SPAWN
environment variable knob in subprocess to control the use
of os.posix_spawn().
- gh-132159: Do not shadow user arguments in generated
__new__() by decorator warnings.deprecated. Patch by Xuehai
Pan.
- gh-132075: Fix possible use of socket address structures
with uninitialized members. Now all structure members are
initialized with zeroes by default.
- gh-132002: Fix crash when deallocating
contextvars.ContextVar with weird unhashable string names.
- gh-131668: socket: Fix code parsing AF_BLUETOOTH socket
addresses.
- gh-131492: Fix a resource leak when constructing a
gzip.GzipFile with a filename fails, for example when
passing an invalid compresslevel.
- gh-131325: Fix sendfile fallback implementation to drain
data after writing to transport in asyncio.
- gh-129843: Fix incorrect argument passing in
warnings.warn_explicit().
- gh-131204: Use monospace font from System Font Stack for
cross-platform support in difflib.HtmlDiff.
- gh-130940: The PyConfig.use_system_logger attribute,
introduced in Python 3.13.2, has been removed. The
introduction of this attribute inadvertently introduced an
ABI breakage on macOS and iOS. The use of the system logger
is now enabled by default on iOS, and disabled by default
on macOS.
- gh-131045: Fix issue with __contains__, values, and
pseudo-members for enum.Flag.
- gh-130959: Fix pure-Python implementation of
datetime.time.fromisoformat() to reject times with spaces
in fractional part (for example, 12:34:56.400 +02:00),
matching the C implementation. Patch by Michał Gorny.
- gh-130637: Add validation for numeric response data in
poplib.POP3.stat() method
- gh-130461: Remove .. index:: directives from the uuid
module documentation. These directives previously created
entries in the general index for getnode() as well as
the uuid1(), uuid3(), uuid4(), and uuid5() constructor
functions.
- gh-130379: The zipapp module now calculates the list of
files to be added to the archive before creating the
archive. This avoids accidentally including the target when
it is being created in the source directory.
- gh-130285: Fix corner case for random.sample() allowing the
counts parameter to specify an empty population. So now,
sample([], 0, counts=[]) and sample('abc', k=0, counts=[0, 0, 0])
both give the same result as sample([], 0).
- gh-130250: Fix regression in traceback.print_last().
- gh-130230: Fix crash in pow() with only Decimal third
argument.
- gh-118761: Reverts a change in the previous release
attempting to make some stdlib imports used within the
subprocess module lazy as this was causing errors during
... changelog too long, skipping 175 lines ...
(gh#python/cpython#132535).
==== sane-backends ====
Subpackages: libsane1 sane-backends-autoconfig
- add c23-keywords.patch from upstream to fix gcc15 compile error
==== sdbootutil ====
Version update (1+git20250423.61ca94f -> 1+git20250425.25d659b)
Subpackages: sdbootutil-dracut-measure-pcr sdbootutil-snapper
- Update to version 1+git20250425.25d659b:
* get-timeout for sd-boot return unsigned value
* jeos-firstboot-enroll: drop unused variable
* jeos-firstboot-enroll: continue if no enrollment (bsc#1236583)
* jeos-firstboot-enroll: hide keyctl output
* jeos-firstboot-enroll: add title and description
==== unbound ====
Version update (1.22.0 -> 1.23.0)
Subpackages: libunbound8 unbound-anchor
- Update to 1.23.0:
Features:
* Increase the default of max-global-quota to 200 from 128 after
operational feedback. Still keeping the possible amplification
factor (CAMP related issues) in the hundreds.
* Fix #1175: serve-expired does not adhere to secure-by-default
principle. The default value of serve-expired-client-timeout
is set to 1800 as suggested by RFC8767.
* For #1175, the default value of serve-expired-ttl is set to 86400
(1 day) as suggested by RFC8767.
* For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add
LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
* Add resolver.arpa and service.arpa to the default locally served
zones.
* Merge #1042: Fast Reload. The unbound-control fast_reload is added.
It reads changed config in a thread, then only briefly pauses the
service threads, that keep running. DNS service is only interrupted
briefly, less than a second.
* Merge #1019: Redis read-only replica support.
Introduces new 'redis-replica-*' options for the Redis cache backend.
* Merge #902: DNS Error Reporting (RFC 9567). Introduces new
configuration option 'dns-error-reporting' and new statistics for
'num.dns_error_reports'.
Bug Fixes:
* Fix #1154: Tag Incorrectly Applying for Other Interfaces
Using the Same IP. This fix is not for 1.22.0.
* Fix #1163: Typos in unbound.conf documentation.
* Merge #1159: Stats for discard-timeout and wait-limit.
* Add test case for #1159.
* Some clean up for stat_values.test.
* Merge #1170 from Melroy van den Berg, Fix chroot manpage
description.
* Merge #1157 from Liang Zhu, Fix heap corruption when calling
ub_ctx_delete in Windows.
* Fix redis so that during a reload it does not fail if the redis
server does not connect or does not respond. It still logs the
errors and if the server is up checks expiration features.
* Merge #1167: Makefile.in: fix occasional parallel build failures
around bison rule.
* Fix SETEX check during Redis (re)initialization.
* Fix for the serve expired DNSSEC information fix, it would not allow
current delegation information to be updated in cache. The fix allows
current delegation and validation recursion information to be
updated, but as a consequence no longer has certain expired
information around for later dnssec valid expired responses.
* Fix to log redis timeout error string on failure.
* More descriptive text for 'harden-algo-downgrade'.
* Complete fix for max-global-quota to 200.
* Fix #1183: the data being used is released in method
nsec3_hash_test_entry.
* Fix for #1183: release nsec3 hashes per test file.
* Merge #1169 from Sergey Kacheev, fix: lock-free counters for
auth_zone up/down queries.
* Fix comparison to help static analyzer.
* For #1175, update serve-expired tests.
* Merge #1189: Fix the dname_str method to cause conversion errors
when the domain name length is 255.
* Merge #1197: dname_str() fixes.
* Merge #1198: Fix log-servfail with serve expired and no useful cache
contents.
* Safeguard alias loop while looking in the cache for expired answers.
* Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege
drop.
* Fix typo in log_servfail.tdir test.
* Merge #1204: ci: set persist-credentials: false for actions/checkout
per zizmor suggestion.
* Merge #1174: Serve expired cache update fixes. Fixes a regression bug
with serve-expired that appeared in 1.22.0 and would not allow the
iterator to update the cache with not-yet-validated entries resulting
in increased outgoing traffic.
* Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS
handshake.
* Fix #1213: Misleading error message on default access control causing
refuse.
* Merge #1221: Consider auth zones when checking for forwarders.
* Merge #1222: Unique DoT and DoH SSL contexts to allow for different
ALPN.
* Create the quic SSL listening context only when needed.
* Fix compile of interface check code when dnscrypt or quic is
disabled.
* Fix encoding of RR type ATMA.
* Fix to check length in ATMA string to wire.
* Merge #1229: check before use daemon->shm_info.
* Use the same interface listening port discovery code for all needed
protocols.
* Port to string only when needed before getaddrinfo().
* Do not open unencrypted channels next to encrypted ones on the same
port.
* Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is
set.
* Merge #1220 from Petr Menšík, Add unbound members group access to
control key.
* Make the default value of module-config "validator iterator"
regardless of compilation options. --enable-subnet would implicitly
change the value to enable the subnetcache module by default in the
past.
* Fix #986: Resolving sas.com with dnssec-validation fails though
signed delegations seem to be (mostly) correct.
Consider reconfigurations when calculating the still_useful_timeout
... changelog too long, skipping 62 lines ...
* Merge #1265: Fix WSAPoll.