Packages changed:
 apache2-mod_php8 (8.4.8 -> 8.4.10)
 chrony (4.6.1 -> 4.7)
 gcc15
 git (2.50.0 -> 2.50.1)
 libcamera
 libstorage-ng (4.5.260 -> 4.5.261)
 llvm20
 openSUSE-release (20250709 -> 20250710)
 pcsc-towitoko
 php8 (8.4.8 -> 8.4.10)
 python-Pygments
 python-click
 python-kiwi (10.2.26 -> 10.2.27)
 python-notify2
 python-typing_extensions (4.13.2 -> 4.14.0)
 systemd-rpm-macros (24 -> 26)

=== Details ===

==== apache2-mod_php8 ====
Version update (8.4.8 -> 8.4.10)

- version update to 8.4.10 [bsc#1246146][bsc#1246148][bsc#1246167]
   BcMath:
   Fixed bug GH-18641 (Accessing a BcMath\Number property by ref crashes).
   Core:
   Fixed bugs GH-17711 and GH-18022 (Infinite recursion on deprecated attribute evaluation) and GH-18464 (Recursion protection for deprecation constants not released on bailout).
   Fixed GH-18695 (zend_ast_export() - float number is not preserved).
   Fix handling of references in zval_try_get_long().
   Do not delete main chunk in zend_gc.
   Fix compile issues with zend_alloc and some non-default options.
   Curl:
   Fix memory leak when setting a list via curl_setopt fails.
   Date:
   Fix leaks with multiple calls to DatePeriod iterator current().
   DOM:
   Fixed bug GH-18744 (classList works not correctly if copy HTMLElement by clone keyword).
   FPM:
   Fixed GH-18662 (fpm_get_status segfault).
   Hash:
   Fixed bug GH-14551 (PGO build fails with xxhash).
   Intl:
   Fix memory leak in intl_datetime_decompose() on failure.
   Fix memory leak in locale lookup on failure.
   Opcache:
   Fixed bug GH-18743 (Incompatibility in Inline TLS Assembly on Alpine 3.22).
   ODBC:
   Fix memory leak on php_odbc_fetch_hash() failure.
   OpenSSL:
   Fix memory leak of X509_STORE in php_openssl_setup_verify() on failure.
   Fixed bug #74796 (Requests through http proxy set peer name).
   PGSQL:
   Fixed GHSA-hrwm-9436-5mv3 (pgsql extension does not check for errors during escaping). (CVE-2025-1735)
   Fix warning not being emitted when failure to cancel a query with pg_cancel_query().
   PDO ODBC:
   Fix memory leak if WideCharToMultiByte() fails.
   PDO Sqlite:
   Fixed memory leak with Pdo_Sqlite::createCollation when the callback has an incorrect return type.
   Phar:
   Add missing filter cleanups on phar failure.
   Fixed bug GH-18642 (Signed integer overflow in ext/phar fseek).
   PHPDBG:
   Fix 'phpdbg --help' segfault on shutdown with USE_ZEND_ALLOC=0.
   Random:
   Fix reference type confusion and leak in user random engine.
   Readline:
   Fix memory leak when calloc() fails in php_readline_completion_cb().
   SimpleXML:
   Fixed bug GH-18597 (Heap-buffer-overflow in zend_alloc.c when assigning string with UTF-8 bytes).
   SOAP:
   Fix memory leaks in php_http.c when call_user_function() fails.
   Fixed GHSA-453j-q27h-5p8x (NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix). (CVE-2025-6491)
   Standard:
   Fixed GHSA-3cr5-j632-f35r (Null byte termination in hostnames). (CVE-2025-1220)
   Tidy:
   Fix memory leak in tidy output handler on error.
   Fix tidyOptIsReadonly deprecation, using tidyOptGetCategory.
- modified patches
 % php-build-reproducible-phar.patch (refreshed)

==== chrony ====
Version update (4.6.1 -> 4.7)
Subpackages: chrony-pool-openSUSE

- Update to version 4.5:
 * Add opencommands directive to select remote monitoring
   commands
 * Add interval option to driftfile directive
 * Add waitsynced and waitunsynced options to local directive
 * Add sanity checks for integer values in configuration
 * Add support for systemd Type=notify service
 * Add RTC refclock driver
 * Allow PHC refclock to be specified with network interface name
 * Don’t require multiple refclock samples per poll to simplify
   filter configuration
 * Keep refclock reachable when dropping samples with large delay
 * Improve quantile-based filtering to adapt faster to larger
   delay
 * Improve logging of selection failures
 * Detect clock interference from other processes
 * Try to reopen message log (-l option) on cyclelogs command
 * Fix sourcedir reloading to not multiply sources
 * Fix tracking offset after failed clock step
 * Drop support for NTS with Nettle < 3.6 and GnuTLS < 3.6.14
 * Drop support for building without POSIX threads
- Update clknetsim to snapshot 530d1a5.

==== gcc15 ====
Subpackages: cpp15 gcc15-locale libasan8 libatomic1 libgcc_s1 libgcc_s1-32bit libgccjit0 libgfortran5 libgomp1 libhwasan0 libitm1 liblsan0 libobjc4 libquadmath0 libstdc++6 libstdc++6-32bit libstdc++6-locale libstdc++6-pp libstdc++6-pp-32bit libtsan2 libubsan1

- Prune the use of update-alternatives from openSUSE Factory and
 SLFO.
- Adjust crosses to conflict consistently where they did not
 already and make them use unsuffixed binaries.

==== git ====
Version update (2.50.0 -> 2.50.1)
Subpackages: git-core git-email git-gui git-web gitk perl-Git

- refreshed gitk sha256 patches:
 0001-gitk-Add-support-of-SHA256-repo.patch
 0002-git-gui-Add-support-of-SHA256-repo.patch
- update to 2.50.1 (boo#1245938 boo#1245939 boo#1245942 boo#1245943
 boo#1245946 boo#1245947)
 Security fixes for CVE-2025-27613, CVE-2025-27614,
 CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385,
 and CVE-2025-48386
 CVE-2025-27613, Gitk:
 When a user clones an untrusted repository and runs Gitk without
 additional command arguments, any writable file can be created and
 truncated. The option "Support per-file encoding" must have been
 enabled. The operation "Show origin of this line" is affected as
 well, regardless of the option being enabled or not.
 CVE-2025-27614, Gitk:
 A Git repository can be crafted in such a way that a user who has
 cloned the repository can be tricked into running any script
 supplied by the attacker by invoking `gitk filename`, where
 `filename` has a particular structure.
 CVE-2025-46334, Git GUI (Windows only):
 A malicious repository can ship versions of sh.exe or typical
 textconv filter programs such as astextplain. On Windows, path
 lookup can find such executables in the worktree. These programs
 are invoked when the user selects "Git Bash" or "Browse Files" from
 the menu.
 CVE-2025-46835, Git GUI:
 When a user clones an untrusted repository and is tricked into
 editing a file located in a maliciously named directory in the
 repository, then Git GUI can create and overwrite any writable
 file.
 CVE-2025-48384, Git:
 When reading a config value, Git strips any trailing carriage
 return and line feed (CRLF). When writing a config entry, values
 with a trailing CR are not quoted, causing the CR to be lost when
 the config is later read.  When initializing a submodule, if the
 submodule path contains a trailing CR, the altered path is read
 resulting in the submodule being checked out to an incorrect
 location. If a symlink exists that points the altered path to the
 submodule hooks directory, and the submodule contains an executable
 post-checkout hook, the script may be unintentionally executed
 after checkout.
 CVE-2025-48385, Git:
 When cloning a repository Git knows to optionally fetch a bundle
 advertised by the remote server, which allows the server-side to
 offload parts of the clone to a CDN. The Git client does not
 perform sufficient validation of the advertised bundles, which
 allows the remote side to perform protocol injection.
 This protocol injection can cause the client to write the fetched
 bundle to a location controlled by the adversary. The fetched
 content is fully controlled by the server, which can in the worst
 case lead to arbitrary code execution.
 CVE-2025-48386, Git:
 The wincred credential helper uses a static buffer (`target`) as a
 unique key for storing and comparing against internal storage. This
 credential helper does not properly bounds check the available
 space remaining in the buffer before appending to it with
 `wcsncat()`, leading to potential buffer overflows.
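
A defensive check for the CVE-2025-48384 condition described above, as an added example that is not part of this changelog or of Git: it scans `.gitmodules` content for submodule `path` values that carry a carriage return or other control byte. The function name, the sample file and the example.invalid URLs are constructed for illustration, and the line handling is a simplification of Git's config syntax.

```python
import re

# Simplified matchers for Git config syntax (assumption: one item per line).
SUBMODULE_RE = re.compile(rb'^[ \t]*\[[ \t]*submodule[ \t]+"((?:[^"\\]|\\.)*)"[ \t]*\]',
                          re.IGNORECASE)
SECTION_RE = re.compile(rb'^[ \t]*\[')
PATH_RE = re.compile(rb'^[ \t]*path[ \t]*=[ \t]*(.*)$', re.IGNORECASE)
# Control bytes other than TAB; CR (0x0d) is the byte CVE-2025-48384 involves.
CONTROL_RE = re.compile(rb'[\x00-\x08\x0a-\x1f\x7f]')


def find_suspicious_submodule_paths(data: bytes):
    """Return (line_number, submodule_name, raw_value) for each flagged path."""
    findings = []
    current = None
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        # A single CR directly before LF is an ordinary CRLF line ending.
        if line.endswith(b"\r"):
            line = line[:-1]
        header = SUBMODULE_RE.match(line)
        if header:
            current = header.group(1).decode("utf-8", "replace")
            continue
        if SECTION_RE.match(line):
            current = None  # some other section; its keys are not submodule paths
            continue
        entry = PATH_RE.match(line)
        if current is not None and entry and CONTROL_RE.search(entry.group(1)):
            findings.append((lineno, current, entry.group(1)))
    return findings


# Constructed sample: first entry is benign with CRLF line endings,
# second entry has a CR inside the quoted path value.
SAMPLE_GITMODULES = (
    b'[submodule "docs"]\r\n'
    b'\tpath = docs\r\n'
    b'\turl = https://example.invalid/docs.git\r\n'
    b'[submodule "dep"]\n'
    b'\tpath = "libs/dep\r"\n'
    b'\turl = https://example.invalid/dep.git\n'
)

if __name__ == "__main__":
    for lineno, name, raw in find_suspicious_submodule_paths(SAMPLE_GITMODULES):
        print(f"line {lineno}: submodule {name!r} has control byte in path {raw!r}")
```

The check is deliberately conservative: it flags any control byte in the raw value, so a CRLF-terminated file passes while a CR embedded in the value does not.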

==== libcamera ====
Subpackages: libcamera-base0_5 libcamera0_5

- Add reproducible.patch to skip module signing (boo#1217690)

==== libstorage-ng ====
Version update (4.5.260 -> 4.5.261)
Subpackages: libstorage-ng-lang libstorage-ng-ruby libstorage-ng1

- merge gh#openSUSE/libstorage-ng#1026
- log output of lvmdevices during probing for debugging
- 4.5.261

==== llvm20 ====

- Replace usage of %jobs for reproducible builds (boo#1237231)
- Install liborc_rt-*.a on loongarch64

==== openSUSE-release ====
Version update (20250709 -> 20250710)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== pcsc-towitoko ====
Subpackages: libtowitoko2

- Fix build with gcc15:
 * Remove bool typedef as not needed and not used in the code
 * Add towitoko-gcc15.patch

==== php8 ====
Version update (8.4.8 -> 8.4.10)
Subpackages: php8-ctype php8-dom php8-iconv php8-openssl php8-pdo php8-sqlite php8-tokenizer php8-xmlreader php8-xmlwriter

- version update to 8.4.10 [bsc#1246146][bsc#1246148][bsc#1246167]
   BcMath:
   Fixed bug GH-18641 (Accessing a BcMath\Number property by ref crashes).
   Core:
   Fixed bugs GH-17711 and GH-18022 (Infinite recursion on deprecated attribute evaluation) and GH-18464 (Recursion protection for deprecation constants not released on bailout).
   Fixed GH-18695 (zend_ast_export() - float number is not preserved).
   Fix handling of references in zval_try_get_long().
   Do not delete main chunk in zend_gc.
   Fix compile issues with zend_alloc and some non-default options.
   Curl:
   Fix memory leak when setting a list via curl_setopt fails.
   Date:
   Fix leaks with multiple calls to DatePeriod iterator current().
   DOM:
   Fixed bug GH-18744 (classList works not correctly if copy HTMLElement by clone keyword).
   FPM:
   Fixed GH-18662 (fpm_get_status segfault).
   Hash:
   Fixed bug GH-14551 (PGO build fails with xxhash).
   Intl:
   Fix memory leak in intl_datetime_decompose() on failure.
   Fix memory leak in locale lookup on failure.
   Opcache:
   Fixed bug GH-18743 (Incompatibility in Inline TLS Assembly on Alpine 3.22).
   ODBC:
   Fix memory leak on php_odbc_fetch_hash() failure.
   OpenSSL:
   Fix memory leak of X509_STORE in php_openssl_setup_verify() on failure.
   Fixed bug #74796 (Requests through http proxy set peer name).
   PGSQL:
   Fixed GHSA-hrwm-9436-5mv3 (pgsql extension does not check for errors during escaping). (CVE-2025-1735)
   Fix warning not being emitted when failure to cancel a query with pg_cancel_query().
   PDO ODBC:
   Fix memory leak if WideCharToMultiByte() fails.
   PDO Sqlite:
   Fixed memory leak with Pdo_Sqlite::createCollation when the callback has an incorrect return type.
   Phar:
   Add missing filter cleanups on phar failure.
   Fixed bug GH-18642 (Signed integer overflow in ext/phar fseek).
   PHPDBG:
   Fix 'phpdbg --help' segfault on shutdown with USE_ZEND_ALLOC=0.
   Random:
   Fix reference type confusion and leak in user random engine.
   Readline:
   Fix memory leak when calloc() fails in php_readline_completion_cb().
   SimpleXML:
   Fixed bug GH-18597 (Heap-buffer-overflow in zend_alloc.c when assigning string with UTF-8 bytes).
   SOAP:
   Fix memory leaks in php_http.c when call_user_function() fails.
   Fixed GHSA-453j-q27h-5p8x (NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix). (CVE-2025-6491)
   Standard:
   Fixed GHSA-3cr5-j632-f35r (Null byte termination in hostnames). (CVE-2025-1220)
   Tidy:
   Fix memory leak in tidy output handler on error.
   Fix tidyOptIsReadonly deprecation, using tidyOptGetCategory.
- modified patches
 % php-build-reproducible-phar.patch (refreshed)

==== python-Pygments ====

- Skip testcase that breaks with pytest 8.4.

==== python-click ====

- Add click-8.2.1-clirunner.patch to fix clirunner breaking other
 modules' tests, cf. github.com/pallets/click/issues/2939

==== python-kiwi ====
Version update (10.2.26 -> 10.2.27)

- Bump version: 10.2.26 → 10.2.27
- Fix regression in get_partition_node_name
 backwards compat for lsblk before 2.38
 if START column not supported, fall back to default sort
- Add global option --setenv
 Allow to set environment variables in the caller environment
 via the commandline, e.g. --setenv SOURCE_DATE_EPOCH=42
- Seed filesystem UUIDs with SOURCE_DATE_EPOCH
 For reproducible builds the calculation of the filesystem UUID
 should be persistent with each rebuild of the image. To achieve
 this the UUID is calculated using the SOURCE_DATE_EPOCH from
 the environment plus a char-number representation of the filesystem
 label name as random seed. In kiwi every filesystem is created
 with a label, thus only in case there is no SOURCE_DATE_EPOCH
 available we continue to create the UUID as random data.
 This Fixes #2761
- Add label attribute for <partition> section
 Allow to specify a filesystem label as part of a <partition>
 definition. So far the label was set by the name of the
 partition. With the new label attribute, a filesystem label
 different from the partition name can be set. This commit
 also updates/fixes the documentation in this regard.
- Improve log message in SystemIdentifier
 Add some scope information such that we know where
 this log information originates from.
- Add rd.kiwi.install.devicepersistency
 Allow to specify which type of persistent device name should
 be used to build up the list of installation disk devices.
 For example rd.kiwi.install.devicepersistency=by-path would
 use the by-path representations for the available disk
 devices. The default (by-id) stays untouched. In case an
 invalid or not present device representation is selected, kiwi
 falls back to the non persistent unix node names.
- Update test-image-disk
 Add NetworkManager for better remote debugging capabilities
- Make mbr-id deterministic
 Log the value of SDE so it is available to review,
 even if the build system does not tell about it.
 Update the tests to cover the new code-path.
 Co-Authored-By: Marcus Schäfer <[email protected]>
- Ensure dracut initrd is reproducible
 This helps a bit with issue #2358
 Add reproducible flag for UKI too
 Update tests accordingly
 Co-Authored-By: Marcus Schäfer <[email protected]>

==== python-notify2 ====

- Switch to pyproject macros.

==== python-typing_extensions ====
Version update (4.13.2 -> 4.14.0)

- Update to 4.14.0
 * Remove `__or__` and `__ror__` methods from `typing_extensions.Sentinel`
   on Python versions <3.10. PEP 604 was introduced in Python 3.10, and
   `typing_extensions` does not generally attempt to backport PEP-604 methods
   to prior versions.
 * Further update `typing_extensions.evaluate_forward_ref` with changes in Python 3.14.
- from version 4.14.0rc1
 * Drop support for Python 3.8 (including PyPy-3.8). Patch by Victorien Plot.
 * Do not attempt to re-export names that have been removed from `typing`,
   anticipating the removal of `typing.no_type_check_decorator` in Python 3.15.
   Patch by Jelle Zijlstra.
 * Update `typing_extensions.Format`, `typing_extensions.evaluate_forward_ref`, and
   `typing_extensions.TypedDict` to align
   with changes in Python 3.14. Patches by Jelle Zijlstra.
 * Fix tests for Python 3.14 and 3.15. Patches by Jelle Zijlstra.
 * Add support for inline typed dictionaries (PEP 764).
   Patch by [Victorien Plot](https://github.com/Viicos).
 * Add `typing_extensions.Reader` and `typing_extensions.Writer`. Patch by
   Sebastian Rittau.
 * Add support for sentinels (PEP 661). Patch by Victorien Plot.
- Update BuildRequires from pyproject.toml

==== systemd-rpm-macros ====
Version update (24 -> 26)

- Bump version to 26
- Introduce %udev_trigger_with_reload() for packages that need to trigger events
 in their scriptlets. The new macro automatically triggers a reload of the udev
 rule files as this step is often overlooked by packages (bsc#1237143).
- Bump to version 25
- Turn %tmpfiles_create/%sysusers_create into NOPs
 The 2 following macros have also been converted into NOPs since we moved to
 file triggers. Some packages might have assumed that their effects were
 effective as soon as the macros return. However such assumption on tmpfiles
 can't work on transactional systems anyways where changes must take place on
 reboot.
 When a system user/group needs to be created in %%pre, so that proper ownership
 is used when the package's files are installed, "sysusers_create_package()"
 should be used.