Packages changed:
  MozillaFirefox (151.0.3 -> 151.0.4)
  binutils
  boost-base
  boost-extra
  cyrus-imapd
  file (5.47 -> 5.48)
  fwupd (2.1.3 -> 2.1.4)
  hplip
  lftp
  ncurses (6.6.20260530 -> 6.6.20260608)
  openSUSE-release (20260609 -> 20260610)
  patterns-base
  perl-Cpanel-JSON-XS (4.410.0 -> 4.420.0)
  sdl2-compat (2.32.68 -> 2.32.70)
  shotwell (0.32.16 -> 0.32.17)
  systemd (260.1 -> 260.2)
  transmission (4.1.1 -> 4.1.2)

=== Details ===

==== MozillaFirefox ====
Version update (151.0.3 -> 151.0.4)
Subpackages: MozillaFirefox-branding-upstream MozillaFirefox-translations-common

- Mozilla Firefox 151.0.4:
  * Fixed an issue where Firefox could fall back to software rendering on some older GPUs, reducing graphics performance (bmo#2043249)
  * Fixed an issue where some text input fields could incorrectly show a resize handle (bmo#2044051)

==== binutils ====
Subpackages: libctf-nobfd0 libctf0 libsframe2

- Add pr33427-fix-loongarch64-glibc-build-with-gcc16.patch to backport a fix for assertion failures when building glibc for loongarch64 with GCC 16.

==== boost-base ====
Subpackages: boost-license1_91_0 libboost_filesystem1_91_0 libboost_filesystem1_91_0-x86-64-v3 libboost_iostreams1_91_0 libboost_iostreams1_91_0-x86-64-v3 libboost_locale1_91_0 libboost_locale1_91_0-x86-64-v3 libboost_thread1_91_0 libboost_thread1_91_0-x86-64-v3

- Force remove boost_atomic directory to fix the failing build with GCC 16

==== boost-extra ====
Subpackages: libboost_python-py3-1_91_0 libboost_python-py3-1_91_0-x86-64-v3

- Force remove boost_atomic directory to fix the failing build with GCC 16

==== cyrus-imapd ====
Subpackages: cyradm libcyrus0 perl-Cyrus-Annotator perl-Cyrus-IMAP perl-Cyrus-SIEVE-managesieve

- Adapt license

==== file ====
Version update (5.47 -> 5.48)
Subpackages: file-magic libmagic1

- Update to 5.48:
  * add landlock support (valoq)
  * add BE/LE GUID
  * multiple fixes to prevent integer overflow in 32 bits (kerwin)
  * PR/745: bitstreamout: Don't flush when trying to set negative offsets on pipes, just continue, fixes 'cat file.zip | file -'
  * PR/753: vmihalko: Fix race in magic_getpath()
  * PR/728: Anton Monroe: Reinstate regex/c
- Port patch file-5.47.dif and rename it to file-5.48.dif
- Port patches
  * file-4.21-xcursor.dif
  * file-5.19-biorad.dif
  * file-5.19-printf.dif
  * file-5.22-elf.dif
  * file-5.28-btrfs-image.dif
  * file-secure_getenv.patch
- Remove patches now upstream
  * file-5.47-regression.dif
  * file-5.47-s390x.patch
  * file-5.47-stanza.patch

==== fwupd ====
Version update (2.1.3 -> 2.1.4)
Subpackages: fwupd-bash-completion fwupd-lang libfwupd3 typelib-1_0-Fwupd-2_0

- Update to version 2.1.4:
  + This release adds the following features:
    - Add a libcrypto-based JCat implementation for Android
    - Add support for NixOS to the quickstart script
    - Add support for the Compal BIOS version format
    - Allow a remote to specify that a username or password is required
    - Allow storing a per-user password in XDG_CONFIG_HOME
    - Detect encrypted swap devices below device-mapper
    - Ensure that all firmware subclasses set the maximum size
    - Remove the flashrom plugin
    - Save the SMBIOS BiosReleaseDate string to uploaded reports
    - Tell Star Labs coreboot users to manually update when required
  + This release fixes the following bugs:
    - Add a retry limit when updating failing Goodix MoC devices
    - Add several bounds checks for when updating Dell docks
    - Add vendor name and name for the various Framework UEFI certificates
    - Allow recovery if the Lenovo dock internal state is invalid
    - Avoid truncation when calculating the AMD GPU atombios size
    - Check firmware size against Novatek flash start address
    - Check for config offset overflow when updating Synaptics RMI devices
    - Check for multiplication overflow in BCM57xx stage1 size calculation
    - Check for overflow when writing to CCGX DMC devices
    - Check stream size before calculating Legion HID ID offset
    - Check stream size before subtracting Ilitek ITS CRC length
    - Clear Sunplus camera download state if the previous flash failed
    - Do not show plugin warnings when using --version
    - Filter the install flags provided by the D-Bus client
    - Fix a potential heap buffer overflow in FDT strlist parsing
    - Fix a potential heap buffer overflow in Nordic HID peer validation
    - Fix a potential OOB read in DFOTA modem response parsing
    - Fix a potential path traversal vulnerability in firmware backup
    - Fix a regression when searching for file magic
    - Fix a regression when using report-export --sign
    - Fix fwupd domain check bypass when using Qubes
    - Ignore efivar free space requirement on Microsoft Hyper-V hosts
    - Limit the number of hints a D-Bus client can set
    - Limit the size of parsed USB descriptors to ~64KiB
    - Make it easy to enable an authenticated remote
    - Make the Novatek boot update more reliable
    - Only read BCR from Intel SPI controllers
    - Prevent a possible division by zero error in the progressbar code
    - Prevent decompression bomb attacks in uSWID zlib payload parsing
    - Prevent NVRAM-seeded potential path traversal when loading ESP files
    - Redact the username and password of remotes when using a non-active console
    - Require authorization for firmware installation on emulated devices
    - Require authorization for more D-Bus methods from non-local users
    - Restrict Curl protocols to prevent potential SSRF attacks
    - Restrict ModifyRemote to prevent a supply-chain redirection
    - Show a short easy-to-read string as the Pixart touchpad name
    - Tolerate post-quantum CA PKCS#7 failures when using Qubes
    - Validate ACPI PHAT specific data offset before parsing
    - Validate Corsair write size before subtracting header size
    - Validate DFU address offset before parsing the header
    - Validate Elan touchpad IAP address is within firmware bounds
    - Validate Logitech TAP AP region bounds before calculating size
    - Validate payload length is large enough for FPC sec-link
    - Validate sector range before writing pixart-tp firmware
    - Validate VBE area start does not exceed area size
    - Validate write offset does not exceed TI TPS6598x stream size
  + This release adds support for the following hardware:
    - Egis MoC devices with PID 9201
    - Intel Arc Pro B65 and Arc Pro B70 (#10389)
    - Lenovo dock devices in 'provisioned' mode
    - Pixart TP devices with PID 1343
    - Several GigaDevice and Puya SPI chips
- Drop no longer needed BuildRequires: pkgconfig(jcat), pkgconfig(flashrom)

==== hplip ====
Subpackages: hplip-base hplip-common hplip-cups hplip-driver-hpcups hplip-sane libhplip0

- hp-plugin: fix plugin installation from local file (lp#2154206)
  * add pluginhandler-fix-plugin-installation-from-local-fil.patch

==== lftp ====

- Revert changes to "lftp-4.9.2-cdefs.patch" from 2025-08-06. The updated patch does not apply to our code and breaks the build on ppc64le. We'll stick to our local copy for the time being instead of following src.fedoraproject.org.

==== ncurses ====
Version update (6.6.20260530 -> 6.6.20260608)
Subpackages: libncurses6 ncurses-utils terminfo terminfo-base terminfo-iterm terminfo-screen

- Add ncurses patch 20260608
  + amend *.map to put recent cookie-related functions in a new tinfo ".current" section (report by Sven Joachim).
  + add npc to kmscon, fixing flash -TD
- Add ncurses patch 20260607
  + actually add kmscon (report by Branden Robinson)
- Add ncurses patch 20260606
  + add kmscon (report by Jocelyn Falempe) -TD
  + fix a minor regression in infocmp -g option.
  + fixes for compiler warnings/cppcheck.

==== openSUSE-release ====
Version update (20260609 -> 20260610)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== patterns-base ====
Subpackages: patterns-base-apparmor patterns-base-base patterns-base-basesystem patterns-base-basic_desktop patterns-base-console patterns-base-enhanced_base patterns-base-minimal_base patterns-base-selinux patterns-base-sw_management patterns-base-x11 patterns-base-x11_enhanced

- only do Requires: libyui-ncurses-pkg and libyui-qt-pkg if Tumbleweed since libyui is no longer available in Leap 16.1

==== perl-Cpanel-JSON-XS ====
Version update (4.410.0 -> 4.420.0)

- updated to 4.420.0 (4.42)
  see /usr/share/doc/packages/perl-Cpanel-JSON-XS/Changes

  4.42 2026-06-27 (rurban)
    - Ensure encode with a type spec hashref does not change the hashref argument (GH #240)
    - Fix -e docs: "written" → "read" (GH #239, reported by Ron Savage).
    - Fix Boolean eq overload matching undef (GH #207, reported by fd-t). Cpanel::JSON::XS::Boolean overloaded eq would match undef as equal to false because undef stringifies to "". Added defined() guard.
    - Fix error messages showing overloaded stringification for blessed objects (GH #191, reported by karenetheridge). Error messages now use ClassName=TYPE(addr) format, bypassing any "" overload.
    - Fix type_all_string overriding allow_blessed/convert_blessed (GH #175, reported by alpha6). With type_all_string + allow_blessed, blessed objects are now encoded as null (not stringified as HASH address).
    - Fix infinite recursion when encode is called from a "" overload (GH #128, reported by pbrthemaster). The recursion guard temporarily clears convert_blessed and allow_stringify flags on the JSON object before calling the overload, preventing re-entrant encode loops.
    - Fix $obj->new creating a broken object (GH #93, reported by cpansprout). When new() is called on an existing object (e.g. $json->new->new), the class name is now extracted from the object's stash rather than using the stringified reference.
    - Change allow_nonref default to true (GH #241, matching JSON::PP and JSON::XS 4.0+ and the insecure RFC 7159). encode and decode now accept non-reference values by default. decode_json() with an explicit 0/1 second argument still works. allow_nonref(0) to disable scalars-only for secure JSON.
    - Fix minor t/12_blessed.t typo.
    - Fix GH #112: encode large whole-number NV values without .0 on 32-bit Perl (values exceeding UV_MAX that Perl stores as float).
    - Fix GH #197: prefer IOK over pNOK when encoding values where IV is accurate but NV is imprecise (SvNOK not set).

==== sdl2-compat ====
Version update (2.32.68 -> 2.32.70)

- Update to release 2.32.70
  * Fixed showing the on-screen keyboard at application startup.

==== shotwell ====
Version update (0.32.16 -> 0.32.17)
Subpackages: shotwell-lang

- Update to version 0.32.17:
  + Fix issue with Flickr and non-latin titles

==== systemd ====
Version update (260.1 -> 260.2)
Subpackages: libsystemd0 libsystemd0-32bit libudev1 systemd-32bit systemd-boot systemd-container systemd-lang udev

- Temporarily add 1001-units-drop-Before-sockets.target-from-networkd-resol.patch until upstream releases it.
- Import commit a1ca0edbe97b747694600671445c19aa565f7b7e (merge of v260.2)
  For a complete list of changes, visit:
  https://github.com/openSUSE/systemd/compare/1e45daa2fb423eb95ad00dcc389e03cfea8f86dc...a1ca0edbe97b747694600671445c19aa565f7b7e
  This update includes the following fix:
  a2c799878a logind: keep lingering users at startup-time GC (bsc#1262305)

==== transmission ====
Version update (4.1.1 -> 4.1.2)
Subpackages: transmission-common transmission-gtk transmission-gtk-lang

- Update to 4.1.2:
  + Highlights: Fixed `4.1.0` bug that could cause duplicate HTTP announces to be sent to trackers.
  + All Platforms:
    - Reject benc data that has invalid characters.
    - Fixed a bug during the startup sequence where if one torrent failed to parse, subsequent torrents would also fail.
    - Fixed a bug that stalled some downloads at 99%.
    - Fixed a `4.1.0` upgrade bug that could overwrite `utp_enabled` and `tcp_enabled` settings.
    - Fixed a `4.1.0` crash that could happen when a peer supplied `reqq` value smaller than 32 in LTEP handshake.
    - Fixed a `4.1.0` regression that periodically wrote upload & download stats to disk even when Transmission had been idle since the last write, preventing the stats file's disk from hibernating while idle.
    - Fixed a `4.1.0` bug that prevented TCP peer connections on some systems.
    - Added safeguards to HTTP responses to prevent clickjacking.
    - Fixed edge case that didn't preserve the order of a batch of torrents when moving their queue position up or down.
    - Added sanitization for UTF-8 client names provided by peers during handshake.
    - Stopped appending redundant zeros to blocklist files when downloaded from a remote URL.
    - Fixed a build failure that occurred when building with link-time optimization.
  + Qt Client:
    - Fixed a `4.1.0` crash when parsing some RPC responses from older Transmission servers.
    - Fixed a `4.1.0` bug that saved both deprecated and current settings names to `settings.json`.
  + GTK Client:
    - Fixed a `4.1.0` bug that did not show translated logging level strings.
    - Fixed a `4.1.0` crash when toggling alternative speed limits.
  + Web Client:
    - Fixed a `4.1.0` bug that displayed timestamps in some dropdowns as `6.75:45` instead of `6:45`.
    - Fixed a bug that could show incorrect torrent status when reconnecting to the server after a lost connection.
  + transmission-remote: Improved `transmission-remote` console output for JSON-RPC 2.
- Add ExcludeArch: ix86, stop building for 32bit.