Packages changed:
  MicroOS-release (20260625 -> 20260627)
  glib2 (2.88.1 -> 2.88.2)
  gvfs (1.60.0 -> 1.60.1)
  jq (1.8.1 -> 1.8.2)
  libslirp (4.9.1+1 -> 4.9.3+4)
  libzio (1.14 -> 1.15)
  nftables
  patterns-kde
  tesseract-ocr

=== Details ===

==== MicroOS-release ====
Version update (20260625 -> 20260627)
Subpackages: MicroOS-release-appliance MicroOS-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== glib2 ====
Version update (2.88.1 -> 2.88.2)
Subpackages: glib2-tools libgio-2_0-0 libgirepository-2_0-0 libglib-2_0-0 libgmodule-2_0-0 libgobject-2_0-0 typelib-1_0-GLib-2_0 typelib-1_0-GLibUnix-2_0 typelib-1_0-GModule-2_0 typelib-1_0-GObject-2_0 typelib-1_0-Gio-2_0

- Update to version 2.88.2:
  + gnulib: Fix unused flags variable warning
  + CI: set msys2-clang64 as default job for merges
  + Updated translations.

==== gvfs ====
Version update (1.60.0 -> 1.60.1)
Subpackages: gvfs-backends

- Update to version 1.60.1:
  + smb: Fix authentication fallback broken with Samba 4.24
  + dav: Fix redirect handling to prevent HTTPS downgrade and credential leakage
  + Some other fixes
  + Updated translations.
- Drop gvfs-fix-udisks2-crash.patch: Fixed upstream.

==== jq ====
Version update (1.8.1 -> 1.8.2)
Subpackages: libjq1

- Update to version 1.8.2
  Security fixes
  * CVE-2026-32316: Fix heap buffer overflow in jvp_string_append and jvp_string_copy_replace_bad.
  * CVE-2026-33947: Limit path depth to prevent stack overflow in jv_setpath, jv_getpath, jv_delpaths.
  * CVE-2026-33948: Fix NUL truncation in the JSON parser.
  * CVE-2026-39956: Fix _strindices missing runtime type checks.
  * CVE-2026-39979: Fix out-of-bounds read in jv_parse_sized().
  * CVE-2026-40164: Randomize hash seed to mitigate hash collision DoS attacks.
  * CVE-2026-40612: Limit containment check depth to prevent stack overflow in contains.
  * CVE-2026-41256: Fix NUL truncation in program files loaded with -f.
  * CVE-2026-41257: Fix signed-int overflow in stack_reallocate.
  * CVE-2026-43894: Reject numeric literals longer than DEC_MAX_DIGITS (999999999).
  * CVE-2026-43895: Reject embedded NUL bytes in module import paths.
  * CVE-2026-43896: Limit recursive object merge depth to prevent stack overflow.
  * CVE-2026-44777: Detect circular module imports to prevent stack overflow.
  * CVE-2026-47770: Guard deep structural equality and comparison recursion.
  * CVE-2026-49839: Fix heap-buffer-overflow in raw file loading.
  * CVE-2026-54679: Tighten string length bounds and propagate invalid jv in implode.
  * GHSA-gf4g-95wj-4q4r: Fix use-after-free in args2obj() array argument path.
  * GHSA-hj52-j2c9-r8r4: Fix signed-int overflow in tokenadd to prevent buffer overflow.
  * Limit the number of function parameters and definitions to prevent SEGV.
  * Pre-allocate tokenbuf for string parser to avoid undefined behavior.
  * Avoid stack overflow when freeing deeply nested values.
  * Fix memory leaks and double frees.
  Releasing
  * Update GPG signing key.
  CLI changes
  * Improve error message truncation with closing delimiters.
  * Remove extra space from die function output.
  * Fix raw input flag not to corrupt multi-byte characters.
  * Fix crash when importing a module with errors twice.
  * Increase the maximum printing depth from 256 to 10000.
  Changes to existing functions
  * Fix rtrimstr("") always outputting "".
  * Fix infinite loop and undefined behavior in del(.[nan]).
  * Refactor @uri and @urid to fix multi-byte UTF-8 corruption.
  * Fix tonumber and toboolean to reject strings with embedded null bytes.
  * Fix undefined behavior in modulo operator.
  * Fix reversed pointer subtraction in f_env bounds check.
  * Fix missing validity check in f_strflocaltime after f_localtime.
  * Fix year 2038 problem on 32-bit platforms.
  * Use // instead of //= in from_entries definition.
  Build and test changes
  * Drop strptime test using non-portable %F.
  * Limit oniguruma depth to 1024 in jq_fuzz_execute.
  * Fix localization test for time formatting functions.
  * Fix expected value assertion.
  * Fix typo in tests/jq.test.
  * Refactor tm2jv to handle fractional seconds.
  * Fix jq_fuzz_parse_stream: use iterative parser API for streaming mode.
  * Fix crashes and resource leaks in jq_testsuite.
  * Support building with --disable-maintainer-mode and source != build dir.
  * Respect SOURCE_DATE_EPOCH while generating man page.
  * Fix undefined pointer arithmetic in UTF-8 helpers.
  * Fix one-byte over-read in BASE64_DECODE_TABLE.
- Drop no longer needed patches:
  * CVE-2026-32316.patch
  * CVE-2026-33947.patch
  * CVE-2026-33948.patch
  * CVE-2026-39956.patch
  * CVE-2026-39979.patch
  * CVE-2026-40164.patch
  * CVE-2026-40612.patch
  * CVE-2026-41256.patch
  * CVE-2026-41257.patch
  * CVE-2026-43894.patch
  * CVE-2026-43895.patch
  * CVE-2026-43896.patch
  * CVE-2026-44777_0.patch
  * CVE-2026-44777_1.patch

==== libslirp ====
Version update (4.9.1+1 -> 4.9.3+4)

- Update to version 4.9.3+4:
  * Add CVE information
  * slirp: permit guestfwd to vhost_addr/vnameserver_addr
  * Test qemu migration support
  * Release v4.9.3
  * slirp: Fix migration break on incorrect vmstate retcode
  * Add missing diff url
  * Release v4.9.2
  * tcp_sockclosed: Set linger timer on remaining closing states
  * oob: cap urgent data count to what is actually available
  * bootp: allow https for UEFI HTTP boot
  * ncsi: Document the Get Version ID (GVI) packet handler
  * ncsi: Document why we fix memory alignment by adding 2-byte padding
  * ncsi: add documentation comments to the packet handler table for improved readability
  * Fix byte order
  * SO_ERROR: take the errno as error hint
  * vmstate: pass on read/write errors for state
  * cope with SO_ERROR possibly failing
  * Move the modified 3-Clause BSD text into LICENSE
  * fix: honor dns server port number on macos
- fixes CVE-2026-9539 [bsc#1268903]

==== libzio ====
Version update (1.14 -> 1.15)

- Update to version 1.15
  Refactored zio.c as well as optimized
  - Functional Verification: All compression formats (gzip, bzip2, lzma, xz, zstd) were validated via the test loop.
  - Static Analysis & Bugfixes:
    - Fixed a memory leak and uninitialized value in autodetect and fzopen.
    - Fixed Double-Free vulnerabilities in zio_open_gzip_pipe and zio_open_bzip2_pipe.
  - Compatibility: Verified the HAS_LZMADEC_H path with the legacy lzmadec.h.
  - Optimizations: Replaced heap allocation for the check buffer with a stack-based buffer in fzopen and _knowntype_fdzopen to reduce overhead.

==== nftables ====
Subpackages: libnftables1 python313-nftables

- add support-reproducible-build.patch: this is a cherry pick of four unreleased upstream commits which are needed to properly backport the reproducible build feature.

==== patterns-kde ====

- Disambiguate kde_utilities and kde_utilities_opt pattern summaries (bsc#1267854)

==== tesseract-ocr ====
Subpackages: libtesseract5 tesseract-ocr-common

- Drop the now-unused OpenCL build dependencies opencl-headers and pkgconfig(OpenCL) (boo#1213370):
  * OpenCL support is experimental and disabled (the --enable-opencl configure flag was already removed); these requires were left behind and only bloated the build.
  * With OpenCL off, libtesseract no longer links libOpenCL.so.1, so it no longer fails to start with "libOpenCL.so.1: cannot open shared object file" (boo#1232640).