Packages changed: MicroOS-release (20260708 -> 20260709) curl (8.20.0 -> 8.21.0) libXfont2 libva (2.23.0 -> 2.24.0) nvme-cli (2.16 -> 3.0~b.3) openSUSE-build-key python-maturin (1.13.1 -> 1.14.1) python-tornado6 xorg-x11-server === Details === ==== MicroOS-release ==== Version update (20260708 -> 20260709) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== curl ==== Version update (8.20.0 -> 8.21.0) Subpackages: libcurl4 - Update to 8.21.0: * Security fixes: - CVE-2026-8286: wrong STARTTLS connection reuse (bsc#1268402) - CVE-2026-8458: wrong reuse for different services (bsc#1268407) - CVE-2026-8924: traling dot domain super cookie (bsc#1268409) - CVE-2026-8925: SASL double-free (bsc#1268411) - CVE-2026-8926: password leak with netrc and user in URL (bsc#1268412) - CVE-2026-8927: env-set cross-proxy Digest auth state leak (bsc#1268413) - CVE-2026-8932: incomplete mTLS config matching in conn reuse (bsc#1268414) - CVE-2026-9079: stale proxy password leak (bsc#1268415) - CVE-2026-9080: UAF after pause in socket callback (bsc#1268416) - CVE-2026-9545: exposing HTTP/3 early data (bsc#1268417) - CVE-2026-9546: sending old referer (bsc#1268419) - CVE-2026-9547: SSH improper host validation (bsc#1268420) - CVE-2026-10536: HTTP/2 stream-dependency tree UAF (bsc#1268422) - CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop (bsc#1268423) - CVE-2026-11564: Native CA trust persist (bsc#1268424) - CVE-2026-11586: WS Auto-PONG memory exhaustion (bsc#1268425) - CVE-2026-11856: cross-origin Digest auth state leak (bsc#1268426) - CVE-2026-12064: proto-default skips SSH verification (bsc#1268427) * For a complete changelog see: https://curl.se/ch/8.21.0.html - Remove patches now in upstream: curl-disabled-redirect-protocol-message.patch libcurl-fix-wakeup-consumption.patch ==== libXfont2 ==== - bsc1269018_CVE-2026-56001_0001-bitscale-fix-integer-overflow-in-BitmapScaleBitmaps-.patch * BitmapScaleBitmaps Integer Overflow Heap Buffer Overflow (CVE-2026-56001, bsc#1269018) - bsc1269019_CVE-2026-56002_0002-pcfread-validate-bitmap-sizes-and-offsets-against-pe.patch * PCF Font Parsing Heap Buffer Overflow (CVE-2026-56002, bsc#1269019) - bsc1269020_CVE-2026-56003_0003-bitscale-add-bounds-check-to-computeProps-for-proper.patch * computeProps Property Buffer Heap Buffer Overflow (CVE-2026-56003, bsc#1269020) ==== libva ==== Version update (2.23.0 -> 2.24.0) Subpackages: libva-drm2 libva-wayland2 libva-x11-2 libva2 - update to 2.24.0: * va: Add VA_PICTURE_H264_NON_EXISTING flag * va: use secure_getenv instead of getenv in va_x11.c * doc: fix libva av1 link for doxygen * trace: dump input/output data in va_TraceProtectedSessionExecute * trace: Add ProtectedSession Related Log in Trace ==== nvme-cli ==== Version update (2.16 -> 3.0~b.3) - Update to version 3.0~b.3: * Release v3.0-b.3 * doc: Regenerate all docs for v3.0-b.3 * libnvme: rename Python binding to libnvme3 * libnvme: classify scoped IPv6 addresses with the TID's numeric test * libnvme/test: drop the netdb gating from the libnvme tests * nvme-cli/fabrics: resolve hostnames before handing addresses to libnvme * libnvme: reject hostname addresses instead of resolving them * libnvme/util: reimplement numeric address helpers without getaddrinfo * nvme-top: avoid recreating the global NVMe context on topology updates * libnvme: return status from libnvme_refresh_topology() * sfx-nvme: fix sizeof mismatch in calloc in nvme_dump_evtlog() * libnvme/tid: group functions by role in tid.c/tid.h * libnvme/fabrics: use str(), not get_canonical(), in the exclusion log * libnvme/tid: replace per-field setters with a set_identity triplet * libnvme/tid: drop get_hash() and equal() * libnvme/tid: reject hostnames, canonicalize numeric addresses * libnvme/doc: add the smart-TID design * libnvme/doc: state the library/application boundary * nvme-print: Update generic name listing to be platform independent * readme: Add readme section on Windows build and environment setup script * plugins: Add build support on Windows * libnvme: fix null pointer dereference in _discovery_config_json() * nvme_test: Update run_ns_io to be platform agnostic. * nbft: fix missing error checks for ftell() and rewind() * nvme-print: use status variable instead of errno * nvme: do not print status message on default * nvme-print-json: centralize init/finish * nvme-print-json: only output json if none empty * nvme-print: add nvme_show_verbose_* helpder * plugins: add newline after json output * tests: Add linting support for all python files recursively under tests. * tests/plugins: Expand testing framework to support plugin tests * nvme: enable cli for windows build * nvme-top: synthesize NVMe kobject uevent on ENOBUFS * nvme-top: support paging in the top dashboard * nvme-top: restore selected subsystem to the first entry * libnvme-wrap: drop unused code * nvme: add windows support for rpmb hash functions * test: Update build configuration to support testing on Windows * test-uint128: Update tostr_test locale handling to be Windows compatible * tests: Update get features test base on Windows capabilities * tests: Configure PATH for tests in a platform-agnostic way. * tests: Add is_windows check and skip unsupported tests on Windows * libnvme: make discovery connects honor the exclusion list * plugins/exclusion: operate on the default list when --name is omitted * libnvme: substitute RUNDIR into the registry udev rule - spec file updates * removed nvme-cli-rpmlintrc * remove duplicates (fdupes) * rename library package name to libnvme3-1 * fixed soname versioning * added ldconfig section for libnvme * fixed include path * fixed python sitesearch path - Update to version 3.0.b.2: * Release v3.0-b.2 * doc: Regenerate all docs for v3.0-b.2 * ioctl-win: Implement reset_ctrl_device using a PnP-level reset. * nvme-cli/fabrics: note an excluded target on connect under --verbose * doc: move REGISTRY.md under libnvme/design/ * doc: add NVMe-oF exclusion list documentation * nvme-cli/fabrics: add --exclude to nvme disconnect * plugins/exclusion: add the nvme exclusion management plugin * libnvme: add the NVMe-oF exclusion list * libnvme: add the libnvmf_tid transport identity * libnvme: add shared fabrics helpers in preparation for exclusion list * libnvme: drop the log messages from the no-netdb stubs * tree: add windows tree support * tree: add global context to libnvme_get_ctrl_transport * nvme: Open files using nvme_open_rawdata to fix Windows issues * plugins/wdc: fix typed malloc size expressions for log buffers * wdc-nvme: validate PCI ID lookup in wdc_log_page_directory() * tree: replace strdup with xstrdup in nvme_alloc_subsystem() * micron: Fix temp directory access security * micron: Fix possible NULL pointer dereference issues * micron: Fix buffer overflow vulnerabilities * fabrics: split uuid_from_dmi_entries file read function * fabrics: make uuid_from_dmi_entries more robust * wdc-nvme: fix null dereference of sph in get_dev_mgmt_log_page_lid_data() * doc: document nvme-cli-ai companion repository * solidigm: Apply fixes to allow compilation on Windows * micron: Fix command injection vulnerabilities * plugins/sandisk: fix memory leak in sndk_get_enc_drive_capabilities() * libnvme: validate context in libnvme_rescan_ctrl() * nvme: fix null pointer dereference in get_log_offset() * plugins/sed: fix null pointer dereference in sedopal_print_locking_features() * telemetry-log: Fix telemetry-log invalid argument error - Update to version 3.0.b.1: * Release v3.0-b.1 * doc: Regenerate all docs for v3.0-b.1 * libnvme/json: persist the registry owner in the config file * libnvme/test: fix exit-code capture in config-diff.sh * tree-linux: move all sysfs-related code to this file * fabrics: move hostnqn/hostid code to fabrics files * tree: unexport libnvme_host_get_ids * scan: refactor filter API * lib: remove log arguments from global context constructor * linux: move crypto APIs in new header ... changelog too long, skipping 844 lines ... * remmove 0002-fabrics-add-helper-to-update-tls-and-concat.patch ==== openSUSE-build-key ==== - Update key for zSystems (managed by OBS, expires 2026-12-06) - replace gpg-pubkey-f6ab3975-62e9e6fb.asc - by gpg-pubkey-f6ab3975-66f622c2.asc ==== python-maturin ==== Version update (1.13.1 -> 1.14.1) - Update to 1.14.1 * Bump uraimo/run-on-arch-action to v3 to fix pytest job * Fix platform tag logic to generate the same as cpython on AIX * Bump pyo3-introspection * Upgrade cargo-zigbuild & cargo-xwin * Fix issues around crates enabling abi3 and abi3t features * Add PEP 740 publish attestations to PyPI releases * Set PYO3_PYTHON to run scripts for stable ABI builds * Fix shell quoting in CI scripts * Release v1.14.1 - Update to 1.14.0 * Support parent-relative pyproject metadata in sdists * Update PyPI platform tag validation * maint: update setup emsdk action in generate-ci * fix: only shim bin wheels during auditwheel repair * fix: avoid editable ELF truncation from stale hardlinks * Fix Pyodide Emscripten platform tags * build(deps): bump openssl from 0.10.79 to 0.10.80 * Use pax instead of GNU headers for tar * feat: add default exclude pycache and *.pyc files * Documentation: fix the update_readme script * Fix python versions used in integration_pyo3_mixed_conda * Add support for finding free-threaded interpreters for --find-interpreters * build(deps): bump tar from 0.4.45 to 0.4.46 * Stubs: also generate them for mixed PyO3 projects * Don't depend on CFFI on PyPy * resolve_platform_tags: remove a redundant case * GeneratorOutput::additional_files remove Option * Support pyo3 abi3t features on Python3.15 and PyO3 0.29 - update vendor tarball to bump openssl crate to 0.10.80 (fixes CVE-2026-41676 (bsc#1270208), CVE-2026-41677 (bsc#1270620), CVE-2026-41678 (bsc#1270706), CVE-2026-41681 (bsc#1270772), CVE-2026-41898 (bsc#1270801), CVE-2026-44662 (bsc#1270936), CVE-2026-42327 (bsc#1270515), CVE-2026-45784 (bsc#1270994)) ==== python-tornado6 ==== - Fix test_strip_headers_on_redirect's URL-embedded-credentials cases. * Update the test_strip_headers_on_redirect test to Correctly handle credential injection in redirect URLs and account for a known libcurl regression with same-origin redirects. (gh#tornadoweb/tornado#3674) * Add python-tornado6-Fix-test_strip_headers_on_redirects.patch ==== xorg-x11-server ==== Subpackages: xorg-x11-server-Xvfb - bsc1268893_CVE-2026-55999_0002-fb-mi-glamor-reject-glyphs-with-negative-dimensions.patch * glamor Font Atlas Heap Buffer Overflow (CVE-2026-55999, bsc#1268893) - bsc1268893_CVE-2026-55999_0003-glamor-reject-fonts-with-per-glyph-metrics-exceeding.patch * GLX contextTags Use-After-Free in CommonMakeCurrent() (CVE-2026-55999, bsc#1268893) - U_GLX-Free-the-tag-of-the-old-context-later.patch bsc1268894_CVE-2026-56000_0001-glx-free-old-context-tag-before-allocating-new-one-i.patch * GLX contextTags Use-After-Free in CommonMakeCurrent() (CVE-2026-56000, bsc#1268894)