Packages changed:
  MicroOS-release (20250218 -> 20250219)
  cockpit (322 -> 332)
  cockpit-podman (91 -> 100)
  grub2
  hwdata (0.391 -> 0.392)
  kernel-source (6.13.2 -> 6.13.3)
  orc (0.4.40 -> 0.4.41)
  polkit-default-privs (1550+20250212.5d3f04e -> 1550+20250217.25d4aef)
  sdbootutil (1+git20250210.45458c4 -> 1+git20250219.a796c24)
  selinux-policy (20250212 -> 20250218)
  thin-provisioning-tools
  xen
  xfsprogs (6.11.0 -> 6.13.0)

=== Details ===

==== MicroOS-release ====
Version update (20250218 -> 20250219)
Subpackages: MicroOS-release-appliance MicroOS-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== cockpit ====
Version update (322 -> 332)
Subpackages: cockpit-bridge cockpit-networkmanager cockpit-packagekit cockpit-system cockpit-ws

- Update to 332
- Updated naming convention for motd to issue and relevant patches
- Added 0007-Remove-DynamicUser-setting-as-these-conflict-with-re.patch since dynamic users can't be resolved since systemd is missing in nsswitch bsc#1230638
- Remove 0005-cockpit-ws-user-remove-default-deps.patch
- Fix dynamic users for 330 since systemd isn't included in the nsswitch.conf
- Tidy up pam_oath removal for leap
- Ship a new pam file since Leap15 doesn't have pam_oath
- Don't change motd if we don't have pam_oath
- Properly fix pidfd_getpid
- This can be dropped once we update again as it's been upstreamed
- Update to 330
- Web server: Increased sandboxing, setuid removal, bootc support
- Development: New install mode using systemd-sysext
- update to 329.1:
- cockpit.js: Put back cockpit.{resolve,reject}() to fix subscription-manager-cockpit
- Past updates:
  * 329
    - Shell: Extra warnings when connecting to remote hosts
  * 328:
    - Bug fixes and performance improvements
  * 327:
    - Connect to similar servers without Cockpit installed
  * 326:
    - cockpit-pcp package is now obsolete
    - cockpit/ws container: Connect to servers without installed Cockpit
    - cockpit/ws container: Support host specific SSH keys
    - Storage: Support for Stratis filesystem sizes and limits
  * 325:
    - client: Properly handle unknown SSH host keys
  * 324:
    - Bug fixes and performance improvements
  * 323.1:
    - Translation updates
  * 323:
    - login: Prevent multiple logins in a single browser session
    - Update documentation links

==== cockpit-podman ====
Version update (91 -> 100)

- Update to version 100
  * dropped: correct-container-search.patch as this behaviour is fixed upstream
- New version 99, updates since 91:
  * Update to translations
  * Bug fixes
  * pull images from registries without search API
  * Render ports are ranges in container integration tab

==== grub2 ====
Subpackages: grub2-common grub2-i386-efi grub2-i386-efi-bls grub2-i386-pc grub2-snapper-plugin grub2-x86_64-efi grub2-x86_64-efi-bls

- Security fixes for 2024
  * 0001-misc-Implement-grub_strlcpy.patch
- Fix CVE-2024-45781 (bsc#1233617)
  * 0002-fs-ufs-Fix-a-heap-OOB-write.patch
- Fix CVE-2024-56737 (bsc#1234958)
- Fix CVE-2024-45782 (bsc#1233615)
  * 0003-fs-hfs-Fix-stack-OOB-write-with-grub_strcpy.patch
- Fix CVE-2024-45780 (bsc#1233614)
  * 0004-fs-tar-Integer-overflow-leads-to-heap-OOB-write.patch
- Fix CVE-2024-45783 (bsc#1233616)
  * 0005-fs-hfsplus-Set-a-grub_errno-if-mount-fails.patch
  * 0006-kern-file-Ensure-file-data-is-set.patch
  * 0007-kern-file-Implement-filesystem-reference-counting.patch
- Fix CVE-2025-0624 (bsc#1236316)
  * 0008-net-Fix-OOB-write-in-grub_net_search_config_file.patch
- Fix CVE-2024-45774 (bsc#1233609)
  * 0009-video-readers-jpeg-Do-not-permit-duplicate-SOF0-mark.patch
- Fix CVE-2024-45775 (bsc#1233610)
  * 0010-commands-extcmd-Missing-check-for-failed-allocation.patch
- Fix CVE-2025-0622 (bsc#1236317)
  * 0011-commands-pgp-Unregister-the-check_signatures-hooks-o.patch
- Fix CVE-2025-0622 (bsc#1236317)
  * 0012-normal-Remove-variables-hooks-on-module-unload.patch
- Fix CVE-2025-0622 (bsc#1236317)
  * 0013-gettext-Remove-variables-hooks-on-module-unload.patch
- Fix CVE-2024-45776 (bsc#1233612)
  * 0014-gettext-Integer-overflow-leads-to-heap-OOB-write-or-.patch
- Fix CVE-2024-45777 (bsc#1233613)
  * 0015-gettext-Integer-overflow-leads-to-heap-OOB-write.patch
- Fix CVE-2025-0690 (bsc#1237012)
  * 0016-commands-read-Fix-an-integer-overflow-when-supplying.patch
- Fix CVE-2025-1118 (bsc#1237013)
  * 0017-commands-minicmd-Block-the-dump-command-in-lockdown-.patch
- Fix CVE-2024-45778 (bsc#1233606)
- Fix CVE-2024-45779 (bsc#1233608)
  * 0018-fs-bfs-Disable-under-lockdown.patch
- Fix CVE-2025-0677 (bsc#1237002)
- Fix CVE-2025-0684 (bsc#1237008)
- Fix CVE-2025-0685 (bsc#1237009)
- Fix CVE-2025-0686 (bsc#1237010)
- Fix CVE-2025-0689 (bsc#1237011)
  * 0019-fs-Disable-many-filesystems-under-lockdown.patch
- Fix CVE-2025-1125 (bsc#1237014)
- Fix CVE-2025-0678 (bsc#1237006)
  * 0020-fs-Prevent-overflows-when-allocating-memory-for-arra.patch
- Updated to upstream version
  * 0002-Requiring-authentication-after-tpm-unlock-for-CLI-ac.patch
- Bump upstream SBAT generation to 5

==== hwdata ====
Version update (0.391 -> 0.392)

- Update to version 0.392:
  * Update pci and vendor ids

==== kernel-source ====
Version update (6.13.2 -> 6.13.3)

- Linux 6.13.3 (bsc#1012628).
- irqchip/lan966x-oic: Make CONFIG_LAN966X_OIC depend on CONFIG_MCHP_LAN966X_PCI (bsc#1012628).
- btrfs: fix lockdep splat while merging a relocation root (bsc#1012628).
- btrfs: fix assertion failure when splitting ordered extent after transaction abort (bsc#1012628).
- btrfs: do not output error message if a qgroup has been already cleaned up (bsc#1012628).
- btrfs: fix use-after-free when attempting to join an aborted transaction (bsc#1012628).
- arm64/mm: Ensure adequate HUGE_MAX_HSTATE (bsc#1012628).
- exec: fix up /proc/pid/comm in the execveat(AT_EMPTY_PATH) case (bsc#1012628).
- s390/stackleak: Use exrl instead of ex in __stackleak_poison() (bsc#1012628).
- btrfs: fix data race when accessing the inode's disk_i_size at btrfs_drop_extents() (bsc#1012628).
- btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling (bsc#1012628).
- btrfs: don't use btrfs_set_item_key_safe on RAID stripe-extents (bsc#1012628).
- sched: Don't try to catch up excess steal time (bsc#1012628).
- x86: Convert unreachable() to BUG() (bsc#1012628).
- locking/ww_mutex/test: Use swap() macro (bsc#1012628).
- lockdep: Fix upper limit for LOCKDEP_*_BITS configs (bsc#1012628).
- x86/amd_nb: Restrict init function to AMD-based systems (bsc#1012628).
- drm/virtio: New fence for every plane update (bsc#1012628).
- drm: Add panel backlight quirks (bsc#1012628).
- drm/amd/display: Add support for minimum backlight quirk (bsc#1012628).
- drm: panel-backlight-quirks: Add Framework 13 matte panel (bsc#1012628).
- drm: panel-backlight-quirks: Add Framework 13 glossy and 2.8k panels (bsc#1012628).
- nvkm/gsp: correctly advance the read pointer of GSP message queue (bsc#1012628).
- nvkm: correctly calculate the available space of the GSP cmdq buffer (bsc#1012628).
- drm/tests: hdmi: handle empty modes in find_preferred_mode() (bsc#1012628).
- drm/tests: hdmi: return meaningful value from set_connector_edid() (bsc#1012628).
- drm/amd/display: Populate chroma prefetch parameters, DET buffer fix (bsc#1012628).
- drm/amd/display: Overwriting dualDPP UBF values before usage (bsc#1012628).
- printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX (bsc#1012628).
- drm/msm/dpu: filter out too wide modes if no 3dmux is present (bsc#1012628).
- drm/connector: add mutex to protect ELD from concurrent access (bsc#1012628).
- drm/bridge: anx7625: use eld_mutex to protect access to connector->eld (bsc#1012628).
- drm/bridge: ite-it66121: use eld_mutex to protect access to connector->eld (bsc#1012628).
- drm/amd/display: use eld_mutex to protect access to connector->eld (bsc#1012628).
- drm/exynos: hdmi: use eld_mutex to protect access to connector->eld (bsc#1012628).
- drm/msm/dp: use eld_mutex to protect access to connector->eld (bsc#1012628).
- drm/radeon: use eld_mutex to protect access to connector->eld (bsc#1012628).
- drm/sti: hdmi: use eld_mutex to protect access to connector->eld (bsc#1012628).
- drm/vc4: hdmi: use eld_mutex to protect access to connector->eld (bsc#1012628).
- drm/amd/display: Fix Mode Cutoff in DSC Passthrough to DP2.1 Monitor (bsc#1012628).
- drm/amdgpu: Don't enable sdma 4.4.5 CTXEMPTY interrupt (bsc#1012628).
- drm/amdkfd: Queue interrupt work to different CPU (bsc#1012628).
- drm/bridge: it6505: Change definition MAX_HDCP_DOWN_STREAM_COUNT (bsc#1012628).
- drm/bridge: it6505: fix HDCP Bstatus check (bsc#1012628).
- drm/bridge: it6505: fix HDCP encryption when R0 ready (bsc#1012628).
- drm/bridge: it6505: fix HDCP CTS compare V matching (bsc#1012628).
- drm/bridge: it6505: fix HDCP CTS KSV list wait timer (bsc#1012628).
- safesetid: check size of policy writes (bsc#1012628).
- drm/amd/display: Increase sanitizer frame larger than limit when compile testing with clang (bsc#1012628).
- drm/amd/display: Limit Scaling Ratio on DCN3.01 (bsc#1012628).
- ring-buffer: Make reading page consistent with the code logic (bsc#1012628).
- wifi: ath12k: Fix for out-of bound access error (bsc#1012628).
- wifi: ath12k: ath12k_mac_op_set_key(): fix uninitialized symbol 'ret' (bsc#1012628).
- wifi: rtw89: add crystal_cap check to avoid setting as overflow value (bsc#1012628).
- tun: fix group permission check (bsc#1012628).
- mmc: core: Respect quirk_max_rate for non-UHS SDIO card (bsc#1012628).
... changelog too long, skipping 663 lines ...
- commit fda61c9

==== orc ====
Version update (0.4.40 -> 0.4.41)

- Update to version 0.4.41:
  + orccodemem: Don't modify the process umask, which caused race conditions with other threads
  + x86: various SSE and MMX fixes
  + avx: Fix sqrtps encoding causing an illegal instruction crash
  + Hide internal symbols from ABI and do not install internal headers
  + Rename backend to target, including `orc-backend` meson option and `ORC_BACKEND` environment variable
  + Testsuite, tools: Disambiguate OrcProgram naming conventions
  + Build: Fix `_clear_cache` call for Clang and error out on implicit function declarations
  + opcodes: Use MIN instead of CLAMP for known unsigned values to fix compiler warnings
  + Spelling fix in debug log message

==== polkit-default-privs ====
Version update (1550+20250212.5d3f04e -> 1550+20250217.25d4aef)

- Update to version 1550+20250217.25d4aef:
  * profiles: add systemd-sysupdated (bsc#1237106)

==== sdbootutil ====
Version update (1+git20250210.45458c4 -> 1+git20250219.a796c24)
Subpackages: sdbootutil-snapper sdbootutil-tukit

- Update to version 1+git20250219.a796c24:
  * generator: exit if /etc/crypttab is missing
  * Fix measure-pcr-validator StandardOutput
- Update to version 1+git20250217.f216443:
  * Remove .conf suffix from grubenv (bsc#1237198)
- Update to version 1+git20250214.ef3b642:
  * Add banner reporting PCR 15 mismatch
  * Generate PCR 15 predictions if crypttab changed
  * Create predictions for PCR 15
  * Add measure-pcr-validator service
  * Order devices when FIDO2 keys are used
  * Set BuildArch to noarch
  * Add dracut measure-pcr module with generator
  * Add tpm2-pcr-measure crypttab parameter
  * Fix help indentation

==== selinux-policy ====
Version update (20250212 -> 20250218)
Subpackages: selinux-policy-targeted

- Update to version 20250218:
  * Enable postfix_local_write_mail_spool boolean by default for targeted only
  * Revert "Enable postfix_local_write_mail_spool boolean by default"
  * Support openSUSE-specific krb5kdc paths (bsc#1237064)

==== thin-provisioning-tools ====

- Enable internal testsuite
- Refresh vendored dependencies

==== xen ====

- bsc#1233796 - [XEN][15-SP7-BEAT3] Xen call trace and APIC Error found after reboot operation on AMD machine.
  x86-shutdown-offline-APs-with-interrupts-disabled-on-all-CPUs.patch

==== xfsprogs ====
Version update (6.11.0 -> 6.13.0)

- mkfs: fix filesize function compilation error on 32-bit archs
- add mkfs-fix-filesize-function-compilation-error-on-32-b.patch
- update to 6.13.0
- xfs_protofile: fix device number encoding
- xfs_protofile: fix mode formatting error
- mkfs: fix file size setting when interpreting a protofile
- xfs_repair: require zeroed quota/rt inodes in metadir superblocks
- mkfs: use a default sector size that is also suitable for the rtdev
- xfs_scrub_all.timer: don't run if /var/lib/xfsprogs is readonly
- xfs_logprint: Fix super block buffer interpretation issue
- mkfs: allow sizing realtime allocation groups for concurrency
- build: initialize stack variables to zero by default
- m4: fix statx override selection if /usr/include doesn't define it
- mkfs: fix parsing of value-less -d/-l concurrency cli option
- xfs_db: improve error message when unknown btree type given to btheight
- xfs_repair: don't obliterate return codes
- xfs_db: fix multiple dblock commands
- xfs: don't return an error from xfs_update_last_rtgroup_size for !XFS_RT
- xfs_io: add extsize command support
- xfs_io: allow foreign FSes to show FS_IOC_FSGETXATTR details
- mkfs: enable rt quota options
- xfs_quota: report warning limits for realtime space quotas
- mkfs: add quota flags when setting up filesystem
- xfs_repair: try not to trash qflags on metadir filesystems
- xfs_repair: support quota inodes in the metadata directory
- xfs_db: support metadir quotas
- libfrog: scrub quota file metapaths
- mkfs: format realtime groups
- mkfs: add headers to realtime bitmap blocks
- xfs_scrub: use histograms to speed up phase 8 on the realtime volume
- xfs_scrub: trim realtime volumes too
- xfs_scrub: call GETFSMAP for each rt group in parallel
- xfs_scrub: cleanup fsmap keys initialization
- xfs_scrub: check rtgroup metadata directory connections
- xfs_scrub: scrub realtime allocation group metadata
- xfs_spaceman: report on realtime group health
- xfs_mdrestore: restore rt group superblocks to realtime device
- xfs_io: display rt group in verbose fsmap output
- xfs_io: display rt group in verbose bmap output
- xfs_io: add a command to display realtime group information
- xfs_io: add a command to display allocation group information
- xfs_io: support scrubbing rtgroup metadata paths
- xfs_io: support scrubbing rtgroup metadata
- xfs_db: report rt group and block number in the bmap command
- xfs_db: dump rt summary blocks
- xfs_db: dump rt bitmap blocks
- xfs_db: metadump realtime devices
- xfs_db: metadump metadir rt bitmap and summary files
- xfs_db: enable conversion of rt space units
- xfs_db: support changing the label and uuid of rt superblocks
- xfs_db: support dumping realtime group data and superblocks
- xfs_db: listify the definition of enum typnm
- xfs_db: enable rtconvert to handle segmented rtblocks
- xfs_db: enable the rtblock and rtextent commands for segmented rt block numbers
- xfs_repair: repair rtbitmap and rtsummary block headers
- xfs_repair: support realtime superblocks
- xfs_repair: find and clobber rtgroup bitmap and summary files
- xfs_repair: support realtime groups
- xfs_repair: add a real per-AG bitmap abstraction
- xfs_repair: simplify rt_lock handling
- xfs_repair: improve rtbitmap discrepancy reporting
- xfs_repair: refactor offsetof+sizeof to offsetofend
- xfs_repair: refactor phase4
- xfs_repair: adjust rtbitmap/rtsummary word updates to handle big endian values
- xfs_logprint: report realtime EFIs
- libfrog: add bitmap_clear
- libfrog: report rt groups in output
- libfrog: support scrubbing rtgroup metadata paths
- man: document rgextents geom field
- man: document the rt group geometry ioctl
- mkfs: add a utility to generate protofiles
- mkfs: support copying in xattrs
- mkfs: support copying in large or sparse files
- mkfs.xfs: enable metadata directories
- xfs_repair: do not count metadata directory files when doing quotacheck
- xfs_repair: truncate and unmark orphaned metadata inodes
- xfs_repair: drop all the metadata directory files during pass 4
- xfs_repair: metadata dirs are never plausible root dirs
- xfs_repair: mark space used by metadata files
- xfs_repair: update incore metadata state whenever we create new files
- xfs_repair: don't let metadata and regular files mix
- xfs_repair: rebuild the metadata directory
- xfs_repair: check metadata inode flag
- xfs_repair: dont check metadata directory dirent inumbers
- xfs_repair: handle sb_metadirino correctly when zeroing supers
- xfs_scrub: re-run metafile scrubbers during phase 5
- xfs_scrub: scan metadata directories during phase 3
- xfs_scrub: tread zero-length read verify as an IO error
- xfs_spaceman: report health of metadir inodes too
- xfs_io: support scrubbing metadata directory paths
- xfs_io: support flag for limited bulkstat of the metadata directory
- xfs_db: drop the metadata checking code from blockget
- xfs_db: display di_metatype
- xfs_db: show the metadata root directory when dumping superblocks
- xfs_db: support metadata directories in the path command
- xfs_db: don't obfuscate metadata directories and attributes
- xfs_db: report metadir support for version command
- xfs_db: disable xfs_check when metadir is enabled
- xfs_io: support scrubbing metadata directory paths
... changelog too long, skipping 26 lines ...