SUSE-CU-2026:6169-1: Security update of rancher/seedimage-builder

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Fri Jun 19 07:05:10 UTC 2026


SUSE Container Update Advisory: rancher/seedimage-builder
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:6169-1
Container Tags        : rancher/seedimage-builder:1.9.2 , rancher/seedimage-builder:1.9.2-3.7 , rancher/seedimage-builder:latest
Container Release     : 3.7
Severity              : critical
Type                  : security
References            : 1010996 1010996 1012628 1027519 1035807 1036457 1079600 1084929
                        1084929 1084929 1084929 1084929 1158038 1159034 1159103 1174091
                        1174091 1176053 1188441 1189495 1189788 1193454 1194818 1194818
                        1194869 1196933 1198323 1198823 1198830 1198832 1199079 1199079
                        1199079 1200528 1200723 1201840 1202970 1204538 1204562 1204968
                        1205042 1205462 1205462 1205462 1205588 1206044 1206608 1207266
                        1207377 1207543 1207697 1208690 1208783 1208928 1209831 1210638
                        1210938 1211649 1211721 1211888 1213123 1213873 1214285 1214285
                        1214285 1214364 1214718 1214724 1214869 1214870 1214871 1214960
                        1215199 1215199 1215377 1215377 1215484 1215484 1215628 1215720
                        1216063 1216091 1216091 1216091 1216320 1216355 1216378 1216378
                        1216378 1217070 1217538 1217690 1217782 1217783 1217826 1217877
                        1217885 1217885 1218110 1218345 1218424 1218459 1218459 1218459
                        1218474 1218609 1218609 1218644 1218851 1218879 1218880 1219001
                        1219038 1219041 1219049 1219080 1219276 1219458 1219503 1219559
                        1219559 1219559 1219561 1219561 1219666 1219724 1219823 1219826
                        1219885 1220066 1220096 1220117 1220117 1220252 1220262 1220262
                        1220338 1220338 1220356 1220357 1220523 1220690 1220693 1220696
                        1220724 1220763 1220770 1220771 1220772 1220877 1220905 1220905
                        1221107 1221107 1221126 1221126 1221164 1221239 1221289 1221289
                        1221289 1221326 1221332 1221334 1221342 1221365 1221399 1221400
                        1221482 1221630 1221645 1221652 1221665 1221666 1221667 1221668
                        1221751 1221752 1221753 1221760 1221763 1221763 1221786 1221787
                        1221812 1221821 1221822 1221824 1221827 1221831 1221831 1221854
                        1221854 1221857 1221906 1221940 1221984 1222044 1222121 1222254
                        1222302 1222335 1222350 1222364 1222372 1222387 1222433 1222434
                        1222453 1222465 1222465 1222465 1222548 1222584 1222620 1222625
                        1222633 1222634 1222684 1222808 1222899 1222967 1222973 1222985
                        1222992 1223053 1223074 1223191 1223234 1223293 1223294 1223295
                        1223296 1223297 1223298 1223306 1223336 1223346 1223347 1223348
                        1223353 1223395 1223423 1223424 1223425 1223428 1223596 1223605
                        1223605 1223635 1223720 1223731 1223742 1223763 1223767 1223777
                        1223803 1223849 1223880 1223903 1223947 1224105 1224262 1224282
                        1224285 1224285 1224323 1224386 1224386 1224388 1224415 1224485
                        1224496 1224510 1224535 1224631 1224636 1224690 1224694 1224700
                        1224711 1225070 1225197 1225291 1225365 1225451 1225475 1225551
                        1225582 1225598 1225598 1225607 1225660 1225718 1225751 1225771
                        1225814 1225832 1225838 1225903 1225946 1225953 1226031 1226127
                        1226141 1226412 1226414 1226415 1226447 1226447 1226448 1226448
                        1226463 1226492 1226502 1226529 1226530 1226588 1226604 1226660
                        1226743 1226751 1226765 1226798 1226801 1226834 1226874 1226885
                        1226920 1227010 1227052 1227106 1227117 1227138 1227149 1227182
                        1227186 1227187 1227308 1227316 1227316 1227322 1227355 1227378
                        1227378 1227383 1227437 1227492 1227493 1227494 1227525 1227590
                        1227593 1227594 1227595 1227618 1227620 1227623 1227627 1227634
                        1227706 1227722 1227724 1227725 1227728 1227729 1227732 1227733
                        1227734 1227747 1227750 1227754 1227758 1227760 1227761 1227764
                        1227766 1227770 1227771 1227772 1227774 1227781 1227784 1227785
                        1227787 1227790 1227791 1227792 1227796 1227798 1227799 1227802
                        1227808 1227810 1227811 1227812 1227815 1227816 1227818 1227820
                        1227823 1227824 1227826 1227828 1227829 1227830 1227832 1227833
                        1227834 1227839 1227840 1227846 1227849 1227851 1227853 1227863
                        1227864 1227865 1227867 1227869 1227870 1227883 1227884 1227888
                        1227891 1227893 1227929 1227950 1227957 1227981 1227999 1228020
                        1228021 1228041 1228081 1228081 1228081 1228086 1228086 1228091
                        1228142 1228165 1228182 1228184 1228184 1228192 1228216 1228223
                        1228235 1228236 1228247 1228321 1228409 1228410 1228426 1228427
                        1228429 1228434 1228446 1228447 1228449 1228450 1228452 1228456
                        1228457 1228458 1228459 1228460 1228462 1228463 1228466 1228468
                        1228469 1228470 1228472 1228479 1228480 1228481 1228482 1228483
                        1228484 1228485 1228486 1228487 1228489 1228491 1228492 1228493
                        1228494 1228495 1228496 1228499 1228500 1228501 1228502 1228503
                        1228505 1228508 1228509 1228510 1228511 1228513 1228515 1228516
                        1228518 1228520 1228525 1228527 1228530 1228531 1228535 1228539
                        1228553 1228561 1228563 1228564 1228565 1228567 1228568 1228572
                        1228574 1228575 1228576 1228579 1228580 1228581 1228582 1228584
                        1228586 1228588 1228590 1228591 1228599 1228615 1228616 1228617
                        1228625 1228626 1228633 1228635 1228636 1228640 1228643 1228644
                        1228646 1228649 1228650 1228654 1228655 1228656 1228658 1228659
                        1228660 1228662 1228665 1228666 1228667 1228672 1228673 1228674
                        1228677 1228680 1228687 1228690 1228705 1228706 1228707 1228708
                        1228709 1228710 1228718 1228720 1228721 1228722 1228723 1228724
                        1228726 1228727 1228728 1228733 1228737 1228743 1228748 1228754
                        1228756 1228757 1228758 1228764 1228766 1228779 1228780 1228780
                        1228801 1228809 1228849 1228850 1228857 1228879 1228959 1228964
                        1228966 1228967 1228971 1228973 1228977 1228978 1228979 1228986
                        1228988 1228989 1228991 1228992 1229003 1229003 1229005 1229007
                        1229024 1229025 1229042 1229045 1229046 1229047 1229054 1229056
                        1229069 1229086 1229106 1229109 1229122 1229122 1229122 1229122
                        1229122 1229122 1229122 1229134 1229136 1229137 1229154 1229156
                        1229160 1229163 1229164 1229167 1229168 1229169 1229170 1229171
                        1229172 1229173 1229174 1229228 1229228 1229238 1229239 1229240
                        1229241 1229243 1229244 1229245 1229246 1229247 1229248 1229249
                        1229250 1229251 1229252 1229253 1229254 1229255 1229256 1229272
                        1229287 1229290 1229291 1229292 1229294 1229296 1229297 1229298
                        1229299 1229301 1229303 1229304 1229305 1229307 1229309 1229312
                        1229313 1229314 1229315 1229316 1229317 1229318 1229319 1229320
                        1229327 1229339 1229341 1229342 1229344 1229345 1229346 1229347
                        1229349 1229350 1229351 1229353 1229354 1229355 1229356 1229357
                        1229358 1229359 1229360 1229365 1229366 1229369 1229370 1229373
                        1229374 1229376 1229379 1229381 1229382 1229383 1229386 1229388
                        1229390 1229391 1229392 1229395 1229398 1229399 1229400 1229402
                        1229403 1229404 1229407 1229409 1229410 1229411 1229413 1229414
                        1229417 1229444 1229451 1229452 1229455 1229456 1229465 1229472
                        1229476 1229480 1229481 1229482 1229484 1229485 1229486 1229487
                        1229488 1229489 1229490 1229493 1229495 1229496 1229497 1229500
                        1229503 1229518 1229539 1229596 1229685 1229704 1229707 1229739
                        1229743 1229746 1229747 1229752 1229754 1229755 1229756 1229759
                        1229761 1229767 1229781 1229784 1229785 1229787 1229788 1229789
                        1229792 1229820 1229822 1229827 1229830 1229837 1229930 1229930
                        1229930 1229931 1229931 1229931 1229932 1229932 1229932 1229940
                        1229950 1229952 1229952 1229997 1230007 1230029 1230029 1230052
                        1230056 1230078 1230093 1230093 1230145 1230227 1230267 1230322
                        1230468 1230516 1230551 1230552 1230596 1230615 1230642 1230642
                        1230679 1230698 1230698 1230778 1230840 1230861 1230861 1230906
                        1230944 1230944 1231048 1231055 1231141 1231185 1231185 1231208
                        1231230 1231284 1231284 1231328 1231328 1231373 1231463 1231472
                        1231472 1231476 1231494 1231499 1231565 1231565 1231589 1231591
                        1231605 1231605 1231698 1231698 1231714 1231727 1231775 1231776
                        1231792 1231792 1231795 1231833 1231986 1232024 1232030 1232063
                        1232063 1232227 1232227 1232234 1232234 1232241 1232276 1232351
                        1232411 1232425 1232458 1232528 1232528 1232579 1232579 1232579
                        1232579 1232601 1232601 1232770 1232844 1232844 1232921 1232931
                        1232948 1233078 1233078 1233282 1233289 1233289 1233313 1233322
                        1233333 1233517 1233529 1233593 1233594 1233606 1233608 1233609
                        1233610 1233612 1233613 1233614 1233615 1233616 1233617 1233667
                        1233668 1233699 1233752 1233752 1233773 1233785 1234015 1234015
                        1234015 1234015 1234022 1234022 1234027 1234050 1234068 1234068
                        1234100 1234100 1234100 1234101 1234101 1234101 1234102 1234102
                        1234102 1234103 1234103 1234103 1234104 1234104 1234104 1234128
                        1234128 1234313 1234313 1234383 1234512 1234563 1234634 1234665
                        1234665 1234718 1234736 1234736 1234752 1234765 1234765 1234765
                        1234798 1234798 1234812 1234812 1234881 1234881 1234958 1234959
                        1234959 1235147 1235151 1235265 1235475 1235475 1235475 1235598
                        1235636 1235695 1235784 1235786 1235849 1235905 1236045 1236045
                        1236046 1236046 1236136 1236136 1236136 1236151 1236177 1236177
                        1236217 1236217 1236217 1236217 1236217 1236217 1236217 1236217
                        1236270 1236282 1236282 1236282 1236316 1236317 1236384 1236481
                        1236507 1236533 1236588 1236589 1236590 1236619 1236619 1236621
                        1236621 1236632 1236664 1236705 1236801 1236801 1236801 1236820
                        1236839 1236839 1236877 1236878 1236878 1236886 1236886 1236939
                        1236976 1236977 1236978 1236982 1236982 1236983 1236999 1237000
                        1237001 1237002 1237003 1237005 1237006 1237008 1237009 1237010
                        1237011 1237012 1237013 1237014 1237018 1237019 1237020 1237021
                        1237042 1237044 1237096 1237137 1237147 1237172 1237363 1237363
                        1237370 1237370 1237418 1237418 1237496 1237496 1237587 1237618
                        1237641 1237695 1237695 1237949 1238315 1238450 1238472 1238572
                        1238572 1238591 1238593 1238686 1238700 1238700 1238724 1238848
                        1238849 1238929 1239012 1239092 1239182 1239206 1239210 1239225
                        1239334 1239335 1239335 1239385 1239439 1239439 1239533 1239543
                        1239618 1239618 1239623 1239625 1239632 1239637 1239718 1239749
                        1239749 1239763 1239809 1239866 1239883 1239883 1239941 1239944
                        1240009 1240009 1240031 1240070 1240132 1240150 1240310 1240311
                        1240343 1240343 1240366 1240366 1240385 1240414 1240414 1240466
                        1240529 1240550 1240550 1240623 1240626 1240698 1240755 1240764
                        1240870 1240897 1240897 1240919 1240919 1240997 1241002 1241002
                        1241020 1241020 1241052 1241052 1241078 1241078 1241083 1241083
                        1241112 1241114 1241114 1241166 1241190 1241190 1241205 1241219
                        1241284 1241453 1241453 1241463 1241474 1241551 1241551 1241612
                        1241637 1241680 1241680 1241724 1241802 1241826 1241826 1241826
                        1241830 1241857 1241857 1241857 1241872 1241897 1241938 1241957
                        1241957 1242011 1242063 1242114 1242170 1242170 1242174 1242300
                        1242505 1242623 1242631 1242715 1242827 1242827 1242844 1242844
                        1242938 1242938 1242971 1242974 1242986 1242987 1242987 1243005
                        1243105 1243106 1243109 1243112 1243166 1243226 1243226 1243226
                        1243254 1243254 1243268 1243268 1243268 1243274 1243279 1243297
                        1243313 1243314 1243317 1243317 1243332 1243397 1243419 1243419
                        1243422 1243423 1243443 1243452 1243457 1243503 1243505 1243505
                        1243507 1243581 1243633 1243662 1243706 1243756 1243760 1243767
                        1243767 1243787 1243802 1243833 1243861 1243867 1243887 1243901
                        1243923 1243933 1243935 1243935 1243992 1243997 1244003 1244011
                        1244035 1244042 1244057 1244079 1244079 1244105 1244156 1244156
                        1244156 1244156 1244157 1244157 1244157 1244157 1244158 1244263
                        1244325 1244325 1244325 1244449 1244449 1244449 1244485 1244485
                        1244485 1244485 1244509 1244509 1244550 1244550 1244554 1244554
                        1244555 1244555 1244557 1244557 1244561 1244561 1244564 1244564
                        1244565 1244565 1244566 1244566 1244567 1244567 1244568 1244568
                        1244570 1244570 1244571 1244571 1244572 1244572 1244574 1244574
                        1244575 1244575 1244580 1244580 1244596 1244680 1244700 1244700
                        1244705 1244710 1244933 1244937 1245169 1245193 1245203 1245220
                        1245274 1245275 1245292 1245292 1245309 1245309 1245310 1245310
                        1245311 1245311 1245312 1245312 1245314 1245314 1245317 1245317
                        1245452 1245496 1245551 1245551 1245636 1245667 1245672 1245738
                        1245759 1245878 1245878 1245914 1245931 1245953 1245969 1245985
                        1246011 1246019 1246025 1246038 1246080 1246118 1246151 1246184
                        1246197 1246197 1246231 1246282 1246296 1246296 1246360 1246360
                        1246399 1246460 1246464 1246466 1246472 1246481 1246486 1246504
                        1246556 1246597 1246597 1246602 1246602 1246604 1246622 1246623
                        1246706 1246707 1246730 1246743 1246806 1246934 1246934 1246965
                        1246965 1246974 1246974 1246974 1246995 1246995 1246995 1247030
                        1247054 1247074 1247074 1247105 1247106 1247108 1247114 1247117
                        1247193 1247222 1247228 1247240 1247242 1247242 1247249 1247286
                        1247286 1247292 1247326 1247326 1247367 1247432 1247470 1247495
                        1247495 1247500 1247539 1247581 1247582 1247594 1247594 1247690
                        1247712 1247719 1247720 1247735 1247816 1247816 1247816 1247816
                        1247819 1247819 1247850 1247850 1247850 1247858 1247858 1247858
                        1247884 1247885 1247907 1247938 1247939 1247948 1248006 1248082
                        1248093 1248097 1248117 1248158 1248158 1248166 1248175 1248178
                        1248179 1248185 1248188 1248196 1248206 1248208 1248209 1248211
                        1248212 1248213 1248214 1248216 1248217 1248222 1248227 1248228
                        1248229 1248232 1248234 1248240 1248301 1248330 1248356 1248356
                        1248356 1248360 1248366 1248373 1248373 1248373 1248384 1248400
                        1248410 1248438 1248501 1248501 1248501 1248502 1248516 1248516
                        1248586 1248586 1248586 1248626 1248630 1248631 1248660 1248670
                        1248672 1248678 1248687 1248842 1248897 1248937 1249013 1249049
                        1249088 1249090 1249128 1249130 1249140 1249147 1249161 1249179
                        1249191 1249191 1249191 1249207 1249208 1249226 1249235 1249241
                        1249302 1249307 1249317 1249348 1249348 1249348 1249367 1249367
                        1249367 1249375 1249375 1249375 1249385 1249385 1249391 1249397
                        1249398 1249417 1249450 1249495 1249512 1249537 1249584 1249584
                        1249584 1249590 1249608 1249609 1249657 1249686 1249735 1249814
                        1249895 1249985 1249998 1250003 1250032 1250082 1250086 1250091
                        1250133 1250192 1250202 1250224 1250232 1250232 1250232 1250233
                        1250234 1250279 1250349 1250373 1250379 1250388 1250388 1250399
                        1250400 1250410 1250413 1250436 1250452 1250455 1250471 1250471
                        1250491 1250508 1250508 1250508 1250513 1250536 1250553 1250553
                        1250553 1250553 1250562 1250562 1250562 1250566 1250567 1250573
                        1250596 1250625 1250628 1250632 1250655 1250664 1250692 1250704
                        1250705 1250721 1250738 1250748 1250748 1250749 1250946 1250952
                        1250983 1250983 1251135 1251176 1251177 1251194 1251213 1251232
                        1251233 1251253 1251253 1251254 1251254 1251255 1251255 1251256
                        1251256 1251257 1251257 1251258 1251258 1251259 1251259 1251260
                        1251260 1251261 1251261 1251262 1251262 1251263 1251275 1251276
                        1251277 1251305 1251363 1251442 1251511 1251511 1251511 1251547
                        1251649 1251679 1251679 1251679 1251679 1251794 1251795 1251804
                        1251809 1251819 1251827 1251827 1251827 1251850 1251930 1251933
                        1251956 1251958 1251958 1251959 1251959 1251960 1251960 1251966
                        1251967 1251971 1251979 1251981 1251982 1252008 1252025 1252025
                        1252033 1252035 1252036 1252039 1252044 1252046 1252047 1252048
                        1252051 1252052 1252056 1252060 1252062 1252064 1252065 1252067
                        1252069 1252070 1252072 1252074 1252075 1252076 1252078 1252079
                        1252081 1252082 1252083 1252153 1252217 1252217 1252217 1252224
                        1252250 1252250 1252253 1252265 1252266 1252267 1252270 1252270
                        1252290 1252290 1252290 1252318 1252330 1252333 1252336 1252337
                        1252346 1252348 1252349 1252376 1252390 1252390 1252425 1252525
                        1252543 1252652 1252678 1252679 1252688 1252689 1252696 1252712
                        1252725 1252729 1252734 1252744 1252752 1252752 1252772 1252773
                        1252774 1252780 1252784 1252785 1252787 1252789 1252797 1252819
                        1252822 1252826 1252841 1252848 1252849 1252850 1252851 1252854
                        1252858 1252861 1252862 1252865 1252866 1252873 1252890 1252891
                        1252900 1252902 1252909 1252911 1252915 1252918 1252921 1252924
                        1252930 1252930 1252931 1252931 1252932 1252932 1252933 1252933
                        1252934 1252934 1252935 1252935 1252939 1252974 1253001 1253025
                        1253029 1253029 1253029 1253049 1253060 1253078 1253079 1253087
                        1253126 1253129 1253132 1253140 1253155 1253177 1253177 1253178
                        1253178 1253188 1253193 1253233 1253238 1253262 1253321 1253332
                        1253332 1253333 1253333 1253334 1253344 1253365 1253400 1253404
                        1253413 1253414 1253415 1253415 1253437 1253442 1253458 1253491
                        1253500 1253512 1253581 1253581 1253581 1253584 1253584 1253611
                        1253623 1253637 1253674 1253679 1253691 1253739 1253739 1253740
                        1253741 1253741 1253746 1253757 1253757 1253757 1253783 1253786
                        1253889 1253901 1253901 1253901 1253960 1253963 1253977 1254041
                        1254041 1254079 1254079 1254079 1254094 1254108 1254116 1254126
                        1254128 1254132 1254157 1254157 1254157 1254158 1254158 1254158
                        1254159 1254159 1254159 1254160 1254160 1254160 1254161 1254195
                        1254196 1254196 1254196 1254244 1254244 1254264 1254266 1254293
                        1254293 1254297 1254299 1254308 1254310 1254324 1254336 1254353
                        1254362 1254363 1254378 1254400 1254401 1254408 1254415 1254425
                        1254430 1254431 1254435 1254441 1254441 1254441 1254441 1254441
                        1254441 1254447 1254471 1254472 1254477 1254480 1254480 1254480
                        1254510 1254518 1254519 1254520 1254563 1254563 1254563 1254571
                        1254615 1254616 1254618 1254621 1254624 1254629 1254650 1254662
                        1254666 1254666 1254666 1254670 1254670 1254670 1254679 1254791
                        1254793 1254794 1254795 1254796 1254797 1254798 1254808 1254809
                        1254813 1254815 1254817 1254820 1254821 1254824 1254825 1254827
                        1254828 1254829 1254830 1254832 1254835 1254839 1254840 1254842
                        1254843 1254845 1254846 1254847 1254849 1254850 1254851 1254852
                        1254854 1254856 1254858 1254860 1254861 1254864 1254867 1254868
                        1254869 1254871 1254873 1254878 1254892 1254894 1254900 1254928
                        1254928 1254957 1254959 1254961 1254964 1254977 1254996 1254997
                        1255024 1255026 1255027 1255030 1255034 1255035 1255039 1255040
                        1255041 1255042 1255052 1255053 1255057 1255058 1255064 1255065
                        1255066 1255066 1255066 1255068 1255071 1255072 1255075 1255077
                        1255081 1255082 1255083 1255087 1255092 1255094 1255095 1255097
                        1255099 1255102 1255103 1255111 1255116 1255120 1255121 1255122
                        1255124 1255128 1255129 1255131 1255134 1255135 1255136 1255138
                        1255140 1255142 1255144 1255145 1255146 1255148 1255149 1255150
                        1255152 1255154 1255155 1255156 1255157 1255161 1255164 1255167
                        1255169 1255171 1255172 1255175 1255179 1255181 1255182 1255186
                        1255187 1255190 1255193 1255196 1255197 1255199 1255202 1255203
                        1255206 1255209 1255216 1255218 1255220 1255221 1255223 1255226
                        1255227 1255228 1255230 1255231 1255232 1255233 1255234 1255241
                        1255242 1255243 1255244 1255245 1255246 1255247 1255251 1255252
                        1255253 1255255 1255256 1255259 1255260 1255261 1255262 1255266
                        1255268 1255269 1255272 1255273 1255274 1255276 1255279 1255285
                        1255297 1255311 1255312 1255316 1255318 1255319 1255325 1255326
                        1255326 1255327 1255329 1255346 1255346 1255349 1255351 1255354
                        1255357 1255372 1255377 1255378 1255379 1255380 1255395 1255400
                        1255400 1255401 1255402 1255403 1255415 1255417 1255428 1255433
                        1255434 1255459 1255480 1255482 1255483 1255488 1255489 1255490
                        1255491 1255493 1255495 1255505 1255506 1255507 1255508 1255509
                        1255526 1255527 1255529 1255530 1255533 1255536 1255537 1255541
                        1255542 1255544 1255547 1255550 1255552 1255553 1255567 1255569
                        1255572 1255580 1255593 1255601 1255603 1255611 1255614 1255622
                        1255672 1255678 1255688 1255694 1255695 1255698 1255703 1255706
                        1255707 1255708 1255709 1255715 1255721 1255722 1255723 1255724
                        1255731 1255731 1255731 1255732 1255732 1255732 1255733 1255733
                        1255733 1255734 1255734 1255734 1255764 1255765 1255765 1255768
                        1255811 1255812 1255813 1255814 1255816 1255821 1255822 1255823
                        1255858 1255868 1255895 1255930 1255931 1255932 1255934 1255943
                        1255944 1256013 1256025 1256032 1256070 1256070 1256105 1256105
                        1256105 1256160 1256238 1256244 1256246 1256340 1256341 1256341
                        1256341 1256389 1256390 1256399 1256418 1256427 1256427 1256427
                        1256435 1256436 1256457 1256459 1256483 1256484 1256484 1256495
                        1256498 1256499 1256500 1256525 1256525 1256525 1256526 1256526
                        1256526 1256572 1256576 1256579 1256582 1256584 1256586 1256591
                        1256592 1256593 1256594 1256597 1256605 1256606 1256607 1256608
                        1256609 1256610 1256611 1256612 1256613 1256616 1256617 1256619
                        1256622 1256623 1256624 1256624 1256624 1256625 1256627 1256628
                        1256630 1256632 1256638 1256640 1256641 1256643 1256644 1256644
                        1256644 1256645 1256646 1256650 1256651 1256653 1256654 1256655
                        1256656 1256659 1256660 1256661 1256664 1256665 1256667 1256668
                        1256674 1256675 1256677 1256679 1256680 1256682 1256683 1256688
                        1256689 1256708 1256716 1256717 1256718 1256719 1256720 1256721
                        1256722 1256723 1256724 1256725 1256726 1256728 1256730 1256732
                        1256733 1256734 1256737 1256738 1256739 1256741 1256742 1256744
                        1256748 1256749 1256752 1256754 1256755 1256756 1256757 1256759
                        1256760 1256761 1256763 1256766 1256766 1256766 1256770 1256773
                        1256774 1256777 1256779 1256780 1256780 1256781 1256784 1256785
                        1256792 1256793 1256794 1256794 1256802 1256804 1256804 1256804
                        1256805 1256805 1256805 1256805 1256805 1256807 1256807 1256807
                        1256808 1256808 1256808 1256809 1256809 1256809 1256810 1256810
                        1256810 1256811 1256811 1256811 1256812 1256812 1256812 1256816
                        1256816 1256817 1256817 1256818 1256818 1256819 1256819 1256820
                        1256820 1256821 1256821 1256822 1256822 1256822 1256829 1256830
                        1256830 1256830 1256831 1256832 1256833 1256834 1256834 1256834
                        1256835 1256835 1256835 1256836 1256836 1256836 1256837 1256837
                        1256837 1256838 1256838 1256838 1256839 1256839 1256839 1256840
                        1256840 1256840 1256841 1256864 1256865 1256865 1256867 1256867
                        1256876 1256878 1256880 1256906 1256928 1256940 1256941 1256942
                        1256943 1256944 1256945 1256946 1256947 1256962 1256969 1256975
                        1256976 1257005 1257005 1257005 1257007 1257010 1257010 1257015
                        1257029 1257031 1257035 1257042 1257046 1257049 1257053 1257076
                        1257111 1257143 1257144 1257144 1257144 1257153 1257154 1257154
                        1257155 1257158 1257159 1257163 1257164 1257167 1257168 1257174
                        1257179 1257180 1257181 1257181 1257202 1257204 1257207 1257208
                        1257209 1257215 1257217 1257218 1257220 1257221 1257222 1257225
                        1257227 1257228 1257231 1257232 1257234 1257235 1257236 1257238
                        1257238 1257243 1257244 1257245 1257246 1257274 1257276 1257277
                        1257279 1257282 1257296 1257309 1257325 1257332 1257353 1257354
                        1257355 1257359 1257359 1257364 1257364 1257364 1257365 1257365
                        1257365 1257396 1257463 1257466 1257472 1257473 1257473 1257474
                        1257490 1257490 1257492 1257496 1257496 1257496 1257504 1257521
                        1257551 1257552 1257553 1257554 1257556 1257557 1257559 1257560
                        1257561 1257562 1257565 1257570 1257572 1257573 1257576 1257579
                        1257580 1257581 1257583 1257586 1257593 1257593 1257593 1257594
                        1257594 1257594 1257595 1257595 1257595 1257600 1257603 1257625
                        1257625 1257631 1257635 1257661 1257667 1257667 1257669 1257679
                        1257682 1257686 1257687 1257688 1257692 1257703 1257704 1257705
                        1257706 1257707 1257709 1257714 1257715 1257716 1257718 1257722
                        1257723 1257726 1257729 1257730 1257732 1257734 1257735 1257737
                        1257739 1257740 1257741 1257742 1257743 1257744 1257745 1257746
                        1257747 1257749 1257750 1257755 1257757 1257758 1257759 1257761
                        1257762 1257763 1257765 1257768 1257770 1257772 1257775 1257776
                        1257788 1257789 1257790 1257805 1257808 1257809 1257811 1257813
                        1257814 1257815 1257816 1257817 1257818 1257825 1257825 1257830
                        1257831 1257875 1257877 1257882 1257895 1257904 1257908 1257912
                        1257918 1257927 1257942 1257952 1257955 1257960 1257976 1258002
                        1258002 1258002 1258005 1258008 1258009 1258010 1258011 1258020
                        1258020 1258020 1258022 1258022 1258045 1258045 1258045 1258049
                        1258049 1258049 1258051 1258051 1258054 1258054 1258054 1258074
                        1258080 1258080 1258080 1258081 1258081 1258081 1258083 1258143
                        1258153 1258163 1258167 1258181 1258183 1258183 1258184 1258193
                        1258222 1258229 1258231 1258232 1258234 1258236 1258237 1258245
                        1258249 1258252 1258256 1258258 1258259 1258272 1258273 1258276
                        1258277 1258279 1258286 1258289 1258290 1258297 1258298 1258299
                        1258303 1258304 1258308 1258309 1258311 1258311 1258311 1258313
                        1258317 1258319 1258321 1258323 1258324 1258326 1258331 1258338
                        1258344 1258349 1258354 1258355 1258358 1258374 1258376 1258377
                        1258379 1258389 1258392 1258392 1258392 1258394 1258395 1258397
                        1258411 1258415 1258419 1258421 1258422 1258423 1258424 1258429
                        1258430 1258442 1258455 1258461 1258464 1258465 1258468 1258469
                        1258483 1258484 1258489 1258506 1258509 1258517 1258518 1258519
                        1258520 1258524 1258544 1258568 1258637 1258655 1258660 1258664
                        1258672 1258743 1258748 1258749 1258757 1258759 1258763 1258765
                        1258767 1258769 1258770 1258771 1258772 1258774 1258775 1258776
                        1258779 1258780 1258784 1258784 1258785 1258786 1258786 1258787
                        1258790 1258790 1258791 1258792 1258793 1258799 1258802 1258805
                        1258807 1258810 1258812 1258818 1258821 1258824 1258859 1258859
                        1258945 1258953 1258954 1258960 1259017 1259018 1259051 1259051
                        1259079 1259080 1259126 1259240 1259271 1259311 1259329 1259362
                        1259362 1259362 1259362 1259362 1259363 1259363 1259363 1259364
                        1259364 1259364 1259365 1259365 1259365 1259367 1259370 1259377
                        1259418 1259418 1259418 1259446 1259447 1259448 1259450 1259451
                        1259452 1259455 1259456 1259456 1259457 1259463 1259464 1259466
                        1259467 1259467 1259468 1259469 1259472 1259497 1259528 1259543
                        1259543 1259548 1259554 1259611 1259616 1259619 1259619 1259619
                        1259623 1259650 1259650 1259650 1259652 1259697 1259697 1259697
                        1259700 1259706 1259711 1259711 1259711 1259713 1259726 1259726
                        1259726 1259728 1259729 1259729 1259729 1259731 1259734 1259735
                        1259767 1259803 1259816 1259825 1259825 1259825 1259842 1259845
                        1259845 1259845 1259859 1259859 1259859 1259859 1259924 1259924
                        1259934 1259935 1259936 1259937 1259938 1259939 1259940 1259941
                        1259942 1259943 1259944 1259945 1259946 1259947 1259948 1259949
                        1259950 1259963 1259989 1260026 1260078 1260078 1260078 1260082
                        1260082 1260082 1260264 1260264 1260265 1260277 1260277 1260277
                        1260441 1260441 1260441 1260442 1260442 1260442 1260443 1260443
                        1260443 1260444 1260444 1260444 1260445 1260445 1260445 1260446
                        1260455 1260460 1260462 1260463 1260480 1260482 1260494 1260588
                        1260589 1260754 1260754 1260754 1260755 1260755 1260755 1260871
                        1260876 1260876 1261155 1261155 1261172 1261173 1261174 1261175
                        1261176 1261177 1261178 1261179 1261206 1261206 1261206 1261209
                        1261280 1261280 1261280 1261420 1261427 1261430 1261606 1261606
                        1261621 1261622 1261624 1261630 1261630 1261634 1261639 1261653
                        1261654 1261655 1261656 1261657 1261658 1261659 1261660 1261661
                        1261678 1261678 1261678 1261696 1261705 1261706 1261708 1261712
                        1261717 1261718 1261720 1261772 1261809 1261809 1261809 1261822
                        1261824 1261845 1261845 1261876 1261880 1261938 1261957 1261957
                        1261957 1261970 1261998 1262089 1262134 1262144 1262144 1262216
                        1262220 1262221 1262223 1262223 1262223 1262223 1262223 1262223
                        1262254 1262255 1262315 1262425 1262426 1262464 1262464 1262464
                        1262465 1262465 1262465 1262555 1262631 1262631 1262631 1262632
                        1262632 1262632 1262635 1262635 1262635 1262636 1262636 1262636
                        1262638 1262638 1262638 1262926 1263254 1263366 1263366 1263367
                        1263367 1263689 1263689 1263704 1263705 1263707 1263708 1263709
                        1263710 1263711 1263712 1263713 1263714 1263715 1263716 1264394
                        1264511 1264511 1264511 1264512 1264512 1264512 1264513 1264513
                        1264513 1264514 1264514 1264514 1264515 1264515 1264515 1265296
                        1265296 1265296 1265413 1265578 1265580 1265581 1265582 1265583
                        1265584 1265585 1265586 1265587 1265588 1265589 1265762 1266187
                        1266187 1266187 1266340 1266340 1266341 1266341 1266342 1266342
                        1266344 1266344 1266349 1266349 1266353 1266353 1266355 1266355
                        1266356 1266356 1266357 1266357 1267168 1267168 1267168 1267423
                        1267426 1267442 1267444 1267450 1267874 1268012 1268013 142461
                        391434 441356 441356 528882 544339 553466 614646 619225 831629
                        831629 867620 CVE-2013-0340 CVE-2013-0340 CVE-2014-2240 CVE-2014-2241
                        CVE-2017-14992 CVE-2017-8105 CVE-2017-8287 CVE-2017-9232 CVE-2019-11243
                        CVE-2019-15119 CVE-2019-15903 CVE-2019-15903 CVE-2019-20907 CVE-2019-20907
                        CVE-2019-9947 CVE-2019-9947 CVE-2020-15523 CVE-2020-15523 CVE-2020-15801
                        CVE-2020-15801 CVE-2021-21411 CVE-2022-1996 CVE-2022-25236 CVE-2022-25236
                        CVE-2022-27404 CVE-2022-27405 CVE-2022-27406 CVE-2022-29154 CVE-2022-31022
                        CVE-2022-3821 CVE-2022-45748 CVE-2022-47930 CVE-2022-47930 CVE-2022-48622
                        CVE-2023-26154 CVE-2023-27043 CVE-2023-28746 CVE-2023-31315 CVE-2023-32198
                        CVE-2023-32324 CVE-2023-32360 CVE-2023-34241 CVE-2023-40403 CVE-2023-40574
                        CVE-2023-40575 CVE-2023-40576 CVE-2023-42818 CVE-2023-43010 CVE-2023-4504
                        CVE-2023-45142 CVE-2023-45229 CVE-2023-45230 CVE-2023-45288 CVE-2023-45288
                        CVE-2023-45288 CVE-2023-45853 CVE-2023-45853 CVE-2023-45853 CVE-2023-45866
                        CVE-2023-46839 CVE-2023-46840 CVE-2023-46841 CVE-2023-46842 CVE-2023-47108
                        CVE-2023-50387 CVE-2023-50782 CVE-2023-50782 CVE-2023-50868 CVE-2023-52425
                        CVE-2023-52425 CVE-2023-52425 CVE-2023-52425 CVE-2023-52426 CVE-2023-52426
                        CVE-2023-52489 CVE-2023-52581 CVE-2023-52668 CVE-2023-52688 CVE-2023-52859
                        CVE-2023-52885 CVE-2023-52886 CVE-2023-52887 CVE-2023-52889 CVE-2023-6597
                        CVE-2023-6917 CVE-2024-0397 CVE-2024-0397 CVE-2024-0450 CVE-2024-0450
                        CVE-2024-10041 CVE-2024-10041 CVE-2024-10220 CVE-2024-10389 CVE-2024-10524
                        CVE-2024-10846 CVE-2024-10846 CVE-2024-10963 CVE-2024-10963 CVE-2024-10975
                        CVE-2024-10975 CVE-2024-11053 CVE-2024-11053 CVE-2024-11218 CVE-2024-11218
                        CVE-2024-11218 CVE-2024-11498 CVE-2024-11595 CVE-2024-11596 CVE-2024-11614
                        CVE-2024-11741 CVE-2024-11741 CVE-2024-12084 CVE-2024-12084 CVE-2024-12084
                        CVE-2024-12085 CVE-2024-12085 CVE-2024-12085 CVE-2024-12086 CVE-2024-12086
                        CVE-2024-12086 CVE-2024-12087 CVE-2024-12087 CVE-2024-12087 CVE-2024-12088
                        CVE-2024-12088 CVE-2024-12088 CVE-2024-12133 CVE-2024-12133 CVE-2024-12224
                        CVE-2024-12224 CVE-2024-12678 CVE-2024-12747 CVE-2024-12747 CVE-2024-12747
                        CVE-2024-13176 CVE-2024-13176 CVE-2024-13176 CVE-2024-13484 CVE-2024-13484
                        CVE-2024-13978 CVE-2024-1725 CVE-2024-1931 CVE-2024-2004 CVE-2024-21820
                        CVE-2024-21853 CVE-2024-2193 CVE-2024-2201 CVE-2024-22031 CVE-2024-22211
                        CVE-2024-2236 CVE-2024-2236 CVE-2024-2236 CVE-2024-2312 CVE-2024-2379
                        CVE-2024-23918 CVE-2024-2398 CVE-2024-23984 CVE-2024-2410 CVE-2024-2466
                        CVE-2024-24806 CVE-2024-24968 CVE-2024-2511 CVE-2024-25131 CVE-2024-25133
                        CVE-2024-25621 CVE-2024-26134 CVE-2024-26306 CVE-2024-26458 CVE-2024-26461
                        CVE-2024-26462 CVE-2024-26590 CVE-2024-26631 CVE-2024-26637 CVE-2024-26668
                        CVE-2024-26669 CVE-2024-26677 CVE-2024-26682 CVE-2024-26683 CVE-2024-26735
                        CVE-2024-26808 CVE-2024-26809 CVE-2024-26812 CVE-2024-26835 CVE-2024-26837
                        CVE-2024-26849 CVE-2024-26851 CVE-2024-26976 CVE-2024-27010 CVE-2024-27011
                        CVE-2024-27024 CVE-2024-27049 CVE-2024-27050 CVE-2024-27079 CVE-2024-27403
                        CVE-2024-27433 CVE-2024-27437 CVE-2024-28085 CVE-2024-28085 CVE-2024-28182
                        CVE-2024-28397 CVE-2024-28757 CVE-2024-28757 CVE-2024-28757 CVE-2024-28892
                        CVE-2024-2961 CVE-2024-3019 CVE-2024-31068 CVE-2024-31076 CVE-2024-31142
                        CVE-2024-31143 CVE-2024-31145 CVE-2024-31146 CVE-2024-32039 CVE-2024-32040
                        CVE-2024-32041 CVE-2024-32458 CVE-2024-32459 CVE-2024-32460 CVE-2024-32650
                        CVE-2024-32658 CVE-2024-32659 CVE-2024-32660 CVE-2024-32661 CVE-2024-33599
                        CVE-2024-33600 CVE-2024-33601 CVE-2024-33602 CVE-2024-33655 CVE-2024-34062
                        CVE-2024-34459 CVE-2024-35177 CVE-2024-35177 CVE-2024-35235 CVE-2024-35855
                        CVE-2024-35897 CVE-2024-35902 CVE-2024-35913 CVE-2024-35939 CVE-2024-35949
                        CVE-2024-36039 CVE-2024-36270 CVE-2024-36286 CVE-2024-36288 CVE-2024-36293
                        CVE-2024-36402 CVE-2024-36402 CVE-2024-36403 CVE-2024-36403 CVE-2024-36489
                        CVE-2024-36620 CVE-2024-36621 CVE-2024-36623 CVE-2024-36881 CVE-2024-36907
                        CVE-2024-36929 CVE-2024-36933 CVE-2024-36939 CVE-2024-36970 CVE-2024-36979
                        CVE-2024-37020 CVE-2024-3727 CVE-2024-3727 CVE-2024-37370 CVE-2024-37371
                        CVE-2024-37820 CVE-2024-3817 CVE-2024-38563 CVE-2024-38609 CVE-2024-38662
                        CVE-2024-38822 CVE-2024-38822 CVE-2024-38823 CVE-2024-38823 CVE-2024-38824
                        CVE-2024-38824 CVE-2024-38825 CVE-2024-38825 CVE-2024-38875 CVE-2024-39329
                        CVE-2024-39330 CVE-2024-39355 CVE-2024-39476 CVE-2024-39483 CVE-2024-39484
                        CVE-2024-39486 CVE-2024-39488 CVE-2024-39489 CVE-2024-39491 CVE-2024-39493
                        CVE-2024-39497 CVE-2024-39499 CVE-2024-39500 CVE-2024-39501 CVE-2024-39505
                        CVE-2024-39506 CVE-2024-39508 CVE-2024-39509 CVE-2024-39510 CVE-2024-39614
                        CVE-2024-4030 CVE-2024-4032 CVE-2024-4032 CVE-2024-40635 CVE-2024-40635
                        CVE-2024-40724 CVE-2024-40896 CVE-2024-40896 CVE-2024-40897 CVE-2024-40897
                        CVE-2024-40899 CVE-2024-40900 CVE-2024-40902 CVE-2024-40903 CVE-2024-40904
                        CVE-2024-40905 CVE-2024-40909 CVE-2024-40910 CVE-2024-40911 CVE-2024-40912
                        CVE-2024-40913 CVE-2024-40916 CVE-2024-40920 CVE-2024-40921 CVE-2024-40922
                        CVE-2024-40924 CVE-2024-40926 CVE-2024-40927 CVE-2024-40929 CVE-2024-40930
                        CVE-2024-40932 CVE-2024-40934 CVE-2024-40936 CVE-2024-40938 CVE-2024-40939
                        CVE-2024-40941 CVE-2024-40942 CVE-2024-40943 CVE-2024-40944 CVE-2024-40945
                        CVE-2024-40954 CVE-2024-40956 CVE-2024-40957 CVE-2024-40958 CVE-2024-40959
                        CVE-2024-40962 CVE-2024-40964 CVE-2024-40967 CVE-2024-40976 CVE-2024-40977
                        CVE-2024-40978 CVE-2024-40981 CVE-2024-40982 CVE-2024-40984 CVE-2024-40987
                        CVE-2024-40988 CVE-2024-40989 CVE-2024-40990 CVE-2024-40992 CVE-2024-40994
                        CVE-2024-40995 CVE-2024-40997 CVE-2024-41000 CVE-2024-41001 CVE-2024-41002
                        CVE-2024-41004 CVE-2024-41007 CVE-2024-41009 CVE-2024-41010 CVE-2024-41012
                        CVE-2024-41015 CVE-2024-41016 CVE-2024-41020 CVE-2024-41022 CVE-2024-41024
                        CVE-2024-41025 CVE-2024-41028 CVE-2024-41032 CVE-2024-41035 CVE-2024-41036
                        CVE-2024-41037 CVE-2024-41038 CVE-2024-41039 CVE-2024-41040 CVE-2024-41041
                        CVE-2024-41044 CVE-2024-41045 CVE-2024-41048 CVE-2024-41049 CVE-2024-41050
                        CVE-2024-41051 CVE-2024-41056 CVE-2024-41057 CVE-2024-41058 CVE-2024-41059
                        CVE-2024-41060 CVE-2024-41061 CVE-2024-41062 CVE-2024-41063 CVE-2024-41064
                        CVE-2024-41065 CVE-2024-41066 CVE-2024-41068 CVE-2024-41069 CVE-2024-41070
                        CVE-2024-41071 CVE-2024-41072 CVE-2024-41073 CVE-2024-41074 CVE-2024-41075
                        CVE-2024-41076 CVE-2024-41078 CVE-2024-41079 CVE-2024-41080 CVE-2024-41081
                        CVE-2024-41084 CVE-2024-41087 CVE-2024-41088 CVE-2024-41089 CVE-2024-41092
                        CVE-2024-41093 CVE-2024-41094 CVE-2024-41095 CVE-2024-41096 CVE-2024-41097
                        CVE-2024-41098 CVE-2024-41311 CVE-2024-41996 CVE-2024-41996 CVE-2024-42064
                        CVE-2024-42069 CVE-2024-42070 CVE-2024-42073 CVE-2024-42074 CVE-2024-42076
                        CVE-2024-42077 CVE-2024-42079 CVE-2024-42080 CVE-2024-42082 CVE-2024-42085
                        CVE-2024-42086 CVE-2024-42087 CVE-2024-42089 CVE-2024-42090 CVE-2024-42092
                        CVE-2024-42093 CVE-2024-42095 CVE-2024-42096 CVE-2024-42097 CVE-2024-42098
                        CVE-2024-42101 CVE-2024-42104 CVE-2024-42105 CVE-2024-42106 CVE-2024-42107
                        CVE-2024-42109 CVE-2024-42110 CVE-2024-42113 CVE-2024-42114 CVE-2024-42115
                        CVE-2024-42117 CVE-2024-42119 CVE-2024-42120 CVE-2024-42121 CVE-2024-42122
                        CVE-2024-42124 CVE-2024-42125 CVE-2024-42126 CVE-2024-42127 CVE-2024-42130
                        CVE-2024-42131 CVE-2024-42132 CVE-2024-42133 CVE-2024-42136 CVE-2024-42137
                        CVE-2024-42138 CVE-2024-42139 CVE-2024-42141 CVE-2024-42142 CVE-2024-42143
                        CVE-2024-42144 CVE-2024-42145 CVE-2024-42147 CVE-2024-42148 CVE-2024-42152
                        CVE-2024-42153 CVE-2024-42155 CVE-2024-42156 CVE-2024-42157 CVE-2024-42158
                        CVE-2024-42159 CVE-2024-42161 CVE-2024-42162 CVE-2024-42223 CVE-2024-42224
                        CVE-2024-42225 CVE-2024-42226 CVE-2024-42227 CVE-2024-42228 CVE-2024-42229
                        CVE-2024-42230 CVE-2024-42232 CVE-2024-42236 CVE-2024-42237 CVE-2024-42238
                        CVE-2024-42239 CVE-2024-42240 CVE-2024-42241 CVE-2024-42244 CVE-2024-42245
                        CVE-2024-42246 CVE-2024-42247 CVE-2024-42250 CVE-2024-42253 CVE-2024-42259
                        CVE-2024-42268 CVE-2024-42269 CVE-2024-42270 CVE-2024-42271 CVE-2024-42274
                        CVE-2024-42276 CVE-2024-42277 CVE-2024-42278 CVE-2024-42279 CVE-2024-42280
                        CVE-2024-42281 CVE-2024-42283 CVE-2024-42284 CVE-2024-42285 CVE-2024-42286
                        CVE-2024-42287 CVE-2024-42288 CVE-2024-42289 CVE-2024-42290 CVE-2024-42291
                        CVE-2024-42292 CVE-2024-42295 CVE-2024-42298 CVE-2024-42301 CVE-2024-42302
                        CVE-2024-42303 CVE-2024-42308 CVE-2024-42309 CVE-2024-42310 CVE-2024-42311
                        CVE-2024-42312 CVE-2024-42313 CVE-2024-42314 CVE-2024-42315 CVE-2024-42316
                        CVE-2024-42318 CVE-2024-42319 CVE-2024-42320 CVE-2024-42322 CVE-2024-43374
                        CVE-2024-43784 CVE-2024-43790 CVE-2024-43802 CVE-2024-43803 CVE-2024-43806
                        CVE-2024-43806 CVE-2024-43806 CVE-2024-43816 CVE-2024-43817 CVE-2024-43818
                        CVE-2024-43819 CVE-2024-43821 CVE-2024-43823 CVE-2024-43824 CVE-2024-43825
                        CVE-2024-43826 CVE-2024-43829 CVE-2024-43830 CVE-2024-43831 CVE-2024-43833
                        CVE-2024-43834 CVE-2024-43837 CVE-2024-43839 CVE-2024-43840 CVE-2024-43841
                        CVE-2024-43842 CVE-2024-43846 CVE-2024-43847 CVE-2024-43849 CVE-2024-43850
                        CVE-2024-43851 CVE-2024-43853 CVE-2024-43854 CVE-2024-43855 CVE-2024-43856
                        CVE-2024-43858 CVE-2024-43860 CVE-2024-43861 CVE-2024-43863 CVE-2024-43864
                        CVE-2024-43866 CVE-2024-43867 CVE-2024-43871 CVE-2024-43872 CVE-2024-43873
                        CVE-2024-43874 CVE-2024-43875 CVE-2024-43876 CVE-2024-43877 CVE-2024-43879
                        CVE-2024-43880 CVE-2024-43881 CVE-2024-43882 CVE-2024-43883 CVE-2024-43884
                        CVE-2024-43885 CVE-2024-43889 CVE-2024-43892 CVE-2024-43893 CVE-2024-43894
                        CVE-2024-43895 CVE-2024-43897 CVE-2024-43899 CVE-2024-43900 CVE-2024-43902
                        CVE-2024-43903 CVE-2024-43905 CVE-2024-43906 CVE-2024-43907 CVE-2024-43908
                        CVE-2024-43909 CVE-2024-43911 CVE-2024-43912 CVE-2024-4418 CVE-2024-4467
                        CVE-2024-44906 CVE-2024-44931 CVE-2024-44938 CVE-2024-44939 CVE-2024-45306
                        CVE-2024-45336 CVE-2024-45336 CVE-2024-45336 CVE-2024-45336 CVE-2024-45337
                        CVE-2024-45337 CVE-2024-45337 CVE-2024-45337 CVE-2024-45338 CVE-2024-45338
                        CVE-2024-45339 CVE-2024-45339 CVE-2024-45340 CVE-2024-45340 CVE-2024-45341
                        CVE-2024-45341 CVE-2024-45341 CVE-2024-45341 CVE-2024-45387 CVE-2024-45490
                        CVE-2024-45490 CVE-2024-45490 CVE-2024-45491 CVE-2024-45491 CVE-2024-45491
                        CVE-2024-45492 CVE-2024-45492 CVE-2024-45492 CVE-2024-45679 CVE-2024-45719
                        CVE-2024-45769 CVE-2024-45770 CVE-2024-45774 CVE-2024-45775 CVE-2024-45776
                        CVE-2024-45777 CVE-2024-45778 CVE-2024-45779 CVE-2024-45780 CVE-2024-45781
                        CVE-2024-45782 CVE-2024-45783 CVE-2024-45794 CVE-2024-4603 CVE-2024-4741
                        CVE-2024-47770 CVE-2024-47770 CVE-2024-47814 CVE-2024-48057 CVE-2024-49504
                        CVE-2024-50354 CVE-2024-50354 CVE-2024-50602 CVE-2024-50602 CVE-2024-50602
                        CVE-2024-50602 CVE-2024-50948 CVE-2024-51491 CVE-2024-51491 CVE-2024-51735
                        CVE-2024-51744 CVE-2024-51746 CVE-2024-52003 CVE-2024-52280 CVE-2024-52281
                        CVE-2024-52281 CVE-2024-52282 CVE-2024-52309 CVE-2024-52529 CVE-2024-52533
                        CVE-2024-52594 CVE-2024-52594 CVE-2024-52602 CVE-2024-52602 CVE-2024-52791
                        CVE-2024-52791 CVE-2024-52801 CVE-2024-52804 CVE-2024-52812 CVE-2024-53164
                        CVE-2024-53259 CVE-2024-53263 CVE-2024-53263 CVE-2024-53264 CVE-2024-53858
                        CVE-2024-53862 CVE-2024-54031 CVE-2024-54131 CVE-2024-54132 CVE-2024-54148
                        CVE-2024-55196 CVE-2024-5535 CVE-2024-55549 CVE-2024-5564 CVE-2024-5594
                        CVE-2024-55947 CVE-2024-56138 CVE-2024-56138 CVE-2024-56171 CVE-2024-56171
                        CVE-2024-56323 CVE-2024-56323 CVE-2024-56362 CVE-2024-56406 CVE-2024-56406
                        CVE-2024-56513 CVE-2024-56514 CVE-2024-56515 CVE-2024-56515 CVE-2024-56737
                        CVE-2024-56738 CVE-2024-56738 CVE-2024-57603 CVE-2024-57604 CVE-2024-58251
                        CVE-2024-58266 CVE-2024-6104 CVE-2024-6104 CVE-2024-6119 CVE-2024-6156
                        CVE-2024-6197 CVE-2024-6219 CVE-2024-6232 CVE-2024-6538 CVE-2024-6923
                        CVE-2024-6923 CVE-2024-7254 CVE-2024-7264 CVE-2024-7409 CVE-2024-7592
                        CVE-2024-8088 CVE-2024-8096 CVE-2024-8096 CVE-2024-8176 CVE-2024-8176
                        CVE-2024-8508 CVE-2024-8508 CVE-2024-8676 CVE-2024-9287 CVE-2024-9312
                        CVE-2024-9312 CVE-2024-9313 CVE-2024-9313 CVE-2024-9341 CVE-2024-9407
                        CVE-2024-9407 CVE-2024-9632 CVE-2024-9632 CVE-2024-9675 CVE-2024-9676
                        CVE-2024-9676 CVE-2024-9681 CVE-2024-9681 CVE-2024-9779 CVE-2024-9781
                        CVE-2025-0167 CVE-2025-0377 CVE-2025-0377 CVE-2025-0395 CVE-2025-0395
                        CVE-2025-0395 CVE-2025-0426 CVE-2025-0622 CVE-2025-0624 CVE-2025-0665
                        CVE-2025-0677 CVE-2025-0678 CVE-2025-0684 CVE-2025-0685 CVE-2025-0686
                        CVE-2025-0689 CVE-2025-0690 CVE-2025-0725 CVE-2025-0750 CVE-2025-0750
                        CVE-2025-0840 CVE-2025-0913 CVE-2025-0913 CVE-2025-0913 CVE-2025-0913
                        CVE-2025-0913 CVE-2025-0938 CVE-2025-10148 CVE-2025-10148 CVE-2025-10148
                        CVE-2025-10158 CVE-2025-10158 CVE-2025-10158 CVE-2025-10158 CVE-2025-10158
                        CVE-2025-10158 CVE-2025-10527 CVE-2025-10528 CVE-2025-10529 CVE-2025-10532
                        CVE-2025-10533 CVE-2025-10536 CVE-2025-10537 CVE-2025-10911 CVE-2025-10911
                        CVE-2025-10911 CVE-2025-10911 CVE-2025-11021 CVE-2025-11021 CVE-2025-11021
                        CVE-2025-11065 CVE-2025-11083 CVE-2025-1118 CVE-2025-11187 CVE-2025-11187
                        CVE-2025-11230 CVE-2025-11230 CVE-2025-1125 CVE-2025-11411 CVE-2025-11412
                        CVE-2025-11413 CVE-2025-11414 CVE-2025-11468 CVE-2025-1147 CVE-2025-1148
                        CVE-2025-1149 CVE-2025-11494 CVE-2025-11495 CVE-2025-1150 CVE-2025-1151
                        CVE-2025-1152 CVE-2025-1153 CVE-2025-11561 CVE-2025-11561 CVE-2025-11561
                        CVE-2025-11563 CVE-2025-11563 CVE-2025-11563 CVE-2025-11626 CVE-2025-11708
                        CVE-2025-11709 CVE-2025-11710 CVE-2025-11711 CVE-2025-11712 CVE-2025-11713
                        CVE-2025-11714 CVE-2025-11715 CVE-2025-11731 CVE-2025-1176 CVE-2025-1178
                        CVE-2025-1179 CVE-2025-1180 CVE-2025-1181 CVE-2025-1182 CVE-2025-11896
                        CVE-2025-11961 CVE-2025-11961 CVE-2025-12084 CVE-2025-1215 CVE-2025-1243
                        CVE-2025-12817 CVE-2025-12817 CVE-2025-12818 CVE-2025-12818 CVE-2025-1293
                        CVE-2025-1296 CVE-2025-1296 CVE-2025-13012 CVE-2025-13013 CVE-2025-13014
                        CVE-2025-13015 CVE-2025-13016 CVE-2025-13017 CVE-2025-13018 CVE-2025-13019
                        CVE-2025-13020 CVE-2025-13151 CVE-2025-13151 CVE-2025-13151 CVE-2025-13462
                        CVE-2025-13465 CVE-2025-13499 CVE-2025-13601 CVE-2025-13836 CVE-2025-13837
                        CVE-2025-1386 CVE-2025-13945 CVE-2025-13946 CVE-2025-14017 CVE-2025-14017
                        CVE-2025-14017 CVE-2025-14087 CVE-2025-14104 CVE-2025-14104 CVE-2025-14104
                        CVE-2025-1412 CVE-2025-14327 CVE-2025-14512 CVE-2025-14524 CVE-2025-14524
                        CVE-2025-14524 CVE-2025-14819 CVE-2025-14819 CVE-2025-14819 CVE-2025-14831
                        CVE-2025-14876 CVE-2025-14876 CVE-2025-15079 CVE-2025-15079 CVE-2025-15079
                        CVE-2025-15224 CVE-2025-15224 CVE-2025-15224 CVE-2025-15269 CVE-2025-15275
                        CVE-2025-15279 CVE-2025-15281 CVE-2025-15281 CVE-2025-15281 CVE-2025-15282
                        CVE-2025-15444 CVE-2025-15444 CVE-2025-15467 CVE-2025-15467 CVE-2025-15467
                        CVE-2025-15467 CVE-2025-15468 CVE-2025-15468 CVE-2025-15469 CVE-2025-1795
                        CVE-2025-20033 CVE-2025-20033 CVE-2025-20051 CVE-2025-20053 CVE-2025-20086
                        CVE-2025-20086 CVE-2025-20088 CVE-2025-20088 CVE-2025-20109 CVE-2025-20621
                        CVE-2025-20621 CVE-2025-21088 CVE-2025-21088 CVE-2025-21609 CVE-2025-21613
                        CVE-2025-21613 CVE-2025-21614 CVE-2025-21614 CVE-2025-21816 CVE-2025-22130
                        CVE-2025-22134 CVE-2025-22149 CVE-2025-22149 CVE-2025-22236 CVE-2025-22236
                        CVE-2025-22237 CVE-2025-22237 CVE-2025-22238 CVE-2025-22238 CVE-2025-22239
                        CVE-2025-22239 CVE-2025-22240 CVE-2025-22240 CVE-2025-22241 CVE-2025-22241
                        CVE-2025-22242 CVE-2025-22242 CVE-2025-22247 CVE-2025-22445 CVE-2025-22445
                        CVE-2025-22449 CVE-2025-22449 CVE-2025-22839 CVE-2025-22840 CVE-2025-22865
                        CVE-2025-22865 CVE-2025-22866 CVE-2025-22866 CVE-2025-22866 CVE-2025-22866
                        CVE-2025-22866 CVE-2025-22867 CVE-2025-22867 CVE-2025-22867 CVE-2025-22867
                        CVE-2025-22868 CVE-2025-22868 CVE-2025-22868 CVE-2025-22868 CVE-2025-22869
                        CVE-2025-22869 CVE-2025-22869 CVE-2025-22869 CVE-2025-22869 CVE-2025-22869
                        CVE-2025-22870 CVE-2025-22870 CVE-2025-22870 CVE-2025-22870 CVE-2025-22870
                        CVE-2025-22870 CVE-2025-22871 CVE-2025-22871 CVE-2025-22871 CVE-2025-22872
                        CVE-2025-22872 CVE-2025-22872 CVE-2025-22872 CVE-2025-22872 CVE-2025-22872
                        CVE-2025-22872 CVE-2025-22873 CVE-2025-22874 CVE-2025-22874 CVE-2025-22889
                        CVE-2025-22952 CVE-2025-23013 CVE-2025-23028 CVE-2025-23028 CVE-2025-23047
                        CVE-2025-23047 CVE-2025-23208 CVE-2025-23208 CVE-2025-23216 CVE-2025-23216
                        CVE-2025-23259 CVE-2025-23387 CVE-2025-23388 CVE-2025-23389 CVE-2025-23390
                        CVE-2025-24014 CVE-2025-24016 CVE-2025-24030 CVE-2025-24030 CVE-2025-2424
                        CVE-2025-24337 CVE-2025-24337 CVE-2025-24354 CVE-2025-24354 CVE-2025-24355
                        CVE-2025-24355 CVE-2025-24358 CVE-2025-24366 CVE-2025-24366 CVE-2025-24369
                        CVE-2025-24369 CVE-2025-24371 CVE-2025-24371 CVE-2025-24376 CVE-2025-24376
                        CVE-2025-24526 CVE-2025-24528 CVE-2025-24528 CVE-2025-2475 CVE-2025-24784
                        CVE-2025-24784 CVE-2025-24786 CVE-2025-24786 CVE-2025-24787 CVE-2025-24787
                        CVE-2025-24806 CVE-2025-24839 CVE-2025-24855 CVE-2025-24866 CVE-2025-24883
                        CVE-2025-24883 CVE-2025-24884 CVE-2025-24884 CVE-2025-24928 CVE-2025-24928
                        CVE-2025-24976 CVE-2025-25196 CVE-2025-25199 CVE-2025-25204 CVE-2025-25207
                        CVE-2025-25208 CVE-2025-25279 CVE-2025-25294 CVE-2025-2564 CVE-2025-26260
                        CVE-2025-26403 CVE-2025-27088 CVE-2025-27090 CVE-2025-27100 CVE-2025-27112
                        CVE-2025-27113 CVE-2025-27113 CVE-2025-27144 CVE-2025-27144 CVE-2025-27144
                        CVE-2025-27155 CVE-2025-27403 CVE-2025-27414 CVE-2025-27421 CVE-2025-27507
                        CVE-2025-27509 CVE-2025-27538 CVE-2025-27571 CVE-2025-27587 CVE-2025-27587
                        CVE-2025-27616 CVE-2025-27936 CVE-2025-28162 CVE-2025-28162 CVE-2025-28162
                        CVE-2025-28164 CVE-2025-28164 CVE-2025-28164 CVE-2025-29087 CVE-2025-29087
                        CVE-2025-29088 CVE-2025-29088 CVE-2025-30204 CVE-2025-30204 CVE-2025-30206
                        CVE-2025-30215 CVE-2025-31115 CVE-2025-31115 CVE-2025-31133 CVE-2025-31223
                        CVE-2025-31277 CVE-2025-31363 CVE-2025-31483 CVE-2025-31489 CVE-2025-3198
                        CVE-2025-32024 CVE-2025-32025 CVE-2025-32086 CVE-2025-32093 CVE-2025-32386
                        CVE-2025-32387 CVE-2025-32414 CVE-2025-32414 CVE-2025-32415 CVE-2025-32415
                        CVE-2025-32431 CVE-2025-32445 CVE-2025-32462 CVE-2025-32463 CVE-2025-32777
                        CVE-2025-32793 CVE-2025-32963 CVE-2025-3360 CVE-2025-3360 CVE-2025-3416
                        CVE-2025-3416 CVE-2025-3576 CVE-2025-35965 CVE-2025-37744 CVE-2025-37751
                        CVE-2025-37841 CVE-2025-37845 CVE-2025-37904 CVE-2025-37955 CVE-2025-3801
                        CVE-2025-38243 CVE-2025-38262 CVE-2025-38297 CVE-2025-38298 CVE-2025-38379
                        CVE-2025-38423 CVE-2025-38488 CVE-2025-38500 CVE-2025-38505 CVE-2025-38507
                        CVE-2025-38510 CVE-2025-38511 CVE-2025-38512 CVE-2025-38513 CVE-2025-38515
                        CVE-2025-38516 CVE-2025-38520 CVE-2025-38521 CVE-2025-38529 CVE-2025-38530
                        CVE-2025-38535 CVE-2025-38537 CVE-2025-38538 CVE-2025-38539 CVE-2025-38540
                        CVE-2025-38541 CVE-2025-38543 CVE-2025-38547 CVE-2025-38548 CVE-2025-38550
                        CVE-2025-38551 CVE-2025-38554 CVE-2025-38569 CVE-2025-38572 CVE-2025-38588
                        CVE-2025-38589 CVE-2025-38590 CVE-2025-38608 CVE-2025-38616 CVE-2025-38617
                        CVE-2025-38618 CVE-2025-38645 CVE-2025-38653 CVE-2025-38664 CVE-2025-38704
                        CVE-2025-38718 CVE-2025-3879 CVE-2025-39676 CVE-2025-39682 CVE-2025-39689
                        CVE-2025-39702 CVE-2025-39753 CVE-2025-39756 CVE-2025-39779 CVE-2025-39795
                        CVE-2025-39797 CVE-2025-39812 CVE-2025-39813 CVE-2025-39814 CVE-2025-39817
                        CVE-2025-39829 CVE-2025-39866 CVE-2025-39876 CVE-2025-39880 CVE-2025-39880
                        CVE-2025-39881 CVE-2025-39895 CVE-2025-39903 CVE-2025-39911 CVE-2025-39913
                        CVE-2025-39927 CVE-2025-39947 CVE-2025-39948 CVE-2025-39949 CVE-2025-39950
                        CVE-2025-39955 CVE-2025-39956 CVE-2025-39963 CVE-2025-39963 CVE-2025-39964
                        CVE-2025-39965 CVE-2025-39967 CVE-2025-39968 CVE-2025-39969 CVE-2025-39970
                        CVE-2025-39971 CVE-2025-39972 CVE-2025-39973 CVE-2025-39973 CVE-2025-39977
                        CVE-2025-39977 CVE-2025-39978 CVE-2025-39979 CVE-2025-39981 CVE-2025-39982
                        CVE-2025-39984 CVE-2025-39985 CVE-2025-39986 CVE-2025-39987 CVE-2025-39988
                        CVE-2025-39991 CVE-2025-39992 CVE-2025-39993 CVE-2025-39994 CVE-2025-39995
                        CVE-2025-39996 CVE-2025-39997 CVE-2025-40000 CVE-2025-40005 CVE-2025-40009
                        CVE-2025-40011 CVE-2025-40012 CVE-2025-40013 CVE-2025-40016 CVE-2025-40018
                        CVE-2025-40018 CVE-2025-40019 CVE-2025-40020 CVE-2025-40029 CVE-2025-40030
                        CVE-2025-40032 CVE-2025-40035 CVE-2025-40036 CVE-2025-40037 CVE-2025-40040
                        CVE-2025-40042 CVE-2025-40043 CVE-2025-40044 CVE-2025-40045 CVE-2025-40048
                        CVE-2025-40049 CVE-2025-40051 CVE-2025-40052 CVE-2025-40056 CVE-2025-40058
                        CVE-2025-40060 CVE-2025-40061 CVE-2025-40062 CVE-2025-40071 CVE-2025-40078
                        CVE-2025-40080 CVE-2025-40085 CVE-2025-40087 CVE-2025-40091 CVE-2025-40096
                        CVE-2025-40097 CVE-2025-40099 CVE-2025-40100 CVE-2025-40103 CVE-2025-40104
                        CVE-2025-40106 CVE-2025-40123 CVE-2025-40130 CVE-2025-40130 CVE-2025-40130
                        CVE-2025-40147 CVE-2025-40159 CVE-2025-40160 CVE-2025-40167 CVE-2025-40170
                        CVE-2025-40179 CVE-2025-40190 CVE-2025-40195 CVE-2025-40204 CVE-2025-40209
                        CVE-2025-40211 CVE-2025-40212 CVE-2025-40212 CVE-2025-40212 CVE-2025-40212
                        CVE-2025-40213 CVE-2025-40214 CVE-2025-40214 CVE-2025-40215 CVE-2025-40218
                        CVE-2025-40219 CVE-2025-40220 CVE-2025-40221 CVE-2025-40223 CVE-2025-40225
                        CVE-2025-40226 CVE-2025-40230 CVE-2025-40231 CVE-2025-40233 CVE-2025-40235
                        CVE-2025-40237 CVE-2025-40238 CVE-2025-40239 CVE-2025-40240 CVE-2025-40242
                        CVE-2025-40246 CVE-2025-40248 CVE-2025-40250 CVE-2025-40251 CVE-2025-40252
                        CVE-2025-40254 CVE-2025-40255 CVE-2025-40256 CVE-2025-40257 CVE-2025-40258
                        CVE-2025-40258 CVE-2025-40259 CVE-2025-40261 CVE-2025-40262 CVE-2025-40263
                        CVE-2025-40264 CVE-2025-40266 CVE-2025-40268 CVE-2025-40269 CVE-2025-40271
                        CVE-2025-40272 CVE-2025-40273 CVE-2025-40274 CVE-2025-40275 CVE-2025-40276
                        CVE-2025-40277 CVE-2025-40278 CVE-2025-40279 CVE-2025-40280 CVE-2025-40282
                        CVE-2025-40283 CVE-2025-40284 CVE-2025-40284 CVE-2025-40287 CVE-2025-40288
                        CVE-2025-40289 CVE-2025-40292 CVE-2025-40293 CVE-2025-40294 CVE-2025-40297
                        CVE-2025-40297 CVE-2025-40301 CVE-2025-40302 CVE-2025-40303 CVE-2025-40304
                        CVE-2025-40307 CVE-2025-40308 CVE-2025-40309 CVE-2025-40309 CVE-2025-40309
                        CVE-2025-40309 CVE-2025-40310 CVE-2025-40311 CVE-2025-40314 CVE-2025-40315
                        CVE-2025-40316 CVE-2025-40317 CVE-2025-40318 CVE-2025-40319 CVE-2025-40320
                        CVE-2025-40321 CVE-2025-40322 CVE-2025-40323 CVE-2025-40324 CVE-2025-40328
                        CVE-2025-40329 CVE-2025-40330 CVE-2025-40331 CVE-2025-40332 CVE-2025-40337
                        CVE-2025-40338 CVE-2025-40339 CVE-2025-40340 CVE-2025-40342 CVE-2025-40343
                        CVE-2025-40344 CVE-2025-40345 CVE-2025-40346 CVE-2025-40347 CVE-2025-40350
                        CVE-2025-40353 CVE-2025-40354 CVE-2025-40355 CVE-2025-40357 CVE-2025-40359
                        CVE-2025-40360 CVE-2025-40362 CVE-2025-40363 CVE-2025-40364 CVE-2025-40909
                        CVE-2025-40909 CVE-2025-40918 CVE-2025-41244 CVE-2025-4128 CVE-2025-41395
                        CVE-2025-41423 CVE-2025-4166 CVE-2025-4210 CVE-2025-43213 CVE-2025-43214
                        CVE-2025-43433 CVE-2025-43438 CVE-2025-43441 CVE-2025-43457 CVE-2025-43511
                        CVE-2025-4373 CVE-2025-4373 CVE-2025-4382 CVE-2025-43859 CVE-2025-43970
                        CVE-2025-43971 CVE-2025-43972 CVE-2025-43973 CVE-2025-44001 CVE-2025-44004
                        CVE-2025-4476 CVE-2025-44779 CVE-2025-4478 CVE-2025-45582 CVE-2025-4573
                        CVE-2025-4598 CVE-2025-4598 CVE-2025-4598 CVE-2025-4598 CVE-2025-46299
                        CVE-2025-46327 CVE-2025-46342 CVE-2025-46569 CVE-2025-46569 CVE-2025-46599
                        CVE-2025-46721 CVE-2025-4673 CVE-2025-4673 CVE-2025-4673 CVE-2025-4673
                        CVE-2025-4673 CVE-2025-4674 CVE-2025-46836 CVE-2025-47268 CVE-2025-47273
                        CVE-2025-47287 CVE-2025-47287 CVE-2025-47287 CVE-2025-47291 CVE-2025-47906
                        CVE-2025-47907 CVE-2025-47907 CVE-2025-47911 CVE-2025-47911 CVE-2025-47911
                        CVE-2025-47911 CVE-2025-47911 CVE-2025-47912 CVE-2025-47912 CVE-2025-47913
                        CVE-2025-47913 CVE-2025-47913 CVE-2025-47913 CVE-2025-47913 CVE-2025-47913
                        CVE-2025-47914 CVE-2025-47914 CVE-2025-47914 CVE-2025-47914 CVE-2025-47914
                        CVE-2025-47914 CVE-2025-47950 CVE-2025-4802 CVE-2025-4802 CVE-2025-48731
                        CVE-2025-4877 CVE-2025-4877 CVE-2025-4878 CVE-2025-4878 CVE-2025-49011
                        CVE-2025-49136 CVE-2025-49140 CVE-2025-49221 CVE-2025-4945 CVE-2025-4947
                        CVE-2025-4948 CVE-2025-4969 CVE-2025-49794 CVE-2025-49794 CVE-2025-49795
                        CVE-2025-49795 CVE-2025-49796 CVE-2025-49796 CVE-2025-5025 CVE-2025-50738
                        CVE-2025-50946 CVE-2025-50949 CVE-2025-5244 CVE-2025-5245 CVE-2025-52565
                        CVE-2025-5278 CVE-2025-5278 CVE-2025-52881 CVE-2025-52894 CVE-2025-52931
                        CVE-2025-5318 CVE-2025-5318 CVE-2025-5351 CVE-2025-5351 CVE-2025-53514
                        CVE-2025-53534 CVE-2025-53547 CVE-2025-5372 CVE-2025-5372 CVE-2025-53816
                        CVE-2025-53817 CVE-2025-53857 CVE-2025-53905 CVE-2025-53906 CVE-2025-53906
                        CVE-2025-53910 CVE-2025-53942 CVE-2025-5399 CVE-2025-54386 CVE-2025-54388
                        CVE-2025-54388 CVE-2025-54389 CVE-2025-54409 CVE-2025-54410 CVE-2025-54424
                        CVE-2025-54458 CVE-2025-54463 CVE-2025-54478 CVE-2025-54525 CVE-2025-54576
                        CVE-2025-54770 CVE-2025-54770 CVE-2025-54771 CVE-2025-54771 CVE-2025-54799
                        CVE-2025-54801 CVE-2025-54882 CVE-2025-54996 CVE-2025-54997 CVE-2025-54998
                        CVE-2025-54999 CVE-2025-55000 CVE-2025-55001 CVE-2025-55003 CVE-2025-55157
                        CVE-2025-55158 CVE-2025-55159 CVE-2025-55196 CVE-2025-55198 CVE-2025-55199
                        CVE-2025-55199 CVE-2025-56225 CVE-2025-5791 CVE-2025-58050 CVE-2025-58058
                        CVE-2025-58060 CVE-2025-58160 CVE-2025-58181 CVE-2025-58181 CVE-2025-58181
                        CVE-2025-58181 CVE-2025-58181 CVE-2025-58183 CVE-2025-58183 CVE-2025-58185
                        CVE-2025-58185 CVE-2025-58186 CVE-2025-58186 CVE-2025-58187 CVE-2025-58187
                        CVE-2025-58188 CVE-2025-58188 CVE-2025-58189 CVE-2025-58189 CVE-2025-58190
                        CVE-2025-58190 CVE-2025-58190 CVE-2025-58190 CVE-2025-58190 CVE-2025-58364
                        CVE-2025-58436 CVE-2025-59375 CVE-2025-59375 CVE-2025-59375 CVE-2025-59432
                        CVE-2025-59464 CVE-2025-59777 CVE-2025-59777 CVE-2025-5987 CVE-2025-5987
                        CVE-2025-5999 CVE-2025-6000 CVE-2025-6004 CVE-2025-6011 CVE-2025-6013
                        CVE-2025-6014 CVE-2025-6015 CVE-2025-6018 CVE-2025-6018 CVE-2025-6018
                        CVE-2025-6020 CVE-2025-6020 CVE-2025-6021 CVE-2025-6021 CVE-2025-6037
                        CVE-2025-6052 CVE-2025-6069 CVE-2025-6075 CVE-2025-61661 CVE-2025-61661
                        CVE-2025-61662 CVE-2025-61662 CVE-2025-61663 CVE-2025-61663 CVE-2025-61664
                        CVE-2025-61664 CVE-2025-6170 CVE-2025-6170 CVE-2025-61723 CVE-2025-61723
                        CVE-2025-61724 CVE-2025-61724 CVE-2025-61725 CVE-2025-61725 CVE-2025-61726
                        CVE-2025-61726 CVE-2025-61727 CVE-2025-61728 CVE-2025-61728 CVE-2025-61729
                        CVE-2025-61730 CVE-2025-61730 CVE-2025-61731 CVE-2025-61731 CVE-2025-61732
                        CVE-2025-61915 CVE-2025-61962 CVE-2025-62229 CVE-2025-62229 CVE-2025-62230
                        CVE-2025-62230 CVE-2025-62231 CVE-2025-62231 CVE-2025-62689 CVE-2025-62689
                        CVE-2025-62725 CVE-2025-62725 CVE-2025-64076 CVE-2025-64181 CVE-2025-64329
                        CVE-2025-64505 CVE-2025-64505 CVE-2025-64505 CVE-2025-64506 CVE-2025-64506
                        CVE-2025-64506 CVE-2025-64720 CVE-2025-64720 CVE-2025-64720 CVE-2025-65018
                        CVE-2025-65018 CVE-2025-65018 CVE-2025-65955 CVE-2025-66199 CVE-2025-66293
                        CVE-2025-66293 CVE-2025-66293 CVE-2025-66471 CVE-2025-66628 CVE-2025-67030
                        CVE-2025-67746 CVE-2025-68119 CVE-2025-68119 CVE-2025-68121 CVE-2025-68121
                        CVE-2025-68146 CVE-2025-68160 CVE-2025-68160 CVE-2025-68160 CVE-2025-68167
                        CVE-2025-68170 CVE-2025-68171 CVE-2025-68172 CVE-2025-68173 CVE-2025-68174
                        CVE-2025-68176 CVE-2025-68178 CVE-2025-68180 CVE-2025-68181 CVE-2025-68183
                        CVE-2025-68184 CVE-2025-68185 CVE-2025-68186 CVE-2025-68188 CVE-2025-68190
                        CVE-2025-68192 CVE-2025-68194 CVE-2025-68195 CVE-2025-68197 CVE-2025-68198
                        CVE-2025-68200 CVE-2025-68201 CVE-2025-68202 CVE-2025-68206 CVE-2025-68207
                        CVE-2025-68208 CVE-2025-68209 CVE-2025-68210 CVE-2025-68211 CVE-2025-68213
                        CVE-2025-68215 CVE-2025-68217 CVE-2025-68218 CVE-2025-68222 CVE-2025-68223
                        CVE-2025-68227 CVE-2025-68230 CVE-2025-68233 CVE-2025-68235 CVE-2025-68237
                        CVE-2025-68238 CVE-2025-68239 CVE-2025-68241 CVE-2025-68242 CVE-2025-68244
                        CVE-2025-68245 CVE-2025-68249 CVE-2025-68252 CVE-2025-68254 CVE-2025-68255
                        CVE-2025-68256 CVE-2025-68257 CVE-2025-68258 CVE-2025-68259 CVE-2025-68261
                        CVE-2025-68264 CVE-2025-68276 CVE-2025-68283 CVE-2025-68284 CVE-2025-68284
                        CVE-2025-68285 CVE-2025-68285 CVE-2025-68286 CVE-2025-68287 CVE-2025-68289
                        CVE-2025-68290 CVE-2025-68292 CVE-2025-68293 CVE-2025-68295 CVE-2025-68296
                        CVE-2025-68297 CVE-2025-68298 CVE-2025-68301 CVE-2025-68302 CVE-2025-68303
                        CVE-2025-68305 CVE-2025-68306 CVE-2025-68307 CVE-2025-68308 CVE-2025-68311
                        CVE-2025-68312 CVE-2025-68313 CVE-2025-68317 CVE-2025-68320 CVE-2025-68325
                        CVE-2025-68327 CVE-2025-68328 CVE-2025-68329 CVE-2025-68330 CVE-2025-68331
                        CVE-2025-68332 CVE-2025-68335 CVE-2025-68337 CVE-2025-68339 CVE-2025-68340
                        CVE-2025-68341 CVE-2025-68342 CVE-2025-68343 CVE-2025-68344 CVE-2025-68345
                        CVE-2025-68346 CVE-2025-68347 CVE-2025-68348 CVE-2025-68349 CVE-2025-68351
                        CVE-2025-68352 CVE-2025-68353 CVE-2025-68354 CVE-2025-68356 CVE-2025-68359
                        CVE-2025-68360 CVE-2025-68361 CVE-2025-68362 CVE-2025-68363 CVE-2025-68366
                        CVE-2025-68367 CVE-2025-68368 CVE-2025-68371 CVE-2025-68372 CVE-2025-68374
                        CVE-2025-68376 CVE-2025-68378 CVE-2025-68379 CVE-2025-68380 CVE-2025-68468
                        CVE-2025-68471 CVE-2025-68615 CVE-2025-68618 CVE-2025-68724 CVE-2025-68725
                        CVE-2025-68732 CVE-2025-68735 CVE-2025-68736 CVE-2025-68740 CVE-2025-68741
                        CVE-2025-68742 CVE-2025-68743 CVE-2025-68744 CVE-2025-68745 CVE-2025-68746
                        CVE-2025-68747 CVE-2025-68748 CVE-2025-68749 CVE-2025-68750 CVE-2025-68753
                        CVE-2025-68757 CVE-2025-68758 CVE-2025-68759 CVE-2025-68764 CVE-2025-68765
                        CVE-2025-68766 CVE-2025-68768 CVE-2025-68770 CVE-2025-68771 CVE-2025-68773
                        CVE-2025-68775 CVE-2025-68776 CVE-2025-68777 CVE-2025-68778 CVE-2025-68783
                        CVE-2025-68784 CVE-2025-68785 CVE-2025-68788 CVE-2025-68789 CVE-2025-68792
                        CVE-2025-68795 CVE-2025-68797 CVE-2025-68798 CVE-2025-68799 CVE-2025-68800
                        CVE-2025-68801 CVE-2025-68802 CVE-2025-68803 CVE-2025-68804 CVE-2025-68808
                        CVE-2025-68810 CVE-2025-68811 CVE-2025-68813 CVE-2025-68813 CVE-2025-68813
                        CVE-2025-68813 CVE-2025-68814 CVE-2025-68815 CVE-2025-68816 CVE-2025-68818
                        CVE-2025-68819 CVE-2025-68820 CVE-2025-68821 CVE-2025-68822 CVE-2025-68950
                        CVE-2025-68973 CVE-2025-69204 CVE-2025-69277 CVE-2025-69418 CVE-2025-69418
                        CVE-2025-69418 CVE-2025-69419 CVE-2025-69419 CVE-2025-69419 CVE-2025-69420
                        CVE-2025-69420 CVE-2025-69420 CVE-2025-69421 CVE-2025-69421 CVE-2025-69421
                        CVE-2025-6965 CVE-2025-6965 CVE-2025-69720 CVE-2025-69720 CVE-2025-70873
                        CVE-2025-70873 CVE-2025-70873 CVE-2025-71064 CVE-2025-71066 CVE-2025-71066
                        CVE-2025-71071 CVE-2025-71073 CVE-2025-71076 CVE-2025-71077 CVE-2025-71078
                        CVE-2025-71079 CVE-2025-71080 CVE-2025-71081 CVE-2025-71082 CVE-2025-71083
                        CVE-2025-71084 CVE-2025-71085 CVE-2025-71085 CVE-2025-71085 CVE-2025-71085
                        CVE-2025-71086 CVE-2025-71087 CVE-2025-71088 CVE-2025-71089 CVE-2025-71091
                        CVE-2025-71093 CVE-2025-71094 CVE-2025-71095 CVE-2025-71096 CVE-2025-71097
                        CVE-2025-71098 CVE-2025-71099 CVE-2025-71100 CVE-2025-71101 CVE-2025-71104
                        CVE-2025-71108 CVE-2025-71111 CVE-2025-71112 CVE-2025-71113 CVE-2025-71114
                        CVE-2025-71116 CVE-2025-71118 CVE-2025-71119 CVE-2025-71120 CVE-2025-71120
                        CVE-2025-71120 CVE-2025-71123 CVE-2025-71125 CVE-2025-71126 CVE-2025-71130
                        CVE-2025-71131 CVE-2025-71132 CVE-2025-71133 CVE-2025-71134 CVE-2025-71135
                        CVE-2025-71136 CVE-2025-71137 CVE-2025-71138 CVE-2025-71141 CVE-2025-71142
                        CVE-2025-71143 CVE-2025-71145 CVE-2025-71147 CVE-2025-71148 CVE-2025-71149
                        CVE-2025-71154 CVE-2025-71156 CVE-2025-71157 CVE-2025-71161 CVE-2025-71162
                        CVE-2025-71163 CVE-2025-71182 CVE-2025-71183 CVE-2025-71184 CVE-2025-71185
                        CVE-2025-71186 CVE-2025-71188 CVE-2025-71189 CVE-2025-71190 CVE-2025-71191
                        CVE-2025-71192 CVE-2025-71193 CVE-2025-71194 CVE-2025-71195 CVE-2025-71196
                        CVE-2025-71197 CVE-2025-71198 CVE-2025-71199 CVE-2025-71200 CVE-2025-71222
                        CVE-2025-71224 CVE-2025-71225 CVE-2025-71229 CVE-2025-71231 CVE-2025-71232
                        CVE-2025-71233 CVE-2025-71234 CVE-2025-71235 CVE-2025-71236 CVE-2025-7195
                        CVE-2025-7424 CVE-2025-7424 CVE-2025-7425 CVE-2025-7425 CVE-2025-7519
                        CVE-2025-7545 CVE-2025-7546 CVE-2025-7709 CVE-2025-7709 CVE-2025-7709
                        CVE-2025-8058 CVE-2025-8058 CVE-2025-8067 CVE-2025-8114 CVE-2025-8114
                        CVE-2025-8114 CVE-2025-8176 CVE-2025-8177 CVE-2025-8194 CVE-2025-8224
                        CVE-2025-8225 CVE-2025-8277 CVE-2025-8277 CVE-2025-8277 CVE-2025-8285
                        CVE-2025-8291 CVE-2025-8341 CVE-2025-8534 CVE-2025-8732 CVE-2025-8732
                        CVE-2025-8732 CVE-2025-8961 CVE-2025-9039 CVE-2025-9086 CVE-2025-9086
                        CVE-2025-9086 CVE-2025-9165 CVE-2025-9230 CVE-2025-9230 CVE-2025-9230
                        CVE-2025-9230 CVE-2025-9231 CVE-2025-9232 CVE-2025-9615 CVE-2025-9615
                        CVE-2025-9817 CVE-2025-9820 CVE-2025-9900 CVE-2026-0665 CVE-2026-0665
                        CVE-2026-0672 CVE-2026-0716 CVE-2026-0719 CVE-2026-0861 CVE-2026-0861
                        CVE-2026-0861 CVE-2026-0865 CVE-2026-0877 CVE-2026-0878 CVE-2026-0879
                        CVE-2026-0880 CVE-2026-0882 CVE-2026-0883 CVE-2026-0884 CVE-2026-0885
                        CVE-2026-0886 CVE-2026-0887 CVE-2026-0890 CVE-2026-0891 CVE-2026-0915
                        CVE-2026-0915 CVE-2026-0915 CVE-2026-0959 CVE-2026-0961 CVE-2026-0962
                        CVE-2026-0964 CVE-2026-0964 CVE-2026-0964 CVE-2026-0965 CVE-2026-0965
                        CVE-2026-0965 CVE-2026-0966 CVE-2026-0966 CVE-2026-0966 CVE-2026-0967
                        CVE-2026-0967 CVE-2026-0967 CVE-2026-0968 CVE-2026-0968 CVE-2026-0968
                        CVE-2026-0988 CVE-2026-0989 CVE-2026-0989 CVE-2026-0989 CVE-2026-0989
                        CVE-2026-0989 CVE-2026-0990 CVE-2026-0990 CVE-2026-0990 CVE-2026-0992
                        CVE-2026-0992 CVE-2026-0992 CVE-2026-11822 CVE-2026-11824 CVE-2026-1299
                        CVE-2026-1299 CVE-2026-1484 CVE-2026-1485 CVE-2026-1489 CVE-2026-1709
                        CVE-2026-1757 CVE-2026-1757 CVE-2026-1757 CVE-2026-1965 CVE-2026-1965
                        CVE-2026-1965 CVE-2026-1965 CVE-2026-1965 CVE-2026-2003 CVE-2026-2004
                        CVE-2026-2005 CVE-2026-2006 CVE-2026-20608 CVE-2026-20635 CVE-2026-20636
                        CVE-2026-20643 CVE-2026-20644 CVE-2026-20652 CVE-2026-20664 CVE-2026-20665
                        CVE-2026-20676 CVE-2026-20691 CVE-2026-21226 CVE-2026-21637 CVE-2026-21710
                        CVE-2026-21712 CVE-2026-21713 CVE-2026-21714 CVE-2026-21715 CVE-2026-21716
                        CVE-2026-21717 CVE-2026-2243 CVE-2026-22693 CVE-2026-22695 CVE-2026-22695
                        CVE-2026-22695 CVE-2026-22701 CVE-2026-22770 CVE-2026-22795 CVE-2026-22795
                        CVE-2026-22795 CVE-2026-22796 CVE-2026-22796 CVE-2026-22796 CVE-2026-22801
                        CVE-2026-22801 CVE-2026-22801 CVE-2026-22851 CVE-2026-22852 CVE-2026-22853
                        CVE-2026-22854 CVE-2026-22855 CVE-2026-22856 CVE-2026-22857 CVE-2026-22858
                        CVE-2026-22859 CVE-2026-2297 CVE-2026-22976 CVE-2026-22977 CVE-2026-22978
                        CVE-2026-22979 CVE-2026-22980 CVE-2026-22981 CVE-2026-22982 CVE-2026-22984
                        CVE-2026-22985 CVE-2026-22986 CVE-2026-22988 CVE-2026-22989 CVE-2026-22990
                        CVE-2026-22991 CVE-2026-22992 CVE-2026-22993 CVE-2026-22996 CVE-2026-22997
                        CVE-2026-22998 CVE-2026-22999 CVE-2026-22999 CVE-2026-22999 CVE-2026-23000
                        CVE-2026-23001 CVE-2026-23002 CVE-2026-23003 CVE-2026-23004 CVE-2026-23004
                        CVE-2026-23005 CVE-2026-23006 CVE-2026-23010 CVE-2026-23011 CVE-2026-23017
                        CVE-2026-23018 CVE-2026-23021 CVE-2026-23022 CVE-2026-23023 CVE-2026-23024
                        CVE-2026-23026 CVE-2026-23030 CVE-2026-23031 CVE-2026-23033 CVE-2026-23035
                        CVE-2026-23037 CVE-2026-23038 CVE-2026-23042 CVE-2026-23047 CVE-2026-23049
                        CVE-2026-23050 CVE-2026-23053 CVE-2026-23054 CVE-2026-23055 CVE-2026-23056
                        CVE-2026-23057 CVE-2026-23058 CVE-2026-23059 CVE-2026-23060 CVE-2026-23061
                        CVE-2026-23062 CVE-2026-23063 CVE-2026-23064 CVE-2026-23065 CVE-2026-23066
                        CVE-2026-23068 CVE-2026-23069 CVE-2026-23070 CVE-2026-23071 CVE-2026-23073
                        CVE-2026-23074 CVE-2026-23074 CVE-2026-23074 CVE-2026-23076 CVE-2026-23078
                        CVE-2026-23080 CVE-2026-23082 CVE-2026-23083 CVE-2026-23084 CVE-2026-23085
                        CVE-2026-23086 CVE-2026-23088 CVE-2026-23089 CVE-2026-23090 CVE-2026-23091
                        CVE-2026-23094 CVE-2026-23095 CVE-2026-23096 CVE-2026-23097 CVE-2026-23099
                        CVE-2026-23100 CVE-2026-23101 CVE-2026-23102 CVE-2026-23104 CVE-2026-23105
                        CVE-2026-23107 CVE-2026-23108 CVE-2026-23110 CVE-2026-23111 CVE-2026-23111
                        CVE-2026-23111 CVE-2026-23112 CVE-2026-23116 CVE-2026-23119 CVE-2026-23121
                        CVE-2026-23123 CVE-2026-23128 CVE-2026-23129 CVE-2026-23131 CVE-2026-23133
                        CVE-2026-23135 CVE-2026-23136 CVE-2026-23137 CVE-2026-23139 CVE-2026-23141
                        CVE-2026-23142 CVE-2026-23144 CVE-2026-23145 CVE-2026-23146 CVE-2026-23148
                        CVE-2026-23150 CVE-2026-23151 CVE-2026-23152 CVE-2026-23154 CVE-2026-23155
                        CVE-2026-23156 CVE-2026-23157 CVE-2026-23158 CVE-2026-23161 CVE-2026-23163
                        CVE-2026-23166 CVE-2026-23167 CVE-2026-23169 CVE-2026-23170 CVE-2026-23171
                        CVE-2026-23172 CVE-2026-23173 CVE-2026-23176 CVE-2026-23177 CVE-2026-23178
                        CVE-2026-23179 CVE-2026-23182 CVE-2026-23188 CVE-2026-23189 CVE-2026-23190
                        CVE-2026-23191 CVE-2026-23198 CVE-2026-23202 CVE-2026-23204 CVE-2026-23207
                        CVE-2026-23208 CVE-2026-23209 CVE-2026-23209 CVE-2026-23209 CVE-2026-23210
                        CVE-2026-23213 CVE-2026-23214 CVE-2026-23221 CVE-2026-23222 CVE-2026-23223
                        CVE-2026-23224 CVE-2026-23229 CVE-2026-23230 CVE-2026-23268 CVE-2026-23268
                        CVE-2026-23268 CVE-2026-23268 CVE-2026-23437 CVE-2026-23437 CVE-2026-23530
                        CVE-2026-23531 CVE-2026-23532 CVE-2026-23533 CVE-2026-23534 CVE-2026-23732
                        CVE-2026-23874 CVE-2026-23876 CVE-2026-23883 CVE-2026-23884 CVE-2026-23948
                        CVE-2026-23952 CVE-2026-24401 CVE-2026-2447 CVE-2026-24481 CVE-2026-24484
                        CVE-2026-24484 CVE-2026-24485 CVE-2026-24491 CVE-2026-24515 CVE-2026-24515
                        CVE-2026-24515 CVE-2026-24675 CVE-2026-24676 CVE-2026-24677 CVE-2026-24678
                        CVE-2026-24679 CVE-2026-24680 CVE-2026-24681 CVE-2026-24682 CVE-2026-24683
                        CVE-2026-24684 CVE-2026-24882 CVE-2026-25075 CVE-2026-25210 CVE-2026-25210
                        CVE-2026-25210 CVE-2026-25576 CVE-2026-25637 CVE-2026-25638 CVE-2026-25645
                        CVE-2026-25646 CVE-2026-25646 CVE-2026-25646 CVE-2026-25680 CVE-2026-25680
                        CVE-2026-25681 CVE-2026-25681 CVE-2026-25727 CVE-2026-25727 CVE-2026-25727
                        CVE-2026-25727 CVE-2026-25727 CVE-2026-25794 CVE-2026-25795 CVE-2026-25796
                        CVE-2026-25797 CVE-2026-25798 CVE-2026-25799 CVE-2026-25799 CVE-2026-25897
                        CVE-2026-25898 CVE-2026-25965 CVE-2026-25966 CVE-2026-25967 CVE-2026-25968
                        CVE-2026-25969 CVE-2026-25970 CVE-2026-25971 CVE-2026-25982 CVE-2026-25983
                        CVE-2026-25985 CVE-2026-25986 CVE-2026-25987 CVE-2026-25988 CVE-2026-25989
                        CVE-2026-26007 CVE-2026-26066 CVE-2026-26080 CVE-2026-26081 CVE-2026-26157
                        CVE-2026-26158 CVE-2026-26269 CVE-2026-26283 CVE-2026-26284 CVE-2026-2673
                        CVE-2026-26983 CVE-2026-26996 CVE-2026-27135 CVE-2026-27135 CVE-2026-27135
                        CVE-2026-27136 CVE-2026-27136 CVE-2026-27140 CVE-2026-27143 CVE-2026-27144
                        CVE-2026-27145 CVE-2026-27171 CVE-2026-27171 CVE-2026-27171 CVE-2026-27456
                        CVE-2026-27456 CVE-2026-2757 CVE-2026-2758 CVE-2026-2759 CVE-2026-2760
                        CVE-2026-2761 CVE-2026-2762 CVE-2026-2763 CVE-2026-2764 CVE-2026-2765
                        CVE-2026-2766 CVE-2026-2767 CVE-2026-2768 CVE-2026-2769 CVE-2026-2770
                        CVE-2026-2771 CVE-2026-2772 CVE-2026-2773 CVE-2026-2774 CVE-2026-2775
                        CVE-2026-2776 CVE-2026-2777 CVE-2026-2778 CVE-2026-2779 CVE-2026-27798
                        CVE-2026-27799 CVE-2026-2780 CVE-2026-2781 CVE-2026-2782 CVE-2026-2783
                        CVE-2026-2784 CVE-2026-2785 CVE-2026-2786 CVE-2026-2787 CVE-2026-2788
                        CVE-2026-2789 CVE-2026-2790 CVE-2026-2791 CVE-2026-2792 CVE-2026-2793
                        CVE-2026-28295 CVE-2026-28296 CVE-2026-28387 CVE-2026-28387 CVE-2026-28387
                        CVE-2026-28388 CVE-2026-28388 CVE-2026-28388 CVE-2026-28389 CVE-2026-28389
                        CVE-2026-28389 CVE-2026-28390 CVE-2026-28390 CVE-2026-28390 CVE-2026-28417
                        CVE-2026-28417 CVE-2026-28493 CVE-2026-28494 CVE-2026-28686 CVE-2026-28687
                        CVE-2026-28688 CVE-2026-28689 CVE-2026-28690 CVE-2026-28690 CVE-2026-28691
                        CVE-2026-28692 CVE-2026-28693 CVE-2026-28857 CVE-2026-28859 CVE-2026-28861
                        CVE-2026-28871 CVE-2026-29111 CVE-2026-29111 CVE-2026-29111 CVE-2026-2920
                        CVE-2026-2922 CVE-2026-29518 CVE-2026-29518 CVE-2026-29518 CVE-2026-30883
                        CVE-2026-30883 CVE-2026-30922 CVE-2026-30929 CVE-2026-30931 CVE-2026-30935
                        CVE-2026-30936 CVE-2026-30937 CVE-2026-31406 CVE-2026-31406 CVE-2026-31431
                        CVE-2026-31431 CVE-2026-3172 CVE-2026-31789 CVE-2026-31789 CVE-2026-31789
                        CVE-2026-31790 CVE-2026-31790 CVE-2026-31790 CVE-2026-31812 CVE-2026-3184
                        CVE-2026-3184 CVE-2026-31853 CVE-2026-3195 CVE-2026-31958 CVE-2026-3196
                        CVE-2026-31979 CVE-2026-32280 CVE-2026-32281 CVE-2026-32282 CVE-2026-32283
                        CVE-2026-32288 CVE-2026-32289 CVE-2026-32597 CVE-2026-32776 CVE-2026-32776
                        CVE-2026-32776 CVE-2026-32776 CVE-2026-32777 CVE-2026-32777 CVE-2026-32777
                        CVE-2026-32777 CVE-2026-32778 CVE-2026-32778 CVE-2026-32778 CVE-2026-32778
                        CVE-2026-32792 CVE-2026-33186 CVE-2026-33186 CVE-2026-33186 CVE-2026-33186
                        CVE-2026-33186 CVE-2026-33186 CVE-2026-33278 CVE-2026-33416 CVE-2026-33416
                        CVE-2026-33416 CVE-2026-33636 CVE-2026-33636 CVE-2026-33636 CVE-2026-33814
                        CVE-2026-33845 CVE-2026-33846 CVE-2026-34073 CVE-2026-34073 CVE-2026-34180
                        CVE-2026-34180 CVE-2026-34182 CVE-2026-34182 CVE-2026-34352 CVE-2026-34379
                        CVE-2026-34380 CVE-2026-3446 CVE-2026-34582 CVE-2026-34588 CVE-2026-34589
                        CVE-2026-34743 CVE-2026-34743 CVE-2026-34743 CVE-2026-34757 CVE-2026-34757
                        CVE-2026-34757 CVE-2026-3479 CVE-2026-34986 CVE-2026-35206 CVE-2026-35328
                        CVE-2026-35329 CVE-2026-35330 CVE-2026-35331 CVE-2026-35332 CVE-2026-35333
                        CVE-2026-35334 CVE-2026-35385 CVE-2026-35414 CVE-2026-35535 CVE-2026-3644
                        CVE-2026-3731 CVE-2026-3783 CVE-2026-3783 CVE-2026-3783 CVE-2026-3784
                        CVE-2026-3784 CVE-2026-3784 CVE-2026-3805 CVE-2026-3805 CVE-2026-3805
                        CVE-2026-3833 CVE-2026-3842 CVE-2026-39827 CVE-2026-39827 CVE-2026-39828
                        CVE-2026-39828 CVE-2026-39829 CVE-2026-39829 CVE-2026-39830 CVE-2026-39830
                        CVE-2026-39831 CVE-2026-39831 CVE-2026-39832 CVE-2026-39832 CVE-2026-39833
                        CVE-2026-39833 CVE-2026-39834 CVE-2026-39834 CVE-2026-39835 CVE-2026-39835
                        CVE-2026-40176 CVE-2026-40244 CVE-2026-40250 CVE-2026-40261 CVE-2026-40355
                        CVE-2026-40355 CVE-2026-40356 CVE-2026-40356 CVE-2026-40393 CVE-2026-4046
                        CVE-2026-4046 CVE-2026-4046 CVE-2026-4046 CVE-2026-40622 CVE-2026-40706
                        CVE-2026-41035 CVE-2026-41035 CVE-2026-41035 CVE-2026-41035 CVE-2026-41035
                        CVE-2026-41035 CVE-2026-4105 CVE-2026-4105 CVE-2026-4105 CVE-2026-41066
                        CVE-2026-41292 CVE-2026-41651 CVE-2026-42009 CVE-2026-42010 CVE-2026-42011
                        CVE-2026-42012 CVE-2026-42013 CVE-2026-42014 CVE-2026-42015 CVE-2026-4224
                        CVE-2026-42502 CVE-2026-42502 CVE-2026-42504 CVE-2026-42506 CVE-2026-42506
                        CVE-2026-42507 CVE-2026-42508 CVE-2026-42508 CVE-2026-42534 CVE-2026-4271
                        CVE-2026-42766 CVE-2026-42766 CVE-2026-42770 CVE-2026-42770 CVE-2026-42923
                        CVE-2026-42944 CVE-2026-42959 CVE-2026-42960 CVE-2026-43617 CVE-2026-43617
                        CVE-2026-43617 CVE-2026-43618 CVE-2026-43618 CVE-2026-43618 CVE-2026-43619
                        CVE-2026-43619 CVE-2026-43619 CVE-2026-43620 CVE-2026-43620 CVE-2026-43620
                        CVE-2026-4437 CVE-2026-4437 CVE-2026-4437 CVE-2026-4438 CVE-2026-4438
                        CVE-2026-4438 CVE-2026-44390 CVE-2026-44608 CVE-2026-44941 CVE-2026-44942
                        CVE-2026-4519 CVE-2026-45232 CVE-2026-45232 CVE-2026-45232 CVE-2026-45409
                        CVE-2026-45445 CVE-2026-45445 CVE-2026-45446 CVE-2026-45446 CVE-2026-45447
                        CVE-2026-45447 CVE-2026-46595 CVE-2026-46595 CVE-2026-46597 CVE-2026-46597
                        CVE-2026-46598 CVE-2026-46598 CVE-2026-4873 CVE-2026-4873 CVE-2026-4873
                        CVE-2026-4878 CVE-2026-4878 CVE-2026-4878 CVE-2026-5260 CVE-2026-5419
                        CVE-2026-5450 CVE-2026-5450 CVE-2026-5450 CVE-2026-5545 CVE-2026-5545
                        CVE-2026-5545 CVE-2026-5928 CVE-2026-5928 CVE-2026-5928 CVE-2026-5958
                        CVE-2026-5958 CVE-2026-6253 CVE-2026-6253 CVE-2026-6253 CVE-2026-6276
                        CVE-2026-6276 CVE-2026-6276 CVE-2026-6429 CVE-2026-6429 CVE-2026-6429
                        CVE-2026-7383 CVE-2026-7383 CVE-2026-9076 CVE-2026-9076 
-----------------------------------------------------------------

The container rancher/seedimage-builder was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 9
Released:    Mon Nov  3 11:23:57 2025
Summary:     Optional update for mcphost
Type:        feature
Severity:    moderate
References:  1229122,1236045,1236046,CVE-2024-45336,CVE-2024-45341
This update for mcphost fixes the following issues:

This adds mcphost in release 0.31.1.

-----------------------------------------------------------------
Advisory ID: 15
Released:    Thu Nov 13 18:37:58 2025
Summary:     Recommended update for aws-cli-cmd
Type:        recommended
Severity:    important
References:  1222620,1225946,1227106,1234100,1234101,1234102,1234103,1234104,1235475,1252390,CVE-2024-12084,CVE-2024-12085,CVE-2024-12086,CVE-2024-12087,CVE-2024-12088,CVE-2024-12747
This update for aws-cli-cmd fixes the following issues:

- Disable security context for shared volume

  For sharing the home directory with the container the
  security context needs to be disabled to allow this
  shared mount. For details about this setting as well
  as approval on the approach please visit bsc#1252390

-----------------------------------------------------------------
Advisory ID: 16
Released:    Thu Nov 13 20:37:21 2025
Summary:     Recommended update for az-cli-cmd
Type:        recommended
Severity:    important
References:  1218424,1229122,1236217,1236801,1236839,1252390,1253140,CVE-2025-22866,CVE-2025-22867
This update for az-cli-cmd fixes the following issues:

Changes in az-cli-cmd:

Version 1.37.0:

  - Drop dependencies that do not appear needed. Not referenced in the
    sources of azure-cli upstream. (bsc#1253140)
  - Change the deriviation chain by adding the az-sdk container as a base

- Remove the executable script if it exists prior to generation of
  a new wrapper by flake-ctl. Otherwise flake-ctl complains about the
  existence of the script and we get an error during package update.

- Disable security context for shared volume
  For sharing the home directory with the container the
  security context needs to be disabled to allow this
  shared mount. For details about this setting as well
  as approval on the approach please visit bsc#1252390

-----------------------------------------------------------------
Advisory ID: 18
Released:    Fri Nov 14 19:18:17 2025
Summary:     Recommended update for scanner-databases
Type:        recommended
Severity:    moderate
References:  1221399,1222985,1227308,1229137,1229472,1230615,1232770,1233333,1234050,CVE-2024-28182
This update for scanner-databases fixes the following issues:

initial shipment.

-----------------------------------------------------------------
Advisory ID: 29
Released:    Wed Nov 19 10:37:50 2025
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1188441,1220724,1221239,1233517,1249584,CVE-2025-23013,CVE-2025-59375
This update for expat fixes the following issues:

- CVE-2025-59375: Fixed large dynamic memory allocations via a small document submitted for parsing (bsc#1249584)

-----------------------------------------------------------------
Advisory ID: 24
Released:    Wed Nov 19 10:40:24 2025
Summary:     Security update for libxslt
Type:        security
Severity:    important
References:  1199079,1220356,1227525,1250553,1251979,CVE-2025-10911,CVE-2025-11731
This update for libxslt fixes the following issues:

Changes in libxslt:

- CVE-2025-11731: Fixed type confusion in exsltFuncResultCompfunction leading to denial of service (bsc#1251979)
- CVE-2025-10911: Fixed use-after-free with key data stored cross-RVT (bsc#1250553)

-----------------------------------------------------------------
Advisory ID: 23
Released:    Wed Nov 19 10:40:24 2025
Summary:     Security update for tiff
Type:        security
Severity:    important
References:  1174091,1189495,1221854,1226447,1226448,1227378,1228780,1232579,1243503,1247106,1247108,1247581,1247582,1248117,1248330,1250413,831629,CVE-2019-20907,CVE-2019-9947,CVE-2020-15523,CVE-2020-15801,CVE-2022-25236,CVE-2023-52425,CVE-2024-0397,CVE-2024-0450,CVE-2024-13978,CVE-2024-4032,CVE-2024-50602,CVE-2024-6923,CVE-2025-8176,CVE-2025-8177,CVE-2025-8534,CVE-2025-8961,CVE-2025-9165,CVE-2025-9900
This update for tiff fixes the following issues:

tiff was updated to 4.7.1:

* Software configuration changes:

  * Define HAVE_JPEGTURBO_DUAL_MODE_8_12 and LERC_STATIC in tif_config.h.
  * CMake: define WORDS_BIGENDIAN via tif_config.h
  * doc/CMakeLists.txt: remove useless cmake_minimum_required()
  * CMake: fix build with LLVM/Clang 17 (fixes issue #651)
  * CMake: set CMP0074 new policy
  * Set LINKER_LANGUAGE for C targets with C deps
  * Export tiffxx cmake target (fixes issue #674)
  * autogen.sh: Enable verbose wget.
  * configure.ac: Syntax updates for Autoconf 2.71
  * autogen.sh: Re-implement based on autoreconf. Failure to update
    config.guess/config.sub does not return error (fixes issue #672)
  * CMake: fix CMake 4.0 warning when minimum required version is < 3.10.
  * CMake: Add build option tiff-static (fixes issue #709)
  Library changes:
  * Add TIFFOpenOptionsSetWarnAboutUnknownTags() for explicit control
    about emitting warnings for unknown tags. No longer emit warnings
    about unknown tags by default
  * tif_predict.c: speed-up decompression in some cases.

* Bug fixes:

  * tif_fax3: For fax group 3 data if no EOL is detected, reading is
    retried without synchronisation for EOLs. (fixes issue #54)
  * Updating TIFFMergeFieldInfo() with read_count=write_count=0 for
    FIELD_IGNORE. Updating TIFFMergeFieldInfo() with read_count=write_count=0 for
    FIELD_IGNORE. Improving handling when field_name = NULL. (fixes issue #532)
  * tiff.h: add COMPRESSION_JXL_DNG_1_7=52546 as used for JPEGXL compression in
    the DNG 1.7 specification
  * TIFFWriteDirectorySec: Increment string length for ASCII tags for codec tags
    defined with FIELD_xxx bits, as it is done for FIELD_CUSTOM tags. (fixes issue #648)
  * Do not error out on a tag whose tag count value is zero, just issue a warning.
    Fix parsing a private tag 0x80a6 (fixes issue #647)
  * TIFFDefaultTransferFunction(): give up beyond td_bitspersample = 24
    Fixes https://github.com/OSGeo/gdal/issues/10875)
  * tif_getimage.c: Remove unnecessary calls to TIFFRGBAImageOK() (fixes issue #175)
  * Fix writing a Predictor=3 file with non-native endianness
  * _TIFFVSetField(): fix potential use of unallocated memory (out-of-bounds
  * read / nullptr dereference) in case of out-of-memory situation when dealing with
    custom tags (fixes issue #663)
  * tif_fax3.c: Error out for CCITT fax encoding if SamplesPerPixel is not equal 1 and
    PlanarConfiguration = Contiguous (fixes issue #26)
  * tif_fax3.c: error out after a number of times end-of-line or unexpected bad code
    words have been reached. (fixes issue #670)
  * Fix memory leak in TIFFSetupStrips() (fixes issue #665)
  * tif_zip.c: Provide zlib allocation functions. Otherwise for zlib built with
    -DZ_SOLO inflating will fail.
  * Fix memory leak in _TIFFSetDefaultCompressionState. (fixes issue #676)
  * tif_predict.c: Don’t overwrite input buffer of TIFFWriteScanline() if 'prediction'
    is enabled. Use extra working buffer in PredictorEncodeRow(). (fixes issue #5)
  * tif_getimage.c: update some integer overflow checks (fixes issue #79)
  * tif_getimage.c: Fix buffer underflow crash for less raster rows at
    TIFFReadRGBAImageOriented() (fixes issue #704, bsc#1250413, CVE-2025-9900)
  * TIFFReadRGBAImage(): several fixes to avoid buffer overflows.
  * Correct passing arguments to TIFFCvtIEEEFloatToNative() and TIFFCvtIEEEDoubleToNative()
    if HAVE_IEEEFP is not defined. (fixes issue #699)
  * LZWDecode(): avoid nullptr dereference when trying to read again after EOI marker
    has been found with remaining output bytes (fixes issue #698)
  * TIFFSetSubDirectory(): check _TIFFCheckDirNumberAndOffset() return.
  * TIFFUnlinkDirectory() and TIFFWriteDirectorySec(): clear tif_rawcp when clearing
    tif_rawdata (fixes issue #711)
  * JPEGEncodeRaw(): error out if a previous scanline failed to be written, to avoid
    out-of-bounds access (fixes issue #714)
  * tif_jpeg: Fix bug in JPEGDecodeRaw() if JPEG_LIB_MK1_OR_12BIT is defined for 8/12bit
    dual mode, introduced in libjpeg-turbo 2.2, which was actually released as 3.0.
    Fixes issue #717
  * add assert for TIFFReadCustomDirectory infoarray check.
  * ppm2tiff: Fix bug in pack_words trailing bytes, where last two bytes of each line
    were written wrongly. (fixes issue #467)
  * fax2ps: fix regression of commit 28c38d648b64a66c3218778c4745225fe3e3a06d where
    TIFFTAG_FAXFILLFUNC is being used rather than an output buffer (fixes issue #649)
  * tiff2pdf: Check TIFFTAG_TILELENGTH and TIFFTAGTILEWIDTH (fixes issue #650)
  * tiff2pdf: check h_samp and v_samp for range 1 to 4 to avoid division by zero.
    Fixes issue #654
  * tiff2pdf: avoid null pointer dereference. (fixes issue #741)
  * Improve non-secure integer overflow check (comparison of division result with
    multiplicant) at compiler optimisation in tiffcp, rgb2ycbcr and tiff2rgba.
    Fixes issue #546
  * tiff2rgba: fix some 'a partial expression can generate an overflow before it is
    assigned to a broader type' warnings. (fixes issue #682)
  * tiffdither/tiffmedian: Don't skip the first line of the input image. (fixes issue #703)
  * tiffdither: avoid out-of-bounds read identified in issue #733
  * tiffmedian: error out if TIFFReadScanline() fails (fixes issue #707)
  * tiffmedian: close input file. (fixes issue #735)
  * thumbail: avoid potential out of bounds access (fixes issue #715)
  * tiffcrop: close open TIFF files and release allocated buffers before exiting in case
    of error to avoid memory leaks. (fixes issue #716)
  * tiffcrop: fix double-free and memory leak exposed by issue #721
  * tiffcrop: avoid buffer overflow. (fixes issue #740)
  * tiffcrop: avoid nullptr dereference. (fixes issue #734)
  * tiffdump: Fix coverity scan issue CID 1373365: Passing tainted expression *datamem
    to PrintData, which uses it as a divisor or modulus.
  * tiff2ps: check return of TIFFGetFiled() for TIFFTAG_STRIPBYTECOUNTS and
    TIFFTAG_TILEBYTECOUNTS to avoid NULL pointer dereference. (fixes issue #718)
  * tiffcmp: fix memory leak when second file cannot be opened. (fixes issue #718 and issue #729)
  * tiffcp: fix setting compression level for lossless codecs. (fixes issue #730)
  * raw2tiff: close input file before exit (fixes issue #742)
  Tools changes:
  * tiffinfo: add a -W switch to warn about unknown tags.
  * tiffdither: process all pages in input TIFF file.

* Documentation:

  * TIFFRGBAImage.rst note added for incorrect saving of images with TIFF orientation
    from 5 (LeftTop) to 8 (LeftBottom) in the raster.
  * TIFFRGBAImage.rst note added about un-associated alpha handling (fixes issue #67)
  * Update 'Defining New TIFF Tags' description. (fixes issue #642)
  * Fix return type of TIFFReadEncodedTile()
  * Update the documentation to reflect deprecated typedefs.
  * TIFFWriteDirectory.rst: Clarify TIFFSetWriteOffset() only sets offset for image
    data and not for IFD data.
  * Update documentation on re-entrancy and thread safety.
  * Remove dead links to no more existing Awaresystems web-site.
  * Updating BigTIFF specification and some miscelaneous editions.
  * Replace some last links and remove last todos.
  * Added hints for correct allocation of TIFFYCbCrtoRGB structure and its
    associated buffers. (fixes issue #681)
  * Added chapter to 'Using the TIFF Library' with links to handling multi-page TIFF
    and custom directories. (fixes issue #43)
  * update TIFFOpen.rst with the return values of mapproc and unmapproc. (fixes issue #12)

Security issues fixed:

  * CVE-2025-8961: Fix segmentation fault via main function of tiffcrop utility [bsc#1248117]
  * CVE-2025-8534: Fix null pointer dereference in function PS_Lvl2page [bsc#1247582]
  * CVE-2025-9165: Fix local execution manipulation can lead to memory leak [bsc#1248330]
  * CVE-2024-13978: Fix null pointer dereference in tiff2pdf [bsc#1247581]
  * CVE-2025-8176: Fix heap use-after-free in tools/tiffmedian.c [bsc#1247108]
  * CVE-2025-8177: Fix possible buffer overflow in tools/thumbnail.c:setrow()  [bsc#1247106]

- Fix TIFFMergeFieldInfo() read_count=write_count=0 (bsc#1243503)


-----------------------------------------------------------------
Advisory ID: 26
Released:    Wed Nov 19 10:43:19 2025
Summary:     Recommended update for dracut
Type:        recommended
Severity:    important
References:  1229339,1233313,1237096,1238848,CVE-2024-21820,CVE-2024-21853,CVE-2024-23918,CVE-2024-23984,CVE-2024-24968,CVE-2024-31068,CVE-2024-36293,CVE-2024-37020,CVE-2024-39355
This update for dracut fixes the following issues:

- Additional fixes for PXE boot with filled-in NBFT (bsc#1238848):
    * fix (74nvmf): make sure autoconnect script is run at least once
    * fix (74nvmf): only set netroot if it's yet empty

-----------------------------------------------------------------
Advisory ID: 31
Released:    Wed Nov 19 10:45:59 2025
Summary:     Recommended update for x3270
Type:        recommended
Severity:    moderate
References:  1215628,1219823,1219826,1221164,1236136,CVE-2023-50387,CVE-2023-50868,CVE-2024-13176,CVE-2024-1931,CVE-2024-33655
This update for x3270 fixes the following issues:

Changes in x3270:

- Upgrade to version 4.4ga6

-----------------------------------------------------------------
Advisory ID: 30
Released:    Wed Nov 19 10:45:59 2025
Summary:     Security update for openexr
Type:        security
Severity:    moderate
References:  1221665,1221666,1221667,1221668,1227888,1228535,1233078,1253233,CVE-2024-10963,CVE-2024-2004,CVE-2024-2379,CVE-2024-2398,CVE-2024-2466,CVE-2024-6197,CVE-2024-7264,CVE-2025-64181
This update for openexr fixes the following issues:

- CVE-2025-64181: Fixed use of uninitialized memory in function generic_unpack() (bsc#1253233)

-----------------------------------------------------------------
Advisory ID: 32
Released:    Wed Nov 19 10:50:34 2025
Summary:     Recommended update for autofs
Type:        recommended
Severity:    important
References:  1221482,1221940,1222992,1223423,1223424,1223425,1228041,1236282,1250091,CVE-2024-2961,CVE-2024-33599,CVE-2024-33600,CVE-2024-33601,CVE-2024-33602,CVE-2025-0395
This update for autofs fixes the following issues:

Changes in autofs:

- Modified NetworkManager-autofs: (bsc#1250091)
  * don't reload autofs.service on loopback interface changes
  * add --no-block option to request asynchronous behavior

-----------------------------------------------------------------
Advisory ID: 33
Released:    Wed Nov 19 11:14:36 2025
Summary:     Security update for ongres-scram
Type:        security
Severity:    important
References:  1208690,1217783,1217826,1222121,1226412,1226529,1230551,1230552,1250399,CVE-2023-6917,CVE-2024-3019,CVE-2024-45769,CVE-2024-45770,CVE-2025-59432
This update for ongres-scram fixes the following issues:

- CVE-2025-59432: Fixed timing attack vulnerability in SCRAM Authentication (bsc#1250399)

-----------------------------------------------------------------
Advisory ID: 39
Released:    Wed Nov 19 17:45:48 2025
Summary:     Security update for MozillaFirefox
Type:        security
Severity:    important
References:  1211649,1211888,1216063,1219001,1220338,1222684,1229228,1232227,1232844,1233752,1234015,1234313,1234765,1249391,1250452,1251263,1253188,CVE-2025-10527,CVE-2025-10528,CVE-2025-10529,CVE-2025-10532,CVE-2025-10533,CVE-2025-10536,CVE-2025-10537,CVE-2025-11708,CVE-2025-11709,CVE-2025-11710,CVE-2025-11711,CVE-2025-11712,CVE-2025-11713,CVE-2025-11714,CVE-2025-11715,CVE-2025-13012,CVE-2025-13013,CVE-2025-13014,CVE-2025-13015,CVE-2025-13016,CVE-2025-13017,CVE-2025-13018,CVE-2025-13019,CVE-2025-13020
This update for MozillaFirefox fixes the following issues:

Changes in MozillaFirefox:

Firefox Extended Support Release 140.5.0 ESR:

* Fixed: Various security fixes (MFSA 2025-88 bsc#1253188):

  * CVE-2025-13012
    Race condition in the Graphics component
  * CVE-2025-13016
    Incorrect boundary conditions in the JavaScript: WebAssembly
    component
  * CVE-2025-13017
    Same-origin policy bypass in the DOM: Notifications component
  * CVE-2025-13018
    Mitigation bypass in the DOM: Security component
  * CVE-2025-13019
    Same-origin policy bypass in the DOM: Workers component
  * CVE-2025-13013
    Mitigation bypass in the DOM: Core & HTML component
  * CVE-2025-13020
    Use-after-free in the WebRTC: Audio/Video component
  * CVE-2025-13014
    Use-after-free in the Audio/Video component
  * CVE-2025-13015
    Spoofing issue in Firefox

- Firefox Extended Support Release 140.4.0 ESR
  * Fixed: Various security fixes.
  MFSA 2025-83 (bsc#1251263)
  * CVE-2025-11708
    Use-after-free in MediaTrackGraphImpl::GetInstance()
  * CVE-2025-11709
    Out of bounds read/write in a privileged process triggered by
    WebGL textures
  * CVE-2025-11710
    Cross-process information leaked due to malicious IPC
    messages
  * CVE-2025-11711
    Some non-writable Object properties could be modified
  * CVE-2025-11712
    An OBJECT tag type attribute overrode browser behavior on web
    resources without a content-type
  * CVE-2025-11713
    Potential user-assisted code execution in “Copy as cURL”
    command
  * CVE-2025-11714
    Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR
    140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
  * CVE-2025-11715
    Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird
    ESR 140.4, Firefox 144 and Thunderbird 144

- Firefox Extended Support Release 140.3.1 ESR (bsc#1250452)
  * Fixed: Improved reliability when HTTP/3 connections fail:
    Firefox no longer forces HTTP/2 during fallback, allowing the
    server to choose the protocol and preventing stalls on some
    sites.

Firefox Extended Support Release 140.3.0 ESR

* Fixed: Various security fixes (MFSA 2025-75 bsc#1249391)

  * CVE-2025-10527
    Sandbox escape due to use-after-free in the Graphics:
    Canvas2D component
  * CVE-2025-10528
    Sandbox escape due to undefined behavior, invalid pointer in
    the Graphics: Canvas2D component
  * CVE-2025-10529
    Same-origin policy bypass in the Layout component
  * CVE-2025-10532
    Incorrect boundary conditions in the JavaScript: GC component
  * CVE-2025-10533
    Integer overflow in the SVG component
  * CVE-2025-10536
    Information disclosure in the Networking: Cache component
  * CVE-2025-10537
    Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird
    ESR 140.3, Firefox 143 and Thunderbird 143

-----------------------------------------------------------------
Advisory ID: 40
Released:    Wed Nov 19 18:19:37 2025
Summary:     Recommended update for docker
Type:        recommended
Severity:    important
References:  1222584,1223849,1226492,1233289,1252290,CVE-2024-4418
This update for docker fixes the following issues:

Changes in docker:

- Enable SELinux in default daemon.json config (--selinux-enabled). This has no
  impact on non-SELinux systems (bsc#1252290)

-----------------------------------------------------------------
Advisory ID: 44
Released:    Thu Nov 20 14:59:55 2025
Summary:     Recommended update for nvidia-open-driver-G06-signed
Type:        recommended
Severity:    moderate
References:  1221289,1229930,1229931,1229932,1230093,1232528,1234068,1236589,1249235,1249814,1250536,CVE-2024-11053,CVE-2024-28757,CVE-2024-45490,CVE-2024-45491,CVE-2024-45492,CVE-2024-8096,CVE-2024-9681,CVE-2025-0665
This update for nvidia-open-driver-G06-signed fixes the following issues:

Changes in nvidia-open-driver-G06-signed:

Update CUDA variant to 580.95.05.

Update to version 580.95.05 (boo#1250536).

Update non-CUDA variant to 580.82.07 (boo#1249235).

Update CUDA variant to 580.82.07.

-----------------------------------------------------------------
Advisory ID: 45
Released:    Thu Nov 20 17:06:27 2025
Summary:     Recommended update for wsl-firstboot
Type:        recommended
Severity:    moderate
References:  1224282,CVE-2022-47930,CVE-2024-10846,CVE-2024-11218,CVE-2024-11741,CVE-2024-13484,CVE-2024-1725,CVE-2024-34459,CVE-2024-35177,CVE-2024-36402,CVE-2024-36403,CVE-2024-3727,CVE-2024-45336,CVE-2024-45337,CVE-2024-45339,CVE-2024-45340,CVE-2024-45341,CVE-2024-47770,CVE-2024-50354,CVE-2024-51491,CVE-2024-52281,CVE-2024-52594,CVE-2024-52602,CVE-2024-52791,CVE-2024-52812,CVE-2024-53263,CVE-2024-56138,CVE-2024-56323,CVE-2024-56515,CVE-2024-57603,CVE-2024-57604,CVE-2024-9312,CVE-2024-9313,CVE-2025-0377,CVE-2025-0426,CVE-2025-0750,CVE-2025-1243,CVE-2025-1293,CVE-2025-1296,CVE-2025-1412,CVE-2025-20033,CVE-2025-20051,CVE-2025-20086,CVE-2025-20088,CVE-2025-20621,CVE-2025-21088,CVE-2025-22149,CVE-2025-22445,CVE-2025-22449,CVE-2025-22865,CVE-2025-22866,CVE-2025-22867,CVE-2025-22868,CVE-2025-22869,CVE-2025-22870,CVE-2025-22952,CVE-2025-23028,CVE-2025-23047,CVE-2025-23208,CVE-2025-23216,CVE-2025-23387,CVE-2025-23388,CVE-2025-23389,CVE-2025-24016,CVE-2025-24030,CVE-2025-24337,CVE-2025-2435
 4,CVE-2025-24355,CVE-2025-24366,CVE-2025-24369,CVE-2025-24371,CVE-2025-24376,CVE-2025-24526,CVE-2025-24784,CVE-2025-24786,CVE-2025-24787,CVE-2025-24806,CVE-2025-24883,CVE-2025-24884,CVE-2025-24976,CVE-2025-25196,CVE-2025-25199,CVE-2025-25204,CVE-2025-25279,CVE-2025-25294,CVE-2025-26260,CVE-2025-27088,CVE-2025-27090,CVE-2025-27100,CVE-2025-27112,CVE-2025-27144,CVE-2025-27155,CVE-2025-27403,CVE-2025-27414,CVE-2025-27421,CVE-2025-27507,CVE-2025-27509,CVE-2025-27616
This update for wsl-firstboot fixes the following issues:

Update to version 1.5.9+git20251110.c1fca4e:

  * Adding Leap/TW check to modules/registration
  * Changing date tag for modules/switch

Update to version 1.5.8+git20251110.828658c:

  * Adding 'or' for when ID == opensuse-tumbleweed so that wsl-config doesn't
    list 'switch' as an option in TW as well

Update to version 1.5.7+git20251108.7a67d02:

  * Adding a check for ID since we have Leap/SLE 16.0
    - Also will 'continue' when ID == opensuse-leap so that wsl-config
      doesn't list 'switch' as an option in Leap

Update to version 1.5.6+git20251104.86be8d4:

  * Adding 'sleep and clear' to sbin/wsl-firstboot
  * Adding skip check for SLE16.0 to modules/switch
  * Removing ability to skip initual user creation

-----------------------------------------------------------------
Advisory ID: 57
Released:    Wed Nov 26 15:30:14 2025
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1231185,1231328,1249191,1249348,1249367,1253757,CVE-2025-10148,CVE-2025-11563,CVE-2025-9086
This update for curl fixes the following issues:

- CVE-2025-9086: Fixed Out of bounds read for cookie path (bsc#1249191)
- CVE-2025-11563: Fixed wcurl path traversal with percent-encoded slashes (bsc#1253757)
- CVE-2025-10148: Fixed predictable WebSocket mask (bsc#1249348)

Other fixes:
- tool_operate: fix return code when --retry is used but not
  triggered (bsc#1249367)

-----------------------------------------------------------------
Advisory ID: 60
Released:    Wed Nov 26 15:34:50 2025
Summary:     Recommended update for cyrus-sasl
Type:        recommended
Severity:    moderate
References:  1221812,1227322,1229007,1233529,1235784,CVE-2024-4467,CVE-2024-7409
This update for cyrus-sasl fixes the following issues:

- Fixed Python3 error log upon importing pycurl (bsc#1233529)

-----------------------------------------------------------------
Advisory ID: 58
Released:    Wed Nov 26 18:04:24 2025
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1218644,1220523,1220690,1220693,1220696,1221365,1221751,1221752,1221753,1221760,1221763,1221786,1221787,1221821,1221822,1221824,1221827,1222548,1222899,1223306,1223336,1223428,1224388,1225291,1225551,1226463,1227138,1229465,1235786,1238472,1239206,1241166,1241637,1247222,1248630,1249161,1249226,1249302,1249317,1249397,1249398,1249495,1249512,1249608,1249735,1250202,1250379,1250400,1250455,1250491,1250704,1250721,1250749,1250946,1251176,1251177,1251232,1251233,1251804,1251809,1251819,1251930,1251967,1252033,1252035,1252039,1252044,1252047,1252051,1252052,1252056,1252060,1252062,1252064,1252065,1252067,1252069,1252070,1252072,1252074,1252075,1252076,1252078,1252079,1252081,1252082,1252083,1252253,1252265,1252267,1252270,1252330,1252333,1252336,1252346,1252348,1252349,1252678,1252679,1252688,1252725,1252734,1252772,1252774,1252780,1252785,1252787,1252789,1252797,1252819,1252822,1252826,1252841,1252848,1252849,1252850,1252851,1252854,1252858,1252862,1252865,1252866,1252873,1
 252902,1252909,1252915,1252918,1252921,1252939,CVE-2024-2511,CVE-2024-4603,CVE-2024-4741,CVE-2024-5535,CVE-2024-6119,CVE-2025-21816,CVE-2025-38653,CVE-2025-38718,CVE-2025-39676,CVE-2025-39702,CVE-2025-39756,CVE-2025-39779,CVE-2025-39797,CVE-2025-39812,CVE-2025-39866,CVE-2025-39876,CVE-2025-39881,CVE-2025-39895,CVE-2025-39903,CVE-2025-39911,CVE-2025-39947,CVE-2025-39948,CVE-2025-39949,CVE-2025-39950,CVE-2025-39955,CVE-2025-39956,CVE-2025-39963,CVE-2025-39965,CVE-2025-39967,CVE-2025-39968,CVE-2025-39969,CVE-2025-39970,CVE-2025-39971,CVE-2025-39972,CVE-2025-39973,CVE-2025-39978,CVE-2025-39979,CVE-2025-39981,CVE-2025-39982,CVE-2025-39984,CVE-2025-39985,CVE-2025-39986,CVE-2025-39987,CVE-2025-39988,CVE-2025-39991,CVE-2025-39992,CVE-2025-39993,CVE-2025-39994,CVE-2025-39995,CVE-2025-39996,CVE-2025-39997,CVE-2025-40000,CVE-2025-40005,CVE-2025-40009,CVE-2025-40011,CVE-2025-40012,CVE-2025-40013,CVE-2025-40016,CVE-2025-40018,CVE-2025-40019,CVE-2025-40020,CVE-2025-40029,CVE-2025-40032,CVE-2025-4
 0035,CVE-2025-40036,CVE-2025-40037,CVE-2025-40040,CVE-2025-40043,CVE-2025-40044,CVE-2025-40048,CVE-2025-40049,CVE-2025-40051,CVE-2025-40052,CVE-2025-40056,CVE-2025-40058,CVE-2025-40060,CVE-2025-40061,CVE-2025-40062,CVE-2025-40071,CVE-2025-40078,CVE-2025-40080,CVE-2025-40085,CVE-2025-40087,CVE-2025-40091,CVE-2025-40096,CVE-2025-40100,CVE-2025-40104,CVE-2025-40364

The SUSE Linux Enterprise 16.0 kernel was updated to fix various security issues

The following security issues were fixed:

- CVE-2025-21816: hrtimers: Force migrate away hrtimers queued after (bsc#1238472).
- CVE-2025-38653: proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al (bsc#1248630).
- CVE-2025-38718: sctp: linearize cloned gso packets in sctp_rcv (bsc#1249161).
- CVE-2025-39676: scsi: qla4xxx: Prevent a potential error pointer dereference (bsc#1249302).
- CVE-2025-39702: ipv6: sr: Fix MAC comparison to be constant-time (bsc#1249317).
- CVE-2025-39756: fs: Prevent file descriptor table allocations exceeding INT_MAX (bsc#1249512).
- CVE-2025-39779: btrfs: subpage: keep TOWRITE tag until folio is cleaned (bsc#1249495).
- CVE-2025-39812: sctp: initialize more fields in sctp_v6_from_sk() (bsc#1250202).
- CVE-2025-39866: fs: writeback: fix use-after-free in __mark_inode_dirty() (bsc#1250455).
- CVE-2025-39876: net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() (bsc#1250400).
- CVE-2025-39881: kernfs: Fix UAF in polling when open file is released (bsc#1250379).
- CVE-2025-39895: sched: Fix sched_numa_find_nth_cpu() if mask offline (bsc#1250721).
- CVE-2025-39903: of_numa: fix uninitialized memory nodes causing kernel panic (bsc#1250749).
- CVE-2025-39911: i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path (bsc#1250704).
- CVE-2025-39947: net/mlx5e: Harden uplink netdev access against device unbind (bsc#1251232).
- CVE-2025-39948: ice: fix Rx page leak on multi-buffer frames (bsc#1251233).
- CVE-2025-39949: qed: Don't collect too many protection override GRC elements (bsc#1251177).
- CVE-2025-39950: net/tcp: Fix a NULL pointer dereference when using TCP-AO with TCP_REPAIR (bsc#1251176).
- CVE-2025-39955: tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect() (bsc#1251804).
- CVE-2025-39956: igc: don't fail igc_probe() on LED setup error (bsc#1251809).
- CVE-2025-39963: io_uring: fix incorrect io_kiocb reference in io_link_skb (bsc#1251819).
- CVE-2025-39968: i40e: add max boundary check for VF filters (bsc#1252047).
- CVE-2025-39969: i40e: fix validation of VF state in get resources (bsc#1252044).
- CVE-2025-39970: i40e: fix input validation logic for action_meta (bsc#1252051).
- CVE-2025-39971: i40e: fix idx validation in config queues msg (bsc#1252052).
- CVE-2025-39972: i40e: fix idx validation in i40e_validate_queue_map (bsc#1252039).
- CVE-2025-39973: i40e: add validation for ring_len param (bsc#1252035).
- CVE-2025-39978: octeontx2-pf: Fix potential use after free in otx2_tc_add_flow() (bsc#1252069).
- CVE-2025-39979: net/mlx5: fs, add API for sharing HWS action by refcount (bsc#1252067).
- CVE-2025-39984: net: tun: Update napi->skb after XDP process (bsc#1252081).
- CVE-2025-39992: mm: swap: check for stable address space before operating on the VMA (bsc#1252076).
- CVE-2025-40000: wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait() (bsc#1252062).
- CVE-2025-40005: spi: cadence-quadspi: Implement refcount to handle unbind during busy (bsc#1252349).
- CVE-2025-40012: net/smc: fix warning in smc_rx_splice() when calling get_page() (bsc#1252330).
- CVE-2025-40018: ipvs: Defer ip_vs_ftp unregister during netns cleanup (bsc#1252688).
- CVE-2025-40040: mm/ksm: fix flag-dropping behavior in ksm_madvise (bsc#1252780).
- CVE-2025-40051: vhost: vringh: Modify the return value check (bsc#1252858).
- CVE-2025-40056: vhost: vringh: Fix copy_to_iter return value check (bsc#1252826).
- CVE-2025-40060: coresight: trbe: Return NULL pointer for allocation failures (bsc#1252848).
- CVE-2025-40078: bpf: Explicitly check accesses to bpf_sock_addr (bsc#1252789).
- CVE-2025-40080: nbd: restrict sockets to TCP and UDP (bsc#1252774).
- CVE-2025-40100: btrfs: do not assert we found block group item when creating free space tree (bsc#1252918).

The following non security issues were fixed:

- add bug reference to existing hv_netvsc change (bsc#1252265)
- amd-pstate-ut: Reset amd-pstate driver mode after running selftests (bsc#1249226).
- cgroup/cpuset: Remove remote_partition_check() & make update_cpumasks_hier() handle remote partition (bsc#1241166).
- cpuset: Use new excpus for nocpu error check when enabling root partition (bsc#1241166).
- cpuset: fix failure to enable isolated partition when containing isolcpus (bsc#1241166).
- doc/README.SUSE: Correct the character used for TAINT_NO_SUPPORT
  The character was previously 'N', but upstream used it for TAINT_TEST,
  which prompted the change of TAINT_NO_SUPPORT to 'n'.
- dpll: zl3073x: Add firmware loading functionality (bsc#1252253).
- dpll: zl3073x: Add functions to access hardware registers (bsc#1252253).
- dpll: zl3073x: Add low-level flash functions (bsc#1252253).
- dpll: zl3073x: Add support to get fractional frequency offset (bsc#1252253).
- dpll: zl3073x: Add support to get phase offset on connected input pin (bsc#1252253).
- dpll: zl3073x: Add support to get/set esync on pins (bsc#1252253).
- dpll: zl3073x: Fix double free in zl3073x_devlink_flash_update() (bsc#1252253).
- dpll: zl3073x: Handle missing or corrupted flash configuration (bsc#1252253).
- dpll: zl3073x: Implement devlink flash callback (bsc#1252253).
- dpll: zl3073x: Increase maximum size of flash utility (bsc#1252253).
- dpll: zl3073x: Refactor DPLL initialization (bsc#1252253).
- drm/amd/pm: fix smu table id bound check issue in smu_cmn_update_table() (git-fixes).
- drm/xe/guc: Prepare GuC register list and update ADS size for error capture (stable-fixes).
- ixgbe: handle IXGBE_VF_FEATURES_NEGOTIATE mbox cmd (bsc#1247222).
- ixgbe: handle IXGBE_VF_GET_PF_LINK_STATE mailbox operation (bsc#1247222).
- ixgbevf: fix getting link speed data for E610 devices (bsc#1247222).
- ixgbevf: fix mailbox API compatibility by negotiating supported features (bsc#1247222).
- kbuild/modfinal: Link livepatches with module-common.o (bsc#1218644, bsc#1252270).
- kdb: Replace deprecated strcpy() with memmove() in vkdb_printf() (bsc#1252939).
- kernel-subpackage-spec: Do not doubly-sign modules (bsc#1251930).
- nvme-auth: update sc_c in host response (git-fixes bsc#1249397).
- perf hwmon_pmu: Fix uninitialized variable warning (perf-sle16-v6.13-userspace-update, git-fixes).
- phy: cadence: cdns-dphy: Update calibration wait time for startup state machine (git-fixes).
- powerpc/fadump: skip parameter area allocation when fadump is disabled (jsc#PED-9891 git-fixes).
- proc: fix missing pde_set_flags() for net proc files (bsc#1248630)
- proc: fix type confusion in pde_set_flags() (bsc#1248630)
- rpm/check-for-config-changes: ignore CONFIG_SCHED_PROXY_EXEC, too (bsc#1250946)
- scsi: storvsc: Prefer returning channel with the same CPU as on the I/O issuing CPU (bsc#1252267).
- x86/microcode/AMD: Limit Entrysign signature checking to known generations (bsc#1252725).
- x86/resctrl: Fix miscount of bandwidth event when reactivating previously unavailable RMID (bsc#1252734).
- x86/resctrl: Refactor resctrl_arch_rmid_read() (bsc#1252734).
- x86/virt/tdx: Mark memory cache state incoherent when making SEAMCALL (jsc#PED-348).

-----------------------------------------------------------------
Advisory ID: 63
Released:    Wed Nov 26 18:44:22 2025
Summary:     Recommended update for python-PyQt6, python-PyQt6-sip, python-sip6
Type:        recommended
Severity:    moderate
References:  1012628,1193454,1194869,1205462,1208783,1213123,1214285,1215199,1220066,1220252,1220877,1221326,1221630,1221645,1221652,1221857,1222254,1222335,1222350,1222364,1222372,1222387,1222433,1222434,1222625,1222633,1222634,1222808,1222967,1222973,1223053,1223074,1223191,1223395,1223635,1223720,1223731,1223742,1223763,1223767,1223777,1223803,1224105,1224415,1224485,1224496,1224510,1224535,1224631,1224636,1224690,1224694,1224700,1224711,1225475,1225582,1225607,1225718,1225751,1225814,1225832,1225838,1225903,1226031,1226127,1226502,1226530,1226588,1226604,1226743,1226751,1226765,1226798,1226801,1226834,1226874,1226885,1226920,1227149,1227182,1227383,1227437,1227492,1227493,1227494,1227618,1227620,1227623,1227627,1227634,1227706,1227722,1227724,1227725,1227728,1227729,1227732,1227733,1227734,1227747,1227750,1227754,1227758,1227760,1227761,1227764,1227766,1227770,1227771,1227772,1227774,1227781,1227784,1227785,1227787,1227790,1227791,1227792,1227796,1227798,1227799,1227802,1227808,1
 227810,1227811,1227812,1227815,1227816,1227818,1227820,1227823,1227824,1227826,1227828,1227829,1227830,1227832,1227833,1227834,1227839,1227840,1227846,1227849,1227851,1227853,1227863,1227864,1227865,1227867,1227869,1227870,1227883,1227884,1227891,1227893,1227929,1227950,1227957,1227981,1228020,1228021,1228192,1228235,1228236,1228247,1228321,1228409,1228410,1228426,1228427,1228429,1228446,1228447,1228449,1228450,1228452,1228456,1228457,1228458,1228459,1228460,1228462,1228463,1228466,1228468,1228469,1228470,1228472,1228479,1228480,1228481,1228482,1228483,1228484,1228485,1228486,1228487,1228489,1228491,1228492,1228493,1228494,1228495,1228496,1228499,1228500,1228501,1228502,1228503,1228505,1228508,1228509,1228510,1228511,1228513,1228515,1228516,1228518,1228520,1228525,1228527,1228530,1228531,1228539,1228561,1228563,1228564,1228565,1228567,1228568,1228572,1228576,1228579,1228580,1228581,1228582,1228584,1228586,1228588,1228590,1228591,1228599,1228615,1228616,1228617,1228625,1228626,122863
 3,1228635,1228636,1228640,1228643,1228644,1228646,1228649,1228650,1228654,1228655,1228656,1228658,1228660,1228662,1228665,1228666,1228667,1228672,1228673,1228674,1228677,1228680,1228687,1228705,1228706,1228707,1228708,1228709,1228710,1228718,1228720,1228721,1228722,1228723,1228724,1228726,1228727,1228733,1228737,1228743,1228748,1228754,1228756,1228757,1228758,1228764,1228766,1228779,1228801,1228849,1228850,1228857,1228959,1228964,1228966,1228967,1228971,1228973,1228977,1228978,1228979,1228986,1228988,1228989,1228991,1228992,1229005,1229024,1229025,1229042,1229045,1229046,1229054,1229056,1229086,1229134,1229136,1229154,1229156,1229160,1229167,1229168,1229169,1229170,1229171,1229172,1229173,1229174,1229239,1229240,1229241,1229243,1229244,1229245,1229246,1229247,1229248,1229249,1229250,1229251,1229252,1229253,1229254,1229255,1229256,1229287,1229290,1229291,1229292,1229294,1229296,1229297,1229298,1229299,1229301,1229303,1229304,1229305,1229307,1229309,1229312,1229313,1229314,1229315,122
 9316,1229317,1229318,1229319,1229320,1229327,1229341,1229342,1229344,1229345,1229346,1229347,1229349,1229350,1229351,1229353,1229354,1229355,1229356,1229357,1229358,1229359,1229360,1229365,1229366,1229369,1229370,1229373,1229374,1229379,1229381,1229382,1229383,1229386,1229388,1229390,1229391,1229392,1229395,1229398,1229399,1229400,1229402,1229403,1229404,1229407,1229409,1229410,1229411,1229413,1229414,1229417,1229444,1229451,1229452,1229455,1229456,1229480,1229481,1229482,1229484,1229485,1229486,1229487,1229488,1229489,1229490,1229493,1229495,1229496,1229497,1229500,1229503,1229707,1229739,1229743,1229746,1229747,1229752,1229754,1229755,1229756,1229759,1229761,1229767,1229781,1229784,1229785,1229787,1229788,1229789,1229792,1229820,1229827,1229830,1229837,1229940,1230056,1236878,CVE-2023-52489,CVE-2023-52581,CVE-2023-52668,CVE-2023-52688,CVE-2023-52859,CVE-2023-52885,CVE-2023-52886,CVE-2023-52887,CVE-2023-52889,CVE-2024-12133,CVE-2024-26590,CVE-2024-26631,CVE-2024-26637,CVE-2024-2666
 8,CVE-2024-26669,CVE-2024-26677,CVE-2024-26682,CVE-2024-26683,CVE-2024-26735,CVE-2024-26808,CVE-2024-26809,CVE-2024-26812,CVE-2024-26835,CVE-2024-26837,CVE-2024-26849,CVE-2024-26851,CVE-2024-26976,CVE-2024-27010,CVE-2024-27011,CVE-2024-27024,CVE-2024-27049,CVE-2024-27050,CVE-2024-27079,CVE-2024-27403,CVE-2024-27433,CVE-2024-27437,CVE-2024-31076,CVE-2024-35855,CVE-2024-35897,CVE-2024-35902,CVE-2024-35913,CVE-2024-35939,CVE-2024-35949,CVE-2024-36270,CVE-2024-36286,CVE-2024-36288,CVE-2024-36489,CVE-2024-36881,CVE-2024-36907,CVE-2024-36929,CVE-2024-36933,CVE-2024-36939,CVE-2024-36970,CVE-2024-36979,CVE-2024-38563,CVE-2024-38609,CVE-2024-38662,CVE-2024-39476,CVE-2024-39483,CVE-2024-39484,CVE-2024-39486,CVE-2024-39488,CVE-2024-39489,CVE-2024-39491,CVE-2024-39493,CVE-2024-39497,CVE-2024-39499,CVE-2024-39500,CVE-2024-39501,CVE-2024-39505,CVE-2024-39506,CVE-2024-39508,CVE-2024-39509,CVE-2024-39510,CVE-2024-40899,CVE-2024-40900,CVE-2024-40902,CVE-2024-40903,CVE-2024-40904,CVE-2024-40905,CVE-2
 024-40909,CVE-2024-40910,CVE-2024-40911,CVE-2024-40912,CVE-2024-40913,CVE-2024-40916,CVE-2024-40920,CVE-2024-40921,CVE-2024-40922,CVE-2024-40924,CVE-2024-40926,CVE-2024-40927,CVE-2024-40929,CVE-2024-40930,CVE-2024-40932,CVE-2024-40934,CVE-2024-40936,CVE-2024-40938,CVE-2024-40939,CVE-2024-40941,CVE-2024-40942,CVE-2024-40943,CVE-2024-40944,CVE-2024-40945,CVE-2024-40954,CVE-2024-40956,CVE-2024-40957,CVE-2024-40958,CVE-2024-40959,CVE-2024-40962,CVE-2024-40964,CVE-2024-40967,CVE-2024-40976,CVE-2024-40977,CVE-2024-40978,CVE-2024-40981,CVE-2024-40982,CVE-2024-40984,CVE-2024-40987,CVE-2024-40988,CVE-2024-40989,CVE-2024-40990,CVE-2024-40992,CVE-2024-40994,CVE-2024-40995,CVE-2024-40997,CVE-2024-41000,CVE-2024-41001,CVE-2024-41002,CVE-2024-41004,CVE-2024-41007,CVE-2024-41009,CVE-2024-41010,CVE-2024-41012,CVE-2024-41015,CVE-2024-41016,CVE-2024-41020,CVE-2024-41022,CVE-2024-41024,CVE-2024-41025,CVE-2024-41028,CVE-2024-41032,CVE-2024-41035,CVE-2024-41036,CVE-2024-41037,CVE-2024-41038,CVE-2024-410
 39,CVE-2024-41040,CVE-2024-41041,CVE-2024-41044,CVE-2024-41045,CVE-2024-41048,CVE-2024-41049,CVE-2024-41050,CVE-2024-41051,CVE-2024-41056,CVE-2024-41057,CVE-2024-41058,CVE-2024-41059,CVE-2024-41060,CVE-2024-41061,CVE-2024-41062,CVE-2024-41063,CVE-2024-41064,CVE-2024-41065,CVE-2024-41066,CVE-2024-41068,CVE-2024-41069,CVE-2024-41070,CVE-2024-41071,CVE-2024-41072,CVE-2024-41073,CVE-2024-41074,CVE-2024-41075,CVE-2024-41076,CVE-2024-41078,CVE-2024-41079,CVE-2024-41080,CVE-2024-41081,CVE-2024-41084,CVE-2024-41087,CVE-2024-41088,CVE-2024-41089,CVE-2024-41092,CVE-2024-41093,CVE-2024-41094,CVE-2024-41095,CVE-2024-41096,CVE-2024-41097,CVE-2024-41098,CVE-2024-42064,CVE-2024-42069,CVE-2024-42070,CVE-2024-42073,CVE-2024-42074,CVE-2024-42076,CVE-2024-42077,CVE-2024-42079,CVE-2024-42080,CVE-2024-42082,CVE-2024-42085,CVE-2024-42086,CVE-2024-42087,CVE-2024-42089,CVE-2024-42090,CVE-2024-42092,CVE-2024-42093,CVE-2024-42095,CVE-2024-42096,CVE-2024-42097,CVE-2024-42098,CVE-2024-42101,CVE-2024-42104,CVE-
 2024-42105,CVE-2024-42106,CVE-2024-42107,CVE-2024-42109,CVE-2024-42110,CVE-2024-42113,CVE-2024-42114,CVE-2024-42115,CVE-2024-42117,CVE-2024-42119,CVE-2024-42120,CVE-2024-42121,CVE-2024-42122,CVE-2024-42124,CVE-2024-42125,CVE-2024-42126,CVE-2024-42127,CVE-2024-42130,CVE-2024-42131,CVE-2024-42132,CVE-2024-42133,CVE-2024-42136,CVE-2024-42137,CVE-2024-42138,CVE-2024-42139,CVE-2024-42141,CVE-2024-42142,CVE-2024-42143,CVE-2024-42144,CVE-2024-42145,CVE-2024-42147,CVE-2024-42148,CVE-2024-42152,CVE-2024-42153,CVE-2024-42155,CVE-2024-42156,CVE-2024-42157,CVE-2024-42158,CVE-2024-42159,CVE-2024-42161,CVE-2024-42162,CVE-2024-42223,CVE-2024-42224,CVE-2024-42225,CVE-2024-42226,CVE-2024-42227,CVE-2024-42228,CVE-2024-42229,CVE-2024-42230,CVE-2024-42232,CVE-2024-42236,CVE-2024-42237,CVE-2024-42238,CVE-2024-42239,CVE-2024-42240,CVE-2024-42241,CVE-2024-42244,CVE-2024-42245,CVE-2024-42246,CVE-2024-42247,CVE-2024-42250,CVE-2024-42253,CVE-2024-42259,CVE-2024-42268,CVE-2024-42269,CVE-2024-42270,CVE-2024-42
 271,CVE-2024-42274,CVE-2024-42276,CVE-2024-42277,CVE-2024-42278,CVE-2024-42279,CVE-2024-42280,CVE-2024-42281,CVE-2024-42283,CVE-2024-42284,CVE-2024-42285,CVE-2024-42286,CVE-2024-42287,CVE-2024-42288,CVE-2024-42289,CVE-2024-42290,CVE-2024-42291,CVE-2024-42292,CVE-2024-42295,CVE-2024-42298,CVE-2024-42301,CVE-2024-42302,CVE-2024-42303,CVE-2024-42308,CVE-2024-42309,CVE-2024-42310,CVE-2024-42311,CVE-2024-42312,CVE-2024-42313,CVE-2024-42314,CVE-2024-42315,CVE-2024-42316,CVE-2024-42318,CVE-2024-42319,CVE-2024-42320,CVE-2024-42322,CVE-2024-43816,CVE-2024-43817,CVE-2024-43818,CVE-2024-43819,CVE-2024-43821,CVE-2024-43823,CVE-2024-43824,CVE-2024-43825,CVE-2024-43826,CVE-2024-43829,CVE-2024-43830,CVE-2024-43831,CVE-2024-43833,CVE-2024-43834,CVE-2024-43837,CVE-2024-43839,CVE-2024-43840,CVE-2024-43841,CVE-2024-43842,CVE-2024-43846,CVE-2024-43847,CVE-2024-43849,CVE-2024-43850,CVE-2024-43851,CVE-2024-43853,CVE-2024-43854,CVE-2024-43855,CVE-2024-43856,CVE-2024-43858,CVE-2024-43860,CVE-2024-43861,CVE
 -2024-43863,CVE-2024-43864,CVE-2024-43866,CVE-2024-43867,CVE-2024-43871,CVE-2024-43872,CVE-2024-43873,CVE-2024-43874,CVE-2024-43875,CVE-2024-43876,CVE-2024-43877,CVE-2024-43879,CVE-2024-43880,CVE-2024-43881,CVE-2024-43882,CVE-2024-43883,CVE-2024-43884,CVE-2024-43885,CVE-2024-43889,CVE-2024-43892,CVE-2024-43893,CVE-2024-43894,CVE-2024-43895,CVE-2024-43897,CVE-2024-43899,CVE-2024-43900,CVE-2024-43902,CVE-2024-43903,CVE-2024-43905,CVE-2024-43906,CVE-2024-43907,CVE-2024-43908,CVE-2024-43909,CVE-2024-43911,CVE-2024-43912,CVE-2024-44931,CVE-2024-44938,CVE-2024-44939
This update for python-PyQt6, python-PyQt6-sip, python-sip6 fixes the following issues:

Changes in python-PyQt6:

- Update to 6.9.1
  * The licensing information now conforms to PEP 639.
  * Enums that have a base type smaller than int are now properly specified and handled.
  * Fixed a regression that broke building against versions of Qt older than v6.5.
  * Fixed pyuic6 to handle QIcons created from QIcon.ThemeIcon.

Changes in python-PyQt6-sip:

- Update to 13.10.2
  * Match python3-sip6-devel 6.11.1
  * Changes WRT PEP 639. See python-sip6

Changes in python-sip6:

- Update to 6.12.0
- Convert to libalternatives on SLE-16-based and newer systems


-----------------------------------------------------------------
Advisory ID: 65
Released:    Thu Nov 27 11:11:16 2025
Summary:     Security update for xwayland
Type:        security
Severity:    important
References:  1223234,1229952,1230029,1237363,1237370,1237418,1251958,1251959,1251960,CVE-2024-32650,CVE-2024-43806,CVE-2024-56171,CVE-2025-24928,CVE-2025-27113,CVE-2025-62229,CVE-2025-62230,CVE-2025-62231
This update for xwayland fixes the following issues:

- CVE-2025-62229: Fixed use-after-free in XPresentNotify structures creation (bsc#1251958).
- CVE-2025-62230: Fixed use-after-free in Xkb client resource removal (bsc#1251959).
- CVE-2025-62231: Fixed value overflow in Xkb extension XkbSetCompatMap() (bsc#1251960).

-----------------------------------------------------------------
Advisory ID: 67
Released:    Thu Nov 27 11:43:11 2025
Summary:     Recommended update for read-only-root-fs
Type:        recommended
Severity:    moderate
References:  1215484,1219041,1220357,1220905,1226141,1228182,1228690,1229109,1229539,1230093,1230322,1230516,1230642,1230944,1231605,1233667,1234022,1234881,1250133,CVE-2024-8096
This update for read-only-root-fs fixes the following issues:

- Add additional check in %post to prevent generating the btrfs
  /etc subvolume during a KIWI run (bsc#1250133)

-----------------------------------------------------------------
Advisory ID: 73
Released:    Thu Nov 27 16:46:11 2025
Summary:     Recommended update for mdadm
Type:        recommended
Severity:    moderate
References:  1200723,1204968,1207266,1213873,1218110,1221906,1226414,1226415,1228091,1228184,1228223,1228809,1229518,1229997,1241474,1243443,1246806,1248097,1253060,CVE-2022-3821,CVE-2024-40897
This update for mdadm fixes the following issues:

- Version update 4.4+29.gf8bb524b.
- Fix race condition between mdcheck_start.service and mdcheck_continue.service
  (bsc#1243443, bsc#1248097).
- mdadm_env.sh ignoring MDADM_RAIDDEVICES if MDADM_SCAN is set (bsc#1229997).
- Split off the Software RAID HOWTO into a -doc package.
- Upstream bug fixes for mdadm (bsc#1253060).
- _service: switch to tar_scm for better interoperabity with SLFO.
- Fix systemd unit file handling in spec file (bnc#1207266).
- Stop emitting %release into program binaries (bnc#1246806).
- Add MAILFROM address to email envelope, avoid smtp auth errors (bsc#1241474).

-----------------------------------------------------------------
Advisory ID: 74
Released:    Thu Nov 27 16:52:25 2025
Summary:     Recommended update for libnxz
Type:        recommended
Severity:    moderate
References:  1220770,1220771,1220772,1227186,1227187,CVE-2024-26458,CVE-2024-26461,CVE-2024-26462,CVE-2024-37370,CVE-2024-37371
This update for libnxz fixes the following issues:

Update to version 0.64+git4.2f1ae54:

  * lib/nx_crc : Fix compile error with gcc15
  * Changed README.md instructions to substitute zlib

-----------------------------------------------------------------
Advisory ID: 77
Released:    Thu Nov 27 20:50:12 2025
Summary:     Recommended update for gpgme
Type:        recommended
Severity:    important
References:  1215377,1231055,1238591,1239625,1239637,1252425,CVE-2023-40403,CVE-2024-55549,CVE-2025-24855
This update for gpgme fixes the following issues:

- Treat empty DISPLAY variable as unset (bsc#1252425, bsc#1231055)
    * To avoid gpgme constructing an invalid gpg command line when
      the DISPLAY variable is empty it can be treated as unset.
    * Reported upstream: dev.gnupg.org/T7919

-----------------------------------------------------------------
Advisory ID: 91
Released:    Tue Dec  2 14:51:41 2025
Summary:     Security update for python-cbor2
Type:        security
Severity:    important
References:  1220096,1227316,1230778,1253746,CVE-2024-26134,CVE-2024-7254,CVE-2025-64076
This update for python-cbor2 fixes the following issues:

- CVE-2025-64076: Fixed bug in decode_definite_long_string() that causes incorrect chunk length calculation (bsc#1253746).


Already fixed in release 5.6.3:

- CVE-2024-26134: Fixed potential crash when hashing a CBORTag (bsc#1220096).

-----------------------------------------------------------------
Advisory ID: 92
Released:    Tue Dec  2 15:31:03 2025
Summary:     Recommended update for afterburn
Type:        recommended
Severity:    important
References:  1224262,1231472,1250471,CVE-2024-26306
This update for afterburn fixes the following issues:

- Update to version 5.9.0.git21.a73f509:
  * docs/release-notes: update for release 5.10.0
  * cargo: update dependencies
  * microsoft/azure: Add XML attribute alias for serde-xml-rs Fedora compat
  * docs/release-notes: Add entry for Azure SharedConfig XML parsing fix
  * microsoft/azure: Fix SharedConfig parsing of XML attributes
  * microsoft/azure: Mock goalstate.SharedConfig output in tests
  * providers/azure: switch SSH key retrieval from certs endpoint to IMDS
    as azure stopped providing keys in the old one (bsc#1250471)
  * build(deps): bump the build group with 8 updates
  * build(deps): bump slab from 0.4.10 to 0.4.11
  * build(deps): bump actions/checkout from 4 to 5
  * upcloud: implement UpCloud provider
  * build(deps): bump the build group with 4 updates


- Update to version 5.9.0:
  * cargo: Afterburn release 5.9.0
  * docs/release-notes: update for release 5.9.0
  * cargo: update dependencies
  * Add TMT test structure and basic smoke test
  * build(deps): bump openssl from 0.10.72 to 0.10.73
  * build(deps): bump reqwest from 0.12.15 to 0.12.18
  * docs/release-notes: Update changelog entry
  * dracut: Return 255 in module-setup
  * oraclecloud: add release note and move base URL to constant
  * oraclecloud: implement oraclecloud provider
  * build(deps): bump nix from 0.29.0 to 0.30.1
  * build(deps): bump zbus from 5.7.0 to 5.7.1
  * build(deps): bump serde-xml-rs from 0.6.0 to 0.8.1
  * build(deps): bump ipnetwork from 0.20.0 to 0.21.1
  * build(deps): bump clap from 4.5.38 to 4.5.39

-----------------------------------------------------------------
Advisory ID: 94
Released:    Thu Dec  4 09:53:01 2025
Summary:     Recommended update for samba
Type:        recommended
Severity:    moderate
References:  1194818,1236619,1249179,CVE-2025-24528
This update for samba fixes the following issues:

- Update [printers] location to /var/samba/spool (bsc#1249179).
- Update to version 4.22.6:
    * macOS Finder client DFS broken on 4.22.0;
    * Samba 4.22 breaks Time Machine;
    * Spotlight search restriction for shares incomplete and
      default search searches in too many attributes;
    * rpcd_mdssvc may crash because name mangling is not initialized;
    * Only increment lease epoch if a lease was granted;
    * samba-4.21 fails to join AD when multiple DCs are returned;
    * 'net ads group' failed to list domain groups;
    * vfs_ceph_new should not use ceph_ll_nonblocking_readv_writev for fsync_send;
    * CTDB_SOCKET can be used even when CTDB_TEST_MODE is not set;

-----------------------------------------------------------------
Advisory ID: 95
Released:    Fri Dec  5 00:52:53 2025
Summary:     Recommended update for libpulp
Type:        recommended
Severity:    important
References:  1159034,1194818,1218609,1220117,1221831,1223605,1224285,1225197,1225598,1229476,1231208,1231230,1231499,1231698,1243787,1249417,1250436,CVE-2024-28085,CVE-2024-6104,CVE-2024-9341,CVE-2024-9407,CVE-2024-9675,CVE-2024-9676
This update for libpulp fixes the following issues:

- Fix dlopen and dlmopen search paths (bsc#1250436).
- Fix ld.so.conf being modified in SLE-16.
- Fix `ldconfig` constructing ld.so.cache in the new snapshot (bsc#1249417).
- Improve `ulp <command> --help` (bsc#1243787).
- Add support to glibc 2.42.

-----------------------------------------------------------------
Advisory ID: 97
Released:    Tue Dec  9 17:19:43 2025
Summary:     Recommended update for libX11
Type:        recommended
Severity:    important
References:  1225070,1226660,1227590,1227593,1227594,1227595,1234015,1236886,1252250,CVE-2024-28397,CVE-2024-36039,CVE-2024-38875,CVE-2024-39329,CVE-2024-39330,CVE-2024-39614
This update for libX11 fixes the following issues:

- Fix: Barcode scanner input gets jumbled when ibus is running and
  an application written in certain frameworks has focus (bsc#1252250)

-----------------------------------------------------------------
Advisory ID: 99
Released:    Wed Dec 10 12:57:25 2025
Summary:     Recommended update for re2c
Type:        recommended
Severity:    important
References:  1010996,1199079,1229003,1234798,1240009,1240343,1252224,441356,CVE-2024-10389,CVE-2024-10975,CVE-2024-45794,CVE-2024-48057,CVE-2024-51735,CVE-2024-51746
This update for re2c fixes the following issues:

- Fix the %licence tag for re2c (bsc#1252224)

-----------------------------------------------------------------
Advisory ID: 98
Released:    Fri Dec 12 16:58:27 2025
Summary:     Security update for binutils
Type:        security
Severity:    important
References:  1217885,1228086,1231476,1231792,1232063,1236632,1236976,1236977,1236978,1236982,1236999,1237000,1237001,1237003,1237005,1237018,1237019,1237020,1237021,1237042,1237695,1239632,1240870,1240919,1243756,1243760,1246481,1246486,1247105,1247114,1247117,1250632,1251275,1251276,1251277,1251794,1251795,CVE-2024-9781,CVE-2025-0840,CVE-2025-11083,CVE-2025-11412,CVE-2025-11413,CVE-2025-11414,CVE-2025-1147,CVE-2025-1148,CVE-2025-1149,CVE-2025-11494,CVE-2025-11495,CVE-2025-1150,CVE-2025-1151,CVE-2025-1152,CVE-2025-1153,CVE-2025-1176,CVE-2025-1178,CVE-2025-1179,CVE-2025-1180,CVE-2025-1181,CVE-2025-1182,CVE-2025-3198,CVE-2025-5244,CVE-2025-5245,CVE-2025-7545,CVE-2025-7546,CVE-2025-8224,CVE-2025-8225
This update for binutils fixes the following issues:

Changes in binutils:

- Update to current 2.45 branch at 94cb1c075 to include fix
  for PR33584 (a problem related to LTO vs fortran COMMON
  blocks).

- Do not enable '-z gcs=implicit' on aarch64 for old codestreams.

Update to version 2.45:

  * New versioned release of libsframe.so.2
  * s390: tools now support SFrame format 2; recognize 'z17' as CPU
    name [bsc#1247105, jsc#IBM-1485]
  * sframe sections are now of ELF section type SHT_GNU_SFRAME.
  * sframe secions generated by the assembler have
    SFRAME_F_FDE_FUNC_START_PCREL set.
  * riscv: Support more extensions: standard: Zicfiss v1.0, Zicfilp v1.0,
    Zcmp v1.0, Zcmt v1.0, Smrnmi v1.0, S[sm]dbltrp v1.0, S[sm]ctr v1.0,
    ssqosid v1.0, ssnpm v1.0, smnpm v1.0, smmpm v1.0, sspm v1.0, supm v1.0,
    sha v1.0, zce v1.0, smcdeleg v1.0, ssccfg v1.0, svvptc v1.0, zilsd v1.0,
    zclsd v1.0, smrnmi v1.0;
    vendor: CORE-V, xcvbitmanip v1.0 and xcvsimd v1.0;
    SiFive, xsfvqmaccdod v1.0, xsfvqmaccqoqv1.0 and xsfvfnrclipxfqf v1.0;
    T-Head: xtheadvdot v1.0;
    MIPS: xmipscbop v1.0, xmipscmov v1.0, xmipsexectl v1.0, xmipslsp v1.0.
  * Support RISC-V privileged version 1.13, profiles 20/22/23, and
    .bfloat16 directive.
  * x86: Add support for these ISAs: Intel Diamond Rapids AMX, MOVRS,
    AVX10.2 (including SM4), MSR_IMM; Zhaoxin PadLock PHE2, RNG2, GMI, XMODX.
    Drop support for  AVX10.2 256 bit rounding.
  * arm: Add support for most of Armv9.6, enabled by -march=armv9.6-a and
    extensions '+cmpbr', '+f8f16mm', '+f8f32mm', '+fprcvt', '+lsfe', '+lsui',
    '+occmo', '+pops', '+sme2p2', '+ssve-aes', '+sve-aes', '+sve-aes2',
    '+sve-bfscale', '+sve-f16f32mm' and '+sve2p2'.
  * Predefined symbols 'GAS(version)' and, on non-release builds, 'GAS(date)'
    are now being made available.
  * Add .errif and .warnif directives.
  * linker:
    - Add --image-base=<ADDR> option to the ELF linker to behave the same
      as -Ttext-segment for compatibility with LLD.
    - Add support for mixed LTO and non-LTO codes in relocatable output.
    - s390: linker generates .eh_frame and/or .sframe for linker
      generated .plt sections by default (can be disabled
      by --no-ld-generated-unwind-info).
    - riscv: add new PLT formats, and GNU property merge rules for zicfiss
      and zicfilp extensions.
- gold is no longer included

- Contains fixes for these non-CVEs (not security bugs per upstreams
  SECURITY.md):

  * bsc#1236632 aka CVE-2025-0840 aka PR32560
  * bsc#1236977 aka CVE-2025-1149 aka PR32576
  * bsc#1236978 aka CVE-2025-1148 aka PR32576
  * bsc#1236999 aka CVE-2025-1176 aka PR32636
  * bsc#1237000 aka CVE-2025-1153 aka PR32603
  * bsc#1237001 aka CVE-2025-1152 aka PR32576
  * bsc#1237003 aka CVE-2025-1151 aka PR32576
  * bsc#1237005 aka CVE-2025-1150 aka PR32576
  * bsc#1237018 aka CVE-2025-1178 aka PR32638
  * bsc#1237019 aka CVE-2025-1181 aka PR32643
  * bsc#1237020 aka CVE-2025-1180 aka PR32642
  * bsc#1237021 aka CVE-2025-1179 aka PR32640
  * bsc#1237042 aka CVE-2025-1182 aka PR32644
  * bsc#1240870 aka CVE-2025-3198 aka PR32716
  * bsc#1243756 aka CVE-2025-5244 aka PR32858
  * bsc#1243760 aka CVE-2025-5245 aka PR32829
  * bsc#1246481 aka CVE-2025-7545 aka PR33049
  * bsc#1246486 aka CVE-2025-7546 aka PR33050
  * bsc#1247114 aka CVE-2025-8224 aka PR32109
  * bsc#1247117 aka CVE-2025-8225 no PR
  * bsc#1236976 aka CVE-2025-1147 aka PR32556
  * bsc#1250632 aka CVE-2025-11083 aka PR33457
  * bsc#1251275 aka CVE-2025-11412 aka PR33452
  * bsc#1251276 aka CVE-2025-11413 aka PR33456
  * bsc#1251277 aka CVE-2025-11414 aka PR33450
  * bsc#1251794 aka CVE-2025-11494 aka PR33499
  * bsc#1251795 aka CVE-2025-11495 aka PR33502
  binutils-2.43-branch.diff.gz

-----------------------------------------------------------------
Advisory ID: 106
Released:    Mon Dec 15 13:52:50 2025
Summary:     Security update for grub2
Type:        security
Severity:    important
References:  1216320,1229122,1234959,1236045,1236046,1236801,1238572,1240550,1245636,1245738,1245953,1246231,1247242,1249088,1249385,1252930,1252931,1252932,1252933,1252934,1252935,CVE-2024-45336,CVE-2024-45341,CVE-2024-56738,CVE-2025-22866,CVE-2025-22870,CVE-2025-22871,CVE-2025-54770,CVE-2025-54771,CVE-2025-61661,CVE-2025-61662,CVE-2025-61663,CVE-2025-61664
This update for grub2 fixes the following issues:

Changes in grub2:

- CVE-2025-54771: Fixed grub_file_close() does not properly controls the fs refcount (bsc#1252931)
- CVE-2025-54770: Fixed missing unregister call for net_set_vlan command may lead to use-after-free  (bsc#1252930)
- CVE-2025-61662: Fixed missing unregister call for gettext command may lead to use-after-free (bsc#1252933)
- CVE-2025-61663: Fixed missing unregister call for normal commands may lead to use-after-free (bsc#1252934)
- CVE-2025-61664: Fixed missing unregister call for normal_exit command may lead to use-after-free (bsc#1252935)
- CVE-2025-61661: Fixed out-of-bounds write in grub_usb_get_string() function (bsc#1252932)

- Bump upstream SBAT generation to 6

- Fix 'sparse file not allowed' error after grub2-reboot (bsc#1245738)
- Fix PowerPC network boot prefix to correctly locate grub.cfg (bsc#1249385)
- turn off page flipping for i386-pc using VBE video backend (bsc#1245636)
- Fix boot hangs in setting up serial console when ACPI SPCR table is present
  and redirection is disabled (bsc#1249088)
- Fix timeout when loading initrd via http after PPC CAS reboot (bsc#1245953)
- Skip mount point in grub_find_device function (bsc#1246231)

- CVE-2024-56738: Fixed side-channel attack due to not constant-time algorithm in grub_crypto_memcmp (bsc#1234959)

-----------------------------------------------------------------
Advisory ID: 107
Released:    Mon Dec 15 19:16:15 2025
Summary:     Security update for openssl-3
Type:        security
Severity:    important
References:  1225771,1250232,1250233,1250234,CVE-2024-5564,CVE-2025-9230,CVE-2025-9231,CVE-2025-9232
This update for openssl-3 fixes the following issues:

- CVE-2025-9230: Fixed out-of-bounds read & write in RFC 3211 KEK unwrap (bsc#1250232)
- CVE-2025-9231: Fixedk timing side-channel in SM2 algorithm on 64 bit ARM (bsc#1250233)
- CVE-2025-9232: Fixed out-of-bounds read in HTTP client no_proxy handling (bsc#1250234)

-----------------------------------------------------------------
Advisory ID: 108
Released:    Tue Dec 16 12:13:33 2025
Summary:     Recommended update for openldap2_6
Type:        recommended
Severity:    moderate
References:  1027519,1214718,1218851,1219080,1219559,1219561,1219885,1221289,1221332,1221334,1221984,1222302,1222453,1225953,1227355,1228574,1228575,1229930,1229931,1229932,1232579,1232601,1239618,CVE-2013-0340,CVE-2019-15903,CVE-2023-28746,CVE-2023-46839,CVE-2023-46840,CVE-2023-46841,CVE-2023-46842,CVE-2023-52425,CVE-2023-52426,CVE-2024-2193,CVE-2024-2201,CVE-2024-28757,CVE-2024-31142,CVE-2024-31143,CVE-2024-31145,CVE-2024-31146,CVE-2024-45490,CVE-2024-45491,CVE-2024-45492,CVE-2024-50602,CVE-2024-8176
This update for openldap2_6 fixes the following issues:

Changes in openldap2_6:

- Add limited support for libldap-2.4 library compatibility (jsc#PED-13833)

-----------------------------------------------------------------
Advisory ID: 109
Released:    Tue Dec 16 15:14:02 2025
Summary:     Recommended update for freetype2
Type:        recommended
Severity:    moderate
References:  1233593,1233594,1233773,CVE-2024-10524,CVE-2024-11595,CVE-2024-11596
This update for freetype2 fixes the following issues:

Changes in freetype2:

- update to 2.13.3:
- Do not build the ft2demos flavor in SLE16 where Qt5 will not be
  available

-----------------------------------------------------------------
Advisory ID: 117
Released:    Mon Dec 22 11:29:06 2025
Summary:     Recommended update for wicked2nm
Type:        recommended
Severity:    moderate
References:  1218609,1220117,1221831,1223605,1225598,1231141,CVE-2024-28085
This update for wicked2nm fixes the following issues:

- Update to v1.4.0
    * Activate only connections if present in the current system
    * Improve error output, exit codes and add flag to disable user hints
    * Add support for autoip-fallback

-----------------------------------------------------------------
Advisory ID: 119
Released:    Fri Jan  2 17:58:16 2026
Summary:     Security update for sssd
Type:        security
Severity:    important
References:  1218345,1231833,1240310,1240311,1240997,1244325,1251827,CVE-2025-11561
This update for sssd fixes the following issues:

- CVE-2025-11561: Fixed default Kerberos configuration allowing privilege
  escalation on AD-joined Linux systems (bsc#1244325)

-----------------------------------------------------------------
Advisory ID: 120
Released:    Wed Jan  7 10:12:50 2026
Summary:     Recommended update for patterns-sap
Type:        recommended
Severity:    critical
References:  1224285,1232425,1232579,1250279,1254650,CVE-2024-50602
This update for patterns-sap fixes the following issues:

- remove package 'golang-github-prometheus-prometheus' from pattern
  'trento_server' and 'monitoring' (bsc#1254650)
- fix pattern name used in Provides/Obsoletes of SLE15 pattern 'sap_server' (bsc#1250279)

-----------------------------------------------------------------
Advisory ID: 122
Released:    Wed Jan  7 12:23:24 2026
Summary:     Recommended update for maven-parent, maven-invoker, maven-filtering, maven-file-management, maven-doxia-sitetools, maven-doxia, maven-dependency-tree, maven-dependency-analyzer, maven-artifact-transfer, maven-archiver, xom, maven-plugin-tools, objectweb-asm, plexus-xml, plexus-velocity, plexus-sec-dispatcher, velocity-engine, plexus-languages, plexus-io, plexus-interpolation, plexus-interactivity, plexus-i18n, plexus-compiler, plexus-classworlds, plexus-cipher, plexus-build-api, maven, maven-resolver, xmvn
Type:        recommended
Severity:    moderate
References:  1219503,1225365,1234128,1234665,1239883,1243317,CVE-2023-32324,CVE-2023-32360,CVE-2023-34241,CVE-2023-4504,CVE-2024-35235,CVE-2025-4802
This update for maven-parent, maven-invoker, maven-filtering, maven-file-management, maven-doxia-sitetools, maven-doxia, maven-dependency-tree, maven-dependency-analyzer, maven-artifact-transfer, maven-archiver, xom, maven-plugin-tools, plexus-xml, plexus-velocity, plexus-sec-dispatcher, velocity-engine, plexus-languages, plexus-io, plexus-interpolation, plexus-interactivity, plexus-i18n, plexus-compiler, plexus-classworlds, plexus-cipher, plexus-build-api, maven, maven-resolver, xmvn fixes the following issues:

Changes in maven-parent:

- Upgrade to Apache Maven parent POM version 45

  * New features and improvements

    + Use a standard tag template for releases

  * Bug Fixes

    + Use spotless / palantirJavaFormat - 2.56.0 for all JDKs

  * Build

    + Allow manually executing release-drafter

- Upgrade to Apache Maven parent POM version 44

  * Breaking changes

    + Move snapshot repositories in a profile
    + Check test code by checkstyle

  * New features and improvements

    + Move snapshot repositories in a profile
    + Introduce property maven.site.path.suffix to allow override
      site path
    + Use v@{project.version} as tag template for releases
    + import KEYS history from svn
    + Add licenseText to modello
    + Update site descriptor to 2.0
    + Check test code by checkstyle
    + Add issues templates
    + Accept all line endings with spotless
    + Enable automatic formatter when not on CI

  * Bug Fixes

    + Fix asf.yaml syntax
    + Skip render empty taglist report

Changes in maven-invoker:

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in maven-filtering:

- Bogus dependency on plexus-xml
  (https://github.com/apache/maven-filtering/issues/286)

- Upgrade to version 3.4.0

  * Changes

    + Bump apache/maven-gh-actions-shared from 3 to 4
    + Bump org.apache.maven.shared:maven-shared-components from 41
    + MSHARED-1412: Allow to customize Interpolator used by filter

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in maven-file-management:

- Update to upstream version 3.2.0

  * New features and improvements

    + Enable GitHub Issues
    + Add Release Drafter
    + MSHARED-1203: no longer need to shell out to create a symbolic
      link
    + Java 7 can detect symbolic links

  * Maintenance

    + Update site descriptor
    + Skip generating of xml reader and writer for FileSet
    + Use version of modello-maven-plugin from parent
    + Add PR Automation and Stale actions
    + MSHARED-1448: Refresh download page
    + remove duplicate tests and unneeded code
    + fix JUnit dependencies
    + MSHARED-1265: use JUnit assumptions
    + MSHARED-1203: use JUnit @TempDir
    + MSHARED-1264: Convert to JUnit5
    + Add GitHub Actions setup and Dependabot

  * Dependency updates

    + Bump commons-io:commons-io from 2.18.0 to 2.19.0
    + Bump org.apache.maven.shared:maven-shared-components from 43
      to 44
    + MSHARED-1380: Bump commons-io:commons-io from 2.17.0 to 2.18.0
    + MSHARED-1381: Bump
      org.apache.maven.shared:maven-shared-components from 42 to 43
    + MSHARED-1380: Bump commons-io:commons-io from 2.16.1 to 2.17.0
    + MSHARED-1380: Bump commons-io:commons-io from 2.13.0 to 2.16.1
    + MSHARED-1381: Upgrade parent pom to 42
    + Bump apache/maven-gh-actions-shared from 3 to 4
    + Bump org.junit:junit-bom from 5.10.1 to 5.10.2
    + Bump org.junit:junit-bom from 5.10.0 to 5.10.1
    + Bump org.junit:junit-bom from 5.9.3 to 5.10.0
    + MSHARED-1266: upgrade commons-io 2.11.0 --> 2.13.0
    + update to parent pom 39

Changes in maven-doxia-sitetools:

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in maven-doxia:

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in maven-dependency-tree:

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in maven-dependency-analyzer:

- Upgrade to upstream version 1.16.0

  * New features and improvements

    + Enable GitHub Issues

  * Bug Fixes

    + MSHARED-47: Don't flag xml-apis:xml-apis as undeclared

  * Maintenance

    + Remove unneeded suppression

  * Dependency updates

    + Bump org.apache.maven.shared:maven-shared-components from 43
      to 44
    + Bump org.ow2.asm:asm from 9.7.1 to 9.8
    + Bump org.assertj:assertj-bom from 3.27.2 to 3.27.3
    + Bump org.assertj:assertj-bom from 3.26.3 to 3.27.2

Changes in maven-artifact-transfer:

    + allow building against maven 4.x and maven-resolver 2.x

Changes in maven-archiver:

- Upgrade to maven-archiver 3.6.5

  * New features and improvements

    + add Java-Version entry to default MANIFEST.MF

  * Bug Fixes

    + avoid negative entry time: upgrade plexus-archiver
    + don't limit outputTimestamp to zip (MS DOS) range

  * Documentation updates

    + remove extra newline in code blocks
    + reformat descriptor description to match usual
      Modello-generated ones
    + document Java-Version entry added in #298

  * Maintenance

    + Update site descriptor to 2.0.0

  * Dependency updates

    + Bump org.assertj:assertj-core from 3.27.3 to 3.27.6
    + Bump org.codehaus.plexus:plexus-archiver from 4.10.0 to 4.10.1

- Upgrade to maven-archiver 3.6.4

  * New features and improvements

    + improve Reproducible Builds javadoc
    + Fall back on SOURCE_DATE_EPOCH if it exists

  * Bug Fixes

    + Treat empty Automatic-Module-Name as no Automatic-Module-Name
      at all

  * Maintenance

    + Enable GitHub Issues

  * Dependency updates

    + Bump org.apache.maven.shared:maven-shared-components
      from 43 to 45
    + Bump org.codehaus.plexus:plexus-interpolation
      from 1.27 to 1.28
    + Bump org.assertj:assertj-core from 3.26.0 to 3.27.3

Changes in xom:

- Make build recipe compatible with POSIX sh. Use %autosetup.

Changes in maven-plugin-tools:

- Upgrade to upstream version 3.15.2

  * Documentation updates

    + Fix run-on sentence
    + Update document to use Guice constructor injection
    + MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'

  * Maintenance

    + Update site descriptors to 2.0
    + Add support for Maven 4
      PluginDescriptor.getRequiredJavaVersion() method
    + Cleanups dependencies
    + Use injection instead of Component annotation
    + Begin converting this plugin to Guice constructor injection
    + refactor: Replace Plexus AbstractLogEnabled with SLF4J
    + Use properties for versions in components.xml
    + JDK 25 build fix
    + MPLUGIN-543: Update to Parent 44
    + Add release drafter
    + Add PR Automation action

  * Dependency updates
    + Bump org.jsoup:jsoup from 1.18.1 to 1.19.1
    + Bump org.codehaus.plexus:plexus-testing from 1.4.0 to 1.6.1
    + Bump org.codehaus.plexus:plexus-velocity from 2.2.0 to 2.3.0
    + Bump net.bytebuddy:byte-buddy from 1.15.5 to 1.17.8
    + Bump org.codehaus.plexus:plexus-archiver from 4.10.0 to 4.10.3
    + Bump org.codehaus.plexus:plexus-java from 1.3.0 to 1.5.0
    + Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.19.0
    + Bump org.codehaus.plexus:plexus-classworlds from 2.8.0 to
      2.9.0
    + Bump org.assertj:assertj-core from 3.26.3 to 3.27.6
    + Bump org.codehaus.plexus:plexus-utils from 4.0.1 to 4.0.2
    + Bump asmVersion from 9.7.1 to 9.9
    + Bump org.apache.velocity:velocity-engine-core from 2.4 to
      2.4.1
    + Bump org.codehaus.plexus:plexus-i18n from 1.0-beta-10 to 1.0.0
    + Bump maven3Version from 3.9.9 to 3.9.11
    + Bump org.codehaus.plexus:plexus-xml from 3.0.1 to 3.0.2
    + Bump org.apache.maven:maven-parent from 44 to 45
    + Bump antVersion from 1.10.14 to 1.10.15

Changes in maven-plugin-tools:

- Upgrade to upstream version 3.15.2

  * Documentation updates

    + Fix run-on sentence
    + Update document to use Guice constructor injection
    + MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'

  * Maintenance

    + Update site descriptors to 2.0
    + Add support for Maven 4
      PluginDescriptor.getRequiredJavaVersion() method
    + Cleanups dependencies
    + Use injection instead of Component annotation
    + Begin converting this plugin to Guice constructor injection
    + refactor: Replace Plexus AbstractLogEnabled with SLF4J
    + Use properties for versions in components.xml
    + JDK 25 build fix
    + MPLUGIN-543: Update to Parent 44
    + Add release drafter
    + Add PR Automation action

  * Dependency updates

    + Bump org.jsoup:jsoup from 1.18.1 to 1.19.1
    + Bump org.codehaus.plexus:plexus-testing from 1.4.0 to 1.6.1
    + Bump org.codehaus.plexus:plexus-velocity from 2.2.0 to 2.3.0
    + Bump net.bytebuddy:byte-buddy from 1.15.5 to 1.17.8
    + Bump org.codehaus.plexus:plexus-archiver from 4.10.0 to 4.10.3
    + Bump org.codehaus.plexus:plexus-java from 1.3.0 to 1.5.0
    + Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.19.0
    + Bump org.codehaus.plexus:plexus-classworlds from 2.8.0 to
      2.9.0
    + Bump org.assertj:assertj-core from 3.26.3 to 3.27.6
    + Bump org.codehaus.plexus:plexus-utils from 4.0.1 to 4.0.2
    + Bump asmVersion from 9.7.1 to 9.9
    + Bump org.apache.velocity:velocity-engine-core from 2.4 to
      2.4.1
    + Bump org.codehaus.plexus:plexus-i18n from 1.0-beta-10 to 1.0.0
    + Bump maven3Version from 3.9.9 to 3.9.11
    + Bump org.codehaus.plexus:plexus-xml from 3.0.1 to 3.0.2
    + Bump org.apache.maven:maven-parent from 44 to 45
    + Bump antVersion from 1.10.14 to 1.10.15

Changes in maven-plugin-tools:

- Add the maven-plugin-report-plugin to the _multibuild file

- Initial packaging of the maven-plugin-report-plugin 3.15.2

Changes in maven-plugin-tools:

- Upgrade to upstream version 3.15.2

  * Documentation updates

    + Fix run-on sentence
    + Update document to use Guice constructor injection
    + MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'

  * Maintenance

    + Update site descriptors to 2.0
    + Add support for Maven 4
      PluginDescriptor.getRequiredJavaVersion() method
    + Cleanups dependencies
    + Use injection instead of Component annotation
    + Begin converting this plugin to Guice constructor injection
    + refactor: Replace Plexus AbstractLogEnabled with SLF4J
    + Use properties for versions in components.xml
    + JDK 25 build fix
    + MPLUGIN-543: Update to Parent 44
    + Add release drafter
    + Add PR Automation action

  * Dependency updates

    + Bump org.jsoup:jsoup from 1.18.1 to 1.19.1
    + Bump org.codehaus.plexus:plexus-testing from 1.4.0 to 1.6.1
    + Bump org.codehaus.plexus:plexus-velocity from 2.2.0 to 2.3.0
    + Bump net.bytebuddy:byte-buddy from 1.15.5 to 1.17.8
    + Bump org.codehaus.plexus:plexus-archiver from 4.10.0 to 4.10.3
    + Bump org.codehaus.plexus:plexus-java from 1.3.0 to 1.5.0
    + Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.19.0
    + Bump org.codehaus.plexus:plexus-classworlds from 2.8.0 to
      2.9.0
    + Bump org.assertj:assertj-core from 3.26.3 to 3.27.6
    + Bump org.codehaus.plexus:plexus-utils from 4.0.1 to 4.0.2
    + Bump asmVersion from 9.7.1 to 9.9
    + Bump org.apache.velocity:velocity-engine-core from 2.4 to
      2.4.1
    + Bump org.codehaus.plexus:plexus-i18n from 1.0-beta-10 to 1.0.0
    + Bump maven3Version from 3.9.9 to 3.9.11
    + Bump org.codehaus.plexus:plexus-xml from 3.0.1 to 3.0.2
    + Bump org.apache.maven:maven-parent from 44 to 45
    + Bump antVersion from 1.10.14 to 1.10.15

Changes in plexus-xml:

- Update to upstream version 3.0.2

  * Dependency updates

    + Bump org.codehaus.plexus:plexus from 19 to 20
    + Bump org.codehaus.plexus:plexus from 18 to 19
    + Bump org.codehaus.plexus:plexus-utils from 4.0.1 to 4.0.2

  * Maintenance

    + Cleanup tests and drop dependency to plexus-utils

Changes in plexus-velocity:

- Update to version 2.3.0

  * New features and improvements

    + Use internal Nullable annotation, allow drop sisu-inject from
      runtime dependencies

  * Maintenance

    + Add LICENSE file to project, fix build badge
    + Enhance site information
    + Use plexus-testing instead of direct sisu InjectedTest

  * Dependency updates

    + Override version of commons-lang3 to avoid reporting of
      security issues
    + Bump org.codehaus.plexus:plexus from 20 to 24
    + Bump org.eclipse.sisu:org.eclipse.sisu.inject from 0.9.0.M3
      to 0.9.0.M4

- Update to version 2.2.1

  * Dependency updates

    + Bump org.apache.velocity:velocity-engine-core from 2.4 to
      2.4.1
    + Bump org.apache.velocity:velocity-engine-core from 2.3 to 2.4
    + Bump org.eclipse.sisu:org.eclipse.sisu.inject from 0.9.0.M2 to
      0.9.0.M3
    + Bump org.codehaus.plexus:plexus from 19 to 20
    + Bump org.codehaus.plexus:plexus from 18 to 19
    + Bump org.codehaus.plexus:plexus from 17 to 18
    + Bump org.codehaus.plexus:plexus from 16 to 17
    + Bump release-drafter/release-drafter from 5 to 6

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in plexus-sec-dispatcher:

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in velocity-engine:

- Version 2.4.1:

  * Fixes

    + Finding the topmost method when introspecting a class should
      stop at the first static or accessible method found (Fixes
      VELOCITY-983)
    + Direct evaluation of VTL code via RuntimeInstance.evaluate()
      should update the current rendering template information for
      local velocimacros to be visible in string literals
      interpolation (Fixes VELOCITY-944)

Changes in plexus-languages:

- Upgrade to upstream version 1.5.0

  * New features and improvements

    + Read only first 8 bytes of class in JavaClassfileVersion
    + Bump org.ow2.asm:asm from 9.6 to 9.7 - JDK 23 support
    + Bump org.ow2.asm:asm from 9.7 to 9.7.1 - JDK 24 support
    + Bump org.ow2.asm:asm from 9.7.1 to 9.8

  * Maintenance

    + Project cleanups
    + Rename resources of test data
    + Bump release-drafter/release-drafter from 5 to 6
    + Reuse plexus-pom action for CI
    + Disable deploy job on GitHub
    + Added CI for JDK 24-ea

Changes in plexus-io:

- Upgrade to version 3.5.1

  * New features and improvements

    + Fix performance problem by caching unix group and user names

  * Dependency updates

    + Bump org.codehaus.plexus:plexus-testing from 1.3.0 to 1.4.0
    + Bump org.codehaus.plexus:plexus from 16 to 18
    + Bump org.eclipse.sisu:org.eclipse.sisu.inject from 0.9.0.M2
      to 0.9.0.M3
    + Bump org.codehaus.plexus:plexus-xml from 3.0.0 to 3.0.1
    + Bump org.codehaus.plexus:plexus-utils from 4.0.0 to 4.0.1
    + Bump commons-io:commons-io from 2.15.1 to 2.16.1

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in plexus-interpolation:

- Upgrade to version 1.28

  * New features and improvements

    + Fix #16: StringSearchInterpolator does not cache answers.
    + Add FeedbackingValueSource
    + Pass delimiter information to ValueSource
    + Apply spotless re-formatting

Changes in plexus-interactivity:

- Upgrade to version 1.4

  * Changes

    + Bump org.jline:jline-reader from 3.25.1 to 3.29.0
    + Bump org.eclipse.sisu:org.eclipse.sisu.inject from 0.9.0.M2
      to 0.9.0.M3
    + Apply spotless re-formatting
    + Bump org.codehaus.plexus:plexus from 16 to 20
    + Bump release-drafter/release-drafter from 5 to 6

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in plexus-i18n:

- Upgrade to 1.0.0

  * no changelog provided by upstream

Changes in plexus-compiler:

- Upgrade to upstream release 2.15.0

  * New features and improvements

    + Allow to override useUnsharedTable compiler argument
    + Lazy providers and better error reporting
    + Only use '-release' parameter with javac 9+
    + Correctly determine the version of the underlying javac tool
    + Use a TreeSet instead of HashSet to get consistent ordering
      of results

  * Bug Fixes

    + Cleanup dependencies
    + Path.relativize() may throw exception if source and build
      directories are on different Windows drives
    + Fix ECJ not using annotation processor when defined via
      processorpath
    + Report 'Error occurred during initialization of VM' as error

  * Maintenance

    + Bump project version to 2.15.0-SNAPSHOT
    + Use LocalRepositoryManager for resolving artifacts paths in
      tests

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in plexus-classworlds:

- Upgrade to version 2.9.9

  * New features and improvements

    + refine ConfigurationParser

  * Dependency updates

    + Bump org.codehaus.plexus:plexus from 19 to 20
    + Bump org.codehaus.plexus:plexus from 18 to 19
    + Bump org.codehaus.plexus:plexus from 17 to 18
    + Bump org.apache.maven.plugins:maven-dependency-plugin from
      3.7.1 to 3.8.1
    + Bump org.apache.maven.plugins:maven-dependency-plugin from
      3.7.0 to 3.7.1
    + Bump org.apache.maven.plugins:maven-dependency-plugin from
      3.6.1 to 3.7.0

  * Maintenance

    + Apply spotless re-formatting
    + Align site.xml with used schema (2.0.0)
    + Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.0 to 4.0.2
    + Bump org.apache.logging.log4j:log4j-api from 2.20.0 to 2.23.1
    + Bump org.apache.ant:ant from 1.10.13 to 1.10.14
    + Bump org.codehaus.plexus:plexus from 16 to 17

Changes in plexus-cipher:

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in plexus-build-api:

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in maven:

    + Set Guice class loading to CHILD: avoid using terminally
      deprecated methods. Default Guice class loading uses a
      terminally deprecated JDK memory-access classes.

- Upgrade to upstream version 3.9.11

  * New features and improvements

    + Augment version range resolution used repositories

  * Bug Fixes

    + Deduplicate filtered dependency graph
    + Move ensure in boundaries of project lock

  * Maintenance

    + [MNGSITE-393] - remove references to Maven 2
    + Update CONTRIBUTING after GitHub issues enabled
    + Enable Github Issues
    + [MNG-8763] - Remove name from site bannerLeft

  * Build

    + Pin GitHub action versions by hash
    + Build the project by JDK 21 as default
    + Use Maven 3.9.10 for build on GitHub

- Upgrade to upstream version 3.9.10

  * Bug

    + MNG-8096: Inconsistent dependency resolution behaviour for
      concurrent multi-module build can cause failures
    + MNG-8169: MINGW support requires
      --add-opens java.base/java.lang=ALL-UNNAMED
    + MNG-8170: Maven 3.9.8 contains weird native library for Jansi
      on Windows/arm64
    + MNG-8211: Maven should fail builds that use CI Friendly
      versions but have no values set
    + MNG-8248: WARNING: A restricted method in java.lang.System has
      been called
    + MNG-8256: ProjectDependencyGraph bug: in case of filtering,
      non-direct module links are lost
    + MNG-8315: Failure of mvn.cmd if a .mvn directory is located at
      drive root
    + MNG-8396: Maven takes forever to resume
    + MNG-8711: 'Duplicate artifact' in LifecycleDependencyResolver

  * Improvement

    + MNG-8370: Introduce maven.repo.local.head
    + MNG-8399: JDK 24+ issues warning about usage of
      sun.misc.Unsafe
    + MNG-8707: Add methods to remove compile and test source roots
    + MNG-8712: improve dependency version explanation: it's a
      requirement, not always effective version
    + MNG-8717: Remove maven-plugin-plugin:addPluginArtifactMetadata
      from default binding
    + MNG-8722: Use a single standalone version of asm
    + MNG-8731: Use https for xsi:schemaLocation in generated
      descriptors
    + MNG-8734: Simplify scripting like 'get project version' cases

  * Task

    + MNG-8728: Bump Eclipse Sisu from 0.9.0.M3 to 0.9.0.M4 and use
      Java 24 on CI

- Link also the objectweb-asm/asm to the lib directory

    + MNG-8177: Warning

Changes in maven-resolver:

- Update to upstream version 1.9.24

  * New features and improvements

    + Metadata type out of coordinates
    + RFC9457 implementation
    + Intern context strings

  * Maintenance

    + Align plexus-util version with Maven
    + Align guice version with Maven
    + Enable Github Issues (1.9.x branch)

- Build also maven-resolver-supplier package in separate spec file

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

- Update to upstream version 1.9.23

  * Bug

    + MRESOLVER-659: NPE in trusted checksum post processor if

  * Improvement

    + MRESOLVER-680: Disable checksum by default for .sigstore.json
      as well
    + MRESOLVER-703: HTTP transport should expose config for max
      redirects

- Upgrade to upstream version 1.9.22

  * Bug

    + MRESOLVER-572: Resolver-Supplier unusable in OSGi runtimes
    + MRESOLVER-574: Invalid Cookie set under proxy conditions
    + MRESOLVER-586: In typical setups, DefaultArtifact copies the
      same maps over and over again
    + MRESOLVER-587: Memory consumption improvements

  * New Feature

    + MRESOLVER-571: Import o.e.aether packages with the exact same
      version in OSGi metadata

  * Improvement

    + MRESOLVER-570: Remove excessive strictness of OSGi dependency
      metadata

  * Task

    + MRESOLVER-576: Allow co-release of Resolver 1.x and 2.x

- Upgrade to upstream version 1.9.20

  * Bug

    + MRESOLVER-483: PreorderNodeListGenerator bug: may print
      trailing ':'
    + MRESOLVER-522: File locking threads not entering critical
      region were 'oversleeping'
    + MRESOLVER-547: BF collector always copies artifacts, even
      when it should not

  * Improvement

    + MRESOLVER-536: Skip setting last modified time when FS does
      not support it

- Add dependency on plexus-xml where relevant

  * this will be needed for smooth upgrade to plexus-utils 4.0.0

- Upgrade to upstream version 1.9.18

  * Bug

    + MRESOLVER-372: Sporadic AccessDeniedEx on Windows
    + MRESOLVER-441: Undo FileUtils changes that altered non-Windows
      execution path

  * Improvement

    + MRESOLVER-396: Native transport should retry on HTTP 429
      (Retry-After)

  * Task

    + MRESOLVER-397: Deprecate Guice modules
    + MRESOLVER-405: Get rid of component name string literals, make
      them constants and reusable
    + MRESOLVER-433: Expose configuration for inhibiting
      Expect-Continue handshake in 1.x
    + MRESOLVER-435: Refresh download page
    + MRESOLVER-437: Resolver should not override given HTTP
      transport default use of expect-continue handshake

- Upgrade to upstream version 1.9.15

  * Bug

    + MRESOLVER-373: Remove lock upgrading code
    + MRESOLVER-375: Several key aspects are broken in provided and
      trusted checksum feature
    + MRESOLVER-376: StackOverflowError at
      BfDependencyCollector.processDependency
    + MRESOLVER-380: Lock diagnostic: attempted lock step is
      recorded, but on failed attempt is not removed
    + MRESOLVER-393: Transport HTTP does not retain last modified as
      sent by remote end

  * Improvement

    + MRESOLVER-220: Modify signaling for unsupported operations
    + MRESOLVER-382: Define local outgoing (bind) address
    + MRESOLVER-385: Reduce default value for
      aether.connector.http.connectionMaxTtl

  * Task

    + MRESOLVER-378: Update parent POM to 40
    + MRESOLVER-381: Undo MRESOLVER-373 as it was fixed by other
      means
    + MRESOLVER-386: Make all injected ctors public, deprecate all
      def ctors
    + MRESOLVER-388: Transport HTTP old codec proper override

- Upgrade to upstream version 1.9.12

  * Bug

    + [MRESOLVER-371] Unjustified WARNING log added by
      MRESOLVER-364
    + [MRESOLVER-361] Unreliable TCP and retries on upload
    + [MRESOLVER-357] ConflictResolver STANDARD verbosity
      misbehaves
    + [MRESOLVER-352] Duplicate METADATA_DOWNLOADING event is
      being sent

  * Improvement

    + [MRESOLVER-360] disable checksum by default for .sigstore
      in addition to .asc

  * New Feature

    + [MRESOLVER-370] Lock factory should dump lock states on
      failure
    + [MRESOLVER-353] Make aether.checksums.algorithms settable
      per remote repository

  * Task

    + [MRESOLVER-366] Upgrade build plugins
    + [MRESOLVER-364] Revert MRESOLVER-132
    + [MRESOLVER-359] Make build be explicit about build time
      requirements
    + [MRESOLVER-356] Remove Guava (is unused)
    + [MRESOLVER-354] Document expected checksums

- Upgrade to upstream version 1.9.8

  * Bug

    + [MRESOLVER-345] Conflict resolution in verbose mode is
      sensitive to version ordering
    + [MRESOLVER-348] SslConfig httpSecurityMode change is not
      detected
    + [MRESOLVER-339] Preemptive Auth broken when default ports used
    + [MRESOLVER-325] [REGRESSION] Suddenly seeing I/O errors under
      windows aborting the build
    + [MRESOLVER-330] Static name mapper is unusable with file-lock
      factory
    + [MRESOLVER-314] Getting 'IllegalArgumentException: Comparison
      method violates its general contract!'
    + [MRESOLVER-316] DF collector enters endless loop when
      collecting org.webjars.npm:musquette:1.1.1
    + [MRESOLVER-298] javax.inject should be provided or optional
    + [MRESOLVER-305] Evaluate blocked repositories also when
      retrieving metadata
    + [MRESOLVER-309] PrefixesRemoteRepositoryFilterSource aborts
      the build while it should not
    + [MRESOLVER-313] Artifact file permissions are 0600 and not
      implicitly set by umask
    + [MRESOLVER-296] FileProcessor.write( File, InputStream ) is
      defunct
    + [MRESOLVER-292] Documented and used param names mismatch
    + [MRESOLVER-294] Fix JapiCmp configuration and document it
    + [MRESOLVER-285] File locking on Windows knows to misbehave
    + [MRESOLVER-246] m-deploy-p will create hashes for hashes
    + [MRESOLVER-265] Discrepancy between produced and recognized
      checksums
    + [MRESOLVER-241] Resolver checksum calculation should be driven
      by layout
    + [MRESOLVER-242] When no remote checksums provided by layout,
      transfer inevitably fails/warns
    + [MRESOLVER-250] Usage of descriptors map in DataPool prevents
      gargabe collection

  * New Feature

    + [MRESOLVER-32] Support parallel artifact/metadata uploads
    + [MRESOLVER-319] Support parallel deploy
    + [MRESOLVER-297] Chained LRM
    + [MRESOLVER-167] Support forcing specific repositories for
      artifacts
    + [MRESOLVER-268] Apply artifact checksum verification for any
      resolved artifact
    + [MRESOLVER-274] Introduce Remote Repository Filter feature
    + [MRESOLVER-275] Introduce trusted checksums source
    + [MRESOLVER-276] Resolver post-processor
    + [MRESOLVER-278] BREAKING: Introduce RepositorySystem shutdown
      hooks
    + [MRESOLVER-236] Make it possible to resolve .asc on a 'fail'
      respository.

  * Improvement

    + [MRESOLVER-346] Too eager locking
    + [MRESOLVER-347] Better connection pool configuration (reuse,
      max TTL, maxPerRoute)
    + [MRESOLVER-349] Adapter when locking should 'give up and
      retry'
    + [MRESOLVER-350] Get rid of commons-lang dependency
    + [MRESOLVER-327] Make tranport-http obey system properties
      regarding proxy settings
    + [MRESOLVER-340] Make WebDAV 'dance' disabled by default
    + [MRESOLVER-341] Add option for preemptive PUT Auth
    + [MRESOLVER-315] Implement preemptive authentication feature
      for transport-http
    + [MRESOLVER-328] The transport-http should be able to ignore
      cert errors
    + [MRESOLVER-337] Real cause when artifact not found with
      repository filtering
    + [MRESOLVER-287] Get rid of deprecated finalize methods
    + [MRESOLVER-317] Improvements for BF collector
    + [MRESOLVER-318] Cleanup redundant code and centralize executor
      handling
    + [MRESOLVER-303] Make checksum detection reusable
    + [MRESOLVER-290] Improve file handling resolver wide
    + [MRESOLVER-7] Download dependency POMs in parallel in BF
      collector
    + [MRESOLVER-266] Simplify adapter creation and align
      configuration for it
    + [MRESOLVER-269] Allow more compact storage of provided
      checksums
    + [MRESOLVER-273] Create more compact File locking layout/mapper
    + [MRESOLVER-284] BREAKING: Some Sisu parameters needs to be
      bound
    + [MRESOLVER-286] Improve basic connector closed state handling
    + [MRESOLVER-240] Using breadth-first approach to resolve Maven
      dependencies
    + [MRESOLVER-247] Avoid unnecessary dependency resolution by a
      Skip solution based on BFS
    + [MRESOLVER-248] Make DF and BF collector implementations
      coexist

  * Task

    + [MRESOLVER-326] Resolver transport-http should retry on
      failures
    + [MRESOLVER-331] Make DefaultTrackingFileManager write directly
      to tracking files
    + [MRESOLVER-333] Distinguish better resolver errors for
      artifact availability
    + [MRESOLVER-320] Investigate slower resolving speeds as
      reported by users
    + [MRESOLVER-291] Undo MRESOLVER-284
    + [MRESOLVER-279] Simplify and improve trusted checksum sources
    + [MRESOLVER-281] Update configurations page with new elements
    + [MRESOLVER-282] Drop PartialFile
    + [MRESOLVER-230] Make supported checksum algorithms extensible
    + [MRESOLVER-231] Extend “smart checksum” feature
    + [MRESOLVER-234] Introduce “provided” checksums feature
    + [MRESOLVER-237] Make all checksum mismatches handled same
    + [MRESOLVER-239] Update and sanitize dependencies
    + [MRESOLVER-244] Deprecate FileTransformer API
    + [MRESOLVER-245] Isolate Hazelcast tests

  * Dependency upgrade

    + [MRESOLVER-311] Upgrade Parent to 39
    + [MRESOLVER-293] Update dependencies, align with Maven
    + [MRESOLVER-272] Update parent POM to 37, remove plugin version
      overrides, update bnd
    + [MRESOLVER-280] Upgrade invoker, install, deploy, require
      maven 3.8.4+
    + [MRESOLVER-251] Upgrade Redisson to 3.17.5
    + [MRESOLVER-249] Update Hazelcast to 5.1.1 in
      named-locks-hazelcast module

- Add an alias for the wagon connector

- Build against the standalone JavaEE modules unconditionally

- Remove the javax.annotation:javax.annotation-api dependency on
  distribution versions that do not incorporate the JavaEE modules

- Add the glassfish-annotation-api jar to the build classpath

- Upgrade to upstream version 1.7.3

  * Bug

    + [MRESOLVER-96] - Dependency Injection fails after upgrading
      to Maven 3.6.2
    + [MRESOLVER-153] - resolver-status.properties file is corrupted
      due to concurrent writes
    + [MRESOLVER-171] - Resolver fails when compiled on Java 9+ an
      run on Java 8 due to JDK API breakage
    + [MRESOLVER-189] - Using semaphore-redisson followed by
      rwlock-redisson on many parallel build of the same project
      triggers redisson error

  * New Feature

    + [MRESOLVER-90] - HTML content in POM: Maven should validate
      content before storing in local repo
    + [MRESOLVER-145] - Introduce more SyncContext implementations

  * Improvement

    + [MRESOLVER-103] - Replace deprecated HttpClient classes
    + [MRESOLVER-104] - maven-resolver-demo-maven-plugin uses
      reserved artifactId
    + [MRESOLVER-147] - Upgrade to Java 8
    + [MRESOLVER-148] - Use vanilla Guice 4 instead of forked
      Guice 3
    + [MRESOLVER-156] - Active dependency management for Google
      Guice/Guava
    + [MRESOLVER-168] - add DEBUG message when downloading an
      artifact from repositories
    + [MRESOLVER-193] - Properly type lock key names in Redis
    + [MRESOLVER-197] - Minors improvements (umbrella)
    + [MRESOLVER-204] - Add a SessionData#computeIfAbsent method
    + [MRESOLVER-214] - Remove clirr configuration

  * Task

    + [MRESOLVER-141] - Review index-based access to collections
    + [MRESOLVER-151] - Enforce a checksum policy to be provided
      explicitly
    + [MRESOLVER-152] - Perform null checks when interface
      contracts require it
    + [MRESOLVER-154] - Move SyncContextFactory interface to SPI
      module
    + [MRESOLVER-155] - Make TrackingFileManager member of
      DefaultUpdateCheckManager
    + [MRESOLVER-158] - Simplify SimpleDigest class
    + [MRESOLVER-159] - Mark singleton components as Sisu Singletons
    + [MRESOLVER-160] - Deprecate ServiceLocator
    + [MRESOLVER-162] - Restore binary compatibility broken by
      MRESOLVER-154
    + [MRESOLVER-170] - Deprecate org.eclipse.aether.spi.log
    + [MRESOLVER-172] - Make TrackingFileManager shared singleton
      component
    + [MRESOLVER-173] - Drop deprecated AetherModule
    + [MRESOLVER-174] - Use all bindings in UTs and tests
    + [MRESOLVER-175] - Drop SyncContextFactory delegates in favor
      of a selector approach
    + [MRESOLVER-177] - Move pre-/post-processing of metadata from
      ResolveTask to DefaultMetadataResolver
    + [MRESOLVER-183] - Don't require optional dependencies for
      Redisson
    + [MRESOLVER-184] - Destroy Redisson semaphores if not used
      anymore
    + [MRESOLVER-186] - Update Maven version in Resolver Demo
      Snippets
    + [MRESOLVER-188] - Improve documentation on using the named
      locks with redis/hazelcast (umbrella)
    + [MRESOLVER-190] - [Regression] Revert MRESOLVER-184
    + [MRESOLVER-191] - Document how to analyze lock issues
    + [MRESOLVER-196] - Document named locks configuration options
    + [MRESOLVER-219] - Implement NamedLock with advisory file
      locking
    + [MRESOLVER-227] - Refactor NamedLockFactorySelector to a
      managed component
    + [MRESOLVER-232] - Make SimpleNamedLockFactorySelector logic
      reusable

  * Sub-task

    + [MRESOLVER-198] - Replace assert by simpler but equivalent
      calls
    + [MRESOLVER-199] - Java 8 improvements
    + [MRESOLVER-200] - Simplify conditions with the same result
      and avoid extra validations
    + [MRESOLVER-201] - Make variables final whenever possible
    + [MRESOLVER-202] - Use isEmpty() instead length() <= 0

  * Dependency upgrade

    + [MRESOLVER-185] - Upgrade Redisson to 3.15.6

  * Change of API and incompatible with maven-resolver < 1.7

- Upgrade to upstream version 1.6.3

  * Bug

    + [MRESOLVER-153] - resolver-status.properties file is corrupted
      due to concurrent writes
    + [MRESOLVER-171] - Resolver fails when compiled on Java 9+ and
      run on Java 8 due to JDK API breakage

  * Improvement

    + [MRESOLVER-168] - add DEBUG message when downloading an
      artifact from repositories

  * Task
    + [MRESOLVER-177] - Move pre-/post-processing of metadata from
      ResolveTask to DefaultMetadataResolver

  * Needed for maven 3.8.4

- Do not build/run the tests against the legacy guava20 package

- Upgrade to upstream version 1.6.2


  * Sub-task

    + [MRESOLVER-139] - Make SimpleDigest use SHA-1 or MD5 only
    + [MRESOLVER-140] - Default to SHA-1 and MD5 hashing algorithms

  * Bug

    + [MRESOLVER-25] - Resume support is broken under high
      concurrency
    + [MRESOLVER-114] - ArtifactNotFoundExceptions when building in
      parallel
    + [MRESOLVER-129] - Exclusion has no setters
    + [MRESOLVER-137] - Make OSGi bundles reproducible
    + [MRESOLVER-138] - MRESOLVER-56 introduces severe performance
      regression

  * New Feature

    + [MRESOLVER-109] - AndDependencySelector should override
      toString
    + [MRESOLVER-115] - Make checksum algorithms configurable
    + [MRESOLVER-123] - Provide a global locking sync context by
      default
    + [MRESOLVER-131] - Introduce a Redisson-based
      SyncContextFactory
    + [MRESOLVER-165] - Add support for mirror selector on
      external:http:*
    + [MRESOLVER-166] - Add support for blocked
      repositories/mirrors

  * Improvement

    + [MRESOLVER-56] - Support SHA-256 and SHA-512 as checksums
    + [MRESOLVER-116] - Add page with all supported configuration
      options
    + [MRESOLVER-125] - Use type conversions returning primitives
    + [MRESOLVER-127] - Don't use boolean for property
      'aether.updateCheckManager.sessionState'
    + [MRESOLVER-136] - Migrate from maven-bundle-plugin to
      bnd-maven-plugin

  * Task

    + [MRESOLVER-119] - Turn log messages to SLF4J placeholders
    + [MRESOLVER-130] - Move GlobalSyncContextFactory to a separate
      module
    + [MRESOLVER-132] - Remove synchronization in
      TrackingFileManager

  * Dependency upgrade

    + [MRESOLVER-105] - Update Plexus Components
    + [MRESOLVER-106] - Update HttpComponents
    + [MRESOLVER-107] - Update Wagon Provider API to 3.4.0
    + [MRESOLVER-108] - Update mockito-core to 2.28.2
    + [MRESOLVER-117] - Upgrade SLF4J to 1.7.30
    + [MRESOLVER-118] - Upgrade Sisu Components to 0.3.4

  * Needed for maven 3.8.x

- Set buildshell to bash for '<<<'.

- Upgrade to upstream version 1.4.2

  * Bug:

    + MRESOLVER-38 – SOE/OOME in DefaultDependencyNode.accept

  * Improvements:

    + MRESOLVER-93 – PathRecordingDependencyVisitor to handle 3 cycles
    + MRESOLVER-102 – make build Reproducible

- Upgrade to upstream version 1.4.1

  * Task

    + [MRESOLVER-92] - Revert MRESOLVER-7

  * Bug

    + [MRESOLVER-86] - ResolveArtifactMojo from resolver example
      uses plugin repositories to resolve dependencies

  * New Feature

    + [MRESOLVER-10] - New 'TransitiveDependencyManager'
      supporting transitive dependency management
    + [MRESOLVER-33] - New 'DefaultDependencyManager' managing
      dependencies on all levels supporting transitive dependency
      management

  * Improvement

    + [MRESOLVER-7] - Download dependency POMs in parallel
    + [MRESOLVER-84] - Add support for 'release' qualifier
    + [MRESOLVER-87] - Refresh examples to use maven-resolver
      artifacts for demo
    + [MRESOLVER-88] - Code style cleanup to use Java 7 features

- Initial packaging of maven-resolver 1.3.1
- Generate and customize the ant build files

Changes in maven-resolver:

- Update to upstream version 1.9.24

  * New features and improvements

    + Metadata type out of coordinates
    + RFC9457 implementation
    + Intern context strings

  * Maintenance

    + Align plexus-util version with Maven
    + Align guice version with Maven
    + Enable Github Issues (1.9.x branch)

- Build also maven-resolver-supplier package in separate spec file

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

- Update to upstream version 1.9.23

  * Bug

    + MRESOLVER-659: NPE in trusted checksum post processor if

  * Improvement

    + MRESOLVER-680: Disable checksum by default for .sigstore.json
      as well
    + MRESOLVER-703: HTTP transport should expose config for max
      redirects

Changes in xmvn:

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in objectweb-asm:

- Upgrade to version 9.9

  * new Opcodes.V26 constant for Java 26
  * new mapInvokeDynamicMethodName method in Remapper. Old method
    deprecated. New Remapper constructor, with an api parameter.
  * bug fixes

    + 318028: Textifier misinterprets ACC_SUPER of inner classes as
      ACC_SYNCHRONIZED
    + 318032: FIPS 140-3 and SerialVersionUIDAdder's SHA-1 Use
    + 318034: Many ASM contents lack API detection.


- Upgrade to version 9.8

  * new Opcodes.V25 constant for Java 25
  * bug fixes

    + Fix one more copy operation on DUP2
    + 318015: Valid bytecode for jvm, but failed to pass the
      CheckClassAdapter.
    + `ASMifier` should print calls to `valueOf` instead of
      deprecated constructors of primitive wrappers

Changes in plexus-archiver:

- Upgrade to upstream version 4.10.2

  * New features and improvements

    + Utilize VT if possible

  * Bug Fixes

    + check minimum timestamp: avoid negative Zip 5455 Extended
      Timestamp

  * Maintenance

    + Cleanups of using deprecated methods
    + symLinks:Enhance the compatibility of regen.sh
    + Apply spotless re-formatting 

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4 

Changes in maven-surefire:

- Upgrade to 3.5.4

  * New features and improvements

    + Name the shutdown hook
    + Implement fail-fast behavior for JUnit Platform provider
    + Create a single LauncherSession for invocations of
      JUnitPlatformProvider

  * Bug Fixes

    * SUREFIRE-2298: fix xml output with junit 5 nested classes
      (fix integration with Cucumber and Archunit)

  * Maintenance

    + feat: enable prevent branch protection rules
    + Get rid of plexus-annotations
    + Remove maven-changes-plugin
    + Enable GitHub Issues

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

- Upgrade to 3.5.3

  * Bug

    + SUREFIRE-1643: JUnit 5 in parallel execution mode confuses
      Surefire reports
    + SUREFIRE-1737: Disabling the JUnit5Xml30StatelessReporter has
      no effect
    + SUREFIRE-1751: Surefire report shows flaky tests as failures
    + SUREFIRE-2289: FailsafeSummary.toRunResult throws a raw
      exception

Changes in maven-compiler-plugin:

- Upgrade to upstream release 3.14.1

  * New features and improvements

    + Improve DeltaList behavior for large projects
    + Allow to not use --module-version for the Java compiler

  * Bug Fixes

    + Add generatedSourcesPath back to the maven project
    + MCOMPILER-538: Do not add target/generated-sources/annotations
     to the source roots

  * Dependency updates

    + Enforce asm version used here, to not depend on brittle
      transitive
    + Bump mavenVersion from 3.9.9 to 3.9.11
    + Bump org.apache.maven.plugins:maven-plugins from 43 to 45
    + Bump org.codehaus.plexus:plexus-java from 1.4.0 to 1.5.0

Changes in maven-javadoc-plugin:

- Upgrade to upstream version 3.12.0

  * Breaking changes

    + remove fix mojo
    + detectOfflineLinks is now false per default for all jar mojo
      issue #1258

  * Bug Fixes

    + Fix legacyMode
    + Fix package {...} does not exist in legacyMode
    + Ensure UTF-8 charset is used to avoid
      IllegalArgumentException: Null charset name
    + Remove Javadoc 1.4+ / -1.1 switch related warning

  * Maintenance

    + protect 3.8.x branch
    + feat: enable prevent branch protection rules


- Upgrade to upstream version 3.11.3

  * Removed

    + Remove workaround for long patched CVE in javadoc

  * New features and improvements

    + Issue #369 Support --no-fonts option per default for jdk 23+

  * Bug Fixes

    + Make the legacyMode consistent (Filter out all of the
      module-info.java files in legacy mode, do not use
      --source-path in legacy mode)
    + MJAVADOC-826: Don't try to modify project source roots

  * Documentation updates

    + Correct javadoc-no-fork description on index-page
    + MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'
    + (doc) Close links tag in links parameter javadoc example

  * Maintenance

    + Be consistent about data encoding when copying files
    + Clean up JavadocUtilTest
    + Use Java 7 relativization instead of hand-rolled code
    + Rephrase source code fix interactive messages for clarity
    + Reduce non-debug logging
    + Delete duplicate @throws clause
    + Use Java 7 relativization instead of our hand-rolled code
    + Clean up comments and argument names
    + Issue #378 Cleanup of code related to old non supported Java
      version
    + Cure deprecation warning
    + MJAVADOC-773: deprecate toRelative
    + Issue #373 Fix JDK 23 build
    + Fix aggregate Javadoc typo
    + Enable GH issues
    + MJAVADOC-825: Prefer NullPointerExceptions for null arguments

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in maven-assembly-plugin:

Update to version 3.7.1

  * Bug

    + MASSEMBLY-1020: Cannot invoke 'java.io.File.isFile()' because
      'this.inputFile' is null
    + MASSEMBLY-1021: Nullpointer in assembly:single when upgrading
      to 3.7.0
    + MASSEMBLY-1022: Unresolved artifacts should be not processed

- Changes of 3.7.0

  * Bug

    + MASSEMBLY-967: maven-assembly-plugin doesn't add target/class
      artifacts in generated jarfat but META-INF/MANIFEST.MF seems
      to be correct
    + MASSEMBLY-994: Items from unpacked dependency are not refreshed
    + MASSEMBLY-998: Transitive dependencies are not properly
      excluded as of 3.1.1
    + MASSEMBLY-1008: Assembly plugin handles scopes wrongly
    + MASSEMBLY-1018: Fix examples about useStrictFiltering

  * New Feature

    + MASSEMBLY-992: Facility to define assembly descriptor in body
      of POM

  * Improvement

    + MASSEMBLY-1007: Upgrade maven-plugin parent to 41
    + MASSEMBLY-1016: clarify and fix plugin system requirements
      history
    + MASSEMBLY-1017: Don't use deprecated methods in code

  * Task

    + MASSEMBLY-991: XSDs for 2.2.0 missing from Maven Project Web
      Site
    + MASSEMBLY-1000: ITs - cleanups, refresh plugins versions
    + MASSEMBLY-1003: Remove unused remoteRepositories
    + MASSEMBLY-1004: Remove ignored and deprecated parameter -
      useJvmChmod
    + MASSEMBLY-1010: Use IOUtils from commons-io instead of plexus
    + MASSEMBLY-1013: Code cleanups

Changes in maven-bundle-plugin:

- remove patch that is fixed in maven-archiver

Changes in maven-dependency-plugin:

- Upgrade to version 3.9.0

  * New features and improvements

    + Use Resolver API in go-offline for dependencies resolving
    + Use Resolver API in go-offline for plugins resolving
    + Fixes #1522, add render-dependencies mojo
    + Use Resolver API in resolve-plugin
    + MDEP-964: unconditionally ignore dependencies known to be
      loaded by reflection
    + Update maven-dependency-analyzer to support Java24
    + MDEP-972: copy-dependencies: copy signatures alongside
      artifacts
    + MDEP-776: Warn when multiple dependencies have the same file
      name
    + MDEP-966: Migrate AnalyzeDepMgt to Sisu
    + MDEP-957: By default, don't report slf4j-simple as unused

  * Bug Fixes

    + ProjectBuildingRequest should not be modified
    + Fix: markersDirectory is not working when unpack goal is
      executed from command line
    + Fix broken link for analyze-exclusions-mojo on usage-page
    + MDEP-839: Avoid extra blank lines in file
    + Update collect URL
    + MDEP-689: Fixes ignored dependency filtering in go-offline
      goal
    + MDEP-960: Repair silent logging

  * Documentation updates

    + MDEP-933: Document dependency tree output formats
    + Add additional comment to clarify the minimal supported
      version of outputing dependency tree in JSON fromat.
    + MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'
    + Unix file separators

  * Maintenance

    + Simplify usage of RepositoryManager and DependencyResolver
    + Use Resolver API in copy and unpack
    + Update site descriptor to 2.0.0
    + Enable prevent branch protection rules
    + Fix [MDEP-931: Replace PrintWriter with Writer in
      AbstractSerializing Visitor and subclasses
    + Cleanups dependencies
    + Copy edit parameter descriptions
    + Small Javadoc clarifications
    + MDEP-967: Change info to debug logging in
      AbstractFromConfigurationMojo
    + fix: remove duplicate maven-resolver-api and
      maven-resolver-util dependencies in pom.xml
    + Enable GH issues
    + Remove redundant/unneeded code
    + Add PR Automation and Stale actions
    + Keep files in temporary directory to be deleted after test
    + Drop unnecessary call
    + Avoid deprecated ArtifactFactory
    + MDEP-966: Convert remaining Mojos to Guice injection
    + MDEP-966: Convert Analyze Mojos to Guice constructor injection
    + MDEP-966: Prefer Guice injection
    + MDEP-966: Migrate TreeMojo/CopyMojo/AnalyzeExclusionsMojo/
      /UnpackMojo/CopyDependenciesMojo from Plexus to Sisu Guice
    + MDEP-966: @component --> @Inject for DisplayAncestorsMojo
    + Fixing flaky test in TestCopyDependenciesMojo
    + MNG-2961: Remove workaround for fixed bug

  * Build

    + Build by Maven 4

  * Dependency updates

    + Bump Maven in dependencies to 3.9.11
    + Bump commons-io:commons-io from 2.16.1 to 2.20.0
    + Bump jettyVersion from 9.4.56.v20240826 to 9.4.58.v20250814
    + Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.19.0
    + Bump org.apache.maven.plugins:maven-plugins from 43 to 45
    + Bump org.codehaus.mojo:mrm-maven-plugin from 1.6.0 to 1.7.0
    + Bump org.codehaus.plexus:plexus-archiver from 4.10.0 to 4.10.1
    + Bump org.codehaus.plexus:plexus-i18n from 1.0-beta-10 to 1.0.0
    + Bump org.jsoup:jsoup from 1.18.1 to 1.21.2
    + MDEP-963: Bump
      org.apache.maven.shared:maven-dependency-analyzer from 1.15.0
      to 1.15.1

Changes in maven-invoker-plugin:

- Upgrade to upstream version 3.9.1

  * Documentation updates

    + Add note about cloneProjectsTo being required for filtering

  * Maintenance

    + Use constant 3.6.3 in prerequisites/maven as minimal Maven
      version
    + Enable GH Issues
    + MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'
    + Switch to Guice constructor injection
    + Specify UTF-8 when reading build log
    + Make utility class static

  * Build

    + Enable build by Maven 4 on GitHub

  * Dependency updates

    + Bump commons-beanutils:commons-beanutils from 1.9.4 to 1.11.0
    + Bump commons-codec:commons-codec from 1.17.1 to 1.18.0
    + Bump commons-io:commons-io from 2.18.0 to 2.19.0
    + Bump mavenVersion from 3.6.3 to 3.9.10
    + Bump org.apache.groovy:groovy-bom from 4.0.24 to 4.0.27
    + Bump org.apache.maven.plugins:maven-plugins from 43 to 45
    + Bump org.assertj:assertj-core from 3.26.3 to 3.27.3
    + Bump org.codehaus.plexus:plexus-interpolation from 1.27 to 1.28

Changes in plexus-archiver:

- Upgrade to upstream version 4.10.2

  * New features and improvements

    + Utilize VT if possible

  * Bug Fixes

    + check minimum timestamp: avoid negative Zip 5455 Extended
      Timestamp

  * Maintenance

    + Cleanups of using deprecated methods
    + symLinks:Enhance the compatibility of regen.sh
    + Apply spotless re-formatting

-----------------------------------------------------------------
Advisory ID: 123
Released:    Thu Jan  8 10:27:55 2026
Summary:     Recommended update for elemental-register, elemental-toolkit, elemental-system-agent, elemental
Type:        recommended
Severity:    moderate
References:  1231284,1231714,1239623,1240623,CVE-2024-41311,CVE-2024-8508
This update for elemental-register, elemental-toolkit, elemental-system-agent, elemental fixes the following issues:

Changes in elemental-register:

- Upgrade to v1.8.0:
  Add policycoreutils-python-utils (bsc#1240623)
  Include an empty /etc/machine-id file (bsc#1239623)

-----------------------------------------------------------------
Advisory ID: 126
Released:    Sun Jan 11 17:27:45 2026
Summary:     Recommended update for lz4
Type:        recommended
Severity:    moderate
References:  1207377,1218474,1228142,1230679,1241453,1241551,CVE-2022-45748,CVE-2024-40724,CVE-2024-45679,CVE-2025-32414,CVE-2025-32415
This update for lz4 fixes the following issues:

- align rpm changelog with sle15 and do not ignore test suite result

-----------------------------------------------------------------
Advisory ID: 130
Released:    Mon Jan 12 12:14:46 2026
Summary:     Security update for libmicrohttpd
Type:        security
Severity:    important
References:  1231565,1238700,1239335,1253177,1253178,CVE-2024-9632,CVE-2025-22869,CVE-2025-22870,CVE-2025-59777,CVE-2025-62689
This update for libmicrohttpd fixes the following issues:

- CVE-2025-62689: Fixed heap-based buffer overflow through
  a specially crafted packet (bsc#1253178)
- CVE-2025-59777: Fixed NULL pointer dereference through
  a specially crafted packet (bsc#1253177)

-----------------------------------------------------------------
Advisory ID: 131
Released:    Mon Jan 12 12:14:46 2026
Summary:     Security update for libpng16
Type:        security
Severity:    important
References:  1231565,1254157,1254158,1254159,1254160,1254480,CVE-2024-9632,CVE-2025-64505,CVE-2025-64506,CVE-2025-64720,CVE-2025-65018,CVE-2025-66293
This update for libpng16 fixes the following issues:

- CVE-2025-64505: heap buffer over-read in `png_do_quantize` when processing PNG files malformed palette indices
  (bsc#1254157).
- CVE-2025-64506: heap buffer over-read in `png_write_image_8bit` when processing 8-bit input with `convert_to_8bit`
  enabled (bsc#1254158).
- CVE-2025-64720: out-of-bounds read in `png_image_read_composite` when processing palette images with
  `PNG_FLAG_OPTIMIZE_ALPHA` enabled (bsc#1254159).
- CVE-2025-65018: heap buffer overflow in `png_image_finish_read` when processing specially crafted 16-bit interlaced
  PNGs with 8-bit output format (bsc#1254160).
- CVE-2025-66293: out-of-bounds read of the `png_sRGB_base` array when processing palette PNG images with partial
  transparency and gamma correction (bsc#1254480).

-----------------------------------------------------------------
Advisory ID: 138
Released:    Wed Jan 14 11:23:16 2026
Summary:     Security update for gpg2
Type:        security
Severity:    important
References:  1229122,1232528,1244156,1244157,1255715,1256244,1256246,1256390,CVE-2024-9681,CVE-2025-0913,CVE-2025-4673,CVE-2025-68973
This update for gpg2 fixes the following issues:

- CVE-2025-68973: out-of-bounds write when processing specially crafted input in the armor parser can lead to memory corruption (bsc#1255715).

Other security fixes:

- gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures (bsc#1256246).
- gpg: Error out on unverified output for non-detached signatures (bsc#1256244).
- gpg: Deprecate the option --not-dash-escaped (bsc#1256390).

-----------------------------------------------------------------
Advisory ID: 141
Released:    Wed Jan 14 11:56:00 2026
Summary:     Security update for haproxy
Type:        security
Severity:    moderate
References:  1233668,1241020,1241078,1250983,CVE-2024-52804,CVE-2025-11230,CVE-2025-29087,CVE-2025-29088
This update for haproxy fixes the following issues:

- CVE-2025-11230: issue in the mjson JSON decoder leads to excessive resource consumption when processing numbers with
  large exponents (bsc#1250983).

-----------------------------------------------------------------
Advisory ID: 140
Released:    Wed Jan 14 12:01:44 2026
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1233282,1236217,1244156,1244157,1244158,1255731,1255732,1255733,1255734,1256105,CVE-2024-52533,CVE-2025-0913,CVE-2025-14017,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224,CVE-2025-22874,CVE-2025-4673
This update for curl fixes the following issues:

This update for curl fixes the following issues:

- CVE-2025-14017: broken TLS options for threaded LDAPS (bsc#1256105).
- CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731).
- CVE-2025-14819: libssh global knownhost override (bsc#1255732).
- CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733).
- CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734).

-----------------------------------------------------------------
Advisory ID: 145
Released:    Thu Jan 15 16:02:36 2026
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    important
References:  1217538,1236177,1237496,1241190,1242938,1246743,1247470,CVE-2025-4598
This update for apparmor fixes the following issues:

Changes in apparmor:

- allow writing /tmp/doveconf.* in more dovecot profiles

update to AppArmor 4.1.2:

  - several fixes (including boo#1246743)
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.1.2
    for the detailed upstream changelog

- more dovecot 2.4 permissions (boo#1247470)

-----------------------------------------------------------------
Advisory ID: 147
Released:    Thu Jan 15 17:28:43 2026
Summary:     Recommended update for suse-migration-services
Type:        recommended
Severity:    important
References:  1200528,1217070,1221400,1224323,1228553,1234812,1250003,1253963,CVE-2022-1996,CVE-2023-45142,CVE-2023-45288,CVE-2023-47108,CVE-2024-40896
This update for suse-migration-services fixes the following issues:


- Bump to version: 2.1.29
    * Fix mount_system unit
    * Run ssh precheck only for SLE16 target
      The check for the ssh default settings change should
      only be performed for migrations to SLE16
    * Only generate wicked xml if service is the active network
    * Fix unit link check and no use of path.join
    * Fixed migration live image package requires
    * Update setup_host_network service
    * Fix backup processing
    * Fix log handler setup
    * Drop and backup /etc/sysconfig/network
    * Skip migration if wicked is not the default network config service
    * Add package_installed method
    * Backup drop_path data
    * Check if package exists prior drop
    * Fixed use of suse version macros
    * drop README_QA.rst
    * Update conditional requires per review
    * Consolidate project documentation
    * Fixed spec file regarding wicked2nm
- Bump to version: 2.1.28
    * Fix update_version helper
    * Fix mount_system
    * Fix order of reboot service
    * Improve dracut logging
    * Drop wicked component after nm migration
    * Move script package to the main migration provider
    * Add DropComponents class
    * Fixed spec file:
        + suse-migration-container-pam-config.service was not installed
    * Create systemd.link files for biosdevname (bsc#1253963)
    * Create lib file for common network-prereq tasks
    * update PAM configurations to use pam_unix.so
      SLE16 no longer provides compat links for pam_unix_*.so. Fix the
      configuration for tools that are still using those compat links so
      they don't break after migration (PED-13640)
    * Omit cio_ignore kernel commandline on zkvm (bsc#1250003)
- Bump to version: 2.1.27
    * Refactor mount_system service
    * Fix order of reboot service
    * Add support for wicked2nm in container workflow
    * Fix unit test for solver test case
    * Fixes for btrfs_snapshot_pre_migration

-----------------------------------------------------------------
Advisory ID: 146
Released:    Thu Jan 15 17:28:43 2026
Summary:     Security update for MozillaFirefox
Type:        security
Severity:    important
References:  1231698,1240366,1256340,CVE-2024-9676,CVE-2025-14327,CVE-2025-27587,CVE-2026-0877,CVE-2026-0878,CVE-2026-0879,CVE-2026-0880,CVE-2026-0882,CVE-2026-0883,CVE-2026-0884,CVE-2026-0885,CVE-2026-0886,CVE-2026-0887,CVE-2026-0890,CVE-2026-0891
This update for MozillaFirefox fixes the following issues:

Update to Firefox Extended Support Release 140.7.0 ESR (bsc#1256340).

- MFSA 2026-03 (bsc#1256340)

  * CVE-2026-0877: Mitigation bypass in the DOM: Security component
  * CVE-2026-0878: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component
  * CVE-2026-0879: Sandbox escape due to incorrect boundary conditions in the Graphics component
  * CVE-2026-0880: Sandbox escape due to integer overflow in the Graphics component
  * CVE-2026-0882: Use-after-free in the IPC component
  * CVE-2025-14327: Spoofing issue in the Downloads Panel component
  * CVE-2026-0883: Information disclosure in the Networking component
  * CVE-2026-0884: Use-after-free in the JavaScript Engine component
  * CVE-2026-0885: Use-after-free in the JavaScript: GC component
  * CVE-2026-0886: Incorrect boundary conditions in the Graphics component
  * CVE-2026-0887: Clickjacking issue, information disclosure in the PDF Viewer component
  * CVE-2026-0890: Spoofing issue in the DOM: Copy & Paste and Drag & Drop component
  * CVE-2026-0891: Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147

-----------------------------------------------------------------
Advisory ID: 151
Released:    Sat Jan 17 14:20:26 2026
Summary:     Security update for docker
Type:        security
Severity:    critical
References:  1244509,1247367,1247594,1248373,1250508,CVE-2024-10220,CVE-2024-36620,CVE-2024-36621,CVE-2024-36623,CVE-2024-37820,CVE-2024-43784,CVE-2024-45719,CVE-2024-50948,CVE-2024-52003,CVE-2024-52280,CVE-2024-52282,CVE-2024-52309,CVE-2024-52529,CVE-2024-52801,CVE-2024-53259,CVE-2024-53264,CVE-2024-53858,CVE-2024-53862,CVE-2024-54131,CVE-2024-54132,CVE-2024-6156,CVE-2024-6219,CVE-2024-6538,CVE-2024-8676,CVE-2025-54388,CVE-2025-6020
This update for docker fixes the following issues:

Changes in docker:

- Update to Docker 28.5.1-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/28/#2851>

- Update to Docker 28.5.0-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/28/#2850>

- Update to docker-buildx v0.29.0. Upstream changelog:
  <https://github.com/docker/buildx/releases/tag/v0.29.0>

- Remove git-core recommends on SLE. Most SLE systems have
  installRecommends=yes by default and thus end up installing git with Docker.
  bsc#1250508

  This feature is mostly intended for developers ('docker build git://') so
  most users already have the dependency installed, and the error when git is
  missing is fairly straightforward (so they can easily figure out what they
  need to install).

- Update to docker-buildx v0.28.0. Upstream changelog:
  <https://github.com/docker/buildx/releases/tag/v0.28.0>

- Update to Docker 28.4.0-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/28/#2840>
  * Fixes a nil pointer panic in 'docker push'. bsc#1248373

- Update warnings and errors related to 'docker buildx ...' so that they
  reference our openSUSE docker-buildx packages.

- Enable building docker-buildx for SLE15 systems with SUSEConnect secret
  injection enabled. PED-12534 PED-8905 bsc#1247594

  As docker-buildx does not support our SUSEConnect secret injection (and some
  users depend 'docker build' working transparently), patch the docker CLI so
  that 'docker build' will no longer automatically call 'docker buildx build',
  effectively making DOCKER_BUILDKIT=0 the default configuration. Users can
  manually use 'docker buildx ...' commands or set DOCKER_BUILDKIT=1 in order
  to opt-in to using docker-buildx.

  Users can silence the 'docker build' warning by setting DOCKER_BUILDKIT=0
  explicitly.

  In order to inject SCC credentials with docker-buildx, users should use

    RUN --mount=type=secret,id=SCCcredentials zypper -n ...

  in their Dockerfiles, and

    docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .

  when doing their builds.

- Update to Docker 28.3.3-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/28/#2833>
  CVE-2025-54388 bsc#1247367

- Update to docker-buildx v0.26.1. Upstream changelog:
  <https://github.com/docker/buildx/releases/tag/v0.26.1>

- Update to docker-buildx v0.26.0. Upstream changelog:
  <https://github.com/docker/buildx/releases/tag/v0.26.0>

-----------------------------------------------------------------
Advisory ID: 162
Released:    Thu Jan 22 09:15:08 2026
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    important
References:  1231185,1231328,1241802,1250655,1250664,1253679,1254264,1254928,CVE-2025-22872
This update for suse-module-tools fixes the following issues:

- Update to version 16.0.64:
  * udev rules: write block queue attributes only if necessary (bsc#1254928)
- Update to version 16.0.63:
    * 80-hotplug-cpu-mem.rules: remount tmpfs on 'online' uevents (bsc#1254264)
    * udev: use systemd service to remount tmpfs (bsc#1253679)
- Update to version 16.0.62:
    * spec file: remove %udev_rules_update call (bsc#1250664)
- Update to version 16.0.61:
    * weak-modules2: skip livepatch dir when checking for unresolved symbols (bsc#1250655)

-----------------------------------------------------------------
Advisory ID: 164
Released:    Thu Jan 22 11:13:12 2026
Summary:     Security update for libpcap
Type:        security
Severity:    low
References:  1233078,1239749,1255765,CVE-2024-10963,CVE-2024-40635,CVE-2025-11961
This update for libpcap fixes the following issues:

- CVE-2025-11961: missing validation of provided MAC-48 address string in `pcap_ether_aton()` can lead to out-of-bounds
  read and write (bsc#1255765).

-----------------------------------------------------------------
Advisory ID: 166
Released:    Thu Jan 22 13:53:33 2026
Summary:     Security update for go1.24
Type:        security
Severity:    important
References:  1234068,1236217,1243313,1256816,1256817,1256818,1256819,1256820,1256821,CVE-2024-11053,CVE-2025-47273,CVE-2025-61726,CVE-2025-61728,CVE-2025-61730,CVE-2025-61731,CVE-2025-68119,CVE-2025-68121
This update for go1.24 fixes the following issues:

Update to go1.24.12 (released 2026-01-15) (bsc#1236217)

Security fixes:

 - CVE-2025-61730: crypto/tls: handshake messages may be processed at the incorrect encryption level (bsc#1256821).
 - CVE-2025-68119: cmd/go: unexpected code execution when invoking toolchain (bsc#1256820).
 - CVE-2025-61731: cmd/go: bypass of flag sanitization can lead to arbitrary code execution (bsc#1256819).
 - CVE-2025-61726: net/http: memory exhaustion in Request.ParseForm (bsc#1256817).
 - CVE-2025-61728: archive/zip: denial of service when parsing arbitrary ZIP archives (bsc#1256816).
 - CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain (bsc#1256818).

Other fixes:

  * go#76408 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled
  * go#76624 os: on Unix, Readdirnames skips directory entries with zero inodes
  * go#76760 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386
  * go#76796 runtime: race detector crash on ppc64le
  * go#76966 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling <function>: runtime error: index out of range

-----------------------------------------------------------------
Advisory ID: 170
Released:    Thu Jan 22 14:47:27 2026
Summary:     Security update for python313
Type:        security
Severity:    moderate
References:  1242987,1244680,1244705,1247249,1251305,1252974,1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837,CVE-2025-6069,CVE-2025-6075,CVE-2025-8194,CVE-2025-8291
This update for python313 fixes the following issues:

- Update to 3.13.11:

- Security
    - CVE-2025-12084: cpython: Fixed quadratic algorithm in
      xml.dom.minidom leading to denial of service (bsc#1254997)
    - CVE-2025-13836: Fixed default Content-Lenght read amount
      from HTTP response (bsc#1254400)
    - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401)
    - CVE-2025-8291: Fixed validity of the ZIP64 End of Central Directory
      (EOCD) not checked by the 'zipfile' module (bsc#1251305)
    - gh-137836: Add support of the “plaintext” element, RAWTEXT
      elements “xmp”, “iframe”, “noembed” and “noframes”, and
      optionally RAWTEXT element “noscript” in
      html.parser.HTMLParser.
    - gh-136063: email.message: ensure linear complexity for
      legacy HTTP parameters parsing. Patch by Bénédikt Tran.
    - CVE-2025-6075: Fixed performance issues caused by user-controller
      os.path.expandvars() (bsc#1252974)
- Library
    - gh-140797: Revert changes to the undocumented re.Scanner
      class. Capturing groups are still allowed for backward
      compatibility, although using them can lead to incorrect
      result. They will be forbidden in future Python versions.
    - gh-142206: The resource tracker in the multiprocessing
      module now uses the original communication protocol, as in
      Python 3.14.0 and below, by default. This avoids issues
      with upgrading Python while it is running. (Note that such
      ‘in-place’ upgrades are not tested.) The tracker remains
      compatible with subprocesses that use new protocol (that
      is, subprocesses using Python 3.13.10, 3.14.1 and 3.15).
- Core and Builtins
    - gh-142218: Fix crash when inserting into a split table
      dictionary with a non str key that matches an existing key.


- Update to 3.13.10:

- Tools/Demos
    - gh-141442: The iOS testbed now correctly handles test
      arguments that contain spaces.
- Tests
    - gh-140482: Preserve and restore the state of stty echo as
      part of the test environment.
    - gh-140082: Update python -m test to set FORCE_COLOR=1 when
      being run with color enabled so that unittest which is run
      by it with redirected output will output in color.
    - gh-136442: Use exitcode 1 instead of 5 if
      unittest.TestCase.setUpClass() raises an exception
- Library
    - gh-74389: When the stdin being used by a subprocess.Popen
      instance is closed, this is now ignored in
      subprocess.Popen.communicate() instead of leaving the class
      in an inconsistent state.
    - gh-87512: Fix subprocess.Popen.communicate() timeout
      handling on Windows when writing large input. Previously,
      the timeout was ignored during stdin writing, causing the
      method to block indefinitely if the child process did not
      consume input quickly. The stdin write is now performed in
      a background thread, allowing the timeout to be properly
      enforced.
    - gh-141473: When subprocess.Popen.communicate() was called
      with input and a timeout and is called for a second time
      after a TimeoutExpired exception before the process has
      died, it should no longer hang.
    - gh-59000: Fix pdb breakpoint resolution for class methods
      when the module defining the class is not imported.
    - gh-141570: Support file-like object raising OSError from
      fileno() in color detection (_colorize.can_colorize()).
      This can occur when sys.stdout is redirected.
    - gh-141659: Fix bad file descriptor errors from
      _posixsubprocess on AIX.
    - gh-141497: ipaddress: ensure that the methods
      IPv4Network.hosts() and IPv6Network.hosts() always return
      an iterator.
    - gh-140938: The statistics.stdev() and statistics.pstdev()
      functions now raise a ValueError when the input contains an
      infinity or a NaN.
    - gh-124111: Updated Tcl threading configuration in _tkinter
      to assume that threads are always available in Tcl 9 and
      later.
    - gh-137109: The os.fork and related forking APIs will no
      longer warn in the common case where Linux or macOS
      platform APIs return the number of threads in a process and
      find the answer to be 1 even when a os.register_at_fork()
      after_in_parent= callback (re)starts a thread.
    - gh-141314: Fix assertion failure in io.TextIOWrapper.tell()
      when reading files with standalone carriage return (\r)
      line endings.
    - gh-141311: Fix assertion failure in io.BytesIO.readinto()
      and undefined behavior arising when read position is above
      capcity in io.BytesIO.
    - gh-141141: Fix a thread safety issue with
      base64.b85decode(). Contributed by Benel Tayar.
    - gh-140911: collections: Ensure that the methods
      UserString.rindex() and UserString.index() accept
      collections.UserString instances as the sub argument.
    - gh-140797: The undocumented re.Scanner class now forbids
      regular expressions containing capturing groups in its
      lexicon patterns. Patterns using capturing groups could
      previously lead to crashes with segmentation fault. Use
      non-capturing groups (?:…) instead.
    - gh-140815: faulthandler now detects if a frame or a code
      object is invalid or freed. Patch by Victor Stinner.
    - gh-100218: Correctly set errno when socket.if_nametoindex()
      or socket.if_indextoname() raise an OSError. Patch by
      Bénédikt Tran.
    - gh-140875: Fix handling of unclosed character references
      (named and numerical) followed by the end of file in
      html.parser.HTMLParser with convert_charrefs=False.
    - gh-140734: multiprocessing: fix off-by-one error when
      checking the length of a temporary socket file path. Patch
      by Bénédikt Tran.
    - gh-140874: Bump the version of pip bundled in ensurepip to
      version 25.3
    - gh-140691: In urllib.request, when opening a FTP URL fails
      because a data connection cannot be made, the control
      connection’s socket is now closed to avoid
      a ResourceWarning.
    - gh-103847: Fix hang when cancelling process created by
      asyncio.create_subprocess_exec() or
      asyncio.create_subprocess_shell(). Patch by Kumar Aditya.
    - gh-140590: Fix arguments checking for the
      functools.partial.__setstate__() that may lead to internal
      state corruption and crash. Patch by Sergey Miryanov.
    - gh-140634: Fix a reference counting bug in
      os.sched_param.__reduce__().
    - gh-140633: Ignore AttributeError when setting a module’s
      __file__ attribute when loading an extension module
      packaged as Apple Framework.
    - gh-140593: xml.parsers.expat: Fix a memory leak that could
      affect users with ElementDeclHandler() set to a custom
      element declaration handler. Patch by Sebastian Pipping.
    - gh-140607: Inside io.RawIOBase.read(), validate that the
      count of bytes returned by io.RawIOBase.readinto() is valid
      (inside the provided buffer).
    - gh-138162: Fix logging.LoggerAdapter with merge_extra=True
      and without the extra argument.
    - gh-140474: Fix memory leak in array.array when creating
      arrays from an empty str and the u type code.
    - gh-140272: Fix memory leak in the clear() method of the
      dbm.gnu database.
    - gh-140041: Fix import of ctypes on Android and Cygwin when
      ABI flags are present.
    - gh-139905: Add suggestion to error message for
      typing.Generic subclasses when cls.__parameters__ is
      missing due to a parent class failing to call
      super().__init_subclass__() in its __init_subclass__.
    - gh-139845: Fix to not print KeyboardInterrupt twice in
      default asyncio REPL.
    - gh-139783: Fix inspect.getsourcelines() for the case when
      a decorator is followed by a comment or an empty line.
    - gh-70765: http.server: fix default handling of HTTP/0.9
      requests in BaseHTTPRequestHandler. Previously,
      BaseHTTPRequestHandler.parse_request() incorrectly waited
      for headers in the request although those are not supported
      in HTTP/0.9. Patch by Bénédikt Tran.
    - gh-139391: Fix an issue when, on non-Windows platforms, it
      was not possible to gracefully exit a python -m asyncio
      process suspended by Ctrl+Z and later resumed by fg other
      than with kill.
    - gh-101828: Fix 'shift_jisx0213', 'shift_jis_2004',
      'euc_jisx0213' and 'euc_jis_2004' codecs truncating null
      chars as they were treated as part of multi-character
      sequences.
    - gh-139246: fix: paste zero-width in default repl width is
      wrong.
    - gh-90949: Add SetAllocTrackerActivationThreshold() and
      SetAllocTrackerMaximumAmplification() to xmlparser objects
      to prevent use of disproportional amounts of dynamic memory
      from within an Expat parser. Patch by Bénédikt Tran.
    - gh-139065: Fix trailing space before a wrapped long word if
      the line length is exactly width in textwrap.
    - gh-138993: Dedent credits text.
    - gh-138859: Fix generic type parameterization raising
      a TypeError when omitting a ParamSpec that has a default
      which is not a list of types.
    - gh-138775: Use of python -m with base64 has been fixed to
      detect input from a terminal so that it properly notices
      EOF.
    - gh-98896: Fix a failure in multiprocessing resource_tracker
      when SharedMemory names contain colons. Patch by Rani
      Pinchuk.
    - gh-75989: tarfile.TarFile.extractall() and
      tarfile.TarFile.extract() now overwrite symlinks when
      extracting hardlinks. (Contributed by Alexander Enrique
      Urieles Nieto in gh-75989.)
    - gh-83424: Allows creating a ctypes.CDLL without name when
      passing a handle as an argument.
    - gh-136234: Fix asyncio.WriteTransport.writelines() to be
      robust to connection failure, by using the same behavior as
      write().
    - gh-136057: Fixed the bug in pdb and bdb where next and step
      can’t go over the line if a loop exists in the line.
    - gh-135307: email: Fix exception in set_content() when
      encoding text and max_line_length is set to 0 or None
      (unlimited).
    - gh-134453: Fixed subprocess.Popen.communicate() input=
      handling of memoryview instances that were non-byte shaped
      on POSIX platforms. Those are now properly cast to a byte
      shaped view instead of truncating the input. Windows
      platforms did not have this bug.
    - gh-102431: Clarify constraints for “logical” arguments in
      methods of decimal.Context.
- IDLE
    - gh-96491: Deduplicate version number in IDLE shell title
      bar after saving to a file.
- Documentation
    - gh-141994: xml.sax.handler: Make Documentation of
      xml.sax.handler.feature_external_ges warn of opening up to
      external entity attacks. Patch by Sebastian Pipping.
    - gh-140578: Remove outdated sencence in the documentation
      for multiprocessing, that implied that
      concurrent.futures.ThreadPoolExecutor did not exist.
- Core and Builtins
    - gh-142048: Fix quadratically increasing garbage collection
      delays in free-threaded build.
    - gh-141930: When importing a module, use Python’s regular
      file object to ensure that writes to .pyc files are
      complete or an appropriate error is raised.
    - gh-120158: Fix inconsistent state when enabling or
      disabling monitoring events too many times.
    - gh-141579: Fix sys.activate_stack_trampoline() to properly
      support the perf_jit backend. Patch by Pablo Galindo.
    - gh-141312: Fix the assertion failure in the __setstate__
      method of the range iterator when a non-integer argument is
      passed. Patch by Sergey Miryanov.
    - gh-140939: Fix memory leak when bytearray or bytes is
      formated with the
      %*b format with a large width that results in
      %a MemoryError.
    - gh-140530: Fix a reference leak when raise exc from cause
      fails. Patch by Bénédikt Tran.
    - gh-140576: Fixed crash in tokenize.generate_tokens() in
      case of specific incorrect input. Patch by Mikhail Efimov.
    - gh-140551: Fixed crash in dict if dict.clear() is called at
      the lookup stage. Patch by Mikhail Efimov and Inada Naoki.
    - gh-140471: Fix potential buffer overflow in ast.AST node
      initialization when encountering malformed _fields
      containing non-str.
    - gh-140406: Fix memory leak when an object’s __hash__()
      method returns an object that isn’t an int.
    - gh-140306: Fix memory leaks in cross-interpreter channel
      operations and shared namespace handling.
    - gh-140301: Fix memory leak of PyConfig in subinterpreters.
    - gh-140000: Fix potential memory leak when a reference cycle
      exists between an instance of typing.TypeAliasType,
      typing.TypeVar, typing.ParamSpec, or typing.TypeVarTuple
      and its __name__ attribute. Patch by Mikhail Efimov.
    - gh-139748: Fix reference leaks in error branches of
      functions accepting path strings or bytes such as compile()
      and os.system(). Patch by Bénédikt Tran.
    - gh-139516: Fix lambda colon erroneously start format spec
      in f-string in tokenizer.
    - gh-139640: Fix swallowing some syntax warnings in different
      modules if they accidentally have the same message and are
      emitted from the same line. Fix duplicated warnings in the
      finally block.
    - gh-137400: Fix a crash in the free threading build when
      disabling profiling or tracing across all threads with
      PyEval_SetProfileAllThreads() or
      PyEval_SetTraceAllThreads() or their Python equivalents
      threading.settrace_all_threads() and
      threading.setprofile_all_threads().
    - gh-133400: Fixed Ctrl+D (^D) behavior in _pyrepl module to
      match old pre-3.13 REPL behavior.
- C API
    - gh-140042: Removed the sqlite3_shutdown call that could
      cause closing connections for sqlite when used with
      multiple sub interpreters.
    - gh-140487: Fix Py_RETURN_NOTIMPLEMENTED in limited C API
      3.11 and older: don’t treat Py_NotImplemented as immortal.
      Patch by Victor Stinner.

- Update to 3.13.9:

  - Library
    - gh-139783: Fix inspect.getsourcelines() for the case when a
      decorator is followed by a comment or an empty line.

- Update to 3.13.8:

  - Tools/Demos
    - gh-139330: SBOM generation tool didn’t cross-check the version
      and checksum values against the Modules/expat/refresh.sh script,
      leading to the values becoming out-of-date during routine
      updates.
    - gh-137873: The iOS test runner has been simplified, resolving
      some issues that have been observed using the runner in GitHub
      Actions and Azure Pipelines test environments.
  - Tests
    - gh-139208: Fix regrtest --fast-ci --verbose: don’t ignore the
      --verbose option anymore. Patch by Victor Stinner.
  - Security
    - gh-139400: xml.parsers.expat: Make sure that parent Expat
      parsers are only garbage-collected once they are no longer
      referenced by subparsers created by
      ExternalEntityParserCreate(). Patch by Sebastian Pipping.
    - gh-139283: sqlite3: correctly handle maximum number of rows to
      fetch in Cursor.fetchmany and reject negative values for
      Cursor.arraysize. Patch by Bénédikt Tran.
    - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser
      according to the HTML5 standard: ] ]> and ]] > no longer end the
      CDATA section. Add private method _set_support_cdata() which can
      be used to specify how to parse <[CDATA[ — as a CDATA section in
      foreign content (SVG or MathML) or as a bogus comment in the
      HTML namespace.
  - Library
    - gh-139312: Upgrade bundled libexpat to 2.7.3
    - gh-139289: Do a real lazy-import on rlcompleter in pdb and
      restore the existing completer after importing rlcompleter.
    - gh-139210: Fix use-after-free when reporting unknown event in
      xml.etree.ElementTree.iterparse(). Patch by Ken Jin.
    - gh-138860: Lazy import rlcompleter in pdb to avoid deadlock in
      subprocess.
    - gh-112729: Fix crash when calling _interpreters.create when the
      process is out of memory.
    - gh-139076: Fix a bug in the pydoc module that was hiding
      functions in a Python module if they were implemented in an
      extension module and the module did not have __all__.
    - gh-138998: Update bundled libexpat to 2.7.2
    - gh-130567: Fix possible crash in locale.strxfrm() due to a
      platform bug on macOS.
    - gh-138779: Support device numbers larger than 2**63-1 for the
      st_rdev field of the os.stat_result structure.
    - gh-128636: Fix crash in PyREPL when os.environ is overwritten
      with an invalid value for mac
    - gh-88375: Fix normalization of the robots.txt rules and URLs in
      the urllib.robotparser module. No longer ignore trailing ?.
      Distinguish raw special characters ?, = and & from the
      percent-encoded ones.
    - gh-138515: email is added to Emscripten build.
    - gh-111788: Fix parsing errors in the urllib.robotparser module.
      Don’t fail trying to parse weird paths. Don’t fail trying to
      decode non-UTF-8 robots.txt files.
    - gh-138432: zoneinfo.reset_tzpath() will now convert any
      os.PathLike objects it receives into strings before adding them
      to TZPATH. It will raise TypeError if anything other than a
      string is found after this conversion. If given an os.PathLike
      object that represents a relative path, it will now raise
      ValueError instead of TypeError, and present a more informative
      error message.
    - gh-138008: Fix segmentation faults in the ctypes module due to
      invalid argtypes. Patch by Dung Nguyen.
    - gh-60462: Fix locale.strxfrm() on Solaris (and possibly other
      platforms).
    - gh-138204: Forbid expansion of shared anonymous memory maps on
      Linux, which caused a bus error.
    - gh-138010: Fix an issue where defining a class with a
      @warnings.deprecated-decorated base class may not invoke the
      correct __init_subclass__() method in cases involving multiple
      inheritance. Patch by Brian Schubert.
    - gh-138133: Prevent infinite traceback loop when sending CTRL^C
      to Python through strace.
    - gh-134869: Fix an issue where pressing Ctrl+C during tab
      completion in the REPL would leave the autocompletion menu in a
      corrupted state.
    - gh-137317: inspect.signature() now correctly handles classes
      that use a descriptor on a wrapped __init__() or __new__()
      method. Contributed by Yongyu Yan.
    - gh-137754: Fix import of the zoneinfo module if the C
      implementation of the datetime module is not available.
    - gh-137490: Handle ECANCELED in the same way as EINTR in
      signal.sigwaitinfo() on NetBSD.
    - gh-137477: Fix inspect.getblock(), inspect.getsourcelines() and
      inspect.getsource() for generator expressions.
    - gh-137017: Fix threading.Thread.is_alive to remain True until
      the underlying OS thread is fully cleaned up. This avoids false
      negatives in edge cases involving thread monitoring or premature
      threading.Thread.is_alive calls.
    - gh-136134: SMTP.auth_cram_md5() now raises an SMTPException
      instead of a ValueError if Python has been built without MD5
      support. In particular, SMTP clients will not attempt to use
      this method even if the remote server is assumed to support it.
      Patch by Bénédikt Tran.
    - gh-136134: IMAP4.login_cram_md5 now raises an IMAP4.error if
      CRAM-MD5 authentication is not supported. Patch by Bénédikt
      Tran.
    - gh-135386: Fix opening a dbm.sqlite3 database for reading from
      read-only file or directory.
    - gh-126631: Fix multiprocessing forkserver bug which prevented
      __main__ from being preloaded.
    - gh-123085: In a bare call to importlib.resources.files(), ensure
      the caller’s frame is properly detected when importlib.resources
      is itself available as a compiled module only (no source).
    - gh-118981: Fix potential hang in
      multiprocessing.popen_spawn_posix that can happen when the child
      proc dies early by closing the child fds right away.
    - gh-78319: UTF8 support for the IMAP APPEND command has been made
      RFC compliant.
    - bpo-38735: Fix failure when importing a module from the root
      directory on unix-like platforms with sys.pycache_prefix set.
    - bpo-41839: Allow negative priority values from
      os.sched_get_priority_min() and os.sched_get_priority_max()
      functions.
  - Core and Builtins
    - gh-134466: Don’t run PyREPL in a degraded environment where
      setting termios attributes is not allowed.
    - gh-71810: Raise OverflowError for (-1).to_bytes() for signed
      conversions when bytes count is zero. Patch by Sergey B
      Kirpichev.
    - gh-105487: Remove non-existent __copy__(), __deepcopy__(), and
      __bases__ from the __dir__() entries of types.GenericAlias.
    - gh-134163: Fix a hang when the process is out of memory inside
      an exception handler.
    - gh-138479: Fix a crash when a generic object’s __typing_subst__
      returns an object that isn’t a tuple.
    - gh-137576: Fix for incorrect source code being shown in
      tracebacks from the Basic REPL when PYTHONSTARTUP is given.
      Patch by Adam Hartz.
    - gh-132744: Certain calls now check for runaway recursion and
      respect the system recursion limit.
  - C API
    - gh-87135: Attempting to acquire the GIL after runtime
      finalization has begun in a different thread now causes the
      thread to hang rather than terminate, which avoids potential
      crashes or memory corruption caused by attempting to terminate a
      thread that is running code not specifically designed to support
      termination. In most cases this hanging is harmless since the
      process will soon exit anyway.
      While not officially marked deprecated until 3.14,
      PyThread_exit_thread is no longer called internally and remains
      solely for interface compatibility. Its behavior is inconsistent
      across platforms, and it can only be used safely in the unlikely
      case that every function in the entire call stack has been
      designed to support the platform-dependent termination
      mechanism. It is recommended that users of this function change
      their design to not require thread termination. In the unlikely
      case that thread termination is needed and can be done safely,
      users may migrate to calling platform-specific APIs such as
      pthread_exit (POSIX) or _endthreadex (Windows) directly.
  - Build
    - gh-135734: Python can correctly be configured and built with
      ./configure --enable-optimizations --disable-test-modules.
      Previously, the profile data generation step failed due to PGO
      tests where immortalization couldn’t be properly suppressed.


- Update to 3.13.7:

  - gh-137583: Fix a deadlock introduced in 3.13.6 when a call
    to ssl.SSLSocket.recv was blocked in one thread, and then
    another method on the object (such as ssl.SSLSocket.send) was
    subsequently called in another thread.
  - gh-137044: Return large limit values as positive integers
    instead of negative integers in resource.getrlimit().
    Accept large values and reject negative values (except
    RLIM_INFINITY) for limits in resource.setrlimit().
  - gh-136914: Fix retrieval of doctest.DocTest.lineno
    for objects decorated with functools.cache() or
    functools.cached_property.
  - gh-131788: Make ResourceTracker.send from multiprocessing
    re-entrant safe
  - gh-136155: We are now checking for fatal errors in EPUB
    builds in CI.
  - gh-137400: Fix a crash in the free threading build when
    disabling profiling or tracing across all threads with
    PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads()
    or their Python equivalents threading.settrace_all_threads()
    and threading.setprofile_all_threads().


- Update to 3.13.6:

  - Security
    - gh-135661: Fix parsing start and end tags in
      html.parser.HTMLParser according to the HTML5 standard.
    - gh-102555: Fix comment parsing in html.parser.HTMLParser
      according to the HTML5 standard.
    - CVE-2025-6069: Fix quadratic complexity in processing specially
      crafted input in html.parser.HTMLParser. End-of-file errors
      are now handled according to the HTML5 specs – comments and
      declarations are automatically closed, tags are ignored
      (gh-135462, bsc#1244705).
    - CVE-2025-8194: tarfile now validates archives to ensure member
      offsets are non-negative. (gh-130577, bsc#1247249).
    - gh-118350: Fix support of escapable raw text mode (elements
      “textarea” and “title”) in html.parser.HTMLParser.
  - Core and Builtins
    - gh-58124: Fix name of the Python encoding in Unicode errors
      of the code page codec: use “cp65000” and “cp65001” instead
      of “CP_UTF7” and “CP_UTF8” which are not valid Python code
      names. Patch by Victor Stinner.
    - gh-137314: Fixed a regression where raw f-strings
      incorrectly interpreted escape sequences in format
      specifications. Raw f-strings now properly preserve literal
      backslashes in format specs, matching the behavior from
      Python 3.11. For example, rf'{obj:\xFF}' now correctly
      produces '\\xFF' instead of 'ÿ'. Patch by Pablo Galindo.
    - gh-136541: Fix some issues with the perf trampolines
      on x86-64 and aarch64. The trampolines were not being
      generated correctly for some cases, which could lead to
      the perf integration not working correctly. Patch by Pablo
      Galindo.
    - gh-109700: Fix memory error handling in
      PyDict_SetDefault().
    - gh-78465: Fix error message for cls.__new__(cls, ...) where
      cls is not instantiable builtin or extension type (with
      tp_new set to NULL).
    - gh-135871: Non-blocking mutex lock attempts now return
      immediately when the lock is busy instead of briefly
      spinning in the free threading build.
    - gh-135607: Fix potential weakref races in an object’s
      destructor on the free threaded build.
    - gh-135496: Fix typo in the f-string conversion type error
      (“exclamanation” -> “exclamation”).
    - gh-130077: Properly raise custom syntax errors when
      incorrect syntax containing names that are prefixes of soft
      keywords is encountered. Patch by Pablo Galindo.
    - gh-135148: Fixed a bug where f-string debug expressions
      (using =) would incorrectly strip out parts of strings
      containing escaped quotes and # characters. Patch by Pablo
      Galindo.
    - gh-133136: Limit excess memory usage in the free threading
      build when a large dictionary or list is resized and
      accessed by multiple threads.
    - gh-132617: Fix dict.update() modification check that could
      incorrectly raise a “dict mutated during update” error when
      a different dictionary was modified that happens to share
      the same underlying keys object.
    - gh-91153: Fix a crash when a bytearray is concurrently
      mutated during item assignment.
    - gh-127971: Fix off-by-one read beyond the end of a string
      in string search.
    - gh-125723: Fix crash with gi_frame.f_locals when generator
      frames outlive their generator. Patch by Mikhail Efimov.
  - Library
    - gh-132710: If possible, ensure that uuid.getnode()
      returns the same result even across different processes.
      Previously, the result was constant only within the same
      process. Patch by Bénédikt Tran.
    - gh-137273: Fix debug assertion failure in
      locale.setlocale() on Windows.
    - gh-137257: Bump the version of pip bundled in ensurepip to
      version 25.2
    - gh-81325: tarfile.TarFile now accepts a path-like when
      working on a tar archive. (Contributed by Alexander Enrique
      Urieles Nieto in gh-81325.)
    - gh-130522: Fix unraisable TypeError raised during
      interpreter shutdown in the threading module.
    - gh-136549: Fix signature of threading.excepthook().
    - gh-136523: Fix wave.Wave_write emitting an unraisable when
      open raises.
    - gh-52876: Add missing keepends (default True)
      parameter to codecs.StreamReaderWriter.readline() and
      codecs.StreamReaderWriter.readlines().
    - gh-85702: If zoneinfo._common.load_tzdata is given a
      package without a resource a zoneinfo.ZoneInfoNotFoundError
      is raised rather than a PermissionError. Patch by Victor
      Stinner.
    - gh-134759: Fix UnboundLocalError in
      email.message.Message.get_payload() when the payload to
      decode is a bytes object. Patch by Kliment Lamonov.
    - gh-136028: Fix parsing month names containing “İ” (U+0130,
      LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime().
      This affects locales az_AZ, ber_DZ, ber_MA and crh_UA.
    - gh-135995: In the palmos encoding, make byte 0x9b decode to
      › (U+203A - SINGLE RIGHT-POINTING ANGLE QUOTATION MARK).
    - gh-53203: Fix time.strptime() for %c and %x formats on
      locales byn_ER, wal_ET and lzh_TW, and for %X format on
      locales ar_SA, bg_BG and lzh_TW.
    - gh-91555: An earlier change, which was introduced in
      3.13.4, has been reverted. It disabled logging for a logger
      during handling of log messages for that logger. Since the
      reversion, the behaviour should be as it was before 3.13.4.
    - gh-135878: Fixes a crash of types.SimpleNamespace on free
      threading builds, when several threads were calling its
      __repr__() method at the same time.
    - gh-135836: Fix IndexError in
      asyncio.loop.create_connection() that could occur when
      non-OSError exception is raised during connection and
      socket’s close() raises OSError.
    - gh-135836: Fix IndexError in
      asyncio.loop.create_connection() that could occur when the
      Happy Eyeballs algorithm resulted in an empty exceptions
      list during connection attempts.
    - gh-135855: Raise TypeError instead of SystemError when
      _interpreters.set___main___attrs() is passed a non-dict
      object. Patch by Brian Schubert.
    - gh-135815: netrc: skip security checks if os.getuid() is
      missing. Patch by Bénédikt Tran.
    - gh-135640: Address bug where it was possible to call
      xml.etree.ElementTree.ElementTree.write() on an ElementTree
      object with an invalid root element. This behavior blanked
      the file passed to write if it already existed.
    - gh-135444: Fix asyncio.DatagramTransport.sendto() to
      account for datagram header size when data cannot be sent.
    - gh-135497: Fix os.getlogin() failing for longer usernames
      on BSD-based platforms.
    - gh-135487: Fix reprlib.Repr.repr_int() when given integers
      with more than sys.get_int_max_str_digits() digits. Patch
      by Bénédikt Tran.
    - gh-135335: multiprocessing: Flush stdout and stderr after
      preloading modules in the forkserver.
    - gh-135244: uuid: when the MAC address cannot be
      determined, the 48-bit node ID is now generated with a
      cryptographically-secure pseudo-random number generator
      (CSPRNG) as per RFC 9562, §6.10.3. This affects uuid1().
    - gh-135069: Fix the “Invalid error handling” exception in
      encodings.idna.IncrementalDecoder to correctly replace the
      ‘errors’ parameter.
    - gh-134698: Fix a crash when calling methods of
      ssl.SSLContext or ssl.SSLSocket across multiple threads.
    - gh-132124: On POSIX-compliant systems,
      multiprocessing.util.get_temp_dir() now ignores TMPDIR
      (and similar environment variables) if the path length of
      AF_UNIX socket files exceeds the platform-specific maximum
      length when using the forkserver start method. Patch by
      Bénédikt Tran.
    - gh-133439: Fix dot commands with trailing spaces are
      mistaken for multi-line SQL statements in the sqlite3
      command-line interface.
    - gh-132969: Prevent the ProcessPoolExecutor executor thread,
      which remains running when shutdown(wait=False), from
      attempting to adjust the pool’s worker processes after
      the object state has already been reset during shutdown.
      A combination of conditions, including a worker process
      having terminated abormally, resulted in an exception and
      a potential hang when the still-running executor thread
      attempted to replace dead workers within the pool.
    - gh-130664: Support the '_' digit separator in formatting
      of the integral part of Decimal’s. Patch by Sergey B
      Kirpichev.
    - gh-85702: If zoneinfo._common.load_tzdata is given a
      package without a resource a ZoneInfoNotFoundError is
      raised rather than a IsADirectoryError.
    - gh-130664: Handle corner-case for Fraction’s formatting:
      treat zero-padding (preceding the width field by a zero
      ('0') character) as an equivalent to a fill character of
      '0' with an alignment type of '=', just as in case of
      float’s.
  - Tools/Demos
    - gh-135968: Stubs for strip are now provided as part of an
      iOS install.
  - Tests
    - gh-135966: The iOS testbed now handles the app_packages
      folder as a site directory.
    - gh-135494: Fix regrtest to support excluding tests from
      --pgo tests. Patch by Victor Stinner.
    - gh-135489: Show verbose output for failing tests during PGO
      profiling step with –enable-optimizations.
  - Documentation
    - gh-135171: Document that the iterator for the leftmost for
      clause in the generator expression is created immediately.
  - Build
    - gh-135497: Fix the detection of MAXLOGNAME in the
      configure.ac script.

-----------------------------------------------------------------
Advisory ID: 172
Released:    Thu Jan 22 15:29:42 2026
Summary:     Security update for libpng16
Type:        security
Severity:    moderate
References:  1231463,1240897,1242844,1256525,1256526,CVE-2025-3360,CVE-2025-4373,CVE-2026-22695,CVE-2026-22801
This update for libpng16 fixes the following issues:

- CVE-2026-22695: Fixed heap buffer over-read in png_image_finish_read (bsc#1256525).
- CVE-2026-22801: Fixed integer truncation causing heap buffer over-read in png_image_write_* (bsc#1256526).

-----------------------------------------------------------------
Advisory ID: 182
Released:    Fri Jan 23 09:24:13 2026
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1245274,1245275,1253029,1253960,1254873,CVE-2024-12678,CVE-2024-25131,CVE-2024-25133,CVE-2024-28892,CVE-2024-43803,CVE-2024-45338,CVE-2024-45387,CVE-2024-54148,CVE-2024-55196,CVE-2024-55947,CVE-2024-56362,CVE-2024-56513,CVE-2024-56514,CVE-2024-9779,CVE-2025-21609,CVE-2025-21613,CVE-2025-21614,CVE-2025-22130,CVE-2025-32462,CVE-2025-32463
This update for dracut fixes the following issues:

- Fix and update testsuite (bsc#1254873):
    * test (FULL-SYSTEMD):
        + ignore errors in systemd-vconsole-setup.service
        + use poweroff to shut down test
        + no need to include dbus to the target rootfs
    * test: move /failed to /run/failed as rootfs might be read-only
    * test: make the size of all test drives 512 MB
    * fix (systemd): move installation of libkmod to udev-rules module
    * test: switch to virtio for the QEMU drive
    * test: increase test VM memory from 512M to 1024M to avoid OOM killer
    * test: move more common test code to test-functions
    * test: upgrade to ext4
- fix (nfs): do not execute logic in nfs hooks if netroot is not nfs (bsc#1253960)
- fix (kernel-modules-extra): remove stray \ before / (bsc#1253029)

-----------------------------------------------------------------
Advisory ID: 187
Released:    Fri Jan 23 17:43:58 2026
Summary:     Security update for the Linux Kernel (Live Patch 2 for SUSE Linux Enterprise 16)
Type:        security
Severity:    important
References:  1216091,1218459,1235849,1241052,1254196,CVE-2025-40212

This update for the SUSE Linux Enterprise kernel 6.12.0-160000.7.1 fixes one security issue

The following security issue was fixed:

- CVE-2025-40212: nfsd: fix refcount leak in nfsd_set_fh_dentry() (bsc#1254196).

-----------------------------------------------------------------
Advisory ID: 188
Released:    Fri Jan 23 18:19:05 2026
Summary:     Recommended update for ibus
Type:        recommended
Severity:    important
References:  1234812,1236621,1243268,1244561,1244564,1244565,1244566,1244567,1244568,1244570,1244571,1244572,1244574,1244575,1252250,CVE-2024-38822,CVE-2024-38823,CVE-2024-38824,CVE-2024-38825,CVE-2024-40896,CVE-2025-22236,CVE-2025-22237,CVE-2025-22238,CVE-2025-22239,CVE-2025-22240,CVE-2025-22241,CVE-2025-22242,CVE-2025-47287
This update for ibus fixes the following issues:

- Upstream update to 1.5.33:
    * Fix reset signal w/ GTK_IM_MODULE=ibus in Wayland
    * Provide preedit semantic APIs
    * Do not load en-US compose table by default
    * IBus 1.5.33 will insert 'include %L' in your compose file
      automatically generated by old IBus versions
    * Implement IBusMessage
    * Improve BEPO compose sequence visuals
    * Update simple.xml with xkeyboard-config 2.45
    * Update ibusunicodegen.h with Unicode 17.0.0
    * Bug fixes for Wayland input-method
    * Fix PageUp/PageDown buttons with hiding candidate popup
    * Fix leaks and buffer overflows
- Drop patches for unmaintained distributions
- Fix: Barcode scanner input gets jumbled when ibus is running and
  an application written in certain frameworks has focus (bsc#1252250):
    * After libX11 is fixed about the XIM jumbled input issues, too quick
      focus change can causes a freeze with barcode reader
    * Fix the synchronous 'ProcessKeyEvent' D-Bus method in ibus-x11
    * Add ibus_input_context_set_post_process_key_event() and ibus_input_context_post_process_key_event()

-----------------------------------------------------------------
Advisory ID: 191
Released:    Mon Jan 26 10:12:02 2026
Summary:     Security update for the Linux Kernel RT (Live Patch 2 for SUSE Linux Enterprise 16)
Type:        security
Severity:    important
References:  1233785,1241083,1244079,1254196,CVE-2024-11498,CVE-2024-56406,CVE-2025-40212,CVE-2025-40909

This update for the SUSE Linux Enterprise kernel 6.12.0-160000.7.1 fixes one security issue

The following security issue was fixed:

- CVE-2025-40212: nfsd: fix refcount leak in nfsd_set_fh_dentry() (bsc#1254196).

-----------------------------------------------------------------
Advisory ID: 192
Released:    Mon Jan 26 10:22:47 2026
Summary:     Recommended update for runc
Type:        recommended
Severity:    important
References:  1223880,1243226,1254362,CVE-2024-34062,CVE-2025-6018
This update for runc fixes the following issues:

Changes in runc:

- Update to runc v1.3.4. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.3.4>. bsc#1254362


-----------------------------------------------------------------
Advisory ID: 196
Released:    Mon Jan 26 12:24:31 2026
Summary:     Security update for the Linux Kernel (Live Patch 0 for SUSE Linux Enterprise 16)
Type:        security
Severity:    important
References:  1221107,1235147,1246019,1248301,1248400,1248631,1248670,1248672,1249207,1249208,1249241,1249537,1250192,1251956,1251982,1252270,1253437,1254196,1256928,CVE-2024-2236,CVE-2024-53164,CVE-2024-5594,CVE-2025-38500,CVE-2025-38554,CVE-2025-38572,CVE-2025-38588,CVE-2025-38608,CVE-2025-38616,CVE-2025-38617,CVE-2025-38618,CVE-2025-38664,CVE-2025-39682,CVE-2025-39963,CVE-2025-40204,CVE-2025-40212

This update for the SUSE Linux Enterprise kernel 6.12.0-160000.5.1 fixes various security issues

The following security issues were fixed:

- CVE-2024-53164: net: sched: fix ordering of qlen adjustment (bsc#1246019).
- CVE-2025-38500: xfrm: interface: fix use-after-free after changing collect_md xfrm interface (bsc#1248672).
- CVE-2025-38554: mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped (bsc#1248301).
- CVE-2025-38572: ipv6: reject malicious packets in ipv6_gso_segment() (bsc#1248400).
- CVE-2025-38588: ipv6: prevent infinite loop in rt6_nlmsg_size() (bsc#1249241).
- CVE-2025-38608: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls (bsc#1248670).
- CVE-2025-38616: tls: handle data disappearing from under the TLS ULP (bsc#1249537).
- CVE-2025-38617: net/packet: fix a race in packet_set_ring() and packet_notifier() (bsc#1249208).
- CVE-2025-38618: vsock: Do not allow binding to VMADDR_PORT_ANY (bsc#1249207).
- CVE-2025-38664: ice: Fix a null pointer dereference in ice_copy_and_init_pkg() (bsc#1248631).
- CVE-2025-39682: tls: fix handling of zero-length records on the rx_list (bsc#1250192).
- CVE-2025-39963: io_uring: fix incorrect io_kiocb reference in io_link_skb (bsc#1251982).
- CVE-2025-40204: sctp: Fix MAC comparison to be constant-time (bsc#1253437).
- CVE-2025-40212: nfsd: fix refcount leak in nfsd_set_fh_dentry() (bsc#1254196).

The following non security issues were fixed:

- Explicitly add module-common.c with vermagic and retpoline modinfo (bsc#1252270).
- powerpc64/modules: correctly iterate over stubs in setup_ftrace_ool_stubs (bsc#1251956).
- fix addr_bit_set() issue on big-endian machines (bsc#1256928).

-----------------------------------------------------------------
Advisory ID: 201
Released:    Tue Jan 27 16:23:11 2026
Summary:     Recommended update for xom, xmlunit, modello, junit5, jna, javapackages-tools, xz-java, sisu, slf4j, jline3, j2objc-annotations, jackson-databind, icu4j, guava, google-guice, google-gson, geronimo-specs, exec-maven-plugin, bouncycastle, byte-buddy, byaccj, apache-commons-logging, apache-commons-cli, apache-commons-codec, apache-commons-daemon, apache-commons-dbcp, apache-commons-beanutils, ant, auto
Type:        recommended
Severity:    moderate
References:  1220262,1230698,1245914,1245931,1245969,1246464,1247228,CVE-2023-50782,CVE-2024-41996
This update for xom, xmlunit, modello, junit5, jna, javapackages-tools, xz-java, sisu, slf4j, jline3, j2objc-annotations, jackson-databind, icu4j, guava, google-guice, google-gson, geronimo-specs, exec-maven-plugin, bouncycastle, byte-buddy, byaccj, apache-commons-logging, apache-commons-cli, apache-commons-codec, apache-commons-daemon, apache-commons-dbcp, apache-commons-beanutils, ant, auto fixes the following issues:

Changes in xom:

- Make build recipe compatible with POSIX sh. Use %autosetup.

Changes in xmlunit:

- Upgrade to 2.11.0

  * XMLUnit 2.x is a complete rewrite of XMLUnit and actually
    doesn't share any code with XMLUnit for Java 1.x.
  * Some goals for XMLUnit 2.x:

    + create .NET and Java versions that are compatible in design
      while trying to be idiomatic for each platform
    + remove all static configuration (the old XMLUnit class
      setter methods)
    + focus on the parts that are useful for testing

      - XPath
      - (Schema) validation
      - comparisons

    + be independent of any test framework

  * XMLUnit 1.x is no longer maintained

- Use diretly the xalan-j2 jar instead of the jaxp_transform_impl
  alternative (bsc#1245931 and bsc#1245914)

  * In cases of ATTR_NAME_NOT_FOUND and CHILD_NODE_NOT_FOUND
    differences the value used to be the local name of the missing
    attribute or node.
  * New assertXpathEvaluatesTo overloads in XMLAssert and a new
    QualifiedName class can be used to assert the stringified result
    of an XPath expression is actually a qualified name

Changes in modello:

- Upgrade to upstream version 2.5.1

  * New features and improvements

    + Improve and add exceptions for singular method
    + Fix Snakeyaml
    + Restore singular method behavior like was in version 2.4.0

  * Maintenance

    + Partially migrate to JUnit 5
    + Apply spotless re-formatting
    + Update build, get rid of legacy, fix CLI
    + Use distributionManagement from parent pom

- Fix the modello script classpath to be able to run the velocity
  generator.

- Upgrade to upstream version 2.3.0

Changes in modello:

- Add -Dguice_custom_class_loading=CHILD option to the command-line
  launcher in order to avoid the following warnings with
  OpenJDK >= 24 :

  WARNING: A terminally deprecated method in sun.misc.Unsafe has
           been called
  WARNING: sun.misc.Unsafe::staticFieldBase has been called by
           com.google.inject.internal.aop.HiddenClassDefiner
  WARNING: Please consider reporting this to the maintainers of
           class com.google.inject.internal.aop.HiddenClassDefiner
  WARNING: sun.misc.Unsafe::staticFieldBase will be removed in a
           future release

- Upgrade to upstream version 2.5.1

  * New features and improvements

    + Improve and add exceptions for singular method
    + Fix Snakeyaml
    + Restore singular method behavior like was in version 2.4.0

  * Maintenance

    + Partially migrate to JUnit 5
    + Apply spotless re-formatting
    + Update build, get rid of legacy, fix CLI
    + Use distributionManagement from parent pom

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

- Fix the modello script classpath to be able to run the velocity
  generator.

Changes in junit5:

- Fix errors in aggregator.pom and in ant build system that prevent
  successful builds with upcoming Maven 4
- Generate a non-modular javadoc

Changes in jna:

+ do not put module-info.class in multirelease directories

Changes in javapackages-tools:

- Require findutils for working build-classpath (bsc#1245969)

- Upgrade to upstream version 6.4.1

  * Changes

    + Revert 'jpackage_script: Remove unneeded backslashes'
    + Initial implementation of %jp_binding macro
    + Replace invalid $ escape in regex

Changes in xz-java:

+ Do not put the module-info.class into multirelease directory
+ If building with Java 8 only, specify in the manifest the
  Automatic-Module-Name, so that it can be recognized as
  modular jar even in that configuration

Changes in sisu:

- Initial packaging of the Sisu Extenders with version 0.9.0.M4

- Upgrade to upstream milestone 0.9.0.M4

  * Most important change

    + ASM is 'demoted' to plain dependency, hence, consumer is able
      to override/update it the usual 'Maven way'. This applies to
      all components: inject, plexus and sisu-maven-plugin as well.
    + Historically, Sisu shaded in ASM just like Guice did. Later
      Sisu started shipping 'main' JAR with shaded ASM but also
      'no_asm' classified artifact without ASM (just like Guice did
      with  'classes' classified JAR). Starting from this version,
      Sisu does not shade ASM anymore, it is 'demoted' to transitive
      dependency.

  * Changes

    + Disable shallow clones for sonarcloud analysis
    + Remove spurious asserts
    + Post release cleanup
    + Fix jacoco + code coverage
    + Enable code coverage again for all modules
    + Use default property for the jacoco agent
    + Add documentation on Plexus Configurator API
    + Remove about.html as only relevant for Eclipse plugins
    + Document Lifecycle support
    + Call TypeAwareExpressionEvaluator.evaluate(String,Class) if
      available
    + Pass strict flag also via 'discoverComponents'
    + Embed/relocate ASM via m-shade-p
    + Update to ASM 9.8
    + Increase coverage
    + Align subproject names (and naming)
    + Build infra updates
    + Reproducible
    + Fix sisu-maven-plugin
    + Lax array converter
    + Update dependencies
    + Publishing to Central

- Build with bootstrap version of maven-plugins. This allows to be
  built early, since it will become a crucial plugin with Maven 4.

Changes in sisu:

- Upgrade to upstream milestone 0.9.0.M4

  * Most important change

    + ASM is 'demoted' to plain dependency, hence, consumer is able
      to override/update it the usual 'Maven way'. This applies to
      all components: inject, plexus and sisu-maven-plugin as well.
    + Historically, Sisu shaded in ASM just like Guice did. Later
      Sisu started shipping 'main' JAR with shaded ASM but also
      'no_asm' classified artifact without ASM (just like Guice did
      with  'classes' classified JAR). Starting from this version,
      Sisu does not shade ASM anymore, it is 'demoted' to transitive
      dependency.

  * Changes

    + Disable shallow clones for sonarcloud analysis
    + Remove spurious asserts
    + Post release cleanup
    + Fix jacoco + code coverage
    + Enable code coverage again for all modules
    + Use default property for the jacoco agent
    + Add documentation on Plexus Configurator API
    + Remove about.html as only relevant for Eclipse plugins
    + Document Lifecycle support
    + Call TypeAwareExpressionEvaluator.evaluate(String,Class) if
      available
    + Pass strict flag also via 'discoverComponents'
    + Embed/relocate ASM via m-shade-p
    + Update to ASM 9.8
    + Increase coverage
    + Align subproject names (and naming)
    + Build infra updates
    + Reproducible
    + Fix sisu-maven-plugin
    + Lax array converter
    + Update dependencies
    + Publishing to Central

Changes in jline3:

- Update to upstream version 3.30.6

  * New features and improvements

    + Improve console variable expansion (fixes #1370)
    + ConsoleEngineImpl: change method and field visibilities
    + Allow ConsoleEngineImpl subclasses access to
      VariableReferenceCompleter
    + feat: add reusable POSIX commands to builtins module
    + feat: support slurp command to be renamed
    + feat: Extend InputRC with method/s to directly read ~/.inputrc
      & /etc/inputrc
    + Allow system commands to be renamed.

  * Bug Fixes

    + Fix macOS hang in pipe operations by removing PTY terminal
      usage
    + enhancement: only compute suggestions in the Nano editor if
      something has changed
    + fix: refactor TerminalProvider methods to use
      inputEncoding/outputEncoding parameters
    + Fix System.out not working after closing dumb terminal
    + Optimize Display performance and fix terminal capability
      usage

  * Dependency updates

    + chore: Bump groovy.version from 4.0.27 to 4.0.28
    + chore: Bump com.palantir.javaformat:palantir-java-format from
      2.67.00 to 2.73.0
    + chore: Bump junit.version from 5.12.2 to 5.13.4
    + chore: Bump org.graalvm.sdk:graal-sdk from 24.2.1 to 24.2.2
    + chore: Bump com.google.jimfs:jimfs from 1.3.0 to 1.3.1
    + chore: Bump org.apache.maven.plugins:maven-enforcer-plugin
      from 3.5.0 to 3.6.1
    + chore: Bump on-headers and compression in /website
    + chore: Bump org.codehaus.gmavenplus:gmavenplus-plugin from
      4.2.0 to 4.2.1
    + chore: Bump org.apache.maven.plugins:maven-clean-plugin from
      3.4.1 to 3.5.0
    + chore: Bump org.codehaus.mojo:build-helper-maven-plugin from
      3.6.0 to 3.6.1
    + chore: Bump org.apache.maven.plugins:maven-gpg-plugin from
      3.2.7 to 3.2.8
    + chore: Bump eu.maveniverse.maven.njord:extension from 0.6.2
      to 0.7.5

  * Documentation updates

    + docs: Link to Nano Customization from Builtins doc page
    + docs: Add Capability.enter_ca_mode and Capability.exit_ca_mode
      tip

  * Maintenance

    + Remove double docs/docs in edit links on jline.org (fixes#
      1309)
    + chore: make downcall handles static final

- Build the ffm support in Factory, since we have now the java >= 22

- Update to upstream version 3.30.4

  * New features and improvements

    + add pluggable completion to Nano editor (fixes #1194)
    + enhanced MouseSupport to handle multiple mouse event formats
      (SGR, URXVT, SGR-Pixels)
    + add getCurrentMouseTracking to Terminal interface
    + add ability to get terminal default foreground and background
      colors
    + add password masking support for dumb terminals (fixes #1172)
    + add line numbers and current line marker to secondary prompt
      (fix for #1151)
    + Add support for separate encodings for stdin, stdout, and
      stderr
    + Make prompts work in non-fullscreen mode

  * Bug Fixes

    + use a fallback classloader suitable for java Modules or OSGi
      environments (fixes #1185)
    + NPE in Status#resize when supported is false (fixes #1191)
    + nano editor exiting when pressing Ctrl+Space (fixes #1200)
    + parse error of system default /usr/share/nano/*.nanorc
    + Terminal.trackMouse(MouseTracking.Off) (fixes #1189)
    + Make command execution order consistent in SystemRegistryImpl
    + handle invalid entries in history files gracefully
    + Properly fill screen lines with spaces when width is increased
      in ScreenTerminal
    + cursor position after Status.update()
    + improve script file detection and execution in Groovy REPL,
      fixes #1139
    + ensure proper cleanup of pump threads in terminal
      implementations
    + add history line width check in ScreenTerminal.setSize()
      (fixes #1206)
    + console-ui example: catch UserInterruptException in place of
      IOError
    + Ctrl+Space handling on Windows terminals
    + Update LineReaderImpl to use new readMouseEvent signature with
      lastBinding parameter
    + enhance nanorc loading and introduce a ClasspathResourceUtil
      utility
    + missing close in PosixSysTerminal.
    + Jansi AnsiConsole broken color detection in uber jars
    + SyntaxHighlighter glob pattern handling for non-default file
      systems

  * Documentation

    + Integrate website into main repository
    + improve JLineNativeLoader documentation and references
    + fix readme
    + Add comprehensive Javadoc to jline-builtins module
    + improve Javadoc in console module
    + add comprehensive Javadoc to org.jline.style package
    + add comprehensive Javadoc to JLine Terminal and Reader
    + Add missing DISABLE_EVENT_EXPANSION JavaDoc (fixes #1218)
    + Make sure snippets compile
    + Corrected the maven central link
    + correct PicocliJLineExample snippet name in
      library-integration.md
    + validate code snippets during build time instead of runtime
    + add missing @SInCE 3.30.0 annotations to new methods in
      Terminal
    + integrate GitHub wiki content into website documentation
    + Improve website build system and documentation management
    + fix javadoc redirect URL issue
    + Add picocli links to library integration
    + Mention InputRC on Builtins
    + doc: update version to 3.30.0 and add Javadoc integration
    + integrate ConsoleUI documentation into website
    + add syntax highlighting example classes for documentation
    + Expand DISABLE_EVENT_EXPANSION JavaDoc (re. #1238)
    + Link to documentation website earlier in README (see #1240)
    + Link to Pty4j on Terminal

- Rewrite to use Ant to build. This prevents potential cycles with
  upcoming Maven 4

Changes in j2objc-annotations:

- Update to version 3.0.0

  * no structured changelog available
  * this version is a modular jar needed by guava

Changes in jackson-databind:

- Fix 'Not fully interpolated version' error with Maven 4

Changes in icu4j:

+ detect java version up to 25 when running ant

Changes in guava:

- Upgrade to guava 33.4.8

  * Changes of version 33.4.8

    + util.concurrent: Removed our VarHandle code from
      guava-android. While the code was never used at runtime under
      Android, it was causing problems under the Android Gradle
      Plugin with a minSdkVersion below 26. To continue to avoid
      sun.misc.Unsafe under the JVM, guava-android will now always
      use AtomicReferenceFieldUpdater when run there.

  * Changes of version 33.4.7
    + Modified the guava module's dependency on failureaccess to be
      transitive. Also, modified the guava-testlib module to make
      its dependency on guava transitive, to remove its dependency
      on failureaccess, and to add a dependency (transitive) on
      junit.
    + util.concurrent: Modified our fast paths to ensure that they
      continue to work when run through optimizers, such as those
      commonly used by Android apps. This fixes problems that some
      users may have seen since Guava 33.4.5.
    + util.concurrent: Changed the guava-android copy of
      AbstractFuture to try VarHandle before Unsafe, eliminating a
      warning under newer JDKs.

  * Changes of version 33.4.6

    + Removed the extra copy of each class from the Guava jar. The
      extra copies were an accidental addition from the
      modularization work in Guava 33.4.5.
    + Fixed annotation-related warnings when using Guava in modular
      builds. The most common such warning is Cannot find annotation
      method 'value()' in type 'DoNotMock': ....

  * Changes of version 33.4.5

    + Changed the Guava jar (plus guava-testlib and failureaccess
      jars) to be a modular jar.
    + Changed various classes to stop using sun.misc.Unsafe under
      Java 9+.
      ° Note that, if you use guava-android on the JVM (instead of
        using guava-jre), Guava will still try to use
        sun.misc.Unsafe. We will do further work on this in the
        future.
    + Belatedly updated the Public Suffix List data.

  * Changes of version 33.4.4

    + Migrated from Checker Framework annotations to JSpecify
      annotations.
    + Made our usages of nullness annotations available in our GWT
      artifact. GWT users will need to upgrade to GWT 2.12.1, which
      makes GWT as tolerant of Java 8 type-use annotations as it is
      of other annotations.

  * Changes of version 33.4.3

    + Migrated from @CheckForNull to the Checker Framework
      @Nullable. Most tools recognize both annotations, so we expect
      this to be a no-op in almost all cases. This release removes
      our dependency on JSR-305.

  * Changes of version 33.4.2

    + Changed @ParametricNullness into a no-op for Kotlin and
      IntelliJ. Before now, it was forcing many usages of type
      variables to have platform types, which meant that Kotlin
      couldn't check those usages for nullness errors. With this
      change, Kotlin can detect more errors.

  * Changes of version 33.4.1

    + Replaced our custom @ElementTypesAreNonnullByDefault
      annotations with the JSpecify @NullMarked annotation.

  * Changes of version 33.4.0

    + Exposed additional Java 8 APIs to Android users.
    + base: Deprecated Charsets constants in favor of
      StandardCharsets. We will not remove the constants, but we
      recommend using StandardCharsets for consistency.
    + base: Added ToStringHelper.omitEmptyValues().
    + collect: Added an optimized copyOf method to TreeRangeMap.
    + collect.testing: Fixed @Require annotations so that features
      implied by absent features are not also required to be absent.
    + io: Changed ByteSink and CharSink to no longer call flush() in
      some cases before close(). This is a no-op for well-behaved
      streams, which internally flush their data as part of closing.
      However, we have discovered some stream implementations that
      have overridden close() to do nothing, including not to flush
      some buffered data. If this change causes problems, the
      simplest fix is usually to change the close() override to at
      least call flush().
    + net: Added HttpHeaders.ALT_SVC and MediaType.CBOR.

  * Changes of version 33.3.1

    + Added j2objc-annotations to the Gradle runtime classpath to
      stop producing an Android Gradle Plugin error.

  * Changes of version 33.3.0

    + base: Removed @Beta from the Duration overload of
      Suppliers.memoizeWithExpiration.
    + cache: Added CacheBuilder Duration overloads to guava-android.
    + collect: Removed @Beta from the guava-android Collector APIs.
    + collect: Added ImmutableMultimap.builderWithExpectedKeys and
      ImmutableMultimap.Builder.expectedValuesPerKey.
    + graph: Improved Graphs.hasCycle to avoid causing
      StackOverflowError for long paths.
    + net: Added text/markdown to MediaType.
    + net: Deprecated HttpHeaders constant for Sec-Ch-UA-Form-Factor
      in favor of Sec-Ch-UA-Form-Factors to follow the latest spec.
    + testing: Changed some test libraries to throw AssertionError
      (instead of the more specific AssertionFailedError) in some
      cases.

    + we are folding the failureaccess into the main guava.jar, so
      we don't have a special module for it.

Changes in google-guice:

- Fix build with Java 25

Changes in google-gson:

- Rewrite the build system for ant to avoid potential build cycles
  with upcoming Maven 4

Changes in geronimo-specs:

- Do not use update-alternatives

Changes in exec-maven-plugin:

- Upgrade to upstream version 3.5.1

- Changes of 3.5.1

  * Bug Fixes

    + Add ClassLoader support for ASM ClassWriter

  * Maintenance

    + Fix ITs for Maven 4 rc-3
    + Document how to use env vars in commandlineArgs

- Changes of 3.5.0

  * New features and improvements

    + Add toolchain java path to environment variables in ExecMojo

  * Bug Fixes

    + #322, enable to control the exec:java interaction with JVM
      classloader more finely

  * Maintenance

    + Update site descriptor to 2.0.0
    + Toolchains manual improvements
    + Manage version of maven-toolchains-plugin

- Changes of 3.4.1

  * Bug Fixes

    + Environment variable Path should be used as case-insensitive
    + fix: NPE because declared MavenSession field hides field of
      superclass

  * Maintenance

    + Remove redundant spotless configuration

  * Build

    + Use Maven4 enabled with GH Action
    + Use shared release drafter GH Action

- Chages of 3.4.0

  * New features and improvements

    + Allow <includePluginDependencies> to be specified for the
      exec:exec goal

  * Bug Fixes

    + Do not get UPPERCASE env vars

  * Maintenance

    + Remove Log4j 1.2.x from ITs

  * Build

    + Use Maven 3.9.7 and 4.0.0-beta-3

- Changes of 3.3.0

  * New features and improvements

    + Add option to include runtime and provided

- Changes of 3.2.0

  * New features and improvements

    + Enable to exec:java runnables and not only mains with loosely
      coupled injections
    + Try to get rid of legacy API which can break starting with
      java 17

  * Bug Fixes

    + Fix #401 - Maven v4 compatibility

  * Maintenance

    + ITs improvement
    + Fix documentation formatting, add menu items for new examples
    + Execute mexec-137 also on unix family
    + Remove unused test

  * Build

    + Bump release-drafter/release-drafter from 5 to 6

- Changes of 3.1.1

  * New features and improvements

    + Remove unused killAfter options
    + [#391] Cope with Thread::stop being unavailable in JDK 20+
    + Only prefix program output with thread name when running with
      multiple threads
    + [#389] Add option 'blockSystemExit' to 'java' mojo
    + Require Maven 3.6.3+
    + Ensure maven.properties can be forwarded to system properties
      for exec:java

  * Bug Fixes

    + Fix #158 - Fix non ascii character handling
    + [#323] exec arguments missing

  * Maintenance

    + Code cleanups - use newer JDK features
    + Enable spotless for code formatting
    + Require Maven 3.6.3+
    + ITs cleanups
    + Use Resolver Api for dependency resolving
  * Build
    + Workaround for concurrent access to local repository on
      Windows by ITs
    + Use Maven 3.9.4, 3.8.8 in GitHub build
- Changes of 3.1.0
  * New features and improvements
    + Require Maven 3.2.5
    + Support stream inheritance for the forked process, fixes #71
  * Bug Fixes
    + Fix NullPointerException when using plugin dependencies in
      version 1.6.0
    + preload common pool - issue #198
    + fix handling of LongModulePathArgument and LongClassPathArgument
    + Do not drop environment variables that contain '=' in their value,
      or have no value.
    + Empty argument tag should add empty string instead of null
    + Fixes #160, ensure the java classloader is a child first one and
      supports to excludes some gathered classpath element to solve
      manually conflicts
  * Maintenance
    + Get rid of maven-artifact-transfer from dependencies
    + Cleanup project site
    + Cleanup project
    + Fix build badge for current CI system
    + Enforce JAVA_HOME for ITs
    + Drop Invokable interface
    + Remove unused class
    + Remove unused class and profile to build it
    + Remove unused imports
    + Remove unused fields
    + Bump sniffed signatures
    + fix issue with IBM semu 11
    + [DEPS] remove unused logging dependencies.
    + Fixed message: Removed duplicate space
    + Fix spelling in error msg (occured -> occurred)
  * Build
    + Testing with Maven 3.2.5 and 3.8.6
    + use shared gh action from ASF
    + use Temurin JDK

Changes in bouncycastle:

- Update to 1.82:

  * Defects Fixed:

    - SNOVA and MAYO are now correctly added to the JCA provider module-info file.
    - TLS: Avoid nonce reuse error in JCE AEAD workaround for pre-Java7.
    - BCJSSE: Session binding map is now shared across all stages of the
      session lifecycle (SunJSSE compatibility).
    - The CMCEPrivateKeyParameters#reconstructPublicKey method was returning
      an empty byte array. It now returns an encoding of the public key.
    - CBZip2InputStream no longer auto-closes at end-of-contents.
    - The BC CertPath implementation was eliminating certificates on the
      bases of the Key-ID. This is not in accordance with RFC 4158.
    - Support for the previous set of libOQS Falcon OIDs has been restored.
    - The BC CipherInputStream could throw an exception if asked to handle an
      AEAD stream consisting of the MAC only.
    - Some KeyAgreement classes were missing in the Java 11 class hierarchy.
    - Fix typo in a constant name in the HPKE class and deprecate the old constant.
    - Fuzzing analysis has been done on the OpenPGP API and additional code
      has been added to prevent escaping exceptions.

  * Additional Features and Functionality:

    - SHA3Digest, CSHAKE, TupleHash, KMAC now provide support for Memoable
      and EncodableService.
    - BCJSSE: Added support for integrity-only cipher suites in TLS 1.3 per RFC 9150.
    - BCJSSE: Added support for system properties 'jdk.tls.{client,server}.maxInboundCertificateChainLength'
    - BCJSSE: Added support for ML-DSA signature schemes in TLS 1.3 per draft-ietf-tls-mldsa-00.
    - The Composite post-quantum signatures implementation has been updated to
      the latest draft (07) draft-ietf-lamps-pq-composite-sigs.
    - '_PREHASH' implementations are now provided for all composite signatures
      to allow the hash of the date to be used instead of the actual data in
      signature calculation.
    - The gradle build can now be used to generate an Bill of Materials (BOM) file.
    - It is now possible to configure the SignerInfoVerifierBuilder used by the
      SignedMailValidator class.
    - The Ascon family of algorithms has been updated with the latest published changes.
    - Composite signature keys can now be constructed from the individual keys of
      the algorithms composing the composite.
    - PGPSecretKey, PGPSignatureGenerator now support version 6.
    - Further optimisation work has been done on ML-KEM public key validation.
    - Zeroization of passwords in the JCA PKCS12 key store has been improved.
    - The 'org.bouncycastle.drbg.effective_256bits_entropy' property has been
      added for platforms where the entropy source is not producing 1 full bit
      of entropy per bit and additional bits are required (default value 282).
    - OpenPGPKeyGenerator now allows for the use of empty UserIDs (version 4 compatibility).
    - The HQC KEM has been updated with the latest draft updates.

  * Additional Notes:

    - The legacy post-quantum package has now been removed.

- Update to 1.81:

  * Defects Fixed:

    - A potention NullPointerException in the KEM KDF KemUtil class
      has been removed.
    - Overlapping input/output buffers in doFinal could result in
      data corruption.
    - Fixed Grain-128AEAD decryption incorrectly handle MAC verification.
    - Add configurable header validation to prevent malicious header
      injection in PGP cleartext signed messages; Fix signature packet
      encoding issues in PGPSignature.join() and embedded signatures
      while phasing out legacy format.
    - Fixed ParallelHash initialization stall when using block size B=0.
    - The PRF from the PBKDF2 function was been lost when PBMAC1 was
      initialized from protectionAlgorithm. This has been fixed.
    - The lowlevel DigestFactory was cloning MD5 when being asked
      to clone SHA1.

  * Additional Features and Functionality:

    - XWing implementation updated to draft-connolly-cfrg-xwing-kem/07/
    - Further support has been added for generation and use of PGP V6 keys
    - Additional validation has been added for armored headers in Cleartext
      Signed Messages.
    - The PQC signature algorithm proposal Mayo has been added to the
      low-level API and the BCPQC provider.
    - The PQC signature algorithm proposal Snova has been added to the
      low-level API and the BCPQC provider.
    - Support for ChaCha20-Poly1305 has been added to the CMS/SMIME APIs.
    - The Falcon implementation has been updated to the latest draft.
    - Support has been added for generating keys which encode as seed-only
      and expanded-key-only for ML-KEM and ML-DSA private keys.
    - Private key encoding of ML-DSA and ML-KEM private keys now follows
      the latest IETF draft.
    - The Ascon family of algorithms has been updated to the initial draft
      of SP 800-232. Some additional optimisation work has been done.
    - Support for ML-DSA's external-mu calculation and signing has been
      added to the BC provider.
    - CMS now supports ML-DSA for SignedData generation.
    - Introduce high-level OpenPGP API for message creation/consumption
      and certificate evaluation.
    - Added JDK21 KEM API implementation for HQC algorithm.
    - BCJSSE: Strip trailing dot from hostname for SNI, endpointID checks.
    - BCJSSE: Draft support for ML-KEM updated (draft-connolly-tls-mlkem-key-agreement-05).
    - BCJSSE: Draft support for hybrid ECDHE-MLKEM (draft-ietf-tls-ecdhe-mlkem-00).
    - BCJSSE: Optionally prefer TLS 1.3 server's supported_groups order
      (BCSSLParameters.useNamedGroupsOrder).

Changes in byte-buddy:

- Fix build with maven 4

- Update to v1.17.6

  * Changes of v1.17.6

    + Add convenience wrapper for ResettableClassFileTransformer
      that implicitly delegates to correct transformer method.
    + Add filter for deduplicate fields and methods in class file.
    + Add missing static requirement of Spotbugs annotations to
      module descriptors.
    + Add LazinessMode for TypePool and add convenience support to
      AgentBuilder.
    + Fix source jars for multi-version release to contain
      duplicated source.

- Update to v1.17.5

  * Changes of v1.17.5

    + Update ASM to version 9.8 to support Java 25 using ASM reader
      and writer.
    + Include AnnotationRemoval visitor for removing or replacing
      annotations.

- Update to v1.17.4

  * Changes of v1.17.4

    + Add SafeVarargs plugin.
    + Fix OSGi declaration for byte-buddy-agent.

- Update to v1.17.3

  * Changes of v1.17.3

    + Fix bug in ASM to Class File API bridge handling tableswitch
      instructions.
    + Add plugin for adding SafeVarargs annotations.
    + Further generify MemberSubstitution API.

- Update to v1.17.2

  * Changes of v1.17.2

    + Update Class File API integration to include support for
      several omitted byte codes.
    + Adjust attach API emulation for OpenJ9 to not create
      subfolder if temporary folder is set explicitly.

- Update to v1.17.1

  * Changes of v1.17.1

    + Fix bug in MemberSubstitution were argument indices were
      resolved by one digit off.
    + Update Class File API integration to avoid that parameter
      annotations are lost.

Changes in byaccj:

- add -std=gnu11 to CFLAGS to fix gcc15 compile time error, and to
  still allow build on SLE / Leap 15

Changes in apache-commons-logging:

- Upgrade to 1.3.5

  * Fixed Bugs

    + Javadoc is missing its Overview page.
    + Remove -nouses directive from maven-bundle-plugin. OSGi
      package imports now state 'uses' definitions for package
      imports, this doesn't affect JPMS (from
      org.apache.commons:commons-parent:80).

  * Changes

    + Bump org.apache.commons:commons-parent from 72 to 81 #285,
      #287, #295, #298, #303, #310, #339.
    + Bump org.apache.commons:commons-lang3 from 3.16.0 to 3.17.0
      #288 [test].
    + Bump log4j2.version from 2.23.1 to 2.24.3 #292, #299, #319,
      #328.

  * Removed:
    + Remove 'cobertura' plugin use JaCoco, Cobertura is
      unmaintained.

    + LOGGING-193: Update Log4j 2 OSGi imports #268.
    + Fix PMD UnnecessaryFullyQualifiedName in SimpleLog.
    + Fix NullPointerException in SimpleLog#write(Object) on null

Changes in apache-commons-cli:

- Update to 1.10.0

  * New Features

    + CLI-339: Help formatter extension in the new package #314.
    + CommandLine.Builder implements Supplier<CommandLine>.
    + DefaultParser.Builder implements Supplier<DefaultParser>.
    + CLI-340: Add CommandLine.getParsedOptionValues() #334.
    + CLI-333: org.apache.commons.cli.Option.Builder implements
      Supplier<Option>.

  * Fixed Bugs

    + Deprecate CommandLine.Builder() in favor of
      CommandLine.builder().
    + Deprecate DeprecatedAttributes.Builder() in favor of
      DeprecatedAttributes.builder().
    + Refactor default parser test #294.
    + Port to JUnit 5.
    + Generics for Converter should use Exception not Throwable.
    + Pick up maven-antrun-plugin version from parent POM
      org.apache:apache.
    + Javadoc is missing its Overview page.
    + Get mockito version from parent pom (#351).
    + Remove -nouses directive from maven-bundle-plugin. OSGi
      package imports now state 'uses' definitions for package
      imports, this doesn't affect JPMS
      (from org.apache.commons:commons-parent:80).
    + Deprecate PatternOptionBuilder.PatternOptionBuilder().
    + CLI-341: HelpFormatter infinite loop with 0 width input.
    + CLI-349: Fail faster with a more precise NullPointerException:
      Option.processValue() throws NullPointerException when passed
      null value with value separator configured.
    + CLI-344: Fail faster with a more precise NullPointerException:
      DefaultParser.parse() throws NullPointerException when options
      parameter is null.
    + CLI-347: Options.addOptionGroup(OptionGroup) does not remove
      required options from requiredOpts list.
    + org.apache.commons.cli.Option.Builder.get() should throw
      IllegalStateException instead of IllegalArgumentException.
    + org.apache.commons.cli.Option.processValue(String) should
      throw IllegalStateException instead of
      IllegalArgumentException.
    + org.apache.commons.cli.OptionBuilder.create() should throw
      IllegalStateException instead of IllegalArgumentException.

  * Updates

    + Bump org.apache.commons:commons-parent from 72 to 85 #302,
      #304, #310, #315, #320, #327, #371.
    + [test] Bump commons-io:commons-io from 2.16.1 to 2.20.0 #309,
      #337.
    + [test] Bump org.apache.commons:commons-text from 1.12.0 to
      1.14.0 #344.
    + Update site documentation to
      https://maven.apache.org/xsd/xdoc-2.0.xsd.

    + CLI-334: Fix Javadoc pathing #280.
    + CLI-335: Updated properties documentation #285.
    + CLI-336: Deprecation not always reported #284.

Changes in apache-commons-codec:

- Update to 1.18.0

  * New features

    + Add Base32.Builder.setHexDecodeTable(boolean).
    + Add Base32.Builder.setHexEncodeTable(boolean).

  * Changes

    + Bump org.apache.commons:commons-parent from 78 to 79.

- Includes changes from 1.17.2

  * Fixed Bugs

    + Rewrite DaitchMokotoffSoundex.soundex(String) using
      String.join().
    + CODEC-324:  Use Resource.class to load resources, rather than
      its class loader #353.
    + Deprecate CharSequenceUtils.CharSequenceUtils().
    + Deprecate Sha2Crypt.Sha2Crypt().

  * Changes

    + Bump org.apache.commons:commons-lang3 from 3.14.0 to 3.17.0
      #296, #305, #313.
    + Bump org.apache.commons:commons-parent from 71 to 78 #310,
      #312, #319, #323, #326, #333.
    + [test] Bump commons-io:commons-io from 2.16.1 to 2.18.0 #318,
      #341.
    + Bump org.codehaus.mojo:taglist-maven-plugin from 3.1.0 to
      3.2.1 #332.

Changes in apache-commons-daemon:

- Upgrade to 1.4.1

  * Bug Fixes:

    + several issues around Java OS and header files location
      detection.
    + Correct several log messages where an incorrect placeholder
      led to truncation of the inserted values.

  * New Features

    + Add protection to avoid high CPU usage for applications
      running in JVM mode that do not wait for the stop method to
      be called before the start method returns. Fixes DAEMON-460.
    + The minimum Java version has been increased to Java 8

Changes in apache-commons-dbcp:

- Do not provide the hibernate_jdbc_cache alternative

Changes in apache-commons-beanutils:

- Updated to 1.9.3

    - Fixed Bugs:

      * BEANUTILS-433: Update dependency from JUnit 3.8.1 to 4.12.
      * BEANUTILS-469: Update commons-logging from 1.1.1 to 1.2.
      * BEANUTILS-490: Update Java requirement from Java 5 to 6.
      * BEANUTILS-492: IndexedPropertyDescriptor tests now pass on Java 8.

- update to 1.8.3 and rename to apache- to follow the upstream

Changes in auto:

- Force annotation processing, since it is needed with Java 25


-----------------------------------------------------------------
Advisory ID: 203
Released:    Wed Jan 28 09:27:48 2026
Summary:     Security update for ImageMagick
Type:        security
Severity:    important
References:  1209831,1229047,1234100,1234101,1234102,1234103,1234104,1235475,1240070,1246460,1254435,1254820,1255821,1255822,1255823,CVE-2024-12084,CVE-2024-12085,CVE-2024-12086,CVE-2024-12087,CVE-2024-12088,CVE-2024-12747,CVE-2025-65955,CVE-2025-66628,CVE-2025-68618,CVE-2025-68950,CVE-2025-69204
This update for ImageMagick fixes the following issues:

- CVE-2025-65955: Fixed use-after-free/double-free in ImageMagick (bsc#1254435)
- CVE-2025-66628: Fixed Integer Overflow leading to out of bounds read in ImageMagick (32-bit only)  (bsc#1254820)
- CVE-2025-68618: Fixed that reading a malicious SVG file may result in a DoS attack (bsc#1255821)
- CVE-2025-68950: Fixed check for circular references in mvg files may lead to stack overflow (bsc#1255822)
- CVE-2025-69204: Fixed an integer overflow can lead to a DoS attack (bsc#1255823)

-----------------------------------------------------------------
Advisory ID: 206
Released:    Wed Jan 28 12:26:08 2026
Summary:     Recommended update for grub2
Type:        recommended
Severity:    important
References:  1219724,1240414,1248516,CVE-2024-24806,CVE-2025-31115
This update for grub2 fixes the following issues:

- Optimize PBKDF2 to reduce the decryption time (bsc#1248516)
    * lib/crypto: Introduce new HMAC functions to reuse buffers
    * lib/pbkdf2: Optimize PBKDF2 by reusing HMAC handle
    * kern/misc: Implement faster grub_memcpy() for aligned buffers

-----------------------------------------------------------------
Advisory ID: 213
Released:    Thu Jan 29 11:30:03 2026
Summary:     Recommended update for pipewire
Type:        recommended
Severity:    important
References:  1217690,1231284,1245309,1245310,1245311,1245312,1245314,1245317,CVE-2024-8508,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5351,CVE-2025-5372,CVE-2025-5987
This update for pipewire fixes the following issues:

Changes in pipewire:

- Fix libcamera working by removing a systemd restriction  (boo#1217690)

-----------------------------------------------------------------
Advisory ID: 215
Released:    Thu Jan 29 11:55:17 2026
Summary:     Security update for postgresql16
Type:        security
Severity:    important
References:  1220262,1236217,1236801,1236839,1253332,1253333,CVE-2023-50782,CVE-2025-12817,CVE-2025-12818,CVE-2025-22866,CVE-2025-22867
This update for postgresql16 fixes the following issues:

Security fixes:

- CVE-2025-12817: Missing check for CREATE
  privileges on the schema in CREATE STATISTICS allowed table
  owners to create statistics in any schema, potentially leading
  to unexpected naming conflicts (bsc#1253332)
- CVE-2025-12818: Several places in libpq were not
  sufficiently careful about computing the required size of a
  memory allocation. Sufficiently large inputs could cause
  integer overflow, resulting in an undersized buffer, which
  would then lead to writing past the end of the buffer (bsc#1253333)

Other fixes:

  - Upgrade to 16.11

-----------------------------------------------------------------
Advisory ID: 217
Released:    Thu Jan 29 16:32:26 2026
Summary:     Security update for elemental-register, elemental-toolkit
Type:        security
Severity:    important
References:  1220763,1228879,1229238,1229685,1229822,1230078,1231373,1231727,1235695,1236151,1237137,1239092,1240031,1241826,1241857,1241897,1243923,1244263,1251511,1251679,1253581,1253901,1254079,CVE-2024-43374,CVE-2024-43790,CVE-2024-43802,CVE-2024-45306,CVE-2024-47814,CVE-2025-1215,CVE-2025-22134,CVE-2025-22872,CVE-2025-24014,CVE-2025-47911,CVE-2025-47913,CVE-2025-47914,CVE-2025-58181,CVE-2025-58190
This update for elemental-register, elemental-toolkit fixes the following issues:

elemental-register was updated to 1.8.1:

Changes on top of v1.8.1:

  * Update headers to 2026
  * Update questions to include SL Micro 6.2

Update to v1.8.1:

  * Install yip config files in before-install step
  * Bump github.com/rancher-sandbox/go-tpm and its dependencies
    This includes few CVE fixes:
    * bsc#1241826 (CVE-2025-22872)
    * bsc#1241857 (CVE-2025-22872)
    * bsc#1251511 (CVE-2025-47911)
    * bsc#1251679 (CVE-2025-58190)

elemental-toolkit was updated to v2.3.2:

  * Bump golang.org/x/crypto library
    This includes few CVE fixes:
    * bsc#1241826 (CVE-2025-22872)
    * bsc#1241857 (CVE-2025-22872)
    * bsc#1251511 (CVE-2025-47911)
    * bsc#1251679 (CVE-2025-58190)
    * bsc#1253581 (CVE-2025-47913)
    * bsc#1253901 (CVE-2025-58181)
    * bsc#1254079 (CVE-2025-47914)

-----------------------------------------------------------------
Advisory ID: 218
Released:    Thu Jan 29 18:44:57 2026
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1219458,1229069,1229272,1230007,1230596,1234027,1236282,1242827,1243935,1247074,1256436,1256766,1256822,1257005,CVE-2023-31315,CVE-2025-0395,CVE-2025-15281,CVE-2025-4598,CVE-2026-0861,CVE-2026-0915
This update for glibc fixes the following issues:

Security fixes:

- CVE-2025-0395: Fixed buffer overflow in the assert() function (bsc#1236282).
- CVE-2026-0861: Fixed inadequate size check in the memalign suite may result in an integer overflow (bsc#1256766).
- CVE-2026-0915: Fixed uninitialized stack buffer used as DNS query name when net==0 in _nss_dns_getnetbyaddr_r (bsc#1256822).
- CVE-2025-15281: Fixed uninitialized memory may cause the process abort (bsc#1257005).

Other fixes:

- NPTL: Optimize trylock for high cache contention workloads (bsc#1256436)

-----------------------------------------------------------------
Advisory ID: 224
Released:    Fri Jan 30 11:05:07 2026
Summary:     Security update for unbound
Type:        security
Severity:    moderate
References:  1233699,1234665,1236282,1245292,1247326,1247816,1252525,CVE-2025-0395,CVE-2025-11411
This update for unbound fixes the following issues:

Update to 1.24.1:

- CVE-2025-11411: Fixed possible domain hijacking attack (bsc#1252525).

-----------------------------------------------------------------
Advisory ID: 227
Released:    Fri Jan 30 15:27:58 2026
Summary:     Security update for libsoup
Type:        security
Severity:    important
References:  1228216,1250562,1256399,1256418,CVE-2025-11021,CVE-2026-0716,CVE-2026-0719
This update for libsoup fixes the following issues:

- CVE-2025-11021: Fixed out-of-bounds read in Cookie Date Handling of libsoup HTTP Library (bsc#1250562).
- CVE-2026-0719: Fixed stack-based buffer overflow in NTLM authentication can lead to arbitrary code execution (bsc#1256399).
- CVE-2026-0716: Fixed improper bounds handling may allow out-of-bounds read (bsc#1256418).

-----------------------------------------------------------------
Advisory ID: 229
Released:    Fri Jan 30 22:24:31 2026
Summary:     Security update for python-filelock
Type:        security
Severity:    moderate
References:  1223596,1230145,1241114,1241680,1247819,1255244,1256457,CVE-2025-68146,CVE-2026-22701
This update for python-filelock fixes the following issues:

- CVE-2025-68146: TOCTOU race condition may allow local attackers to corrupt or truncate arbitrary user files (bsc#1255244).
- CVE-2026-22701: TOCTOU race condition in the SoftFileLock implementation (bsc#1256457).

-----------------------------------------------------------------
Advisory ID: 230
Released:    Mon Feb  2 12:54:26 2026
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1205462,1214285,1220338,1229228,1231048,1232227,1232844,1233752,1234015,1234313,1234765,1238593,1243112,1243166,1245193,1247500,1250388,1252046,1252861,1253155,1253238,1253262,1253365,1253400,1253413,1253414,1253442,1253458,1253623,1253674,1253739,1254126,1254128,1254195,1254244,1254363,1254378,1254408,1254477,1254510,1254518,1254519,1254520,1254615,1254616,1254618,1254621,1254624,1254791,1254793,1254794,1254795,1254796,1254797,1254798,1254808,1254809,1254813,1254815,1254821,1254824,1254825,1254827,1254828,1254829,1254830,1254832,1254835,1254840,1254843,1254846,1254847,1254849,1254850,1254851,1254852,1254854,1254856,1254858,1254860,1254861,1254864,1254868,1254869,1254871,1254894,1254957,1254959,1254961,1254964,1254996,1255026,1255030,1255034,1255035,1255039,1255040,1255041,1255042,1255057,1255058,1255064,1255065,1255068,1255071,1255072,1255075,1255077,1255081,1255082,1255083,1255087,1255092,1255094,1255095,1255097,1255099,1255103,1255116,1255120,1255121,1255122,1255124,1
 255131,1255134,1255135,1255136,1255138,1255140,1255142,1255145,1255146,1255149,1255150,1255152,1255154,1255155,1255156,1255161,1255167,1255169,1255171,1255175,1255179,1255181,1255182,1255186,1255187,1255190,1255193,1255196,1255197,1255199,1255202,1255203,1255206,1255209,1255218,1255220,1255221,1255223,1255226,1255227,1255228,1255230,1255231,1255233,1255234,1255242,1255243,1255246,1255247,1255251,1255252,1255253,1255255,1255256,1255259,1255260,1255261,1255262,1255272,1255273,1255274,1255276,1255279,1255297,1255312,1255316,1255318,1255325,1255329,1255346,1255349,1255351,1255354,1255357,1255377,1255379,1255380,1255395,1255401,1255415,1255428,1255433,1255434,1255480,1255483,1255488,1255489,1255493,1255495,1255505,1255507,1255508,1255509,1255533,1255541,1255550,1255552,1255553,1255567,1255580,1255601,1255603,1255611,1255614,1255672,1255688,1255698,1255706,1255707,1255709,1255722,1255723,1255724,1255812,1255813,1255814,1255816,1255931,1255932,1255934,1255943,1255944,1256238,1256495,125660
 6,1256794,CVE-2025-38704,CVE-2025-39880,CVE-2025-39977,CVE-2025-40042,CVE-2025-40123,CVE-2025-40130,CVE-2025-40160,CVE-2025-40167,CVE-2025-40170,CVE-2025-40179,CVE-2025-40190,CVE-2025-40209,CVE-2025-40211,CVE-2025-40212,CVE-2025-40213,CVE-2025-40214,CVE-2025-40215,CVE-2025-40218,CVE-2025-40219,CVE-2025-40220,CVE-2025-40221,CVE-2025-40223,CVE-2025-40225,CVE-2025-40226,CVE-2025-40231,CVE-2025-40233,CVE-2025-40235,CVE-2025-40237,CVE-2025-40238,CVE-2025-40239,CVE-2025-40240,CVE-2025-40242,CVE-2025-40246,CVE-2025-40248,CVE-2025-40250,CVE-2025-40251,CVE-2025-40252,CVE-2025-40254,CVE-2025-40255,CVE-2025-40256,CVE-2025-40258,CVE-2025-40262,CVE-2025-40263,CVE-2025-40264,CVE-2025-40266,CVE-2025-40268,CVE-2025-40269,CVE-2025-40271,CVE-2025-40272,CVE-2025-40273,CVE-2025-40274,CVE-2025-40275,CVE-2025-40276,CVE-2025-40277,CVE-2025-40278,CVE-2025-40279,CVE-2025-40280,CVE-2025-40282,CVE-2025-40283,CVE-2025-40284,CVE-2025-40287,CVE-2025-40288,CVE-2025-40289,CVE-2025-40292,CVE-2025-40293,CVE-2025-402
 94,CVE-2025-40297,CVE-2025-40301,CVE-2025-40302,CVE-2025-40303,CVE-2025-40304,CVE-2025-40307,CVE-2025-40308,CVE-2025-40309,CVE-2025-40310,CVE-2025-40311,CVE-2025-40314,CVE-2025-40315,CVE-2025-40316,CVE-2025-40317,CVE-2025-40318,CVE-2025-40319,CVE-2025-40320,CVE-2025-40321,CVE-2025-40322,CVE-2025-40323,CVE-2025-40324,CVE-2025-40328,CVE-2025-40329,CVE-2025-40330,CVE-2025-40331,CVE-2025-40332,CVE-2025-40337,CVE-2025-40338,CVE-2025-40339,CVE-2025-40340,CVE-2025-40342,CVE-2025-40343,CVE-2025-40344,CVE-2025-40345,CVE-2025-40346,CVE-2025-40347,CVE-2025-40350,CVE-2025-40353,CVE-2025-40354,CVE-2025-40355,CVE-2025-40357,CVE-2025-40359,CVE-2025-40360,CVE-2025-40362,CVE-2025-68167,CVE-2025-68170,CVE-2025-68171,CVE-2025-68172,CVE-2025-68176,CVE-2025-68180,CVE-2025-68181,CVE-2025-68183,CVE-2025-68184,CVE-2025-68185,CVE-2025-68190,CVE-2025-68192,CVE-2025-68194,CVE-2025-68195,CVE-2025-68197,CVE-2025-68198,CVE-2025-68201,CVE-2025-68202,CVE-2025-68206,CVE-2025-68207,CVE-2025-68208,CVE-2025-68209,CVE-
 2025-68210,CVE-2025-68213,CVE-2025-68215,CVE-2025-68217,CVE-2025-68222,CVE-2025-68223,CVE-2025-68230,CVE-2025-68233,CVE-2025-68235,CVE-2025-68237,CVE-2025-68238,CVE-2025-68239,CVE-2025-68242,CVE-2025-68244,CVE-2025-68249,CVE-2025-68252,CVE-2025-68254,CVE-2025-68255,CVE-2025-68256,CVE-2025-68257,CVE-2025-68258,CVE-2025-68259,CVE-2025-68264,CVE-2025-68283,CVE-2025-68284,CVE-2025-68285,CVE-2025-68286,CVE-2025-68287,CVE-2025-68289,CVE-2025-68290,CVE-2025-68293,CVE-2025-68298,CVE-2025-68301,CVE-2025-68302,CVE-2025-68303,CVE-2025-68305,CVE-2025-68306,CVE-2025-68307,CVE-2025-68308,CVE-2025-68311,CVE-2025-68312,CVE-2025-68313,CVE-2025-68317,CVE-2025-68327,CVE-2025-68328,CVE-2025-68330,CVE-2025-68331,CVE-2025-68332,CVE-2025-68335,CVE-2025-68339,CVE-2025-68340,CVE-2025-68342,CVE-2025-68343,CVE-2025-68344,CVE-2025-68345,CVE-2025-68346,CVE-2025-68347,CVE-2025-68351,CVE-2025-68352,CVE-2025-68353,CVE-2025-68354,CVE-2025-68362,CVE-2025-68363,CVE-2025-68378,CVE-2025-68380,CVE-2025-68724,CVE-2025-68
 732,CVE-2025-68736,CVE-2025-68740,CVE-2025-68742,CVE-2025-68744,CVE-2025-68746,CVE-2025-68747,CVE-2025-68748,CVE-2025-68749,CVE-2025-68750,CVE-2025-68753,CVE-2025-68757,CVE-2025-68758,CVE-2025-68759,CVE-2025-68765,CVE-2025-68766,CVE-2025-71096

The SUSE Linux Enterprise 16.0 kernel was updated to fix various security issues

The following security issues were fixed:

- CVE-2025-38704: rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer (bsc#1254408).
- CVE-2025-39880: ceph: fix race condition validating r_parent before applying state (bsc#1250388).
- CVE-2025-39977: futex: Prevent use-after-free during requeue-PI (bsc#1252046).
- CVE-2025-40042: tracing: Fix race condition in kprobe initialization causing NULL pointer dereference (bsc#1252861).
- CVE-2025-40123: bpf: Enforce expected_attach_type for tailcall compatibility (bsc#1253365).
- CVE-2025-40130: scsi: ufs: core: Fix data race in CPU latency PM QoS request handling
- CVE-2025-40160: xen/events: Cleanup find_virq() return codes (bsc#1253400).
- CVE-2025-40167: ext4: detect invalid INLINE_DATA + EXTENTS flag combination (bsc#1253458).
- CVE-2025-40170: net: use dst_dev_rcu() in sk_setup_caps() (bsc#1253413).
- CVE-2025-40179: ext4: verify orphan file size is not too big (bsc#1253442).
- CVE-2025-40190: ext4: guard against EA inode refcount underflow in xattr update (bsc#1253623).
- CVE-2025-40214: af_unix: Initialise scc_index in unix_add_edge() (bsc#1254961).
- CVE-2025-40215: xfrm: delete x->tunnel as we delete x (bsc#1254959).
- CVE-2025-40218: mm/damon/vaddr: do not repeat pte_offset_map_lock() until success (bsc#1254964).
- CVE-2025-40220: fuse: fix livelock in synchronous file put from fuseblk workers (bsc#1254520).
- CVE-2025-40231: vsock: fix lock inversion in vsock_assign_transport() (bsc#1254815).
- CVE-2025-40233: ocfs2: clear extent cache after moving/defragmenting extents (bsc#1254813).
- CVE-2025-40237: fs/notify: call exportfs_encode_fid with s_umount (bsc#1254809).
- CVE-2025-40238: net/mlx5: Fix IPsec cleanup over MPV device (bsc#1254871).
- CVE-2025-40239: net: phy: micrel: always set shared->phydev for LAN8814 (bsc#1254868).
- CVE-2025-40242: gfs2: Fix unlikely race in gdlm_put_lock (bsc#1255075).
- CVE-2025-40246: xfs: fix out of bounds memory read error in symlink repair (bsc#1254861).
- CVE-2025-40248: vsock: Ignore signal/timeout on connect() if already established (bsc#1254864).
- CVE-2025-40250: net/mlx5: Clean up only new IRQ glue on request_irq() failure (bsc#1254854).
- CVE-2025-40251: devlink: rate: Unset parent pointer in devl_rate_nodes_destroy (bsc#1254856).
- CVE-2025-40252: net: qlogic/qede: fix potential out-of-bounds read in
  qede_tpa_cont() and qede_tpa_end() (bsc#1254849).
- CVE-2025-40254: net: openvswitch: remove never-working support for setting nsh fields (bsc#1254852).
- CVE-2025-40255: net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower() (bsc#1255156).
- CVE-2025-40258: mptcp: fix race condition in mptcp_schedule_work() (bsc#1254843).
- CVE-2025-40264: be2net: pass wrb_params in case of OS2BMC (bsc#1254835).
- CVE-2025-40268: cifs: client: fix memory leak in smb3_fs_context_parse_param (bsc#1255082).
- CVE-2025-40271: fs/proc: fix uaf in proc_readdir_de() (bsc#1255297).
- CVE-2025-40274: KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying (bsc#1254830).
- CVE-2025-40276: drm/panthor: Flush shmem writes before mapping buffers CPU-uncached (bsc#1254824).
- CVE-2025-40278: net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak (bsc#1254825).
- CVE-2025-40279: net: sched: act_connmark: initialize struct tc_ife to fix kernel leak (bsc#1254846).
- CVE-2025-40280: tipc: Fix use-after-free in tipc_mon_reinit_self() (bsc#1254847).
- CVE-2025-40292: virtio-net: fix received length check in big packets (bsc#1255175).
- CVE-2025-40293: iommufd: Don't overflow during division for dirty tracking (bsc#1255179).
- CVE-2025-40297: net: bridge: fix use-after-free due to MST port state bypass (bsc#1255187).
- CVE-2025-40319: bpf: Sync pending IRQ work before freeing ring buffer (bsc#1254794).
- CVE-2025-40328: smb: client: fix potential UAF in smb2_close_cached_fid() (bsc#1254624).
- CVE-2025-40330: bnxt_en: Shutdown FW DMA in bnxt_shutdown() (bsc#1254616).
- CVE-2025-40331: sctp: Prevent TOCTOU out-of-bounds write (bsc#1254615).
- CVE-2025-40338: ASoC: Intel: avs: Do not share the name pointer between components (bsc#1255273).
- CVE-2025-40346: arch_topology: Fix incorrect error check in topology_parse_cpu_capacity() (bsc#1255318).
- CVE-2025-40347: net: enetc: fix the deadlock of enetc_mdio_lock (bsc#1255262).
- CVE-2025-40350: net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQ (bsc#1255260).
- CVE-2025-40355: sysfs: check visibility before changing group attribute ownership (bsc#1255261).
- CVE-2025-40357: net/smc: fix general protection fault in __smc_diag_dump (bsc#1255097).
- CVE-2025-40359: perf/x86/intel: Fix KASAN global-out-of-bounds warning (bsc#1255087).
- CVE-2025-40362: ceph: fix multifs mds auth caps issue (bsc#1255103).
- CVE-2025-68171: x86/fpu: Ensure XFD state on signal delivery (bsc#1255255).
- CVE-2025-68197: bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap() (bsc#1255242).
- CVE-2025-68198: crash: fix crashkernel resource shrink (bsc#1255243).
- CVE-2025-68202: sched_ext: Fix unsafe locking in the scx_dump_state() (bsc#1255223).
- CVE-2025-68206: netfilter: nft_ct: add seqadj extension for natted connections (bsc#1255142).
- CVE-2025-68208: bpf: account for current allocated stack depth in widen_imprecise_scalars() (bsc#1255227).
- CVE-2025-68209: mlx5: Fix default values in create CQ (bsc#1255230).
- CVE-2025-68215: ice: fix PTP cleanup on driver removal in error path (bsc#1255226).
- CVE-2025-68239: binfmt_misc: restore write access before closing files opened by open_exec() (bsc#1255272).
- CVE-2025-68259: KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced (bsc#1255199).
- CVE-2025-68264: ext4: refresh inline data size before write operations (bsc#1255380).
- CVE-2025-68283: libceph: replace BUG_ON with bounds check for map->max_osd (bsc#1255379).
- CVE-2025-68284: libceph: prevent potential out-of-bounds writes in handle_auth_session_key() (bsc#1255377).
- CVE-2025-68285: libceph: fix potential use-after-free in have_mon_and_osd_map() (bsc#1255401).
- CVE-2025-68293: mm/huge_memory: fix NULL pointer deference when splitting folio (bsc#1255150).
- CVE-2025-68301: net: atlantic: fix fragment overflow handling in RX path (bsc#1255120).
- CVE-2025-68302: net: sxgbe: fix potential NULL dereference in sxgbe_rx() (bsc#1255121).
- CVE-2025-68317: io_uring/zctx: check chained notif contexts (bsc#1255354).
- CVE-2025-68340: team: Move team device type change at the end of team_port_add (bsc#1255507).
- CVE-2025-68353: net: vxlan: prevent NULL deref in vxlan_xmit_one (bsc#1255533).
- CVE-2025-68363: bpf: Check skb->transport_header is set in bpf_skb_check_mtu (bsc#1255552).
- CVE-2025-68378: bpf: Refactor stack map trace depth calculation into helper function (bsc#1255614).
- CVE-2025-68736: landlock: Optimize file path walks and prepare for audit support (bsc#1255698).
- CVE-2025-68742: bpf: Fix invalid prog->stats access when update_effective_progs fails (bsc#1255707).
- CVE-2025-68744: bpf: Free special fields when update [lru_,]percpu_hash maps (bsc#1255709).
- CVE-2025-71096: RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly (bsc#1256606).

The following non security issues were fixed:

- KVM: SEV: Drop GHCB_VERSION_DEFAULT and open code it (bsc#1255672).
- Set HZ=1000 for ppc64 default configuration (jsc#PED-14344)
- bpf: Do not limit bpf_cgroup_from_id to current's namespace (bsc#1255433).
- btrfs: handle aligned EOF truncation correctly for subpage cases (bsc#1253238).
- cgroup: rstat: use LOCK CMPXCHG in css_rstat_updated (bsc#1255434).
- cifs: update dstaddr whenever channel iface is updated (git-fixes).
- cpuidle: menu: Use residency threshold in polling state override decisions (bsc#1255026).
- cpuset: fix warning when disabling remote partition (bsc#1256794).
- ext4: use optimized mballoc scanning regardless of inode format (bsc#1254378).
- net: usb: pegasus: fix memory leak in update_eth_regs_async() (git-fixes).
- netdevsim: print human readable IP address (bsc#1255071).
- powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event
  handling (bsc#1253262 ltc#216029).
- powerpc/kexec: Enable SMT before waking offline CPUs (bsc#1214285
  bsc#1205462 ltc#200161 ltc#200588 git-fixes bsc#1253739 ltc#211493
  bsc#1254244 ltc#216496).
- sched: Increase sched_tick_remote timeout (bsc#1254510).
- selftests: net: fib-onlink-tests: Set high metric for default IPv6 route (bsc#1255346).
- selftests: net: use slowwait to make sure IPv6 setup finished (bsc#1255349).
- selftests: net: use slowwait to stabilize vrf_route_leaking test (bsc#1255349).
- serial: xilinx_uartps: Use helper function hrtimer_update_function() (stable-fixes).
- supported.conf: Mark lan 743x supported (jsc#PED-14571)
- tick/sched: Limit non-timekeeper CPUs calling jiffies update (bsc#1254477).
- wifi: ath10k: Avoid vdev delete timeout when firmware is already down (stable-fixes).
- x86/microcode/AMD: Fix Entrysign revision check for Zen5/Strix Halo (bsc#1256495).
- x86/microcode/AMD: Make __verify_patch_size() return bool (bsc#1256495).
- x86/microcode/AMD: Remove bogus comment from parse_container() (bsc#1256495).
- x86/microcode/AMD: Select which microcode patch to load (bsc#1256495).
- x86/microcode/AMD: Use sha256() instead of init/update/final (bsc#1256495).

-----------------------------------------------------------------
Advisory ID: 236
Released:    Mon Feb  2 13:56:02 2026
Summary:     Security update for wireshark
Type:        security
Severity:    moderate
References:  1244554,1244555,1244557,1244580,1244700,1246296,1249090,1251933,1254108,1254471,1254472,1256734,1256738,1256739,CVE-2022-47930,CVE-2024-10846,CVE-2024-11218,CVE-2024-11741,CVE-2024-13484,CVE-2024-35177,CVE-2024-36402,CVE-2024-36403,CVE-2024-3727,CVE-2024-45336,CVE-2024-45337,CVE-2024-45339,CVE-2024-45340,CVE-2024-45341,CVE-2024-47770,CVE-2024-50354,CVE-2024-51491,CVE-2024-52281,CVE-2024-52594,CVE-2024-52602,CVE-2024-52791,CVE-2024-53263,CVE-2024-56138,CVE-2024-56323,CVE-2024-56515,CVE-2024-9312,CVE-2024-9313,CVE-2025-0377,CVE-2025-0750,CVE-2025-11626,CVE-2025-13499,CVE-2025-13945,CVE-2025-13946,CVE-2025-20033,CVE-2025-20086,CVE-2025-20088,CVE-2025-20621,CVE-2025-21088,CVE-2025-22149,CVE-2025-22445,CVE-2025-22449,CVE-2025-22865,CVE-2025-22866,CVE-2025-22867,CVE-2025-22868,CVE-2025-22869,CVE-2025-23028,CVE-2025-23047,CVE-2025-23208,CVE-2025-23216,CVE-2025-24030,CVE-2025-24337,CVE-2025-24354,CVE-2025-24355,CVE-2025-24366,CVE-2025-24369,CVE-2025-24371,CVE-2025-24376,CVE-2025
 -24784,CVE-2025-24786,CVE-2025-24787,CVE-2025-24883,CVE-2025-24884,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170,CVE-2025-7425,CVE-2025-9817,CVE-2026-0959,CVE-2026-0961,CVE-2026-0962
This update for wireshark fixes the following issues:

Update to Wireshark 4.4.13:

- CVE-2025-11626: MONGO dissector infinite loop (bsc#1251933).
- CVE-2025-13499: Kafka dissector crash (bsc#1254108).
- CVE-2025-13945: HTTP3 dissector crash (bsc#1254471).
- CVE-2025-13946: MEGACO dissector infinite loop (bsc#1254472).
- CVE-2025-9817: SSH dissector crash (bsc#1249090).
- CVE-2026-0959: IEEE 802.11 dissector crash (bsc#1256734).
- CVE-2026-0961: BLF file parser crash (bsc#1256738).
- CVE-2026-0962: SOME/IP-SD dissector crash (bsc#1256739).

Full changelog:

https://www.wireshark.org/docs/relnotes/wireshark-4.4.13.html


-----------------------------------------------------------------
Advisory ID: 237
Released:    Mon Feb  2 14:00:02 2026
Summary:     Security update for openssl-3
Type:        security
Severity:    important
References:  1232024,1247539,1256829,1256830,1256831,1256832,1256833,1256834,1256835,1256836,1256837,1256838,1256839,1256840,1257274,CVE-2025-11187,CVE-2025-15467,CVE-2025-15468,CVE-2025-15469,CVE-2025-66199,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796
This update for openssl-3 fixes the following issues:

Security fixes:

 - CVE-2025-11187: Improper validation of PBMAC1 parameters in PKCS#12 MAC verification (bsc#1256829).
 - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
 - CVE-2025-15468: NULL dereference in SSL_CIPHER_find() function on unknown cipher ID (bsc#1256831).
 - CVE-2025-15469: 'openssl dgst' one-shot codepath silently truncates inputs >16MB (bsc#1256832).
 - CVE-2025-66199: TLS 1.3 CompressedCertificate excessive memory allocation (bsc#1256833).
 - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
 - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
 - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
 - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
 - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
 - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
 - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).

Other fixes:

- Enable livepatching support for ppc64le (bsc#1257274).

-----------------------------------------------------------------
Advisory ID: 238
Released:    Mon Feb  2 14:04:04 2026
Summary:     Recommended update for uriparser
Type:        recommended
Severity:    moderate
References:  1227052,1236270,1236507,1237641,1243767,CVE-2023-45288,CVE-2024-11218,CVE-2024-6104,CVE-2024-9407,CVE-2025-27144,CVE-2025-5278
This update for uriparser fixes the following issues:

Changes in uriparser:

- Use Qt6's qhelpgenerator instead of Qt5's and fix its usage since
  Qt5 was being BuildRequired but qch docs weren't being generated.

-----------------------------------------------------------------
Advisory ID: 239
Released:    Tue Feb  3 16:33:50 2026
Summary:     Recommended update for mariadb
Type:        recommended
Severity:    moderate
References:  1235151,1236588,1236590,1246360,1255024,CVE-2025-0167,CVE-2025-0725,CVE-2025-7424
This update for mariadb fixes the following issues:

Changes in mariadb:

- Fix incomplete SELinux labels during database update (bsc#1255024)

-----------------------------------------------------------------
Advisory ID: 240
Released:    Tue Feb  3 17:33:50 2026
Summary:     Recommended update for az-cli-cmd
Type:        recommended
Severity:    low
References:  1228086,1230468,1231792,1232063,1236982,1237695,1246472,1253491,CVE-2025-7519
This update for az-cli-cmd fixes the following issues:

- Update package summary (bsc#1253491)

-----------------------------------------------------------------
Advisory ID: 244
Released:    Thu Feb  5 12:26:20 2026
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1231472,1243419,1246995,1256805,CVE-2026-0989
This update for libxml2 fixes the following issues:

- CVE-2026-0989: Fixed call stack exhaustion leading to application crash
  due to RelaxNG parser not limiting the recursion depth when
  resolving `<include>` directives (bsc#1256805).

-----------------------------------------------------------------
Advisory ID: 245
Released:    Thu Feb  5 12:50:09 2026
Summary:     Recommended update for doxygen
Type:        recommended
Severity:    moderate
References:  1233289,1233322,1242063,1246995
This update for doxygen fixes the following issues:

- drop %suse_update_desktop_file usage
- modified sources:
    * doxywizard.desktop

-----------------------------------------------------------------
Advisory ID: 251
Released:    Tue Feb 10 10:37:11 2026
Summary:     Recommended update for libpfm
Type:        recommended
Severity:    moderate
References:  1084929,1236619,CVE-2025-24528
This update for libpfm fixes the following issues:

- s390: Add counter definition for IBM z17 (jsc#PED-13665)

-----------------------------------------------------------------
Advisory ID: 252
Released:    Wed Feb 11 12:13:17 2026
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1228081,1228184,1228659,1228728,1231986,1234765,1244449,1248356,1248501,1251981,1254563,1255326,1256427,CVE-2023-26154,CVE-2024-40897,CVE-2025-44001,CVE-2025-44004,CVE-2025-48731,CVE-2025-49221,CVE-2025-50946,CVE-2025-52894,CVE-2025-52931,CVE-2025-53514,CVE-2025-53857,CVE-2025-53910,CVE-2025-54458,CVE-2025-54463,CVE-2025-54478,CVE-2025-54525,CVE-2025-55196,CVE-2025-55198,CVE-2025-55199,CVE-2025-8285,CVE-2025-9039
This update for systemd fixes the following issues:

- terminal-util: stop doing 0/upper bound check in tty_is_vc() (bsc#1255326)
- core/dbus-manager: propagate meaningful dbus errors from EnqueueMarkedJobs
- Name libsystemd-{shared,core} based on the major version of systemd and the
  package release number (bsc#1228081, bsc#1256427)
- systemd-update-helper: clean up the flags immediately after they have been consumed.
- systemd.spec: don't reexecute PID1 on transactional updates.
- Drop most of the workarounds contained in the fixlets.
- Drop %filetriggers build flag. It was introduced to ease backport of Base:System to SLE distros
  where file-triggers were unreliable but that is no longer the case on the latest SLE distros.
- Fix: systemd Tainted: unmerged-bin (bsc#1228728, bsc#1251981)
- timer: rebase last_trigger timestamp if needed
- timer: rebase the next elapse timestamp only if timer didn't already run
- main: switch explicitly to tty1 on soft-reboot (bsc#1231986)
- terminal-util: modernize vtnr_from_tty() a bit
- units: don't force the loading of the loop and dm_mod modules in systemd-repart.service (bsc#1248356)
- systemd.spec: use %sysusers_generate_pre so that some systemd users are
  already available in %pre (bsc#1248501)
- core/cgroup: Properly handle aborting a pending freeze operation
- detect-virt: add bare-metal support for GCE (bsc#1244449)
- uki.conf is used by the ukify tool to create an Unified Kernel Image[...]
- Make sure that the ordering trick used to update the udev package as close as
  as possible to the update of the systemd package also works with zypper.
- Fix: Snapshot 20240730 - unbootable after transactional-update dup (bsc#1228659)
    * We also need to add 'Suggests: udev', which serves the same purpose as
      'OrderWithRequires: udev' but is part of the repository metadata.
      It should therefore hint zypper to install systemd and udev as close together as possible
- Fix systemd-network recommending libidn2-devel (bsc#1234765)

-----------------------------------------------------------------
Advisory ID: 254
Released:    Wed Feb 11 12:25:45 2026
Summary:     Security update for xorg-x11-server
Type:        security
Severity:    important
References:  1223947,1243397,1243706,1243933,1246197,1251958,1251959,1251960,CVE-2024-2410,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-62229,CVE-2025-62230,CVE-2025-62231
This update for xorg-x11-server fixes the following issues:

- CVE-2025-62229: Fixed use-after-free in XPresentNotify structures creation (bsc#1251958).
- CVE-2025-62230: Fixed use-after-free in Xkb client resource removal (bsc#1251959).
- CVE-2025-62231: Fixed value overflow in Xkb extension XkbSetCompatMap() (bsc#1251960).

-----------------------------------------------------------------
Advisory ID: 253
Released:    Wed Feb 11 12:31:42 2026
Summary:     Recommended update for nvidia-open-driver-G06-signed
Type:        recommended
Severity:    moderate
References:  1174091,1210638,1219559,1219666,1221854,1225660,1226447,1226448,1227378,1227999,1228165,1228780,1229596,1229704,1230227,1230906,1231795,1232241,1236705,1238450,1239210,1246597,1255858,831629,CVE-2019-20907,CVE-2019-9947,CVE-2020-15523,CVE-2020-15801,CVE-2022-25236,CVE-2023-27043,CVE-2023-52425,CVE-2023-6597,CVE-2024-0397,CVE-2024-0450,CVE-2024-4030,CVE-2024-4032,CVE-2024-6232,CVE-2024-6923,CVE-2024-7592,CVE-2024-8088,CVE-2024-9287,CVE-2025-0938,CVE-2025-1795,CVE-2025-6965
This update for nvidia-open-driver-G06-signed fixes the following issues:

- fixes build for sle15-sp4
- update non-CUDA variant to version 580.126.09 (bsc#1255858)

-----------------------------------------------------------------
Advisory ID: 266
Released:    Fri Feb 13 10:35:51 2026
Summary:     Recommended update for rpmlint
Type:        recommended
Severity:    moderate
References:  1232234,1236878,1240755,1256160,1256841,CVE-2024-10041,CVE-2024-12133
This update for rpmlint fixes the following issues:

Changes in rpmlint:

- Update to version 2.7.0+git20260122.f813669b:
  * systemd-tmpfiles: migrate texlive (bsc#1256841)
  * systemd-tmpfiles: whitelist sendmail spool directory (bsc#1256160)
  * permissions-whitelist: add exim drop-in file (bsc#1240755)

-----------------------------------------------------------------
Advisory ID: 272
Released:    Fri Feb 13 16:21:02 2026
Summary:     Recommended update for pacemaker
Type:        recommended
Severity:    important
References:  1214960,1232276,1237363,1237370,1237418,1239533,1246622,1250349,CVE-2024-56171,CVE-2025-24928,CVE-2025-27113
This update for pacemaker fixes the following issues:

- tools: Prevent crm_verify from stating configuration is 'invalid' if it only has warnings (bsc#1250349)
- various: Avoid warnings about a negative value for `stonith-watchdog-timeout` (bsc#1246622)
- libcrmcommon:
     * Increase poll() timeout to 5s for liveness checks on sub-daemons (bsc#1239533)
     * Add retries on connect to avoid fatal errors when sub-daemons communicate
- libpacemaker:
     * Do not retry on ECONNREFUSED in tools.
     * Fix memory leak in pcmk__group_apply_location()
- daemons: Fix a bug iterating in get_op_total_timeout
- libcrmservice: consider a monitor pending if LoadUnit receives no reply from systemd (bsc#1232276)

-----------------------------------------------------------------
Advisory ID: 273
Released:    Fri Feb 13 17:33:52 2026
Summary:     Security update for trivy
Type:        security
Severity:    important
References:  1215377,1227010,1232948,1234512,1235265,1236217,1237618,1238572,1239182,1239225,1239385,1240466,1240550,1241724,1243633,1246151,1246730,1248897,1248937,1250625,1251363,1251547,1253512,1253786,1253977,CVE-2024-3817,CVE-2024-45337,CVE-2024-45338,CVE-2024-51744,CVE-2025-11065,CVE-2025-21613,CVE-2025-21614,CVE-2025-22868,CVE-2025-22869,CVE-2025-22870,CVE-2025-22871,CVE-2025-22872,CVE-2025-27144,CVE-2025-30204,CVE-2025-46569,CVE-2025-47291,CVE-2025-47911,CVE-2025-47913,CVE-2025-47914,CVE-2025-53547,CVE-2025-58058,CVE-2025-58181,CVE-2025-58190
This update for trivy fixes the following issues:

Update to version 0.68.2:

Security fixes:

 - CVE-2024-3817: hashicorp/go-getter: argument injection when fetching remote default git branches (bsc#1227010).
 - CVE-2024-45337: golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto (bsc#1234512).
 - CVE-2024-45338: golang.org/x/net/html: denial of service due to non-linear parsing of case-insensitive content (bsc#1235265).
 - CVE-2024-51744: github.com/golang-jwt/jwt/v4: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt (bsc#1232948).
 - CVE-2025-11065: github.com/go-viper/mapstructure/v2: sensitive Information leak in logs (bsc#1250625).
 - CVE-2025-22868: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239225).
 - CVE-2025-22869: golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (bsc#1239385).
 - CVE-2025-22872: golang.org/x/net/html: incorrectly interpreted tags can cause content to be placed wrong scope during DOM construction (bsc#1241724).
 - CVE-2025-27144: gopkg.in/go-jose/go-jose.v2: Go JOSE's Parsing Vulnerable to Denial of Service (bsc#1237618).
 - CVE-2025-30204: github.com/golang-jwt/jwt/v4,github.com/golang-jwt/jwt/v5: jwt-go allows excessive memory allocation during header parsing (bsc#1240466).
 - CVE-2025-46569: github.com/open-policy-agent/opa: HTTP request path can be crafted to inject Rego code into a constructed query when a virtual document is requested through the Data API (bsc#1246730).
 - CVE-2025-47291: github.com/containerd/containerd/v2: Incorrect cgroup hierarchy assignment for containers running in usernamespaced Kubernetes pods. (bsc#1243633).
 - CVE-2025-47911: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents (bsc#1251363).
 - CVE-2025-47913: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in response to a key listing or signing request (bsc#1253512).
 - CVE-2025-47914: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds read (bsc#1253977).
 - CVE-2025-53547: helm.sh/helm/v3: Helm Chart Code Execution (bsc#1246151).
 - CVE-2025-58058: github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory (bsc#1248937, bsc#1248897).
 - CVE-2025-58181: golang.org/x/crypto/ssh: invalidated number of mechanisms can cause unbounded memory consumption (bsc#1253786).
 - CVE-2025-58190: golang.org/x/net/html: excessive memory consumption by `html.ParseFragment` when processing specially crafted input (bsc#1251547).

Other fixes:

 - Update installation.md (#8979)
 - chore(alpine): add EOL date for Alpine 3.21 (#8221)
 - chore(alpine): add EOL date for Alpine 3.22 (#8992)
 - chore(cli): Remove Trivy Cloud (#9847)
 - chore(deps): Bump trivy-checks (#7819)
 - chore(deps): Bump trivy-checks (#8310)
 - chore(deps): Bump trivy-checks (#8619)
 - chore(deps): Bump trivy-checks (#8934)
 - chore(deps): Bump trivy-checks to v1.7.1 (#8467)
 - chore(deps): Bump up trivy-checks to v1.3.0 (#7959)
 - chore(deps): Switch to go-viper/mapstructure (#9579)
 - chore(deps): Update trivy-checks (#8798)
 - chore(deps): Upgrade trivy-checks (#8018)
 - chore(deps): bump Go to `v1.23.5` (#8341)
 - chore(deps): bump Go to `v1.23.5` [backport: release/v0.59] (#8343)
 - chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` (#8105)
 - chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` [backport: release/v0.58] (#8136)
 - chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` (#8140)
 - chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` [backport: release/v0.58] (#8142)
 - chore(deps): bump alpine from 3.20.0 to 3.21.0 in the docker group across 1 directory (#8196)
 - chore(deps): bump alpine from 3.21.0 to 3.21.3 in the docker group across 1 directory (#8490)
 - chore(deps): bump alpine from 3.21.4 to 3.22.1 (#9301)
 - chore(deps): bump github.com/containerd/containerd from 1.7.28 to 1.7.29 (#9764)
 - chore(deps): bump github.com/containerd/containerd/v2 from 2.1.0 to 2.1.1 (#8901)
 - chore(deps): bump github.com/containerd/containerd/v2 from 2.1.4 to 2.1.5 (#9763)
 - chore(deps): bump github.com/docker/docker from 28.3.2+incompatible to 28.3.3+incompatible (#9274)
 - chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#8443)
 - chore(deps): bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 (#9088)
 - chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#7868)
 - chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (#8597)
 - chore(deps): bump github.com/moby/buildkit from 0.17.0 to 0.17.2 in the docker group across 1 directory (#7990)
 - chore(deps): bump github.com/moby/buildkit from 0.17.2 to 0.18.0 in the docker group (#8029)
 - chore(deps): bump github.com/opencontainers/selinux from 1.12.0 to 1.13.0 (#9778)
 - chore(deps): bump github.com/quic-go/quic-go from 0.52.0 to 0.54.1 (#9694)
 - chore(deps): bump github.com/ulikunitz/xz from 0.5.12 to 0.5.14 (#9403)
 - chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#8103)
 - chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 [backport: release/v0.58] (#8122)
 - chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#9827)
 - chore(deps): bump golang.org/x/sync from 0.13.0 to 0.14.0 in the common group (#8822)
 - chore(deps): bump golangci-lint to v2.1.2 (#8766)
 - chore(deps): bump helm.sh/helm/v3 from 3.18.3 to 3.18.4 (#9164)
 - chore(deps): bump the aws group across 1 directory with 5 updates (#8652)
 - chore(deps): bump the aws group across 1 directory with 6 updates (#8074)
 - chore(deps): bump the aws group across 1 directory with 6 updates (#8163)
 - chore(deps): bump the aws group across 1 directory with 7 updates (#7991)
 - chore(deps): bump the aws group across 1 directory with 7 updates (#8468)
 - chore(deps): bump the aws group with 6 updates (#7902)
 - chore(deps): bump the aws group with 6 updates (#9383)
 - chore(deps): bump the aws group with 6 updates (#9481)
 - chore(deps): bump the aws group with 6 updates (#9547)
 - chore(deps): bump the aws group with 7 updates (#8299)
 - chore(deps): bump the aws group with 7 updates (#9311)
 - chore(deps): bump the aws group with 7 updates (#9419)
 - chore(deps): bump the aws group with 7 updates (#9691)
 - chore(deps): bump the common group across 1 directory with 10 updates (#8566)
 - chore(deps): bump the common group across 1 directory with 10 updates (#8817)
 - chore(deps): bump the common group across 1 directory with 10 updates [backport: release/v0.62] (#8831)
 - chore(deps): bump the common group across 1 directory with 11 updates (#8381)
 - chore(deps): bump the common group across 1 directory with 13 updates (#8491)
 - chore(deps): bump the common group across 1 directory with 14 updates (#8126)
 - chore(deps): bump the common group across 1 directory with 20 updates (#7876)
 - chore(deps): bump the common group across 1 directory with 20 updates (#9840)
 - chore(deps): bump the common group across 1 directory with 23 updates (#8733)
 - chore(deps): bump the common group across 1 directory with 24 updates (#9228)
 - chore(deps): bump the common group across 1 directory with 24 updates (#9507)
 - chore(deps): bump the common group across 1 directory with 26 updates (#9063)
 - chore(deps): bump the common group across 1 directory with 26 updates (#9347)
 - chore(deps): bump the common group across 1 directory with 29 updates (#8261)
 - chore(deps): bump the common group across 1 directory with 7 updates (#9590)
 - chore(deps): bump the common group across 1 directory with 9 updates (#8887)
 - chore(deps): bump the common group across 1 directory with 9 updates (#9153)
 - chore(deps): bump the common group with 12 updates (#8301)
 - chore(deps): bump the common group with 4 updates (#7949)
 - chore(deps): bump the common group with 6 updates (#7904)
 - chore(deps): bump the common group with 6 updates (#8162)
 - chore(deps): bump the common group with 6 updates (#8411)
 - chore(deps): bump the common group with 7 updates (#9382)
 - chore(deps): bump the docker group across 1 directory with 3 updates (#8127)
 - chore(deps): bump the docker group across 1 directory with 3 updates (#8762)
 - chore(deps): bump the docker group with 3 updates (#9545)
 - chore(deps): bump the docker group with 3 updates (#9776)
 - chore(deps): bump the github-actions group across 1 directory with 2 updates (#7854)
 - chore(deps): bump the github-actions group across 1 directory with 2 updates (#8962)
 - chore(deps): bump the github-actions group across 1 directory with 4 updates (#8331)
 - chore(deps): bump the github-actions group across 1 directory with 9 updates (#9563)
 - chore(deps): bump the github-actions group with 3 updates (#8473)
 - chore(deps): bump the github-actions group with 4 updates (#9739)
 - chore(deps): bump the testcontainers group with 2 updates (#8650)
 - chore(deps): bump the testcontainers group with 2 updates (#9506)
 - chore(deps): bump to alpine from `3.21.3` to `3.21.4` (#9283)
 - chore(deps): bump up Trivy-kubernetes to v0.9.1 (#9214)
 - chore(deps): remove missed replace of `trivy-db` (#8492)
 - chore(deps): update Docker to v28.2.2 and fix compatibility issues (#9037)
 - chore(deps): update Go to 1.24 and switch to go-version-file (#8388)
 - chore(deps): update csaf module dependency from csaf-poc to gocsaf (#7992)
 - chore(deps): update go-rustaudit location (#8450)
 - chore(deps): update to module-compatible docker-credential-gcr/v2 (#9591)
 - chore(deps): use aqua forks for `github.com/liamg/jfather` and `github.com/liamg/iamgo` (#8289)
 - chore(k8s): enhance k8s scan log (#6997)
 - chore(k8s): update comments with deprecated command format (#8964)
 - chore(license): add missed spdx exceptions: (#9147)
 - chore(secret): add reported issues related to secrets in junit template (#8193)
 - chore(terraform): add accessors to underlying raw hcl values (#8306)
 - chore(terraform): assign *terraform.Module 'parent' field (#8444)
 - chore(terraform): export module path on terraform modules (#8374)
 - chore(terraform): option to pass in instanced logger  (#8738)
 - chore(terraform): remove os.OpenPath call from terraform file functions (#8737)
 - chore(vex): suppress CVE-2024-45337 (#8101)
 - chore(vex): suppress CVE-2024-45338 (#8137)
 - chore: Update release flow to include chocolatey (#9460)
 - chore: Update release workflow to trigger version updates (#9162)
 - chore: add an issue template for maintainers (#8838)
 - chore: add context to the cache interface (#9565)
 - chore: add debug log to show image source location (#9163)
 - chore: add modernize tool integration for code modernization (#9251)
 - chore: bump Go to 1.24.7 (#9435)
 - chore: bump `mockery` to update v2.52.2 version and rebuild mock files (#8390)
 - chore: bump containerd to v2.0.0 (#7875)
 - chore: bump go to 1.23.4 (#8123)
 - chore: bump golangci-lint to v1.61.0 (#7853)
 - chore: bump up Go version to 1.24.4 (#9031)
 - chore: downgrade the failed block expand message to debug (#7964)
 - chore: drop FreeBSD 32-bit support (#9102)
 - chore: enable int-conversion from perfsprint (#8194)
 - chore: enable staticcheck (#8815)
 - chore: fix errors and typos in docs (#8963)
 - chore: fix some function names in comment (#9314)
 - chore: implement process-safe temp file cleanup (#9241)
 - chore: lint `errors.Join` (#7845)
 - chore: migrate protoc setup from Docker to buf CLI (#9184)
 - chore: remove Go checks (#7907)
 - chore: remove aws iam related scripts (#8179)
 - chore: remove debug prints (#8347)
 - chore: remove mockery (#8417)
 - chore: replace deprecated tenv linter with usetesting (#8504)
 - chore: trigger the trivy-www workflow (#9737)
 - chore: typo fix to replace `rego` with `repo` on the RepoFlagGroup options error output (#8643)
 - chore: update Docker lib (#8681)
 - chore: update code owners (#8303)
 - chore: update template URL for brew formula (#9221)
 - chore: update the rpm download Update (#9202)
 - chore: use go.mod for managing Go tools (#8493)
 - chore: use require.ErrorContains when possible (#8291)
 - ci(deps): add 3-day cooldown period for Dependabot updates (#9475)
 - ci(helm): auto public Helm chart after PR merged (#7526)
 - ci(helm): bump Trivy version to 0.57.1 for Trivy Helm Chart 0.9.0 (#7945)
 - ci(helm): bump Trivy version to 0.58.0 for Trivy Helm Chart 0.10.0 (#8038)
 - ci(helm): bump Trivy version to 0.58.1 for Trivy Helm Chart 0.10.0 (#8170)
 - ci(helm): bump Trivy version to 0.59.0 for Trivy Helm Chart 0.11.0 (#8311)
 - ci(helm): bump Trivy version to 0.59.1 for Trivy Helm Chart 0.11.1 (#8354)
 - ci(helm): bump Trivy version to 0.60.0 for Trivy Helm Chart 0.12.0 (#8494)
 - ci(helm): bump Trivy version to 0.61.0 for Trivy Helm Chart 0.13.0 (#8638)
 - ci(helm): bump Trivy version to 0.61.1 for Trivy Helm Chart 0.13.1 (#8753)
 - ci(helm): bump Trivy version to 0.62.0 for Trivy Helm Chart 0.14.0 (#8802)
 - ci(helm): bump Trivy version to 0.62.1 for Trivy Helm Chart 0.14.1 (#8836)
 - ci(helm): bump Trivy version to 0.63.0 for Trivy Helm Chart 0.15.0 (#8946)
 - ci(helm): bump Trivy version to 0.64.0 for Trivy Helm Chart 0.16.0 (#9107)
 - ci(helm): bump Trivy version to 0.64.1 for Trivy Helm Chart 0.16.1 (#9135)
 - ci(helm): bump Trivy version to 0.65.0 for Trivy Helm Chart 0.17.0 (#9288)
 - ci(helm): bump Trivy version to 0.66.0 for Trivy Helm Chart 0.18.0 (#9425)
 - ci(helm): bump Trivy version to 0.67.0 for Trivy Helm Chart 0.19.0 (#9554)
 - ci(helm): bump Trivy version to 0.67.2 for Trivy Helm Chart 0.19.1 (#9641)
 - ci(helm): create a helm branch for patches from main (#8673)
 - ci(spdx): add `aqua-installer` step to fix `mage` error (#8353)
 - ci(vuln): reduce github action script injection attack risk (#8610)
 - ci: add API diff workflow (#9600)
 - ci: add auto-ready-for-review workflow (#9179)
 - ci: add workflow to restrict direct PRs to release branches (#8240)
 - ci: delete cache after artifacts upload in canary workflow (#9177)
 - ci: enable `check-latest` for `setup-go` [backport: release/v0.68] (#9946)
 - ci: fix path to main dir for canary builds (#8231)
 - ci: get base_sha using base.ref (#9704)
 - ci: improve PR title validation workflow (#8720)
 - ci: migrate GitHub Actions from version tags to SHA pinning (#9405)
 - ci: move runner.os context from job-level env to step-level in canary workflow (#9233)
 - ci: optimize golangci-lint performance with cache-based strategy (#9173)
 - ci: remove invalid `--confirm` flag from `gh cache delete` command in canary builds (#9236)
 - ci: remove unused preinstalled software/images for build tests to free up disk space. (#9814)
 - ci: skip undefined labels in discussion triage action (#9175)
 - ci: specify repository for `gh cache delete` in canary worklfow (#9240)
 - ci: update GitHub Actions cache to v4 (#8475)
 - ci: use `Skitionek/notify-microsoft-teams` instead of `aquasecurity` fork (#8740)
 - ci: use `github.event.pull_request.user.login` for release PR check workflow (#8702)
 - ci: use environment variables in GitHub Actions for improved security (#9433)
 - ci: use gh pr view to get PR number for forked repositories in auto-ready workflow (#9183)
 - ci: use merge commit for apidiff to avoid false positives (#9622)
 - ci: use pull_request_target for apidiff workflow to support fork PRs (#9605)
 - docs(cli): improve flag value display format (#8560)
 - docs(java):  Update info about dev deps in gradle lock (#8830)
 - docs(java): add info about supported scopes (#7842)
 - docs(k8s): add a note about multi-container pods (#7815)
 - docs(misconf): Remove duplicate sections (#9819)
 - docs(misconf): Reorganize misconfiguration scan pages (#8206)
 - docs(misconf): simplify misconfiguration docs (#9030)
 - docs(python): Mention pip-compile (#8484)
 - docs(python): fix type with METADATA file name (#9090)
 - docs(report): Improve SARIF reporting doc (#7655)
 - docs(report): add nuanses about secret/license scanner in summary table (#9442)
 - docs(report): fix reporting doc format (#7671)
 - docs(server): fix info about scanning licenses on the client side. (#9805)
 - docs(vex): use debian minor version in examples (#8166)
 - docs(vuln): remove OSV for Python from data sources (#8841)
 - docs: Add info about helm charts release (#8640)
 - docs: Fix broken link to 'Built-in Checks' (#9375)
 - docs: Fix broken links (#7900)
 - docs: Fix typo in terraform docs (#9492)
 - docs: Fix typos and linguistic errors in documentation / hacktoberfest (#9586)
 - docs: Fix typos in documentation (#8361)
 - docs: Update maintainer docs (#8674)
 - docs: Updated JSON schema version 2 in the trivy documentation (#8188)
 - docs: add Headlamp to the Trivy Ecosystem page (#7916)
 - docs: add PR review policy for maintainers (#9032)
 - docs: add Windows install instructions (#7800)
 - docs: add `overview` page for `others` (#7972)
 - docs: add abbreviation list (#8453)
 - docs: add commercial content (#8030)
 - docs: add example of creating whitelist of checks (#7821)
 - docs: add explanation for how to use non-system certificates (#9081)
 - docs: add info about `java-db` subdir (#9706)
 - docs: add info that `SSL_CERT_FILE` works on `Unix systems other than macOS` only (#9772)
 - docs: add note about disabled DS016 check (#7724)
 - docs: add note about temporary podman socket (#7921)
 - docs: add partners page (#8988)
 - docs: add section on customizing default check data (#9114)
 - docs: add terminology page to explain Trivy concepts (#7996)
 - docs: add vulnerability database contribution guide (#9667)
 - docs: apt-transport-https is a transitional package (#7678)
 - docs: bump pygments from 2.18.0 to 2.19.2 (#9596)
 - docs: catch some missed docs -> guide (#9850)
 - docs: change --disable-metrics to --disable-telemetry in example (#8999) (#9003)
 - docs: change SecObserve URLs in documentatio (#9771)
 - docs: change in java.md: fix the Trity -to-> Trivy typo (#8813)
 - docs: clarify inline ignore limitations for resource-less checks (#9537)
 - docs: combine trivy.dev into trivy docs (#7884)
 - docs: correct Ruby documentation (#8402)
 - docs: document eol supportability (#9434)
 - docs: drop AWS account scanning (#7997)
 - docs: fix a broken link (#8546)
 - docs: fix assets with versioning (#8996)
 - docs: fix dead links (#7998)
 - docs: fix mistakes/typos (#7942)
 - docs: fix modules path and update code example (#9539)
 - docs: fix navigate links (#8336)
 - docs: improve databases documentation (#7732)
 - docs: improve documentation for scanning raw IaC configurations (#9571)
 - docs: improve skipping files documentation (#8749)
 - docs: move info about `detection priority` into coverage section (#9469)
 - docs: partners page content updates (#9149)
 - docs: remove slack (#8565)
 - docs: replace short codes with Unicode emojis (#8296)
 - docs: restructure docs for new hosting (#9799)
 - docs: trivy partners page updates (#9133)
 - docs: update VEX documentation index page (#8458)
 - docs: update links to Semaphore pages (#9352)
 - docs: update vulnerability reporting guidelines in SECURITY.md (#9395)
 - feat(alma): add AlmaLinux 10 support (#9207)
 - feat(alpine): add maintainer field extraction for APK packages (#8930)
 - feat(aws): Add support for dualstack ECR endpoints (#9862)
 - feat(cli): Add available version checking (#8553)
 - feat(cli): Add trivy cloud suppport (#9637)
 - feat(cli): add `trivy auth` (#7664)
 - feat(cli): add version constraints to annoucements (#9023)
 - feat(cli): change --list-all-pkgs default to true (#9510)
 - feat(cli): error out when ignore file cannot be found (#7624)
 - feat(cli): rename `trivy auth` to `trivy registry` (#7727)
 - feat(cloudformation): support default values and list results in Fn::FindInMap (#9515)
 - feat(cyclonedx): Add initial support for loading external VEX files from SBOM references (#8254)
 - feat(cyclonedx): add file checksums to `CycloneDX` reports (#7507)
 - feat(cyclonedx): preserve SBOM structure when scanning SBOM files with vulnerability updates (#9439)
 - feat(db): append errors (#7843)
 - feat(db): enable concurrent access to vulnerability database (#9750)
 - feat(dotnet): add dependency graph support for .deps.json files (#9726)
 - feat(echo): Add Echo Support (#8833)
 - feat(flag): add `--cacert` flag (#9781)
 - feat(flag): add schema validation for `--server` flag (#9270)
 - feat(fs): change artifact type to repository when git info is detected (#9613)
 - feat(fs): optimize scanning performance by direct file access for known paths (#8525)
 - feat(fs): use git commit hash as cache key for clean repositories (#8278)
 - feat(go): construct dependencies in the parser (#7973)
 - feat(go): construct dependencies of `go.mod` main module in the parser (#7977)
 - feat(go): fix parsing main module version for go >= 1.24 (#8433)
 - feat(go): support license scanning in both GOPATH and vendor (#8843)
 - feat(image): add Docker context resolution (#9166)
 - feat(image): add RepoTags support for Docker archives (#9690)
 - feat(image): add Sigstore bundle SBOM support (#9516)
 - feat(image): pass global context to docker/podman image save func (#9733)
 - feat(image): prevent scanning oversized container images (#8178)
 - feat(image): return error early if total size of layers exceeds limit (#8294)
 - feat(image): save layers metadata into report (#8394)
 - feat(java): add support remote repositories from settings.xml files (#9708)
 - feat(java): dereference all maven settings.xml env placeholders (#9024)
 - feat(k8s): add default commands for unknown platform (#7863)
 - feat(k8s): add support for controllers (#8614)
 - feat(k8s): get components from namespaced resources (#8918)
 - feat(k8s): improve artifact selections for specific namespaces (#8248)
 - feat(license): Support compound licenses (licenses using SPDX operators) (#8816)
 - feat(license): improve work text licenses with custom classification (#8888)
 - feat(license): improve work with custom classification of licenses from config file (#8861)
 - feat(license): observe pkg types option in license scanner (#9091)
 - feat(license): scan vendor directory for license for go.mod files (#8689)
 - feat(license): use separate SPDX ids to ignore SPDX expressions (#9087)
 - feat(minimos): Add support for MinimOS (#8792)
 - feat(misconf): Add RoleAssignments attribute (#9396)
 - feat(misconf): Add support for `Minimum Trivy Version` (#8880)
 - feat(misconf): Add support for aws_ami (#8499)
 - feat(misconf): Add support for configurable Rego error limit (#9657)
 - feat(misconf): Show misconfig ID in output (#7762)
 - feat(misconf): Update AppService schema (#9792)
 - feat(misconf): Update Azure Compute schema (#9675)
 - feat(misconf): Update Azure Container Schema (#9673)
 - feat(misconf): Update Azure network schema for new checks (#9791)
 - feat(misconf): Update SecurityCenter schema (#9674)
 - feat(misconf): Update azure storage schema (#9728)
 - feat(misconf): adapt AWS::DynamoDB::Table (#8529)
 - feat(misconf): adapt AWS::EC2::VPC (#8534)
 - feat(misconf): adapt aws_default_security_group (#8538)
 - feat(misconf): adapt aws_opensearch_domain (#8550)
 - feat(misconf): add OpenTofu file extension support (#8747)
 - feat(misconf): add agentpools to azure container schema (#9714)
 - feat(misconf): add misconfiguration location to junit template (#8793)
 - feat(misconf): add option to pass Rego scanner to IaC scanner (#8369)
 - feat(misconf): add private ip google access attribute to subnetwork (#9199)
 - feat(misconf): added audit config attribute (#9249)
 - feat(misconf): added logging and versioning to the gcp storage bucket (#9226)
 - feat(misconf): convert AWS managed policy to document (#8757)
 - feat(misconf): export raw Terraform data to Rego (#8741)
 - feat(misconf): export unresolvable field of IaC types to Rego (#7765)
 - feat(misconf): generate placeholders for random provider resources (#8051)
 - feat(misconf): include map key in manifest snippet for diagnostics (#9681)
 - feat(misconf): log causes of HCL file parsing errors (#7634)
 - feat(misconf): normalize CreatedBy for buildah and legacy docker builder (#8953)
 - feat(misconf): public network support for Azure Storage Account (#7601)
 - feat(misconf): render causes for Terraform (#8360)
 - feat(misconf): ssl_mode support for GCP SQL DB instance (#7564)
 - feat(misconf): support auto_provisioning_defaults in google_container_cluster (#8705)
 - feat(misconf): support for ignoring by inline comments for Dockerfile (#8115)
 - feat(misconf): support for ignoring by inline comments for Helm (#8138)
 - feat(misconf): support https_traffic_only_enabled in Az storage account (#9784)
 - feat(nodejs): add a bun.lock analyzer (#8897)
 - feat(nodejs): add bun.lock parser (#8851)
 - feat(nodejs): add root and workspace for `yarn` packages (#8535)
 - feat(nodejs): respect peer dependencies for dependency tree (#7989)
 - feat(oracle): add `flavors` support (#7858)
 - feat(parser): ignore white space in pom.xml files (#7747)
 - feat(python): add support for poetry dev dependencies (#8152)
 - feat(python): add support for uv (#8080)
 - feat(python): add support for uv dev and optional dependencies (#8134)
 - feat(redhat): Add EOL date for RHEL 10. (#8910)
 - feat(redhat): add os-release detection for RHEL-based images (#9458)
 - feat(repo): add git repository metadata to reports (#9252)
 - feat(report): add CVSS vectors in sarif report (#9157)
 - feat(report): add fingerprint generation for vulnerabilities (#9794)
 - feat(report): add image reference to report metadata (#9729)
 - feat(report): switch ReportID from UUIDv4 to UUIDv7 (#9749)
 - feat(report): update gitlab template to populate operating_system value (#7735)
 - feat(rust): add root and workspace relationships/package for `cargo` lock files (#8676)
 - feat(sbom): add SHA-512 hash support for CycloneDX SBOM (#9126)
 - feat(sbom): add manufacturer field to CycloneDX tools metadata (#9019)
 - feat(sbom): add support for SPDX attestations (#9829)
 - feat(sbom): added support for CoreOS (#9448)
 - feat(sbom): use SPDX license IDs list to validate SPDX IDs  (#9569)
 - feat(seal): add seal support (#9370)
 - feat(secret): Add built-in secrets rules for Private Packagist (#7826)
 - feat(secret): implement streaming secret scanner with byte offset tracking (#9264)
 - feat(suse): Add new openSUSE, Micro and SLES releases end of life dates (#9788)
 - feat(suse): Align SUSE/OpenSUSE OS Identifiers (#7965)
 - feat(terraform): add partial evaluation for policy templates (#8967)
 - feat(terraform): use .terraform cache for remote modules in plan scanning (#9277)
 - feat(ubuntu): add end of life date for Ubuntu 25.04 (#9077)
 - feat(ubuntu): add eol date for 20.04-ESM (#8981)
 - feat(vuln): add Root.io support for container image scanning (#9073)
 - feat: Update registry fallbacks (#7679)
 - feat: Update registry fallbacks [backport: release/v0.57] (#7944)
 - feat: add ArtifactID field to uniquely identify scan targets (#9663)
 - feat: add Bottlerocket OS package analyzer (#8653)
 - feat: add HTTP request/response tracing support (#9125)
 - feat: add JSONC support for comments and trailing commas (#8862)
 - feat: add ReportID field to scan reports (#9670)
 - feat: add `--distro` flag to manually specify OS distribution for vulnerability scanning (#8070)
 - feat: add `--vuln-severity-source` flag (#8269)
 - feat: add `workspaceRelationship` (#7889)
 - feat: add a examples field to check metadata (#8068)
 - feat: add cvss v4 score and vector in scan response (#7968)
 - feat: add documentation URL for database lock errors (#9531)
 - feat: add end of life date for Ubuntu 24.10 (#7787)
 - feat: add graceful shutdown with signal handling (#9242)
 - feat: add report summary table (#8177)
 - feat: add support for registry mirrors (#8244)
 - feat: add timeout handling for cache database operations (#9307)
 - feat: allow ignoring findings by type in Rego (#9578)
 - feat: include registry and repository in artifact ID calculation (#9689)
 - feat: reject unsupported artifact types in remote image retrieval (#9052)
 - feat: replace TinyGo with standard Go for WebAssembly modules (#8496)
 - feat: terraform parser option to set current working directory (#8909)
 - fix(alma): parse epochs from rpmqa file (#9101)
 - fix(alma): parse epochs from rpmqa file [backport: release/v0.64] (#9119)
 - fix(alpine): add `UID` for removed packages (#7887)
 - fix(aws): change CPU and Memory type of ContainerDefinition to a string (#7995)
 - fix(aws): update amazon linux 2 EOL date (#9176)
 - fix(aws): use `BuildableClient` insead of `xhttp.Client` (#9436)
 - fix(cli): Add more non-sensitive flags to telemetry (#9110)
 - fix(cli): Add more non-sensitive flags to telemetry [backport: release/v0.64] (#9124)
 - fix(cli): Handle empty ignore files more gracefully (#7962)
 - fix(cli): `clean --all` deletes only relevant dirs (#7704)
 - fix(cli): add config name to skip-policy-update alias (#7820)
 - fix(cli): add some values to the telemetry call (#9056)
 - fix(cli): disable `--skip-dir` and `--skip-files` flags for `sbom` command (#8886)
 - fix(cli): don't use allow values for `--compliance` flag (#8881)
 - fix(cli): ensure correct command is picked by telemetry (#9260)
 - fix(cli): panic: attempt to get os.Args[1] when len(os.Args) < 2 (#9206)
 - fix(conda): memory leak by adding closure method for `package.json` file (#9349)
 - fix(cyclonedx): handle multiple license types (#9378)
 - fix(db): Dowload database when missing but metadata still exists (#9393)
 - fix(db): fix case when 2 trivy-db were copied at the same time (#8452)
 - fix(db): fix javadb downloading error handling (#7642)
 - fix(debian): don't include empty licenses for `dpkgs` (#8623)
 - fix(debian): infinite loop (#7928)
 - fix(deps): bump alpine from `3.22.1` to `3.23.0` [backport: release/v0.68] (#9949)
 - fix(flag): remove viper.SetDefault to fix IsSet() for config-only flags (#9732)
 - fix(flag): skip hidden flags for `--generate-default-config` command (#8046)
 - fix(fs): add missing defered Cleanup() call to post analyzer fs (#7882)
 - fix(fs): avoid shadowing errors in file.glob (#9286)
 - fix(fs): check postAnalyzers for StaticPaths (#8543)
 - fix(fs): fix cache key generation to use UUID (#8275)
 - fix(go): Do not trim v prefix from versions in Go Mod Analyzer (#7733)
 - fix(go): merge nested flags into string for ldflags for Go binaries (#8368)
 - fix(helm): properly handle multiple archived dependencies (#7782)
 - fix(image): disable AVD-DS-0007 for history scanning (#8366)
 - fix(image): use standardized HTTP client for ECR authentication (#9322)
 - fix(java): correctly inherit `version` and `scope` from upper/root `depManagement` and `dependencies` into parents (#7541)
 - fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props (#8050)
 - fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props [backport: release/v0.58] (#8119)
 - fix(java): exclude dev dependencies in gradle lockfile (#8803)
 - fix(java): update order for resolving package fields from multiple demManagement (#9575)
 - fix(java): use `true` as default value for Repository Release|Snapshot Enabled in pom.xml and settings.xml files (#9751)
 - fix(julia): add `Relationship` field support (#8939)
 - fix(k8s)!: support k8s multi container (#7444)
 - fix(k8s): add missed option `PkgRelationships` (#8442)
 - fix(k8s): check all results for vulnerabilities (#7946)
 - fix(k8s): correct compare artifact versions (#8682)
 - fix(k8s): correct compare artifact versions [backport: release/v0.61] (#8699)
 - fix(k8s): disable parallel traversal with fs cache for k8s images (#9534)
 - fix(k8s): remove using `last-applied-configuration` (#8791)
 - fix(k8s): show report for `--report all` (#8613)
 - fix(k8s): skip passed misconfigs for the summary report (#8684)
 - fix(k8s): skip passed misconfigs for the summary report [backport: release/v0.61] (#8748)
 - fix(k8s): skip resources without misconfigs (#7797)
 - fix(k8s): support kubernetes v1.31 (#7810)
 - fix(k8s): use in-memory cache backend during misconfig scanning (#8873)
 - fix(license): add missed `GFDL-NIV-1.1` and `GFDL-NIV-1.2` into Trivy mapping (#9116)
 - fix(license): always trim leading and trailing spaces for licenses (#8095)
 - fix(license): don't normalize `unlicensed` licenses into `unlicense` (#9611)
 - fix(license): fix license normalization for Universal Permissive License (#7766)
 - fix(license): handle SPDX WITH exceptions as single license in category detection (#9380)
 - fix(license): handle WITH operator for `LaxSplitLicenses` (#9232)
 - fix(misconf): .Config.User always takes precedence over USER in .History (#9050)
 - fix(misconf): Check values wholly prior to evalution (#8604)
 - fix(misconf): Improve logging for unsupported checks (#8634)
 - fix(misconf): Update trivy-checks default repo to `mirror.gcr.io` (#7953)
 - fix(misconf): add ephemeral block type to config schema (#8513)
 - fix(misconf): add missing variable as unknown (#8683)
 - fix(misconf): allow null values only for tf variables (#8112)
 - fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)
 - fix(misconf): change default ACL of digitalocean_spaces_bucket to private (#7577)
 - fix(misconf): check if for-each is known when expanding dyn block (#8808)
 - fix(misconf): check if for-each is known when expanding dyn block [backport: release/v0.62] (#8826)
 - fix(misconf): check if metadata is not nil (#8647)
 - fix(misconf): check if property is not nil before conversion (#7578)
 - fix(misconf): correct Azure value-to-time conversion in AsTimeValue (#9015)
 - fix(misconf): correctly adapt azure storage account (#9138)
 - fix(misconf): correctly handle all YAML tags in K8S templates (#8259)
 - fix(misconf): correctly parse empty port ranges in google_compute_firewall (#9237)
 - fix(misconf): disable git terminal prompt on tf module load (#8026)
 - fix(misconf): do not erase variable type for child modules (#7941)
 - fix(misconf): do not log scanners when misconfig scanning is disabled (#8345)
 - fix(misconf): do not log scanners when misconfig scanning is disabled [backport: release/v0.59] (#8349)
 - fix(misconf): do not skip loading documents from subdirectories (#8526)
 - fix(misconf): do not use cty.NilVal for non-nil values (#8567)
 - fix(misconf): ecs include enhanced for container insights (#8326)
 - fix(misconf): ensure boolean metadata values are correctly interpreted (#9770)
 - fix(misconf): ensure ignore rules respect subdirectory chart paths (#9324)
 - fix(misconf): ensure module source is known (#9404)
 - fix(misconf): ensure value used as ignore marker is non-null and known (#9835)
 - fix(misconf): filter null nodes when parsing json manifest (#8785)
 - fix(misconf): fix for Azure Storage Account network acls adaptation (#7602)
 - fix(misconf): fix incorrect k8s locations due to JSON to YAML conversion (#8073)
 - fix(misconf): fix log bucket in schema (#9235)
 - fix(misconf): handle heredocs in dockerfile instructions (#8284)
 - fix(misconf): handle null properties in CloudFormation templates (#7813)
 - fix(misconf): handle tofu files in module detection (#9486)
 - fix(misconf): handle unsupported experimental flags in Dockerfile (#9769)
 - fix(misconf): identify the chart file exactly by name (#8590)
 - fix(misconf): load full Terraform module (#7925)
 - fix(misconf): map healthcheck start period flag to --start-period instead of --startPeriod (#9837)
 - fix(misconf): move disabled checks filtering after analyzer scan (#9002)
 - fix(misconf): perform operations on attribute safely (#8774)
 - fix(misconf): populate context correctly for module instances (#8656)
 - fix(misconf): preserve original paths of remote submodules from .terraform (#9294)
 - fix(misconf): properly expand dynamic blocks (#7612)
 - fix(misconf): properly resolve local Terraform cache (#7983)
 - fix(misconf): reduce log noise on incompatible check (#9029)
 - fix(misconf): set default values for AWS::EKS::Cluster.ResourcesVpcConfig (#8548)
 - fix(misconf): skip Azure CreateUiDefinition (#8503)
 - fix(misconf): skip rewriting expr if attr is nil (#9113)
 - fix(misconf): skip rewriting expr if attr is nil [backport: release/v0.64] (#9127)
 - fix(misconf): strip build metadata suffixes from image history (#9498)
 - fix(misconf): unmark cty values before access (#9495)
 - fix(misconf): use argument value in WithIncludeDeprecatedChecks (#8942)
 - fix(misconf): use correct field log_bucket instead of target_bucket in gcp bucket (#9296)
 - fix(misconf): use log instead of fmt for logging (#8033)
 - fix(misconf): wrap AWS EnvVar to iac types (#7407)
 - fix(misconf): wrap legacy ENV values in quotes to preserve spaces (#9497)
 - fix(nodejs): correctly parse `packages` array of `bun.lock` file (#8998)
 - fix(nodejs): don't use prerelease logic for compare npm constraints  (#9208)
 - fix(nodejs): fix npmjs parser.pkgNameFromPath() panic issue (#9688)
 - fix(nodejs): parse workspaces as objects for package-lock.json files (#9518)
 - fix(nodejs): use snapshot string as `Package.ID` for pnpm packages (#9330)
 - fix(nodejs): use the default ID format to match licenses in pnpm packages. (#9661)
 - fix(oracle): add architectures support for advisories (#4809)
 - fix(oracle): add architectures support for advisories [backport: release/v0.58] (#8125)
 - fix(os): Add photon 5.0 in supported OS (#9724)
 - fix(os): add mapping OS aliases (#8466)
 - fix(plugin): don't remove plugins when updating index.yaml file (#9358)
 - fix(python): add `poetry` v2 support (#8323)
 - fix(python): add `poetry` v2 support [backport: release/v0.59] (#8335)
 - fix(python): impove package name normalization  (#9290)
 - fix(python): skip dev group's deps for poetry (#8106)
 - fix(python): skip dev group's deps for poetry [backport: release/v0.58] (#8158)
 - fix(redhat): Also try to find buildinfo in root layer (layer 0) (#8924)
 - fix(redhat): check `usr/share/buildinfo/` dir to detect content sets (#8222)
 - fix(redhat): correct rewriting of recommendations for the same vulnerability (#8063)
 - fix(redhat): correct rewriting of recommendations for the same vulnerability [backport: release/v0.58] (#8135)
 - fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files (#7912)
 - fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files [backport: release/v0.57] (#7939)
 - fix(redhat): include arch in PURL qualifiers (#7654)
 - fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (#7702)
 - fix(redhat): save contentSets for OS packages in fs/vm modes (#8820)
 - fix(redhat): trim invalid suffix from content_sets in manifest parsing (#8818)
 - fix(redhat): trim invalid suffix from content_sets in manifest parsing [backport: release/v0.62] (#8824)
 - fix(repo): `git clone` output to Stderr (#7561)
 - fix(repo): preserve RepoMetadata on FS cache hit (#9389)
 - fix(repo): sanitize git repo URL before inserting into report metadata (#9391)
 - fix(report): Fix invalid URI in SARIF report (#7645)
 - fix(report): clean buffer after flushing (#8725)
 - fix(report): correct field order in SARIF license results (#9712)
 - fix(report): don't panic when report contains vulns, but doesn't contain packages for `table` format (#8549)
 - fix(report): handle `git at github.com` schema for misconfigs in `sarif` report (#7898)
 - fix(report): remove html escaping for `shortDescription` and `fullDescription` fields for sarif reports (#8344)
 - fix(rootio): check full version to detect `root.io` packages (#9117)
 - fix(rootio): check full version to detect `root.io` packages [backport: release/v0.64] (#9120)
 - fix(rootio): fix severity selection (#9181)
 - fix(sbom):  use `Annotation` instead of `AttributionTexts` for `SPDX` formats (#7811)
 - fix(sbom): Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#7871)
 - fix(sbom): add SBOM file's filePath as Application FilePath if we can't detect its path (#8346)
 - fix(sbom): add `buildInfo` info as properties (#9683)
 - fix(sbom): add options for DBs in private registries (#7660)
 - fix(sbom): add options for DBs in private registries [backport: release/v0.56] (#7691)
 - fix(sbom): add support for `file` component type of `CycloneDX` (#9372)
 - fix(sbom): attach nested packages to Application (#8144)
 - fix(sbom): attach nested packages to Application [backport: release/v0.58] (#8168)
 - fix(sbom): don’t panic on SBOM format if scanned CycloneDX file has empty metadata (#9562)
 - fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type (#8052)
 - fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type [backport: release/v0.58] (#8124)
 - fix(sbom): improve logic for binding direct dependency to parent component (#8489)
 - fix(sbom): merge in-graph and out-of-graph OS packages in scan results (#9194)
 - fix(sbom): preserve OS packages from multiple SBOMs (#8325)
 - fix(sbom): preserve OS packages from multiple SBOMs [backport: release/v0.59] (#8333)
 - fix(sbom): remove unnecessary OS detection check in SBOM decoding (#9034)
 - fix(sbom): scan results of SBOMs generated from container images are missing layers (#7635)
 - fix(sbom): use correct field for licenses in CycloneDX reports (#9057)
 - fix(sbom): use root package for `unknown` dependencies (if exists) (#8104)
 - fix(sbom): use root package for `unknown` dependencies (if exists) [backport: release/v0.58] (#8156)
 - fix(secret): add UTF-8 validation in secret scanner to prevent protobuf marshalling errors (#9253)
 - fix(secret): fix line numbers for multiple-line secrets (#9104)
 - fix(secret): ignore .dist-info directories during secret scanning (#8646)
 - fix(server): add HTTP transport setup to server mode (#9217)
 - fix(server): add missed Relationship field for `rpc` (#8872)
 - fix(server): fix redis key when trying to delete blob (#8649)
 - fix(server): secrets inspectation for the config analyzer in client server mode (#8418)
 - fix(spdx): init `pkgFilePaths` map for all formats (#8380)
 - fix(spdx): save text licenses into `otherLicenses` without normalize (#8502)
 - fix(spdx): use the `hasExtractedLicensingInfos` field for licenses that are not listed in the SPDX (#8077)
 - fix(suse): SUSE - update OSType constants and references for compatility (#8236)
 - fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#8237)
 - fix(terraform): `evaluateStep` to correctly set `EvalContext` for multiple instances of blocks (#8555)
 - fix(terraform): `for_each` on a map returns a resource for every key (#9156)
 - fix(terraform): apply parser options to submodule parsing (#8377)
 - fix(terraform): hcl object expressions to return references (#8271)
 - fix(terraform): set null value as fallback for missing variables (#7669)
 - fix(vex): don't  suppress vulns for packages with infinity loop (#9465)
 - fix(vex): don't use reused BOM (#9604)
 - fix(vex): don't use reused BOM [backport: release/v0.67] (#9612)
 - fix(vex): use `lo.IsNil` to check `VEX` from OCI artifact (#8858)
 - fix(vex): use a separate `visited` set for each DFS path (#9760)
 - fix(vuln): compare `nuget` package names in lower case (#9456)
 - fix(wolfi): support new APK database location (#8937)
 - fix: Add missing version check flags (#8951)
 - fix: CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass (#8088)
 - fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field (#8207)
 - fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#8215)
 - fix: Correctly check for semver versions for trivy version check (#8948)
 - fix: Improve version comparisons when build identifiers are present (#7873)
 - fix: Trim the end-of-range suffix (#9618)
 - fix: Updated twitter icon (#7772)
 - fix: Use `fetch-level: 1` to check out trivy-repo in the release workflow (#9636)
 - fix: Use `fetch-level: 1` to check out trivy-repo in the release workflow [backport: release/v0.67] (#9638)
 - fix: add `buildInfo` for `BlobInfo` in `rpc` package (#9608)
 - fix: add `buildInfo` for `BlobInfo` in `rpc` package [backport: release/v0.67] (#9615)
 - fix: also check `filepath` when removing duplicate packages (#9142)
 - fix: check post-analyzers for StaticPaths (#8904)
 - fix: close all opened resources if an error occurs (#9665)
 - fix: close file descriptors and pipes on error paths (#9536)
 - fix: create temp file under composite fs dir (#9387)
 - fix: de-duplicate same `dpkg` packages with different filePaths from different layers (#8298)
 - fix: don't show corrupted trivy-db warning for first run (#8991)
 - fix: don't use `scope` for `trivy registry login` command (#8393)
 - fix: early-return, indent-error-flow and superfluous-else rules from revive  (#8796)
 - fix: enable err-error and errorf rules from perfsprint linter (#7859)
 - fix: enable usestdlibvars linter (#7770)
 - fix: filter all files when processing files installed from package managers (#8842)
 - fix: handle `BLOW_UNKNOWN` error to download DBs (#8060)
 - fix: handle `BLOW_UNKNOWN` error to download DBs [backport: release/v0.58] (#8121)
 - fix: improve conversion of image config to Dockerfile (#8308)
 - fix: julia parser panicing (#8883)
 - fix: migrate from `*.list` to `*.md5sums` files for `dpkg` (#9131)
 - fix: more revive rules (#8814)
 - fix: octalLiteral from go-critic (#8811)
 - fix: persistent flag option typo (#9374)
 - fix: prevent graceful shutdown message on normal exit (#9244)
 - fix: respect GITHUB_TOKEN to download artifacts from GHCR (#7580)
 - fix: restore compatibility for google.protobuf.Value (#9559)
 - fix: restore compatibility for google.protobuf.Value [backport: release/v0.67] (#9631)
 - fix: supporting .egg-info/METADATA in python.Packaging analyzer (#9151)
 - fix: suppress debug log for context cancellation errors (#9298)
 - fix: testifylint last issues (#8768)
 - fix: unused-parameter rule from revive (#8794)
 - fix: update all documentation links (#8045)
 - fix: update all documentation links (#9777)
 - fix: update cosing settings for GoReleaser after bumping cosing to v3 (#9863)
 - fix: use `--file-patterns` flag for all post analyzers (#7365)
 - fix: use context for analyzers (#9538)
 - fix: use-any from revive (#8810)
 - fix: using SrcVersion instead of Version for echo detector (#9552)
 - fix: using SrcVersion instead of Version for echo detector [backport: release/v0.67] (#9629)
 - fix: validate backport branch name (#9548)
 - fix: wasm module test (#8099)
 - perf(misconf): parse input for Rego once (#8483)
 - perf(misconf): retrieve check metadata from annotations once (#8478)
 - perf(secret): only match secrets of meaningful length, allow example strings to not be matched (#8602)
 - perf: avoid heap allocation in applier findPackage (#7883)
 - refactor(cli): Update the cloud config command (#9676)
 - refactor(cloudformation): remove unused ScanFile method from Scanner (#8927)
 - refactor(db): change logic to detect wrong DB (#8864)
 - refactor(db): use `Getter` interface with `GetParams` for trivy-db sources (#9239)
 - refactor(flag): improve flag system architecture and extensibility (#8718)
 - refactor(fs): use underlyingPath to determine virtual files more reliably (#9302)
 - refactor(k8s): add v prefix for Go packages (#7839)
 - refactor(k8s): scan config files as a folder (#7690)
 - refactor(license): improve license expression normalization (#8257)
 - refactor(license): simplify compound license scanning (#8896)
 - refactor(misconf): Deprecate `EXCEPTIONS` for misconfiguration scanning (#7776)
 - refactor(misconf): Remove unused options (#7896)
 - refactor(misconf): Simplify misconfig checks bundle parsing (#8533)
 - refactor(misconf): add ID to scan.Rule (#9573)
 - refactor(misconf): add ManifestFromYAML for unified manifest parsing (#9680)
 - refactor(misconf): decouple input fs and track extracted files with fs references (#9281)
 - refactor(misconf): get a block or attribute without calling HasChild (#8586)
 - refactor(misconf): introduce generic scanner (#7515)
 - refactor(misconf): make Rego scanner independent of config type (#7517)
 - refactor(misconf): mark AVDID fields as deprecated and use ID internally (#9576)
 - refactor(misconf): migrate from custom Azure JSON parser (#9222)
 - refactor(misconf): parse azure_policy_enabled to addonprofile.azurepolicy.enabled (#9851)
 - refactor(misconf): remove module outputs from parser.EvaluateAll (#8587)
 - refactor(misconf): remove unused methods for ec2.Instance (#8536)
 - refactor(misconf): remove unused methods from iac types (#8782)
 - refactor(misconf): remove unused methods from providers (#8781)
 - refactor(misconf): remove unused terraform attribute methods (#8657)
 - refactor(misconf): replace github.com/liamg/memoryfs with internal mapfs and testing/fstest (#9282)
 - refactor(misconf): rewrite Rego module filtering using functional filters (#9061)
 - refactor(misconf): set Trivy version by default in Rego scanner (#9001)
 - refactor(misconf): simplify k8s scanner (#7717)
 - refactor(misconf): switch to x/json  (#8719)
 - refactor(misconf): type-safe parser results in generic scanner (#9685)
 - refactor(misconf): use OPA v1 (#8518)
 - refactor(misconf): use atomic.Int32 (#9385)
 - refactor(python): use once + debug for `License acquired from METADATA...` logs (#8175)
 - refactor(report): write tables after rendering all results (#8357)
 - refactor(sbom): simplify relationship generation (#7985)
 - refactor(secret): clarify secret scanner messages (#9409)
 - refactor(secret): optimize performance by moving ToLower operation outside loop (#7862)
 - refactor(server): change custom advisory and vulnerability data types fr… (#8923)
 - refactor(terraform): make Scan method of Terraform plan scanner private (#9272)
 - refactor(terraform): remove result sorting from scanner (#8928)
 - refactor(terraform): simplify AllReferences method signature in Attribute (#8906)
 - refactor(ubuntu): update time handling for fixing time (#8780)
 - refactor(vex): improve SBOM reference handling with project standards (#8457)
 - refactor: add case-insensitive string set implementation (#9720)
 - refactor: add generic Set implementation (#8149)
 - refactor: add hook interface for extended functionality (#8585)
 - refactor: centralize HTTP transport configuration (#9058)
 - refactor: export `systemFileFiltering` Post Handler (#9359)
 - refactor: migrate from `github.com/aquasecurity/jfather` to `github.com/go-json-experiment/json` (#8591)
 - refactor: migrate from go-json-experiment to encoding/json/v2 (#9422)
 - refactor: move the aws config (#9617)
 - refactor: remove aws flag helper message (#9080)
 - refactor: remove google/wire dependency and implement manual DI (#9509)
 - refactor: remove support for custom Terraform checks (#7901)
 - refactor: rename scanner to service (#8584)
 - refactor: simplify Detect function signature (#9280)
 - refactor: switch to stable azcontainerregistry SDK package (#9319)
 - refactor: use slices package instead of custom function (#8172)
 - refactor: use strings.SplitSeq instead of strings.Split in for-loop (#8983)
 - refactor: use trivy-checks/pkg/specs package (#8226)
 - release: v0.56.2 [release/v0.56] (#7694)
 - release: v0.57.0 [main] (#7710)
 - release: v0.57.1 [release/v0.57] (#7943)
 - release: v0.58.0 [main] (#7874)
 - release: v0.58.1 [release/v0.58] (#8120)
 - release: v0.58.2 [release/v0.58] (#8216)
 - release: v0.59.0 [main] (#8041)
 - release: v0.59.1 [release/v0.59] (#8334)
 - release: v0.60.0 [main] (#8327)
 - release: v0.61.0 [main] (#8507)
 - release: v0.61.1 [release/v0.61] (#8704)
 - release: v0.62.0 [main] (#8669)
 - release: v0.62.1 [release/v0.62] (#8825)
 - release: v0.63.0 [main] (#8809)
 - release: v0.64.0 [main] (#8955)
 - release: v0.64.1 [release/v0.64] (#9122)
 - release: v0.65.0 [main] (#9108)
 - release: v0.66.0 [main] (#9289)
 - release: v0.67.0 [main] (#9432)
 - release: v0.67.1 [release/v0.67] (#9614)
 - release: v0.67.2 [release/v0.67] (#9639)
 - release: v0.68.0 [main] (#9549)
 - release: v0.68.1 [main] (#9867)
 - release: v0.68.2 [release/v0.68] (#9950)
 - style: Fix MD syntax in self-hosting.md (#8523)
 - test(go): refactor mod_test.go to use txtar format (#9775)
 - test(go): set `GOPATH` for tests (#9785)
 - test(helm): bump up Yamale dependency for Helm chart-testing-action (#9653)
 - test(k8s): update k8s integrtion test (#9725)
 - test(k8s): use a specific bundle for k8s misconfig scan (#9633)
 - test(misconf): drop gcp iam test covered by another case (#9285)
 - test(misconf): move terraform scan tests to integration tests (#9271)
 - test(misconf): remove BenchmarkCalculate using outdated check metadata (#9291)
 - test(server): replace mock driver with memory cache in server tests (#8416)
 - test: add HTTP basic authentication to git test server (#9407)
 - test: add end-to-end testing framework with image scan and proxy tests (#9231)
 - test: change branch in spdx schema link to check in integration tests (#7935)
 - test: change branch in spdx schema link to check in integration tests [backport: release/v0.57] (#7940)
 - test: define constants for test images (#7739)
 - test: improve and extend tests for iac/adapters/arm (#9028)
 - test: improve golden file management in integration tests (#9699)
 - test: include integration tests in linting and fix all issues (#9060)
 - test: replace Go checks with Rego (#7867)
 - test: replace mock with memory cache and fix non-deterministic tests (#8410)
 - test: replace mock with memory cache in scanner tests (#8413)
 - test: save `containerd` image into archive and use in tests (#7816)
 - test: set dummy value for NUGET_PACKAGES (#8107)
 - test: update golden files for TestRepository* integration tests (#9684)
 - test: use `aquasecurity` repository for test images (#8677)
 - test: use `aquasecurity` repository for test images [backport: release/v0.61] (#8698)
 - test: use forked images (#7755)
 - test: use memory cache (#8403)
 - test: use table-driven tests in Helm scanner tests (#8592)

-----------------------------------------------------------------
Advisory ID: 286
Released:    Sat Feb 14 22:30:01 2026
Summary:     Security update for fontforge
Type:        security
Severity:    important
References:  1215484,1220905,1230642,1230944,1231605,1234022,1234881,1249191,1249348,1249367,1252652,1256013,1256025,1256032,CVE-2025-10148,CVE-2025-15269,CVE-2025-15275,CVE-2025-15279,CVE-2025-50949,CVE-2025-9086
This update for fontforge fixes the following issues:

Update to version 20251009.

Security issues fixed:

- CVE-2025-15279: remote code execution via heap-based buffer overflow in BMP file parsing (bsc#1256013).
- CVE-2025-15269: remote code execution via use-after-free in SFD file parsing (bsc#1256032).
- CVE-2025-15275: arbitrary code execution via SFD file parsing buffer overflow (bsc#1256025).
- CVE-2025-50949: memory leak in function DlgCreate8 (bsc#1252652).

Other updates and bugfixes:

- fix multiple crashes in Multiple Masters.
- fix crash for content over 32767 characters in GDraw multiline text field.
- fix crash on Up/Down
- fix crash in Metrics View.
- fix UFO crash for empty contours.
- fix crash issue in allmarkglyphs.

- Version update to 20251009:

  * Update documentation for py scripts (#5180)
  * Update GitHub CI runners (#5328)
  * Update po files from Croudin sources. (#5330)
  * Use consistent Python in MacOS GitHub runner (#5331)
  * Fix CI for Windows GitHub runner (#5335)
  * Fix lookup flags parsing (#5338)
  * Fixes (#5332): glyph file names uXXXXX (#5333)
  * make harmonization robust and avoid zero handles after harmonization (#5262)
  * Quiet strict prototypes warnings. (#5313)
  * Fix crash in parsegvar() due to insufficient buffer (#5339)
  * Handle failed iconv conversion. Unhandled execution path was UB, causing a segfault for me (#5329)
  * Fix CMake function _get_git_version() (#5342)
  * Don't require individual tuple encapsulation in fontforge.font.bitmapSizes setter (#5138)
  * nltransform of anchor points (#5345)
  * Fix generateFontPostHook being called instead of generateFontPreHook (#5226)
  * Always set usDefaultChar to 0 (.notdef) (#5242)
  * add font attributes, method to Python docs (#5353)
  * fix segfault triggered by Python del c[i:j] (#5352)
  * Autoselect internal WOFF2 format (#5346)
  * Fix typos in the FAQ (#5355)
  * add font.style_set_names attribute to Python API (#5354)
  * Bulk tester (#5365)
  * Fix Splinefont shell invocation (#5367)
  * Fix the lists of Windows language IDs (#5359)
  * Support suplementary planes in SFD (emojis etc.) (#5364)
  * Remove psaltnames for multi-code-point names (#5305)
  * doc: added missing sudo to installation instructions (#5300)
  * Fix data corruption on SFD reading (#5380)
  * Compare vertical metrics check when generating TTC (#5372)
  * Treat FT_PIXEL_MODE_MONO as 2 grey levels (#5379)
  * Don't attempt to copy anchors into NULL font (#5405)
  * Fix export of supplementary plane characters in font name to TTF (#5396)
  * Defer crowdin update to the end of the pipeline (#5409)
  * Fix generated feature file bugs (#5384)
  * crowdin: update to java 17 (#5447)
  * Remove assert from Python script processor (#5410)
  * Use sysconfig for Python module locations (#5423)
  * Use PyConfig API on Python 3.8 (#5404)
  * Fix resource leak in unParseTTInstrs (#5476)
  * Only install GUI-specific files if ENABLE_GUI is set (#5451)
  * add math device tables to Python API (#5348)
  * Update CI runner to macOS 13 (#5482)
  * Allow hyphen and special characters in Feature File glyph names (#5358)
  * Fix Python font.appendSFNTName() function (#5494)
  * Update mm.c (#5386)
  * Warning rollup (probably some hidden bugs!) from clang trunk (#5492)
  * Fix function PyFFFont_addSmallCaps. (#5519)
  * Make SmallCaps() create symbols (#5517)
  * Segfault fix and complete implementation of 'Don't generate FFTM tables' (#5509)
  * Modernize fixed pitch flag computation (#5506)
  * fix memleak in function utf7toutf8_copy (#5495)
  * Avoid crashes in Python scripts when objects are accessed in invalid state (#5483)
  * Fix CI for Ubuntu 24 (#5531)
  * Bump GitHub CI runner to Ubuntu 22 (#5551)
  * Fix memory corruption in SFUnicodeRanges() (#5537)
  * Add contour draw option to H.Metrics. (#5496)
  * Fix scaling of references in CharView (#5558)
  * Fix TTF validation on load for fixed pitch fonts (#5562)
  * Performance fixes for GSUB/GPOS dumps (#5547)
  * Simple GTK-based dialog with CSS appearance support (#5546)
  * Support Harfbuzz in Metrics View (#5522)
  * Update po files from crowdin translations (#5575)
  * Be more clever about label text in gtextfield (#5583)
  * Add minimal support for GDEF version 1.3 (#5584)
  * Sanitize messages from python (#5589)
  * Fix a crash caused by deleting a glyph with vertical kerning pairs. (#5592)
  * THEME -> GUI_THEME (#5596)
  * Update po translations from Crowdin (#5593)
  * Upgrade to Unicode 16.0.0 (#5594)
  * Fix Linux AppImage (#5599)
  * Upgrade to Unicode 17.0.0 and extend the language and script lists (#5618)
  * Remove X11 and non-Cairo drawing backends (#5612)
  * Add macOS dependency setup script (#5563)
  * Fix hotkeys in BitmapView (#5626)
  * Manually install Inno Setup 6 (#5621)
  * Remove cv->back_img_out_of_date and cv->backimgs (#5625)
  * fix spelling 'bt' -> 'but' (#5636)
  * Fix typos in Python module docs (#5634)

- Version update to 20230101+git59.770356c9b:

  * Add contour draw option to H.Metrics. (#5496)
  * Fix memory corruption in SFUnicodeRanges() (#5537)
  * Bump GitHub CI runner to Ubuntu 22 (#5551)
  * Fix CI for Ubuntu 24 (#5531)
  * Avoid crashes in Python scripts when objects are accessed in
    invalid state (#5483)
  * fix memleak in function utf7toutf8_copy (#5495)
  * Modernize fixed pitch flag computation (#5506)
  * Segfault fix and complete implementation of 'Don't generate
    FFTM tables' (#5509)
  * Make SmallCaps() translate symbols, too.  Update
    documentation accordingly. (#5517)
  * Fix function PyFFFont_addSmallCaps. (#5519)
  * Warning rollup (probably some hidden bugs!) from clang trunk
    (#5492)
  * Update mm.c (#5386)
  * fix memleak in function DlgCreate8 (#5491)
  * Fix Python font.appendSFNTName() function (#5494)
  * Allow hyphen and special characters in Feature File glyph names
    (#5358)
  * Update CI runner to macOS 13 (#5482)
  * add math device tables to Python API (#5348)
  * Only install GUI-specific files if ENABLE_GUI is set (#5451)
  * Fix resource leak in unParseTTInstrs (#5476)
  * Use PyConfig API on Python 3.8 (#5404)
  * Use sysconfig for Python module locations (#5423)
  * More crowdin fix
  * Python script shall trigger no asserts (#5410)
  * crowdin: update to java 17 (#5447)
  * try fix crowdin
  * Fix generated feature file bugs (#5384)
  * Defer crowdin update to the end of the pipeline (#5409)
  * Fix export of supplementary plane characters in font name to
    TTF (#5396)
  * Don't attempt to copy anchors into NULL font (#5405)
  * Treat FT_PIXEL_MODE_MONO as 2 grey levels (#5379)
  * Compare vertical metrics check when generating TTC (#5372)
  * Fix data corruption on SFD reading (#5380)
  * doc: added missing sudo to installation instructions (#5300)
  * Remove `psaltnames` for multi-code-point names (#5305)
  * Support suplementary planes in SFD (emojis etc.) (#5364)
  * Fix the lists of Windows language IDs (#5359)
  * fix splinefont shell command injection (#5367)
  * Bulk tester (#5365)
  * add `font.style_set_names` attribute to Python API (#5354)
  * Fix typos in the FAQ (#5355)
  * Autoselect internal WOFF2 format (#5346)
  * fix segfault triggered by Python `del c[i:j]` (#5352)
  * add `font` attributes, method to Python docs (#5353)
  * Always set `usDefaultChar` to 0 (.notdef) (#5242)
  * Fix generateFontPostHook being called instead of
    generateFontPreHook (#5226)
  * nltransform of anchor points (#5345)
  * Don't require individual tuple encapsulation in
    fontforge.font.bitmapSizes setter (#5138)
  * Fix CMake function _get_git_version() (#5342)
  * Handle failed iconv conversion. Unhandled execution path was
    UB, causing a segfault for me (#5329)
  * Fix crash in parsegvar() due to insufficient buffer (#5339)
  * Quiet strict prototypes warnings. (#5313)
  * harmonizing can now no longer produce zero handles, the
    computation of harmonization is now numerically robust (#5262)
  * Fix glyph file names uXXXXX (#5333)
  * Fix lookup flags parsing (#5338)
  * Duplicate libfontforge.dll for 'py' and 'pyhook' tests. (#5335)
  * Use consistent Python in MacOS GitHub runner (#5331)
  * Update po files from Croudin sources after fixing problems
  * Fix GinHub CI runners (#5328)

-----------------------------------------------------------------
Advisory ID: 300
Released:    Thu Feb 19 11:31:04 2026
Summary:     Security update for python313
Type:        security
Severity:    important
References:  1035807,1036457,1079600,1198823,1198830,1198832,1229952,1230029,1242623,1243861,1247193,1248006,1257029,1257031,1257042,1257046,1257181,867620,CVE-2014-2240,CVE-2014-2241,CVE-2017-8105,CVE-2017-8287,CVE-2022-27404,CVE-2022-27405,CVE-2022-27406,CVE-2024-12224,CVE-2024-43806,CVE-2024-58266,CVE-2025-11468,CVE-2025-15282,CVE-2025-3416,CVE-2025-55159,CVE-2026-0672,CVE-2026-0865,CVE-2026-1299
This update for python313 fixes the following issues:

Update to version 3.13.12.

Security issues fixed:

- CVE-2025-11468: header injection when folding a long comment in an email header containing exclusively unfoldable
  characters (bsc#1257029).
- CVE-2025-15282: user-controlled data URLs parsed may allow injecting headers (bsc#1257046).
- CVE-2026-0672: HTTP header injection via user-controlled cookie values and parameters when using http.cookies.Morsel
  (bsc#1257031).
- CVE-2026-0865: user-controlled header containing newlines can allow injecting HTTP headers (bsc#1257042).
- CVE-2026-1299: header injection when an email is serialized due to improper newline quoting in `BytesGenerator`
  (bsc#1257181).

Other updates and bugfixes:

- Update to version 3.13.12.

  - Library

    - gh-144380: Improve performance of io.BufferedReader line
      iteration by ~49%.
    - gh-144169: Fix three crashes when non-string keyword
      arguments are supplied to objects in the ast module.
    - gh-144100: Fixed a crash in ctypes when using a deprecated
      POINTER(str) type in argtypes. Instead of aborting, ctypes
      now raises a proper Python exception when the pointer
      target type is unresolved.
    - gh-144050: Fix stat.filemode() in the pure-Python
      implementation to avoid misclassifying invalid mode values
      as block devices.
    - gh-144023: Fixed validation of file descriptor 0 in posix
      functions when used with follow_symlinks parameter.
    - gh-143999: Fix an issue where inspect.getgeneratorstate()
      and inspect.getcoroutinestate() could fail for generators
      wrapped by types.coroutine() in the suspended state.
    - gh-143706: Fix multiprocessing forkserver so that sys.argv
      is correctly set before __main__ is preloaded. Previously,
      sys.argv was empty during main module import in forkserver
      child processes. This fixes a regression introduced in
      3.13.8 and 3.14.1. Root caused by Aaron Wieczorek, test
      provided by Thomas Watson, thanks!
    - gh-143638: Forbid reentrant calls of the pickle.Pickler and
      pickle.Unpickler methods for the C implementation.
      Previously, this could cause crash or data corruption, now
      concurrent calls of methods of the same object raise
      RuntimeError.
    - gh-78724: Raise RuntimeError's when user attempts to call
      methods on half-initialized Struct objects, For example,
      created by Struct.__new__(Struct). Patch by Sergey
      B Kirpichev.
    - gh-143602: Fix a inconsistency issue in write() that leads
      to unexpected buffer overwrite by deduplicating the buffer
      exports.
    - gh-143547: Fix sys.unraisablehook() when the hook raises an
      exception and changes sys.unraisablehook(): hold a strong
      reference to the old hook. Patch by Victor Stinner.
    - gh-143378: Fix use-after-free crashes when a BytesIO object
      is concurrently mutated during write() or writelines().
    - gh-143346: Fix incorrect wrapping of the Base64 data in
      plistlib._PlistWriter when the indent contains a mix of
      tabs and spaces.
    - gh-143310: tkinter: fix a crash when a Python list is
      mutated during the conversion to a Tcl object (e.g., when
      setting a Tcl variable). Patch by Benedikt Tran.
    - gh-143309: Fix a crash in os.execve() on non-Windows
      platforms when given a custom environment mapping which is
      then mutated during parsing. Patch by Benedikt Tran.
    - gh-143308: pickle: fix use-after-free crashes when
      a PickleBuffer is concurrently mutated by a custom buffer
      callback during pickling. Patch by Benedikt Tran and Aaron
      Wieczorek.
    - gh-143237: Fix support of named pipes in the rotating
      logging handlers.
    - gh-143249: Fix possible buffer leaks in Windows overlapped
      I/O on error handling.
    - gh-143241: zoneinfo: fix infinite loop in
      ZoneInfo.from_file when parsing a malformed TZif file.
      Patch by Fatih Celik.
    - gh-142830: sqlite3: fix use-after-free crashes when the
      connection's callbacks are mutated during a callback
      execution. Patch by Benedikt Tran.
    - gh-143200: xml.etree.ElementTree: fix use-after-free
      crashes in __getitem__() and __setitem__() methods of
      Element when the element is concurrently mutated. Patch by
      Benedikt Tran.
    - gh-142195: Updated timeout evaluation logic in subprocess
      to be compatible with deterministic environments like
      Shadow where time moves exactly as requested.
    - gh-143145: Fixed a possible reference leak in ctypes when
      constructing results with multiple output parameters on
      error.
    - gh-122431: Corrected the error message in
      readline.append_history_file() to state that nelements must
      be non-negative instead of positive.
    - gh-143004: Fix a potential use-after-free in
      collections.Counter.update() when user code mutates the
      Counter during an update.
    - gh-143046: The asyncio REPL no longer prints copyright and
      version messages in the quiet mode (-q). Patch by Bartosz
      Slawecki.
    - gh-140648: The asyncio REPL now respects the -I flag
      (isolated mode). Previously, it would load and execute
      PYTHONSTARTUP even if the flag was set. Contributed by
      Bartosz Slawecki.
    - gh-142991: Fixed socket operations such as recvfrom() and
      sendto() for FreeBSD divert(4) socket.
    - gh-143010: Fixed a bug in mailbox where the precise timing
      of an external event could result in the library opening an
      existing file instead of a file it expected to create.
    - gh-142881: Fix concurrent and reentrant call of
      atexit.unregister().
    - gh-112127: Fix possible use-after-free in
      atexit.unregister() when the callback is unregistered
      during comparison.
    - gh-142783: Fix zoneinfo use-after-free with descriptor
      _weak_cache. a descriptor as _weak_cache could cause
      crashes during object creation. The fix ensures proper
      reference counting for descriptor-provided objects.
    - gh-142754: Add the ownerDocument attribute to
      xml.dom.minidom elements and attributes created by directly
      instantiating the Element or Attr class. Note that this way
      of creating nodes is not supported; creator functions like
      xml.dom.Document.documentElement() should be used instead.
    - gh-142784: The asyncio REPL now properly closes the loop
      upon the end of interactive session. Previously, it could
      cause surprising warnings. Contributed by Bartosz Slawecki.
    - gh-142555: array: fix a crash in a[i] = v when converting
      i to an index via i.__index__ or i.__float__ mutates the
      array.
    - gh-142594: Fix crash in TextIOWrapper.close() when the
      underlying buffer's closed property calls detach().
    - gh-142451: hmac: Ensure that the HMAC.block_size attribute
      is correctly copied by HMAC.copy. Patch by Benedikt Tran.
    - gh-142495: collections.defaultdict now prioritizes
      __setitem__() when inserting default values from
      default_factory. This prevents race conditions where
      a default value would overwrite a value set before
      default_factory returns.
    - gh-142651: unittest.mock: fix a thread safety issue where
      Mock.call_count may return inaccurate values when the mock
      is called concurrently from multiple threads.
    - gh-142595: Added type check during initialization of the
      decimal module to prevent a crash in case of broken stdlib.
      Patch by Sergey B Kirpichev.
    - gh-142517: The non-compat32 email policies now correctly
      handle refolding encoded words that contain bytes that can
      not be decoded in their specified character set. Previously
      this resulted in an encoding exception during folding.
    - gh-112527: The help text for required options in argparse
      no longer extended with '(default: None)'.
    - gh-142315: Pdb can now run scripts from anonymous pipes
      used in process substitution. Patch by Bartosz Slawecki.
    - gh-142282: Fix winreg.QueryValueEx() to not accidentally
      read garbage buffer under race condition.
    - gh-75949: Fix argparse to preserve | separators in mutually
      exclusive groups when the usage line wraps due to length.
    - gh-68552: MisplacedEnvelopeHeaderDefect and Missing header
      name defects are now correctly passed to the handle_defect
      method of policy in FeedParser.
    - gh-142006: Fix a bug in the email.policy.default folding
      algorithm which incorrectly resulted in a doubled newline
      when a line ending at exactly max_line_length was followed
      by an unfoldable token.
    - gh-105836: Fix asyncio.run_coroutine_threadsafe() leaving
      underlying cancelled asyncio task running.
    - gh-139971: pydoc: Ensure that the link to the online
      documentation of a stdlib module is correct.
    - gh-139262: Some keystrokes can be swallowed in the new
      PyREPL on Windows, especially when used together with the
      ALT key. Fix by Chris Eibl.
    - gh-138897: Improved license/copyright/credits display in
      the REPL: now uses a pager.
    - gh-79986: Add parsing for References and In-Reply-To
      headers to the email library that parses the header content
      as lists of message id tokens. This prevents them from
      being folded incorrectly.
    - gh-109263: Starting a process from spawn context in
      multiprocessing no longer sets the start method globally.
    - gh-90871: Fixed an off by one error concerning the backlog
      parameter in create_unix_server(). Contributed by Christian
      Harries.
    - gh-133253: Fix thread-safety issues in linecache.
    - gh-132715: Skip writing objects during marshalling once
      a failure has occurred.
    - gh-127529: Correct behavior of
      asyncio.selector_events.BaseSelectorEventLoop._accept_connection()
      in handling ConnectionAbortedError in a loop. This improves
      performance on OpenBSD.

  - IDLE

    - gh-143774: Better explain the operation of Format / Format
      Paragraph.

  - Core and Builtins

    - gh-144307: Prevent a reference leak in module teardown at
      interpreter finalization.
    - gh-144194: Fix error handling in perf jitdump
      initialization on memory allocation failure.
    - gh-141805: Fix crash in set when objects with the same hash
      are concurrently added to the set after removing an element
      with the same hash while the set still contains elements
      with the same hash.
    - gh-143670: Fixes a crash in ga_repr_items_list function.
    - gh-143377: Fix a crash in _interpreters.capture_exception()
      when the exception is incorrectly formatted. Patch by
      Benedikt Tran.
    - gh-143189: Fix crash when inserting a non-str key into
      a split table dictionary when the key matches an existing
      key in the split table but has no corresponding value in
      the dict.
    - gh-143228: Fix use-after-free in perf trampoline when
      toggling profiling while threads are running or during
      interpreter finalization with daemon threads active. The
      fix uses reference counting to ensure trampolines are not
      freed while any code object could still reference them.
      Pach by Pablo Galindo
    - gh-142664: Fix a use-after-free crash in
      memoryview.__hash__ when the __hash__ method of the
      referenced object mutates that object or the view. Patch by
      Benedikt Tran.
    - gh-142557: Fix a use-after-free crash in bytearray.__mod__
      when the bytearray is mutated while formatting the %-style
      arguments. Patch by Benedikt Tran.
    - gh-143195: Fix use-after-free crashes in bytearray.hex()
      and memoryview.hex() when the separator's __len__() mutates
      the original object. Patch by Benedikt Tran.
    - gh-143135: Set sys.flags.inspect to 1 when PYTHONINSPECT is
      0. Previously, it was set to 0 in this case.
    - gh-143003: Fix an overflow of the shared empty buffer in
      bytearray.extend() when __length_hint__() returns 0 for
      non-empty iterator.
    - gh-143006: Fix a possible assertion error when comparing
      negative non-integer float and int with the same number of
      bits in the integer part.
    - gh-142776: Fix a file descriptor leak in import.c
    - gh-142829: Fix a use-after-free crash in
      contextvars.Context comparison when a custom __eq__ method
      modifies the context via set().
    - gh-142766: Clear the frame of a generator when
      generator.close() is called.
    - gh-142737: Tracebacks will be displayed in fallback mode
      even if io.open() is lost. Previously, this would crash the
      interpreter. Patch by Bartosz Slawecki.
    - gh-142554: Fix a crash in divmod() when
      _pylong.int_divmod() does not return a tuple of length two
      exactly. Patch by Benedikt Tran.
    - gh-142560: Fix use-after-free in bytearray search-like
      methods (find(), count(), index(), rindex(), and rfind())
      by marking the storage as exported which causes
      reallocation attempts to raise BufferError. For contains(),
      split(), and rsplit() the buffer protocol is used for this.
    - gh-142343: Fix SIGILL crash on m68k due to incorrect
      assembly constraint.
    - gh-141732: Ensure the __repr__() for ExceptionGroup and
      BaseExceptionGroup does not change when the exception
      sequence that was original passed in to its constructor is
      subsequently mutated.
    - gh-100964: Fix reference cycle in exhausted generator
      frames. Patch by Savannah Ostrowski.
    - gh-140373: Correctly emit PY_UNWIND event when generator
      object is closed. Patch by Mikhail Efimov.
    - gh-138568: Adjusted the built-in help() function so that
      empty inputs are ignored in interactive mode.
    - gh-127773: Do not use the type attribute cache for types
      with incompatible MRO.

  - C API

    - gh-142571: PyUnstable_CopyPerfMapFile() now checks that
      opening the file succeeded before flushing.

  - Build

    - gh-142454: When calculating the digest of the JIT stencils
      input, sort the hashed files by filenames before adding
      their content to the hasher. This ensures deterministic
      hash input and hence deterministic hash, independent on
      filesystem order.
    - gh-141808: When running make clean-retain-profile, keep the
      generated JIT stencils. That way, the stencils are not
      generated twice when Profile-guided optimization (PGO) is
      used. It also allows distributors to supply their own
      pre-built JIT stencils.
    - gh-138061: Ensure reproducible builds by making JIT stencil
      header generation deterministic.

-----------------------------------------------------------------
Advisory ID: 299
Released:    Thu Feb 19 12:09:58 2026
Summary:     Security update for MozillaFirefox
Type:        security
Severity:    moderate
References:  1234015,1236886,1246602,1246604,1247938,1247939,1258231,CVE-2025-53905,CVE-2025-53906,CVE-2025-55157,CVE-2025-55158,CVE-2026-2447
This update for MozillaFirefox fixes the following issues:

Changes in MozillaFirefox:

Firefox Extended Support Release 140.7.1 ESR was released:

  * Fixed: Security fix.

MFSA 2026-10 (bsc#1258231):

  * CVE-2026-2447: Heap buffer overflow in libvpx.

-----------------------------------------------------------------
Advisory ID: 304
Released:    Fri Feb 20 16:40:19 2026
Summary:     Security update for docker-stable
Type:        security
Severity:    moderate
References:  1219559,1219561,1221289,1229930,1229931,1229932,1232579,1232601,1239618,1242170,1250508,1250596,1252290,CVE-2013-0340,CVE-2019-15903,CVE-2023-52425,CVE-2023-52426,CVE-2024-28757,CVE-2024-45490,CVE-2024-45491,CVE-2024-45492,CVE-2024-50602,CVE-2024-8176
This update for docker-stable fixes the following issues:

- Enable SELinux in default daemon.json config (--selinux-enabled).
  This has no practical impact on non-SELinux systems (bsc#1252290).
- Remove git-core recommends on SLE. Most SLE systems have installRecommends=yes
  by default and thus end up installing git with Docker (bsc#1250508).
- Include historical changelog data from before the docker-stable fork.
  This includes CVE numbers for security tracking reasons (bsc#1250596).

-----------------------------------------------------------------
Advisory ID: 305
Released:    Fri Feb 20 16:44:31 2026
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    important
References:  1238700,1239335,1257661,CVE-2025-22869,CVE-2025-22870
This update for lvm2 fixes the following issues:

- L3: LVM_SUPPRESS_FD_WARNINGS is no longer effective (bsc#1257661)
    * libdaemon: fix suppressing stray fd warnings

-----------------------------------------------------------------
Advisory ID: 308
Released:    Fri Feb 20 17:18:08 2026
Summary:     Security update for postgresql15
Type:        security
Severity:    important
References:  1229163,1229164,1230840,1231591,1232411,1233606,1233608,1233609,1233610,1233612,1233613,1233614,1233615,1233616,1233617,1234958,1234959,1236316,1236317,1237002,1237006,1237008,1237009,1237010,1237011,1237012,1237013,1237014,1242971,1247242,1249140,1253332,1253333,1258008,1258009,1258010,1258011,CVE-2024-45774,CVE-2024-45775,CVE-2024-45776,CVE-2024-45777,CVE-2024-45778,CVE-2024-45779,CVE-2024-45780,CVE-2024-45781,CVE-2024-45782,CVE-2024-45783,CVE-2024-49504,CVE-2024-56737,CVE-2024-56738,CVE-2025-0622,CVE-2025-0624,CVE-2025-0677,CVE-2025-0678,CVE-2025-0684,CVE-2025-0685,CVE-2025-0686,CVE-2025-0689,CVE-2025-0690,CVE-2025-1118,CVE-2025-1125,CVE-2025-12817,CVE-2025-12818,CVE-2025-4382,CVE-2026-2003,CVE-2026-2004,CVE-2026-2005,CVE-2026-2006
This update for postgresql15 fixes the following issues:

Update to version 15.16.

Security issues fixed:

- CVE-2026-2003: improper validation of type 'oidvector' may allow disclose a few bytes of server memory (bsc#1258008).
- CVE-2026-2004: intarray missing validation of type of input to selectivity estimator could lead to arbitrary code
  execution (bsc#1258009).
- CVE-2026-2005: buffer overrun in contrib/pgcrypto's PGP decryption functions could lead to arbitrary code execution
  (bsc#1258010).
- CVE-2026-2006: inadequate validation of multibyte character lengths could lead to arbitrary code execution
  (bsc#1258011).
- CVE-2025-12817: missing check for CREATE privileges on the schema in CREATE STATISTICS (bsc#1253332).
- CVE-2025-12818: integer overflow in allocation-size calculations within libpq (bsc#1253333).

-----------------------------------------------------------------
Advisory ID: 309
Released:    Wed Feb 25 11:14:34 2026
Summary:     Optional update for ansible-trento
Type:        optional
Severity:    moderate
References:  1239749,1246974,1249375,CVE-2024-40635,CVE-2025-8114,CVE-2025-8277
This update for ansible-trento fixes the following issues:

Adds ansible-trento to the distribution.

-----------------------------------------------------------------
Advisory ID: 310
Released:    Thu Feb 26 08:38:22 2026
Summary:     Recommended update for openssl-3
Type:        recommended
Severity:    low
References:  1219276,1223903,1241205,1242011,1247286,1247495,1248158,CVE-2022-48622
This update for openssl-3 fixes the following issues:

- removed test patches because they are not needed.

-----------------------------------------------------------------
Advisory ID: 311
Released:    Thu Feb 26 08:39:56 2026
Summary:     Recommended update for crmsh
Type:        recommended
Severity:    important
References:  1227316,1254571,1254892,1257143
This update for crmsh fixes the following issues:


- Update to version 5.0.0+20260126.316aa9fa:
    * Dev: options: Change 'force' option to be session-only (bsc#1254892)
    * Fix: sbd: Allow setting -1 to stonith-watchdog-timeout (bsc#1257143)
    * Fix: qdevice: Make sure stonith-watchdog-timeout is 2 times of SBD_WATCHDOG_TIMEOUT (bsc#1254571)
    * Fix: migration: Avoid exception inside thread
    * Dev: sbd: Remove sbd configuration directories while removing cluster node

-----------------------------------------------------------------
Advisory ID: 315
Released:    Thu Feb 26 12:53:30 2026
Summary:     Security update for 7zip
Type:        security
Severity:    moderate
References:  1246706,1246707,1249130,1249584,CVE-2017-14992,CVE-2017-9232,CVE-2019-11243,CVE-2019-15119,CVE-2023-32198,CVE-2024-22031,CVE-2025-1386,CVE-2025-22871,CVE-2025-22872,CVE-2025-23390,CVE-2025-2424,CVE-2025-24358,CVE-2025-2475,CVE-2025-24839,CVE-2025-24866,CVE-2025-2564,CVE-2025-27538,CVE-2025-27571,CVE-2025-27936,CVE-2025-30204,CVE-2025-30206,CVE-2025-30215,CVE-2025-31363,CVE-2025-31483,CVE-2025-31489,CVE-2025-32024,CVE-2025-32025,CVE-2025-32093,CVE-2025-32386,CVE-2025-32387,CVE-2025-32431,CVE-2025-32445,CVE-2025-32777,CVE-2025-32793,CVE-2025-32963,CVE-2025-35965,CVE-2025-3801,CVE-2025-3879,CVE-2025-41395,CVE-2025-41423,CVE-2025-4166,CVE-2025-4210,CVE-2025-43970,CVE-2025-43971,CVE-2025-43972,CVE-2025-43973,CVE-2025-46327,CVE-2025-46342,CVE-2025-46569,CVE-2025-46599,CVE-2025-53816,CVE-2025-53817,CVE-2025-59375
This update for 7zip fixes the following issues:

- Update to 25.01 (boo#1249130)
  * The code for handling symbolic links has been changed to
    provide greater security when extracting files from archives
  * Command line switch -snld20 can be used to bypass default
    security checks when creating symbolic links.

- Update to 25.00:
  * bzip2 compression speed was increased by 15-40%.
  * deflate (zip/gz) compression speed was increased by 1-3%.
  * improved support for zip, cpio and fat archives.
  * CVE-2025-53816: Fixed input manipulation leading
    to heap buffer overflow (bsc#1246706)
  * CVE-2025-53817: Fixed null pointer dereference leading
    to denial of service (bsc#1246707)

-----------------------------------------------------------------
Advisory ID: 316
Released:    Thu Feb 26 13:03:49 2026
Summary:     Recommended update for SAPHanaSR-angi
Type:        recommended
Severity:    moderate
References:  1236217,1240764,1242715,1250232,1257744,1257746,1257747,CVE-2025-22873,CVE-2025-9230
This update for SAPHanaSR-angi fixes the following issues:

- Version bump to 1.3.0:
    * Technology preview - Support for XSA standalone node
      in Mx-setup (one master, one XSA worker)
    * improve logging to SAP HANA trace file (bsc#1257746)
    * improve HANA 'stop' logging (bsc#1257747)
    * improve srHook attribute logging (bsc#1257744)
    * stop lost slave workers, if master nameserver node crashed before promoting the secondary
    * fix stop status for lost slave worker (bsc#1257747)
    * SAPHanaSR-alert-fencing could now restart a node without using cluster infrastructure
    * new man page:
        + SAPHanaSR-ScaleOut-XSA.7
    * update man pages:
        + ocf_suse_SAPHanaFilesystem.7
        + SAPHanaController-scale-out.7
        + SAPHanaController-scale-up.7
        + SAPHanaSR-alert-fencing.8
        + SAPHanaSR-angi-scenarios.7
        + SAPHanaSR-angi.7
        + SAPHanaSR-hookHelper.8
        + SAPHanaSR-ScaleOut.7
        + SAPHanaSR-ScaleOut_basic_cluster.7
        + SAPHanaSR-showAttr.8
        + SAPHanaSR_basic_cluster.7
        + SAPHanaSR_maintenance_examples.7
        + SAPHanaSR_upgrade_to_angi.7
        + susHanaSR.py.7
    * update man pages - copyright date only:
        + ocf_suse_SAPHanaController.7
        + ocf_suse_SAPHanaTopology.7
        + SAPHanaSR-manageProvider.8
        + SAPHanaSR-replay-archive.8
        + SAPHanaSR-show-hadr-runtimes.8
        + SAPHanaSR-showAttr_properties.5
        + SAPHanaSR-upgrade-to-angi-demo.8
        + SAPHanaSR.7
        + susChkSrv.py.7
        + susCostOpt.py.7
        + susHanaSrMultiTarget.py.7
        + susTkOver.py.7
- change required crmsh version from 4.4.0 to 4.4.2+20250526.46896f4

-----------------------------------------------------------------
Advisory ID: 314
Released:    Thu Feb 26 17:51:31 2026
Summary:     Recommended update for gcc15
Type:        recommended
Severity:    moderate
References:  1240897,1244485,1251253,1251254,1251255,1251256,1251257,1251258,1251259,1251260,1251261,1251262,CVE-2025-3360,CVE-2025-47912,CVE-2025-58183,CVE-2025-58185,CVE-2025-58186,CVE-2025-58187,CVE-2025-58188,CVE-2025-58189,CVE-2025-61723,CVE-2025-61724,CVE-2025-61725
This update for gcc15 fixes the following issues:

Update to GCC 15.2 release

  * the GCC 15.2 release contains regression fixes accumulated since
    the GCC 15.1 release

- Fixes PR120714, RISC-V: incorrect frame pointer CFA address for
  stack-clash protection loops

-----------------------------------------------------------------
Advisory ID: 323
Released:    Fri Feb 27 09:51:11 2026
Summary:     Recommended update for google-guest-configs
Type:        recommended
Severity:    important
References:  1241957,1248586,1252217,1254266
This update for google-guest-configs fixes the following issues:

- Install NetworkManager disptacher for SLE-16 and newer only
- Add NetworkManager-devel to BuildRequires
- Install NetworkManager dispatcher script (bsc#1254266)

-----------------------------------------------------------------
Advisory ID: 327
Released:    Fri Feb 27 11:34:41 2026
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    important
References:  1241872,1246934,1247286,1247495,1248158,1249686,1250513,1257875,CVE-2025-43859
This update for aaa_base fixes the following issues:

- Update to version 84.87+git20260210.ecce285:
    * For boo#1257875 get intrinsic DEFAULT_WM back
    * DIR_COLORS: add vt220 and .jxl
- Update to version 84.87+git20260112.8f614f3:
    * add ghost entries for the removed dirs
    * Revert list directories above all normal files.
- Update to version 84.87+git20251217.34fd7bc:
    * add tmpfiles template adm-backup.conf (jsc#PED-14803)
    * Fix old script to support copy mode as well
    * Support for XDG environment variables for the su,
    * adapted sugggestions
    * Patching nsswitch.conf only if it has not been generated by nsswitch-config (jsc#PED-13807).
    * Avoid nasty exceptions running tput
- Update to version 84.87+git20251111.509a363:
    * Avoid escape sequences on dump terminal of s390
- Update to version 84.87+git20251111.16d9d43:
    * Set XDG environment variables consistently without trailing slash
- Update to version 84.87+git20251110.af063e6:
    * Avoid escape sequences on dump terminal of s390
    * Set erase character from kbs entry of terminfo
- Update to version 84.87+git20251030.441f926:
    * Add systemd to /etc/nsswitch.conf (bsc#1250513)
    * Add group-directories-first option
    * prevent normal users from accessing dmesg (bsc#1249686)
    * Use explicit defaults for XDG environment variables
- Update to version 84.87+git20250903.33e5ba4:
    * Correct fix for (bsc#1247495, bsc#1248158)
- Update to version 84.87+git20250805.3069494:
    * Remove initviocons for tcsh as well and
    * Update csh.login
    * Add missing quoting and remove unneeded uses of eval
- Update to version 84.87+git20250801.f305627:
    * Remove sysconfig.language (bsc#1247286)
- Update to version 84.87+git20250801.b2fa3fe:
    * Allow /etc/locale.conf to have no newline

-----------------------------------------------------------------
Advisory ID: 325
Released:    Fri Feb 27 14:03:55 2026
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1205462,1214285,1215199,1235905,1241020,1241078,1242505,1242974,1242986,1243452,1243507,1243662,1246184,1246282,1247030,1247292,1247712,1248166,1248175,1248178,1248179,1248185,1248188,1248196,1248206,1248208,1248209,1248211,1248212,1248213,1248214,1248216,1248217,1248222,1248227,1248228,1248229,1248232,1248234,1248240,1248360,1248366,1248384,1248626,1249307,1249609,1249895,1249998,1250032,1250082,1250388,1250562,1250705,1250738,1250748,1252712,1252773,1252784,1252891,1252900,1253049,1253078,1253079,1253087,1253344,1253500,1253739,1254244,1254308,1254447,1254839,1254842,1254845,1254977,1255102,1255128,1255157,1255164,1255172,1255216,1255232,1255241,1255245,1255266,1255268,1255269,1255319,1255327,1255346,1255403,1255417,1255459,1255482,1255506,1255526,1255527,1255529,1255530,1255536,1255537,1255542,1255544,1255547,1255569,1255593,1255622,1255694,1255695,1255703,1255708,1255811,1255930,1256579,1256582,1256584,1256586,1256591,1256592,1256593,1256594,1256597,1256605,1256607,1
 256608,1256609,1256610,1256611,1256612,1256613,1256616,1256617,1256619,1256622,1256623,1256625,1256627,1256628,1256630,1256632,1256638,1256641,1256643,1256645,1256646,1256650,1256651,1256653,1256654,1256655,1256656,1256659,1256660,1256661,1256664,1256665,1256667,1256668,1256674,1256677,1256680,1256682,1256683,1256688,1256689,1256716,1256726,1256728,1256730,1256733,1256737,1256741,1256742,1256744,1256748,1256749,1256752,1256754,1256755,1256756,1256757,1256759,1256760,1256761,1256763,1256770,1256773,1256774,1256777,1256779,1256781,1256785,1256792,1256793,1256794,1256864,1256865,1256867,1256975,1257015,1257035,1257053,1257154,1257155,1257158,1257159,1257163,1257164,1257167,1257168,1257179,1257180,1257202,1257204,1257207,1257208,1257215,1257217,1257218,1257220,1257221,1257225,1257227,1257232,1257234,1257236,1257243,1257245,1257276,1257277,1257279,1257282,1257296,1257309,1257473,1257504,1257603,CVE-2024-54031,CVE-2025-11021,CVE-2025-29087,CVE-2025-29088,CVE-2025-37744,CVE-2025-37751,CVE-
 2025-37841,CVE-2025-37845,CVE-2025-37904,CVE-2025-37955,CVE-2025-38243,CVE-2025-38262,CVE-2025-38297,CVE-2025-38298,CVE-2025-38379,CVE-2025-38423,CVE-2025-38505,CVE-2025-38507,CVE-2025-38510,CVE-2025-38511,CVE-2025-38512,CVE-2025-38513,CVE-2025-38515,CVE-2025-38516,CVE-2025-38520,CVE-2025-38521,CVE-2025-38529,CVE-2025-38530,CVE-2025-38535,CVE-2025-38537,CVE-2025-38538,CVE-2025-38539,CVE-2025-38540,CVE-2025-38541,CVE-2025-38543,CVE-2025-38547,CVE-2025-38548,CVE-2025-38550,CVE-2025-38551,CVE-2025-38569,CVE-2025-38589,CVE-2025-38590,CVE-2025-38645,CVE-2025-39689,CVE-2025-39795,CVE-2025-39813,CVE-2025-39814,CVE-2025-39817,CVE-2025-39829,CVE-2025-39880,CVE-2025-39913,CVE-2025-39927,CVE-2025-40030,CVE-2025-40045,CVE-2025-40097,CVE-2025-40106,CVE-2025-40147,CVE-2025-40195,CVE-2025-40257,CVE-2025-40259,CVE-2025-40261,CVE-2025-40363,CVE-2025-68174,CVE-2025-68178,CVE-2025-68188,CVE-2025-68200,CVE-2025-68211,CVE-2025-68218,CVE-2025-68227,CVE-2025-68241,CVE-2025-68245,CVE-2025-68261,CVE-2025-68
 296,CVE-2025-68297,CVE-2025-68320,CVE-2025-68325,CVE-2025-68337,CVE-2025-68341,CVE-2025-68348,CVE-2025-68349,CVE-2025-68356,CVE-2025-68359,CVE-2025-68360,CVE-2025-68361,CVE-2025-68366,CVE-2025-68367,CVE-2025-68368,CVE-2025-68372,CVE-2025-68374,CVE-2025-68376,CVE-2025-68379,CVE-2025-68725,CVE-2025-68735,CVE-2025-68741,CVE-2025-68743,CVE-2025-68764,CVE-2025-68768,CVE-2025-68770,CVE-2025-68771,CVE-2025-68773,CVE-2025-68775,CVE-2025-68776,CVE-2025-68777,CVE-2025-68778,CVE-2025-68783,CVE-2025-68784,CVE-2025-68788,CVE-2025-68789,CVE-2025-68792,CVE-2025-68795,CVE-2025-68797,CVE-2025-68798,CVE-2025-68799,CVE-2025-68800,CVE-2025-68801,CVE-2025-68802,CVE-2025-68803,CVE-2025-68804,CVE-2025-68808,CVE-2025-68811,CVE-2025-68813,CVE-2025-68814,CVE-2025-68815,CVE-2025-68816,CVE-2025-68819,CVE-2025-68820,CVE-2025-68821,CVE-2025-68822,CVE-2025-71064,CVE-2025-71066,CVE-2025-71073,CVE-2025-71076,CVE-2025-71077,CVE-2025-71078,CVE-2025-71079,CVE-2025-71080,CVE-2025-71081,CVE-2025-71082,CVE-2025-71083,CVE
 -2025-71084,CVE-2025-71085,CVE-2025-71086,CVE-2025-71087,CVE-2025-71088,CVE-2025-71089,CVE-2025-71091,CVE-2025-71093,CVE-2025-71094,CVE-2025-71095,CVE-2025-71097,CVE-2025-71098,CVE-2025-71099,CVE-2025-71100,CVE-2025-71101,CVE-2025-71108,CVE-2025-71111,CVE-2025-71112,CVE-2025-71113,CVE-2025-71114,CVE-2025-71116,CVE-2025-71118,CVE-2025-71119,CVE-2025-71120,CVE-2025-71123,CVE-2025-71126,CVE-2025-71130,CVE-2025-71131,CVE-2025-71132,CVE-2025-71133,CVE-2025-71135,CVE-2025-71136,CVE-2025-71137,CVE-2025-71138,CVE-2025-71141,CVE-2025-71142,CVE-2025-71143,CVE-2025-71145,CVE-2025-71147,CVE-2025-71148,CVE-2025-71149,CVE-2025-71154,CVE-2025-71156,CVE-2025-71157,CVE-2025-71162,CVE-2025-71163,CVE-2026-22976,CVE-2026-22977,CVE-2026-22978,CVE-2026-22981,CVE-2026-22982,CVE-2026-22984,CVE-2026-22985,CVE-2026-22986,CVE-2026-22988,CVE-2026-22989,CVE-2026-22990,CVE-2026-22991,CVE-2026-22992,CVE-2026-22993,CVE-2026-22996,CVE-2026-22997,CVE-2026-22999,CVE-2026-23000,CVE-2026-23001,CVE-2026-23002,CVE-2026-2
 3005,CVE-2026-23006,CVE-2026-23011

The SUSE Linux Enterprise 16.0 and SL MIxro 6.2 kernel was updated to fix various security issues

The following security issues were fixed:

- CVE-2025-40147: blk-throttle: fix access race during throttle policy activation (bsc#1253344).
- CVE-2025-40257: mptcp: fix a race in mptcp_pm_del_add_timer() (bsc#1254842).
- CVE-2025-40259: scsi: sg: Do not sleep in atomic context (bsc#1254845).
- CVE-2025-40261: nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl() (bsc#1254839).
- CVE-2025-40363: net: ipv6: fix field-spanning memcpy warning in AH output (bsc#1255102).
- CVE-2025-68174: amd/amdkfd: enhance kfd process check in switch partition (bsc#1255327).
- CVE-2025-68178: blk-cgroup: fix possible deadlock while configuring policy (bsc#1255266).
- CVE-2025-68188: tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check() (bsc#1255269).
- CVE-2025-68200: bpf: Add bpf_prog_run_data_pointers() (bsc#1255241).
- CVE-2025-68211: ksm: use range-walk function to jump over holes in scan_get_next_rmap_item (bsc#1255319).
- CVE-2025-68218: nvme-multipath: fix lockdep WARN due to partition scan work (bsc#1255245).
- CVE-2025-68227: mptcp: Fix proto fallback detection with BPF (bsc#1255216).
- CVE-2025-68241: ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe (bsc#1255157).
- CVE-2025-68245: net: netpoll: fix incorrect refcount handling causing incorrect cleanup (bsc#1255268).
- CVE-2025-68261: ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() (bsc#1255164).
- CVE-2025-68296: drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup (bsc#1255128).
- CVE-2025-68297: ceph: fix crash in process_v2_sparse_read() for encrypted directories (bsc#1255403).
- CVE-2025-68320: lan966x: Fix sleeping in atomic context (bsc#1255172).
- CVE-2025-68325: net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop (bsc#1255417).
- CVE-2025-68337: jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted (bsc#1255482).
- CVE-2025-68341: veth: reduce XDP no_direct return section to fix race (bsc#1255506).
- CVE-2025-68348: block: fix memory leak in __blkdev_issue_zero_pages (bsc#1255694).
- CVE-2025-68349: NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid (bsc#1255544).
- CVE-2025-68356: gfs2: Prevent recursive memory reclaim (bsc#1255593).
- CVE-2025-68359: btrfs: fix double free of qgroup record after failure to add delayed ref head (bsc#1255542).
- CVE-2025-68360: wifi: mt76: wed: use proper wed reference in mt76 wed driver callabacks (bsc#1255536).
- CVE-2025-68361: erofs: limit the level of fs stacking for file-backed mounts (bsc#1255526).
- CVE-2025-68366: nbd: defer config unlock in nbd_genl_connect (bsc#1255622).
- CVE-2025-68367: macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse (bsc#1255547).
- CVE-2025-68368: md: init bioset in mddev_init (bsc#1255527).
- CVE-2025-68372: nbd: defer config put in recv_work (bsc#1255537).
- CVE-2025-68374: md: fix rcu protection in md_wakeup_thread (bsc#1255530).
- CVE-2025-68376: coresight: ETR: Fix ETR buffer use-after-free issue (bsc#1255529).
- CVE-2025-68379: RDMA/rxe: Fix null deref on srq->rq.queue after resize failure (bsc#1255695).
- CVE-2025-68735: drm/panthor: Prevent potential UAF in group creation (bsc#1255811).
- CVE-2025-68741: scsi: qla2xxx: Fix improper freeing of purex item (bsc#1255703).
- CVE-2025-68743: mshv: Fix create memory region overlap check (bsc#1255708).
- CVE-2025-68764: NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags (bsc#1255930).
- CVE-2025-68768: inet: frags: add inet_frag_queue_flush() (bsc#1256579).
- CVE-2025-68770: bnxt_en: Fix XDP_TX path (bsc#1256584).
- CVE-2025-68771: ocfs2: fix kernel BUG in ocfs2_find_victim_chain (bsc#1256582).
- CVE-2025-68775: net/handshake: duplicate handshake cancellations leak socket (bsc#1256665).
- CVE-2025-68776: net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() (bsc#1256659).
- CVE-2025-68784: xfs: fix a UAF problem in xattr repair (bsc#1256793).
- CVE-2025-68788: fsnotify: do not generate ACCESS/MODIFY events on child for special files (bsc#1256638).
- CVE-2025-68792: tpm2-sessions: Fix out of range indexing in name_size (bsc#1256656).
- CVE-2025-68795: ethtool: Avoid overflowing userspace buffer on stats query (bsc#1256688).
- CVE-2025-68798: perf/x86/amd: Check event before enable to avoid GPF (bsc#1256689).
- CVE-2025-68799: caif: fix integer underflow in cffrml_receive() (bsc#1256643).
- CVE-2025-68800: mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats (bsc#1256646).
- CVE-2025-68801: mlxsw: spectrum_router: Fix neighbour use-after-free (bsc#1256653).
- CVE-2025-68803: NFSD: NFSv4 file creation neglects setting ACL (bsc#1256770).
- CVE-2025-68811: svcrdma: use rc_pageoff for memcpy byte offset (bsc#1256677).
- CVE-2025-68813: ipvs: fix ipv4 null-ptr-deref in route error path (bsc#1256641).
- CVE-2025-68814: io_uring: fix filename leak in __io_openat_prep() (bsc#1256651).
- CVE-2025-68815: net/sched: ets: Remove drr class from the active list if it changes to strict (bsc#1256680).
- CVE-2025-68816: net/mlx5: fw_tracer, Validate format string parameters (bsc#1256674).
- CVE-2025-68820: ext4: xattr: fix null pointer deref in ext4_raw_inode() (bsc#1256754).
- CVE-2025-68821: fuse: fix readahead reclaim deadlock (bsc#1256667).
- CVE-2025-71064: net: hns3: using the num_tqps in the vf driver to apply for resources (bsc#1256654).
- CVE-2025-71066: net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change (bsc#1256645).
- CVE-2025-71077: tpm: Cap the number of PCR banks (bsc#1256613).
- CVE-2025-71080: ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT (bsc#1256608).
- CVE-2025-71084: RDMA/cm: Fix leaking the multicast GID table reference (bsc#1256622).
- CVE-2025-71085: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() (bsc#1256623).
- CVE-2025-71087: iavf: fix off-by-one issues in iavf_config_rss_reg() (bsc#1256628).
- CVE-2025-71088: mptcp: fallback earlier on simult connection (bsc#1256630).
- CVE-2025-71089: iommu: disable SVA when CONFIG_X86 is set (bsc#1256612).
- CVE-2025-71091: team: fix check for port enabled in team_queue_override_port_prio_changed() (bsc#1256773).
- CVE-2025-71093: e1000: fix OOB in e1000_tbi_should_accept() (bsc#1256777).
- CVE-2025-71094: net: usb: asix: ax88772: Increase phy_name size (bsc#1256597).
- CVE-2025-71095: net: stmmac: fix the crash issue for zero copy XDP_TX action (bsc#1256605).
- CVE-2025-71097: ipv4: Fix reference count leak when using error routes with nexthop objects (bsc#1256607).
- CVE-2025-71098: ip6_gre: make ip6gre_header() robust (bsc#1256591).
- CVE-2025-71112: net: hns3: add VLAN id validation before using (bsc#1256726).
- CVE-2025-71116: libceph: make decode_pool() more resilient against corrupted osdmaps (bsc#1256744).
- CVE-2025-71120: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf (bsc#1256779).
- CVE-2025-71123: ext4: fix string copying in parse_apply_sb_mount_options() (bsc#1256757).
- CVE-2025-71126: mptcp: avoid deadlock on fallback while reinjecting (bsc#1256755).
- CVE-2025-71132: smc91x: fix broken irq-context in PREEMPT_RT (bsc#1256737).
- CVE-2025-71133: RDMA/irdma: avoid invalid read in irdma_net_event (bsc#1256733).
- CVE-2025-71135: md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt() (bsc#1256761).
- CVE-2025-71137: octeontx2-pf: fix 'UBSAN: shift-out-of-bounds error' (bsc#1256760).
- CVE-2025-71148: net/handshake: restore destructor on submit failure (bsc#1257159).
- CVE-2025-71149: io_uring/poll: correctly handle io_poll_add() return value on update (bsc#1257164).
- CVE-2025-71156: gve: defer interrupt enabling until NAPI registration (bsc#1257167).
- CVE-2025-71157: RDMA/core: always drop device refcount in ib_del_sub_device_and_put() (bsc#1257168).
- CVE-2026-22976: net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset (bsc#1257035).
- CVE-2026-22977: net: sock: fix hardened usercopy panic in sock_recv_errqueue (bsc#1257053).
- CVE-2026-22981: idpf: detach and close netdevs while handling a reset (bsc#1257225).
- CVE-2026-22982: net: mscc: ocelot: Fix crash when adding interface under a lag (bsc#1257179).
- CVE-2026-22984: libceph: prevent potential out-of-bounds reads in handle_auth_done() (bsc#1257217).
- CVE-2026-22986: gpiolib: fix race condition for gdev->srcu (bsc#1257276).
- CVE-2026-22990: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() (bsc#1257221).
- CVE-2026-22991: libceph: make free_choose_arg_map() resilient to partial allocation (bsc#1257220).
- CVE-2026-22992: libceph: return the handler error from mon_handle_auth_done() (bsc#1257218).
- CVE-2026-22993: idpf: Fix RSS LUT NULL pointer crash on early ethtool operations (bsc#1257180).
- CVE-2026-22996: net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv.
- CVE-2026-22999: net/sched: sch_qfq: do not free existing class in qfq_change_class() (bsc#1257236).
- CVE-2026-23000: net/mlx5e: Fix crash on profile change rollback failure (bsc#1257234).
- CVE-2026-23001: macvlan: fix possible UAF in macvlan_forward_source() (bsc#1257232).
- CVE-2026-23005: x86/fpu: Clear XSTATE_BV in guest XSAVE state whenever XFD[i]=1 (bsc#1257245).
- CVE-2026-23011: ipv4: ip_gre: make ipgre_header() robust (bsc#1257207).

The following non security issues were fixed:

- ALSA: usb-audio: Update for native DSD support quirks (stable-fixes).
- Add bugnumber to an existing hv_netvsc change (bsc#1257473).
- Fix locking issue introduced by a CVE backport (bsc#1256975 bsc#1254977).
- Update config files: disable CONFIG_DEVPORT for arm64 (bsc#1256792)
- arm64: Update config files. Disable DEVPORT (bsc#1256792)
- bpf/selftests: test_select_reuseport_kern: Remove unused header (bsc#1257603).
- bpf: Do not let BPF test infra emit invalid GSO types to stack (bsc#1255569).
- btrfs: pass fs_info to btrfs_delete_ref_head() (git-fixes).
- btrfs: scrub: always update btrfs_scrub_progress::last_physical (git-fixes).
- bus: fsl-mc: Constify fsl_mc_device_match() (jsc#PED-10906 git-fixes).
- drm/imagination: Wait for FW trace update command completion (git-fixes).
- drm/msm/a6xx: fix bogus hwcg register updates (git-fixes).
- ice: use netif_get_num_default_rss_queues() (bsc#1247712).
- libbpf: Fix -Wdiscarded-qualifiers under C23 (bsc#1257309).
- mm, page_alloc, thp: prevent reclaim for __GFP_THISNODE THP allocations (bsc#1254447 bsc#1253087).
- net: mana: Fix incorrect speed reported by debugfs (bsc#1255232).
- net: mana: Support HW link state events (bsc#1253049).
- nfsd: adjust WARN_ON_ONCE in revoke_delegation (bsc#1257015).
- nvme: nvme-fc: move tagset removal to nvme_fc_delete_ctrl() (git-fixes).
- powerpc/addnote: Fix overflow on 32-bit builds (bsc#1215199).
- sched/fair: Disable scheduler feature NEXT_BUDDY (bsc#1255459).
- scsi: lpfc: Rework lpfc_sli4_fcf_rr_next_index_get() (bsc#1256864).
- scsi: lpfc: Update lpfc version to 14.4.0.13 (bsc#1256864).
- scsi: qla2xxx: Add Speed in SFP print information (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: qla2xxx: Add bsg interface to support firmware img validation (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: qla2xxx: Add load flash firmware mailbox support for 28xxx (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: qla2xxx: Add support for 64G SFP speed (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: qla2xxx: Allow recovery for tape devices (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: qla2xxx: Delay module unload while fabric scan in progress (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: qla2xxx: Fix bsg_done() causing double free (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: qla2xxx: Free sp in error path to fix system crash (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: qla2xxx: Query FW again before proceeding with login (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: qla2xxx: Update version to 10.02.10.100-k (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: qla2xxx: Validate MCU signature before executing MBC 03h (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: qla2xxx: Validate sp before freeing associated memory (bsc#1256865 bsc#1256867 jsc#PED-14156).
- scsi: storvsc: Process unsupported MODE_SENSE_10 (bsc#1257296).
- selftests: net: fib-onlink-tests: Convert to use namespaces by default (bsc#1255346).
- slimbus: core: Constify slim_eaddr_equal() (jsc#PED-10906 git-fixes).
- smb: client: split cached_fid bitfields to avoid shared-byte RMW races (bsc#1250748,bsc#1257154).
- smb: client: update cfid->last_access_time in open_cached_dir_by_dentry() (git-fixes).
- smb: improve directory cache reuse for readdir operations (bsc#1252712).
- tsm-mr: Add TVM Measurement Register support (bsc#1257504).
- tsm-mr: Add tsm-mr sample code (bsc#1257504).
- virt: tdx-guest: Expose TDX MRs as sysfs attributes (bsc#1257504).
- virt: tdx-guest: Refactor and streamline TDREPORT generation (bsc#1257504).
- virt: tdx-guest: Transition to scoped_cond_guard for mutex operations (bsc#1257504).
- wifi: mwifiex: Fix a loop in mwifiex_update_ampdu_rxwinsize() (git-fixes).
- x86/tdx: Add tdx_mcall_extend_rtmr() interface (bsc#1257504).
- x86/tdx: tdx_mcall_get_report0: Return -EBUSY on TDCALL_OPERAND_BUSY error (bsc#1257504).

-----------------------------------------------------------------
Advisory ID: 328
Released:    Fri Feb 27 14:15:21 2026
Summary:     Security update for haproxy
Type:        security
Severity:    moderate
References:  1234128,1239883,1243317,1246080,1250628,1257521,1257976,CVE-2025-4802,CVE-2026-26080,CVE-2026-26081
This update for haproxy fixes the following issues:

- Update to version 3.2.12+git0.6011f448e
- CVE-2026-26081: Fixed a DOS vulnerability in QUIC. (bsc#1257976)
- CVE-2026-26080: Fixed a DOS vulnerability in QUIC. (bsc#1257976)

-----------------------------------------------------------------
Advisory ID: 329
Released:    Fri Feb 27 14:36:22 2026
Summary:     Security update for fluidsynth
Type:        security
Severity:    important
References:  1084929,1241453,1241551,1256435,CVE-2025-32414,CVE-2025-32415,CVE-2025-56225
This update for fluidsynth fixes the following issues:

- CVE-2025-56225: NULL pointer deference when loading and invalid MIDI file (bsc#1256435).

-----------------------------------------------------------------
Advisory ID: 330
Released:    Sun Mar  1 16:59:54 2026
Summary:     Security update for python-azure-core
Type:        security
Severity:    important
References:  1206044,1207697,1214364,1232030,1241083,1257703,CVE-2024-56406,CVE-2026-21226
This update for python-azure-core fixes the following issues:

- CVE-2026-21226: Fixed deserialization of untrusted data which may allow an authorized attacker to execute code over a network. (bsc#1257703)

-----------------------------------------------------------------
Advisory ID: 331
Released:    Mon Mar  2 13:51:58 2026
Summary:     Recommended update for maven, maven-archiver, maven-dependency-plugin, maven-dependency-analyzer, maven-compiler-plugin, maven-assembly-plugin, byte-buddy, bouncycastle, apache-parent, maven-parent, maven-resolver, maven-resources-plugin, objectweb-asm, truth, xmlunit, xz-java
Type:        recommended
Severity:    moderate
References:  1010996,1199079,1229003,1234798,1240009,1240343,1248373,1250508,1252290,441356
This update for maven, maven-archiver, maven-dependency-plugin, maven-dependency-analyzer, maven-compiler-plugin, maven-assembly-plugin, byte-buddy, bouncycastle, apache-parent, maven-parent, maven-resolver, maven-resources-plugin, objectweb-asm, truth, xmlunit, xz-java fixes the following issues:

Changes in maven:

Specify required maven-resolver version since the maven-resolver-provider requires methods added in 1.9.25

Upgrade to upstream version 3.9.12

  * New features and improvements
    + Apply resolver changes and improvements
    + Update formatting of prerequisites-requirements error to
      improve readability
    + Allow a Maven plugin to require a Java version
    + Use MavenRepositorySystem in ProjectBuildingHelper instead
      of deprecated RepositorySystem
    + Make maven.config use UTF8
    + Simplify prefix resolution
  * Bug Fixes
    + Add default implementation for new method in
      MavenPluginManager
    + Repository layout should be used in MavenRepositorySystem
    + Fix plugin prefix resolution when metadata is not available
      from repository
    + Improve source root modification warning message
    + Bug: bad cache isolation between two sessions
    + Set Guice class loading to CHILD - avoid using terminally
      deprecated methods
    + Avoid parsing MAVEN_OPTS (3.9.x)
  * Documentation updates
    + clarify repository vs deployment repository
    + add maintained branches
  * Maintenance
    + Add IntelliJ icon
    + Build by JDK 25
    + Deprecate org.apache.maven.repository.RepositorySystem in
      3.9.x
  * Build
    + Bump actions/download-artifact from 5.0.0 to 6.0.0
    + Bump actions/upload-artifact from 4.6.2 to 5.0.0
  * Dependency updates
    + Bump actions/cache from 4.2.3 to 5.0.0
    + Bump resolverVersion from 1.9.24 to 1.9.25
    + Bump actions/checkout from 5.0.0 to 6.0.1
    + Bump actions/setup-java from 5.0.0 to 5.1.0
    + Bump commons-cli:commons-cli from 1.9.0 to 1.11.0
    + Bump org.codehaus.plexus:plexus-interpolation from 1.28 to
      1.29
    + Bump commons-io:commons-io from 2.19.0 to 2.21.0
    + Bump xmlunitVersion from 2.10.3 to 2.11.0
    + Bump org.codehaus.mojo:animal-sniffer-maven-plugin from 1.24
      to 1.26
    + Bump org.ow2.asm:asm from 9.8 to 9.9
    + Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre

Changes in maven-archiver:

- Upgrade to maven-archiver 3.6.6

  * New features and improvements
     + Backport sorting of properties to maven archiver 3.x
  * Maintenance
     + Convert to MARKDOWN with doxia-converter
     + Add more timestamp tests
  * Dependency updates
     + Bump Maven to 3.9.12
     + Bump org.codehaus.plexus:plexus-archiver from 4.10.2 to 4.10.4
     + Bump org.codehaus.plexus:plexus-interpolation from 1.28 to 1.29




Changes in maven-dependency-plugin:

- Upgrade to version 3.9.0
  * New features and improvements
    + Use Resolver API in go-offline for dependencies resolving
    + Use Resolver API in go-offline for plugins resolving
    + Fixes #1522, add render-dependencies mojo
    + Use Resolver API in resolve-plugin
    + MDEP-964: unconditionally ignore dependencies known to be
      loaded by reflection
    + Update maven-dependency-analyzer to support Java24
    + MDEP-972: copy-dependencies: copy signatures alongside
      artifacts
    + MDEP-776: Warn when multiple dependencies have the same file
      name
    + MDEP-966: Migrate AnalyzeDepMgt to Sisu
    + MDEP-957: By default, don't report slf4j-simple as unused
  * Bug Fixes
    + ProjectBuildingRequest should not be modified
    + Fix: markersDirectory is not working when unpack goal is
      executed from command line
    + Fix broken link for analyze-exclusions-mojo on usage-page
    + MDEP-839: Avoid extra blank lines in file
    + Update collect URL
    + MDEP-689: Fixes ignored dependency filtering in go-offline
      goal
    + MDEP-960: Repair silent logging
  * Documentation updates
    + MDEP-933: Document dependency tree output formats
    + Add additional comment to clarify the minimal supported
      version of outputing dependency tree in JSON fromat.
    + MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'
    + Unix file separators
  * Maintenance
    + Simplify usage of RepositoryManager and DependencyResolver
    + Use Resolver API in copy and unpack
    + Update site descriptor to 2.0.0
    + Enable prevent branch protection rules
    + Fix [MDEP-931: Replace PrintWriter with Writer in
      AbstractSerializing Visitor and subclasses
    + Cleanups dependencies
    + Copy edit parameter descriptions
    + Small Javadoc clarifications
    + MDEP-967: Change info to debug logging in
      AbstractFromConfigurationMojo
    + fix: remove duplicate maven-resolver-api and
      maven-resolver-util dependencies in pom.xml
    + Enable GH issues
    + Remove redundant/unneeded code
    + Add PR Automation and Stale actions
    + Keep files in temporary directory to be deleted after test
    + Drop unnecessary call
    + Avoid deprecated ArtifactFactory
    + MDEP-966: Convert remaining Mojos to Guice injection
    + MDEP-966: Convert Analyze Mojos to Guice constructor injection
    + MDEP-966: Prefer Guice injection
    + MDEP-966: Migrate TreeMojo/CopyMojo/AnalyzeExclusionsMojo/
      /UnpackMojo/CopyDependenciesMojo from Plexus to Sisu Guice
    + MDEP-966: @component --> @Inject for DisplayAncestorsMojo
    + Fixing flaky test in TestCopyDependenciesMojo
    + MNG-2961: Remove workaround for fixed bug
  * Build
    + Build by Maven 4
  * Dependency updates
    + Bump Maven in dependencies to 3.9.11
    + Bump commons-io:commons-io from 2.16.1 to 2.20.0
    + Bump jettyVersion from 9.4.56.v20240826 to 9.4.58.v20250814
    + Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.19.0
    + Bump org.apache.maven.plugins:maven-plugins from 43 to 45
    + Bump org.codehaus.mojo:mrm-maven-plugin from 1.6.0 to 1.7.0
    + Bump org.codehaus.plexus:plexus-archiver from 4.10.0 to 4.10.1
    + Bump org.codehaus.plexus:plexus-i18n from 1.0-beta-10 to 1.0.0
    + Bump org.jsoup:jsoup from 1.18.1 to 1.21.2
    + MDEP-963: Bump
      org.apache.maven.shared:maven-dependency-analyzer from 1.15.0
      to 1.15.1

Changes in maven-dependency-analyzer:

- Upgrade to upstream version 1.17.0
  * New features and improvements
    + Recognize classes used in web.xml as main classes
    + Introduced a DependencyClassesProvider service
  * Maintenance
    + Update site descriptor to 2.0
    + Fix badges in README
    + Exclude slf4j 2.x and mockito 5.x from dependabot
    + feat: enable prevent branch protection rules
    + Catch exceptions on all paths
    + Add Apache 2.0 LICENSE file
    + Handle corrupt constant pools
    + Remove redundant code
    + move default to end
  * Build
    + Build on GH also by Maven 4
  * Dependency updates
    + Bump org.assertj:assertj-bom from 3.27.3 to 3.27.7
    + Bump org.apache.maven.shared:maven-shared-components from 44
      to 47
    + Bump mavenVersion from 3.9.9 to 3.9.12
    + Bump org.ow2.asm:asm from 9.8 to 9.9.1
    + Update Invoker Plugin and Plugin tools to support Java 25

    + Bump org.assertj:assertj-bom from 3.26.3 to 3.27.3

Changes in maven-compiler-plugin:

- Upgrade to upsteam release 3.15.0
  * Bug Fixes
    + Fix Java 25 compatibility during integration tests
    + MCOMPILER-540: useIncrementalCompilation=false may add
      generated sources to the sources list
  * Maintenance
    + Bump org.apache.maven.plugins:maven-plugins from 45 to 46
    + Remove declaration of 'plexus-snapshots' repository
    + Works only with Maven 4.0.0 rc4
    + Enable Java 25 and Maven 4 in CI
  * Dependency updates
    + Bump maven-plugin-testing-harness to 3.5.0
    + Bump plexusCompilerVersion from 2.15.0 to 2.16.2
    + Bump org.apache.maven.plugins:maven-plugins from 46 to 47
    + Bump org.codehaus.plexus:plexus-java from 1.5.0 to 1.5.2
    + Bump org.ow2.asm:asm from 9.8 to 9.9.1
    + Bump mavenVersion from 3.9.11 to 3.9.12

Changes in maven-assembly-plugin:

- Update to version 3.8.0
  * Bug Fixes
    + MASSEMBLY-1030: Manifest entries from archive configuration
      are not added in final MANIFEST
    + MASSEMBLY-1029: Use minimal level for model validation
  * Documentation updates
    + MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'
  * Maintenance
    + chore: migrate junit3/4 to junit5
    + feat: enable prevent branch protection rules
    + Enable Github Issues
  * Dependency updates
    + MASSEMBLY-1028: Bump org.apache.maven:maven-archiver from
      3.6.1 to 3.6.2
    + Bump org.apache.maven:maven-archiver from 3.6.2 to 3.6.5
    + MASSEMBLY-1027: Bump commons-io:commons-io from 2.15.1 to
      2.16.0
    + Bump commons-io:commons-io from 2.16.0 to 2.21.0
    + Bump Maven to 3.9.11. Prerequisite still 3.6.3
    + Bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0
    + Bump org.codehaus.plexus:plexus-io from 3.4.2 to 3.6.0
    + Bump org.codehaus.plexus:plexus-interpolation from 1.27 to
      1.29
    + Bump org.codehaus.plexus:plexus-archiver from 4.9.2 to 4.10.4
    + Bump com.github.luben:zstd-jni from 1.5.5-11 to 1.5.7-6
    + Bump m-invoker-p to 3.9.1 for Java 25
    + Bump org.apache.maven.plugins:maven-plugins from 41 to 45
    + Bump org.apache.commons:commons-compress from 1.26.1 to 1.28.0
    + Bump commons-fileupload:commons-fileupload from 1.5 to 1.6.0
      in /src/it/projects/bugs/massembly-580
    + Bump org.codehaus.plexus:plexus-archiver from  to 4.10.0
    + Bump org.apache.maven.shared:maven-common-artifact-filters
      from 3.3.2 to 3.4.0
    + Bump org.apache.maven.shared:maven-filtering from 3.3.2 to
      3.4.0
    + Bump org.hamcrest:hamcrest from 2.2 to 3.0

Changes in byte-buddy:

- Update to v1.18.3
  * Changes of v1.18.3
    + Avoid using Class File API when Byte Buddy is loaded on the
      boot loader where multi-release jars are not available.
    + Add additional safety when processing class files with
      illegally formed parameters.
    + Update to latest ASM.
  * Changes of v1.18.2
    + Support modifiers for value classes in Valhalla builds.
    + Improve use of build cache in Gradle.

- Update to v1.18.1
  * Changes of v1.18.1
    + Fix generated module-info to include new package.
  * Changes of v1.18.0
    + Add support for module-info class files and
      ModuleDescriptions.
    + Allow for manipulating module information using the ByteBuddy
      API.
  * Changes of v1.17.8
    + Avoid use of types that are deprecated as of Java 26.
    + Include ASM 9.9 that offers ASM support for Java 26.
    + Make sure that generated code internal to Byte Buddy supports
      CDS if available.
    + Update version of ASM to JDK Class File API bridge to fix
      some minor bugs related to type annotations.
  * Changes of v1.17.7
    + Specify correct JVM environment for Android builds when using
      the Gradle plugin.
    + Avoid recomputing the size of a parameter list for
      performance reasons after measuring the significant impact.
    + Correct validation of JVM names to avoid breaking when Java
      names are not allowed while JVM names are, with Kotlin and
      others.

- Require for build objectweb-asm >= 9.8 for Opcodes.V25

Changes in bouncycastle:

- Update to 1.83:
  * Defects Fixed:
    - Attempting to check a password on a stripped PGP would throw an
      exception. Checking the password on such a key will now always
      return false.
    - Fixed an issue in KangarooTwelve where premature absorption caused
      erroneous 168-byte padding; absorption is now delayed so correct
      final-byte padding is applied.
    - BCJSSE: Fix supported_versions creation for renegotiation handshake.
    - (D)TLS: Reneg info now oly offered with pre-1.3.
  * Additional Features and Functionality:
    - A generic 'COMPOSITE' algorithm name has been added as a JCA
      Signature algorithm. The algorithm will identify the composite
      signature to use from the composite key passed in.
    - The composite signatures implementation has been updated to the
      final draft and now follows the submitted standard.
    - Support for the generation and use as trust anchors has been added
      for certificate signatures with id-alg-unsigned as the signature type.
    - Support for CMP direct POP for encryption keys using
      challenge/response has been added to the CMP/CRMF APIs.
    - Support for SupportedCurves attribute to the BC provider
    - BCJSSE: Added support for SLH-DSA signature schemes in TLS 1.3 per
      draft-reddy-tls-slhdsa-01.
    - Support has been added for the Java 25 KDF API (current algorithms,
      PBKDF2, SCRYPT, and HKDF).
    - Support for composite signatures is now included in CMS and timestamping.
    - It is now possible to disable the Lenstra check in RSA where the public
      key is not available via the system/security property
      'org.bouncycastle.rsa.no_lenstra_check'.

Changes in apache-parent:

- Update to 37:
  * New features and improvements
    + Disable parallel PUT on release

- Update to 36:
  * Breaking changes
    + Update minimum maven version to match current stable version
      (3.6.3 -> 3.9)
    + Introduce javaVersion property for maven.compiler.*
      configuration
    + Switch JDK >= 9 to only use maven.compiler.release
  * New features and improvements
    + Add default specification and implementation for javadoc and
      source manifest entries
  * Documentation updates
    + Clarify how to use Apache Snapshot repository
    + activate Fluido skin's anchorJs
  * Maintenance
    + Avoid - WARNING: Use of the three-letter time zone ID ... on
      JDK 25 for RAT plugin
    + feat: enable prevent branch protection rules

Changes in maven-parent:

- Upgrade to Apache Maven parent POM version 47
  * Dependency updates
    + Bump parent to 37
    + Bump org.junit:junit-bom from 5.14.1 to 5.14.2

- Upgrade to Apache Maven parent POM version 46
  * Breaking changes
    + Require Maven 3.6.3+ from plugins
    + Update rat plugin configuration
    + Use spotless 3 when running on JDK >= 17
    + Drop Doxia Tools parent pom
  * New features and improvements
    + MPOM-387: Exclude test scope from enforcedBytecodeVersion
    + feat: activate Fluido skin's anchorJs
    + Enhance target JDK definition for JDK >= 9
    + Always render a GitHub ribbon on the right-hand side
  * Maintenance
    + MPOM-277: Move maven-invoker-plugin configuration to one
      place
    + Remove doxia-tools from documentations
    + feat: enable prevent branch protection rules
    + Add Apache 2.0 LICENSE file

Changes in maven-resolver:

- Update to upstream version 1.9.25
  * New features and improvements
    + Add scope support for trusted checksums
    + Name mappers cleanup and new GAECV mapper
    + Proper metadata locking support
    + Ability to augment metadata nature for version range request
  * Bug Fixes
    + TrackingFileManager changes
    + Maven filters daemon friendly
    + Remove hack from Basic connector
    + Fix locking issues
  * Documentation updates
    + Updated the documentation to reflect the current list of name
      mappers
  * Maintenance
    + Mild backport: support same properties as Resolver 2.x
    + Maven resolver lockrepro
    + Bugfix: Java 25 broke test
  * Dependency updates
    + Bump com.github.siom79.japicmp:japicmp-maven-plugin from
      0.23.1 to 0.25.0
    + Bump org.codehaus.mojo:animal-sniffer-maven-plugin from 1.24
      to 1.26
    + Bump commons-codec:commons-codec from 1.18.0 to 1.20.0
    + Bump org.redisson:redisson from 3.50.0 to 3.52.0
    + Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre
    + Bump com.google.code.gson:gson from 2.13.1 to 2.13.2
    + Bump jettyVersion from 9.4.57.v20241219 to 9.4.58.v20250814
    + Bump mavenVersion from 3.9.10 to 3.9.11

Changes in maven-resolver:

- Update to upstream version 1.9.25
  * New features and improvements
    + Add scope support for trusted checksums
    + Name mappers cleanup and new GAECV mapper
    + Proper metadata locking support
    + Ability to augment metadata nature for version range request
  * Bug Fixes
    + TrackingFileManager changes
    + Maven filters daemon friendly
    + Remove hack from Basic connector
    + Fix locking issues
  * Documentation updates
    + Updated the documentation to reflect the current list of name
      mappers
  * Maintenance
    + Mild backport: support same properties as Resolver 2.x
    + Maven resolver lockrepro
    + Bugfix: Java 25 broke test
  * Dependency updates
    + Bump com.github.siom79.japicmp:japicmp-maven-plugin from
      0.23.1 to 0.25.0
    + Bump org.codehaus.mojo:animal-sniffer-maven-plugin from 1.24
      to 1.26
    + Bump commons-codec:commons-codec from 1.18.0 to 1.20.0
    + Bump org.redisson:redisson from 3.50.0 to 3.52.0
    + Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre
    + Bump com.google.code.gson:gson from 2.13.1 to 2.13.2
    + Bump jettyVersion from 9.4.57.v20241219 to 9.4.58.v20250814
    + Bump mavenVersion from 3.9.10 to 3.9.11

Changes in maven-resources-plugin:

- Upgrade to version 3.4.0
  * New features and improvements
    + Enable GitHub Issues
  * Documentation updates
    + MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'
    + MRESOURCES-299: Be more accurate on using filtering element
    + Don't bother with very old versions
  * Maintenance
    + Migrate site to Doxia 2
    + PlexusFileUtils Refaster recipes
    + Add PR Automation action
    + Improve release-drafter configuration
    + Add dependency to slf4j-simple for test scope
    + Use try with resources in integration test
    + reduce dependency scope of plexus-utils and commons-io
  * Dependency updates
    + Bump org.apache.commons:commons-lang3 from 3.12.0 to 3.20.0
    + Bump org.apache.maven.resolver:maven-resolver-api from 1.6.3
      to 1.9.24
    + Bump Maven to 3.9.11 while keep prerequisites on 3.6.3
    + MRESOURCES-304: Bump org.codehaus.plexus:plexus-interpolation
      from 1.26 to 1.27
    + Bump org.codehaus.plexus:plexus-interpolation from 1.27 to
      1.29
    + Bump m-invoker-p to 3.9.1
    + Bump org.apache.maven.plugins:maven-plugins from 39 to 45
    + Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness
      from 3.3.0 to 3.4.0
    + MRESOURCES-302: Bump commons-io:commons-io from 2.11.0 to
      2.16.0
    + Bump commons-io:commons-io from 2.16.0 to 2.20.0
    + MRESOURCES-303: Bump org.apache.maven.shared:maven-filtering
      from 3.3.1 to 3.3.2
    + Bump org.apache.maven.shared:maven-filtering from 3.3.2 to
      3.4.0
    + MRESOURCES-305: Bump org.codehaus.plexus:plexus-utils from
      3.5.1 to 4.0.0
    + Bump apache/maven-gh-actions-shared from 3 to 4

    + MRESOURCES-171: ISO8859-1 properties files get changed into
    + MRESOURCES-210: copy-resources erases file permissions
    + MRESOURCES-236: Copying of files with permissions broken
    + MRESOURCES-257: property from list element in pom model
    + MRESOURCES-251: Upgrade plexus-interpolation 1.26
    + MRESOURCES-252: Add m2e lifecycle Metadata to plugin
    + MRESOURCES-256: make build Reproducible
    + MRESOURCES-258: Only overwrite filtered resources when
    + MRESOURCES-249: Upgrade maven-plugins parent to version 32
    + MRESOURCES-255: Upgrade plexus-utils 3.3.0
    + MRESOURCES-261: Make Maven 3.1.0 the minimum version
    + MRESOURCES-263: Update to maven-filtering 3.2.0

Changes in objectweb-asm:

- Upgrade to version 9.9.1
  * bug fixes
    + 318036: OutOfMemoryError when reading invalid class
    + 318037: Version ranges too wide on Import-Package

Changes in truth:

- Force annotation processing, since it is needed with Java 25

Changes in xmlunit:

- Upgrade to 2.11.0
  * XMLUnit 2.x is a complete rewrite of XMLUnit and actually
    doesn't share any code with XMLUnit for Java 1.x.
  * Some goals for XMLUnit 2.x:
    + create .NET and Java versions that are compatible in design
      while trying to be idiomatic for each platform
    + remove all static configuration (the old XMLUnit class
      setter methods)
    + focus on the parts that are useful for testing
      - XPath
      - (Schema) validation
      - comparisons
    + be independent of any test framework
  * XMLUnit 1.x is no longer maintained

- Use directly the xalan-j2 jar instead of the jaxp_transform_impl

Changes in xz-java:

- Upgrade to version 1.11
  * Fix a data corruption bug when encoding with the rarely-used
    option LZMA2Options.MODE_UNCOMPRESSED. To trigger the bug, a
    write call must cross an offset that is a multiple of 65536
    bytes. For example, one write of 70000 bytes or two write calls
    of 50000 bytes each would trigger the bug. The bug isn't
    triggered if there are ten write calls of 8192 bytes each
    followed by one 123-byte write.
  * If encoding to a .xz file, a decoder would catch the issue
    because the integrity check wouldn't match.
  * The binaries of 1.10 in the Maven Central require Java 8 and
    contain optimized classes for Java >= 9 as multi-release JAR.
    They were built with OpenJDK 21.0.9 on GNU/Linux and can be
    reproduced using the following command:
    SOURCE_DATE_EPOCH=1763575020 TZ=UTC0 ant maven

-----------------------------------------------------------------
Advisory ID: 334
Released:    Mon Mar  2 14:17:40 2026
Summary:     Recommended update for smc-tools
Type:        recommended
Severity:    important
References:  1205042,1217782,1230052,1231589,1236664,1253029
This update for smc-tools fixes the following issues:

- Upgrade smc-tools to v1.8.7 (jsc#PED-14601, bsc#1230052):
    * Bug fixes:
        + smc_rnics: fix regression when PFT not available
        + smcd/smcr: prevent DoS on statistics workfile present in /tmp/
- Upgrade smc-tools to v1.8.6 (jsc#PED-14601):
    * Bug fixes:
        + man pages: Update man page for smc_pnet
        + smc-tools: Display sndbuf/RMB stats only if supported by the kernel
- Upgrade smc-tools to v1.8.5:
    * Changes:
        + smc_rnics: Add support for Network Express RNIC in smc_rnics
        + smc_rnics: Add PFT and VF columns to smc_rnics output
    * Bug fixes:
        + libnetlink..: Fix function declaration to use a void prototype
        + smc_rnics: Update smc_chk to extract PNetID from column 9
        + man pages: Update man page for --rawids option and PFT and VF columns
        + smc_rnics: Fix missing PPrt values in smc_rnics -r output
- fix build with gcc15
- Makefile: Make sure to show the right release number

-----------------------------------------------------------------
Advisory ID: 338
Released:    Tue Mar  3 09:57:47 2026
Summary:     Recommended update for grub2
Type:        recommended
Severity:    important
References:  1217885,1240919,1253001,1254299,1254415,1258022
This update for grub2 fixes the following issues:

- Support dm multipath bootlist on PowerPC (bsc#1254415)
- Backport upstream's commit to prevent BIOS assert (bsc#1258022)
- Fix error 'grub-core/script/lexer.c:352:out of memory' after PowerPC CAS Reboot (bsc#1254299)
    * Fix PowerPC CAS reboot to evaluate menu context

-----------------------------------------------------------------
Advisory ID: 341
Released:    Tue Mar  3 12:28:18 2026
Summary:     Recommended update for NetworkManager
Type:        recommended
Severity:    moderate
References:  1241957,1250086,1252930,1252931,1252932,1252933,1252934,1252935,CVE-2025-54770,CVE-2025-54771,CVE-2025-61661,CVE-2025-61662,CVE-2025-61663,CVE-2025-61664
This update for NetworkManager fixes the following issues:

- Move dispatcher.d/pre-up.d/90-nm-cloud-setup.sh to cloud-setup subpackage (bsc#1250086).

-----------------------------------------------------------------
Advisory ID: 344
Released:    Tue Mar  3 17:13:34 2026
Summary:     Security update for expat
Type:        security
Severity:    moderate
References:  1229122,1244156,1244157,1244325,1251827,1257144,1257496,CVE-2025-0913,CVE-2025-11561,CVE-2025-4673,CVE-2026-24515,CVE-2026-25210
This update for expat fixes the following issues:

- CVE-2026-24515: failure to copy the encoding handler data passed to XML_SetUnknownEncodingHandler may cause a NULL
  dereference (bsc#1257144).
- CVE-2026-25210: lack of buffer size check can lead to an integer overflow (bsc#1257496).

-----------------------------------------------------------------
Advisory ID: 345
Released:    Tue Mar  3 17:59:36 2026
Summary:     Recommended update for python-numpy
Type:        recommended
Severity:    moderate
References:  1237147,1241938,1243106,1245203,1253741,CVE-2025-22247
This update for python-numpy fixes the following issues:

Changes in python-numpy:

- Make debuginfo build reproducible (bsc#1245203)

-----------------------------------------------------------------
Advisory ID: 346
Released:    Tue Mar  3 18:46:58 2026
Summary:     Security update for go1.24-openssl
Type:        security
Severity:    critical
References:  1236217,1242300,1245878,1247816,1248082,1249985,1251253,1251254,1251255,1251256,1251257,1251258,1251259,1251260,1251261,1251262,1253757,1254430,1254431,1256816,1256817,1256818,1256819,1256820,1256821,1257692,CVE-2025-11563,CVE-2025-47268,CVE-2025-47912,CVE-2025-58183,CVE-2025-58185,CVE-2025-58186,CVE-2025-58187,CVE-2025-58188,CVE-2025-58189,CVE-2025-61723,CVE-2025-61724,CVE-2025-61725,CVE-2025-61726,CVE-2025-61727,CVE-2025-61728,CVE-2025-61729,CVE-2025-61730,CVE-2025-61731,CVE-2025-61732,CVE-2025-68119,CVE-2025-68121
This update for go1.24-openssl fixes the following issues:

- Update to version 1.24.13 (jsc#SLE-18320)
- CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled information. (bsc#1251255)
- CVE-2025-61725: net/mail: excessive CPU consumption in ParseAddress. (bsc#1251253)
- CVE-2025-58188: crypto/x509: panic when validating certificates with DSA public keys. (bsc#1251260)
- CVE-2025-58185: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion. (bsc#1251258)
- CVE-2025-58186: net/http: lack of limit when parsing cookies can cause memory exhaustion. (bsc#1251259)
- CVE-2025-61723: encoding/pem: quadratic complexity when parsing some invalid inputs. (bsc#1251256)
- CVE-2025-58183: archive/tar: unbounded allocation when parsing GNU sparse map. (bsc#1251261)
- CVE-2025-47912: net/url: insufficient validation of bracketed IPv6 hostnames. (bsc#1251257)
- CVE-2025-58187: crypto/x509: quadratic complexity when checking name constraints. (bsc#1251254)
- CVE-2025-61724: net/textproto: excessive CPU consumption in Reader.ReadResponse. (bsc#1251262)
- CVE-2025-61729: crypto/x509: excessive resource consumption in printing error string for host certificate validation. (bsc#1254431)
- CVE-2025-61727: crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN. (bsc#1254430)
- CVE-2025-61730: crypto/tls: handshake messages may be processed at the incorrect encryption level. (bsc#1256821)
- CVE-2025-61731: cmd/go: bypass of flag sanitization can lead to arbitrary code execution. (bsc#1256819)
- CVE-2025-61726: net/http: memory exhaustion in Request.ParseForm. (bsc#1256817)
- CVE-2025-61728: archive/zip: denial of service when parsing arbitrary ZIP archives. (bsc#1256816)
- CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain. (bsc#1256818)
- CVE-2025-61732: cmd/go: potential code smuggling using doc comments. (bsc#1257692)
- CVE-2025-68119: cmd/go: unexpected code execution when invoking toolchain. (bsc#1256820)

-----------------------------------------------------------------
Advisory ID: 352
Released:    Wed Mar  4 11:44:08 2026
Summary:     Security update for the Linux Kernel (Live Patch 1 for SUSE Linux Enterprise 16)
Type:        security
Severity:    important
References:  1236177,1237496,1241190,1242938,1253415,CVE-2025-40130,CVE-2025-4598

This update for the SUSE Linux Enterprise kernel 6.12.0-160000.6.1 fixes one security issue

The following security issue was fixed:

- CVE-2025-40130: scsi: ufs: core: Fix data race in CPU latency PM QoS request handling (bsc#1253415).

-----------------------------------------------------------------
Advisory ID: 353
Released:    Wed Mar  4 11:51:24 2026
Summary:     Security update for libxml2, libxslt
Type:        security
Severity:    moderate
References:  1236136,1240366,1247850,1247858,1250553,1251442,1251649,1256804,1256807,1256808,1256809,1256810,1256811,1256812,1257593,1257594,1257595,CVE-2024-13176,CVE-2025-10911,CVE-2025-27587,CVE-2025-47911,CVE-2025-58190,CVE-2025-8732,CVE-2026-0990,CVE-2026-0992,CVE-2026-1757
This update for libxml2, libxslt fixes the following issues:

Changes in libxml2:

- CVE-2026-0990: call stack overflow may lead to application crash due to infinite recursion in
  `xmlCatalogXMLResolveURI` (bsc#1256807, bsc#1256811).
- CVE-2026-0992: excessive resource consumption when processing XML catalogs due to exponential behavior when handling
  `nextCatalog` elements (bsc#1256809, bsc#1256812).
- CVE-2025-8732: infinite recursion in catalog parsing functions when processing malformed SGML catalog files
  (bsc#1247858).
- CVE-2026-1757: memory leak in the `xmllint` interactive shell (bsc#1257594, bsc#1257595).
- CVE-2025-10911: parsing xsl nodes may lead to use-after-free with key data stored cross-RVT (bsc#1250553)

-----------------------------------------------------------------
Advisory ID: 354
Released:    Wed Mar  4 11:54:36 2026
Summary:     Recommended update for plymouth
Type:        recommended
Severity:    moderate
References:  1242631,1254157,1254158,1254159,1254160,1254480,CVE-2025-3416,CVE-2025-64505,CVE-2025-64506,CVE-2025-64720,CVE-2025-65018,CVE-2025-66293
This update for plymouth fixes the following issues:

- Remove unused BuildRequires: update-desktop-files.

-----------------------------------------------------------------
Advisory ID: 355
Released:    Wed Mar  4 21:07:36 2026
Summary:     Security update for the Linux Kernel (Live Patch 3 for SUSE Linux Enterprise 16)
Type:        security
Severity:    important
References:  1224386,1229122,1244156,1244157,1244449,1245551,1248356,1248501,1253415,1254563,CVE-2025-0913,CVE-2025-40130,CVE-2025-4673

This update for the SUSE Linux Enterprise kernel 6.12.0-160000.8.1 fixes one security issue

The following security issue was fixed:

- CVE-2025-40130: scsi: ufs: core: Fix data race in CPU latency PM QoS request handling (bsc#1253415).

-----------------------------------------------------------------
Advisory ID: 361
Released:    Thu Mar  5 15:28:58 2026
Summary:     Recommended update for python-graphviz, graphviz
Type:        recommended
Severity:    moderate
References:  1214724,1234718,1244509,1254161,CVE-2024-11614,CVE-2025-23259,CVE-2025-6020
This update for python-graphviz, graphviz fixes the following issues:

Changes in python-graphviz:

Update to 0.21:

  * Drop Python 3.8 support (end of life 7 Oct 2024).
  * Tag Python 3.13 support.
  * Add support for ``format='svg_inline'``, available since upstream
    Graphviz 10.0.1. Produces header-less SVG suitable for inlining
    into HTML (see https://www.graphviz.org/docs/outputs/svg/).
  * Switch project to ``pyproject.toml`` and build to ``python -m build``)
    (https://build.pypa.io). This changes the source distribution formar
    from ``.zip`` to PEP 625 compliant ``.tar.gz``
    (https://peps.python.org/pep-0625/).

Changes in graphviz:

Update to 12.2.1:

  * Added

    - Support for building the SWIG-generated R language bindings
      has been integrated into the CMake build system. This is
      controllable by the -DENABLE_R={AUTO|ON|OFF} option.
    - A sandboxing wrapper, dot_sandbox, is now included with
      Graphviz. Users should prefer their platform’s native
      security solutions, but if nothing better is available this
      wrapper offers safe processing of untrusted inputs in some
      scenarios.

  * Changed

    - JPEG images without an APP0 leading segment are supported for
      use in src fields and friends. Previously Graphviz was overly
      strict with the types of JPEGs it would recognize. #2619
    - The CMake build system now discovers and uses
      pango_fc_font_lock_face if possible, for the Pango plugin to
      provide more information about used fonts.

  * Fixed

    - The GVPR library program depath no longer acts on previously
      deleted nodes, causing unpredictable results. #1702 (closed)
    - Void-typed function parameters (int foo(void bar)) and
      variables void baz; in GVPR are gracefully rejected.
      #2585 (closed)
    - Input that induce a set node height but no set node width no
      longer crash with the failure 'Assertion failed:
      (r->boundary[i] <= r->boundary[NUMDIMS + i]), function
      RTreeInsert'. It is typically not obvious to users when their
      input falls into this situation, hence why the assertion
      message is quoted here. This was a regression in Graphviz
      12.0.0. #2613 (closed)
    - Strings containing double quote characters preceded by escape
      sequences (e.g. \n') are once again correctly escaped in dot
      or canonical output. This was a regression in Graphviz 9.0.0.
      #2614 (closed)
    - dot_builtins no longer lists duplicate format options in its
      error messages. #2604 (closed)
    - A precision error that resulted in truncated edge lines has
      been corrected. This was a regression in Graphviz 12.0.0.
      #2620 (closed)
    - The xlib plugin (-Tx11) resets its initialization state
      during finalization. This fixes a rare scenario where
      multiple input graphs are supplied and initialization for one
      of the not-first graphs fails. In this scenario, finalization
      would be unaware of this failure and act on invalid state.

Update to 12.2.0:

  * Removed

    - Visual Studio build files have been removed. CMake is now the
      only supported build system on Windows.

  * Added

    - Support for building the SWIG-generated PHP language bindings
      has been integrated into the CMake build system. This is
      controllable by the -DENABLE_PHP={AUTO|ON|OFF} option.
    - Support for building the SWIG-generated Python language
      bindings has been integrated into the CMake build system.
      This is controllable by the -DENABLE_PYTHON={AUTO|ON|OFF}
      option.

  * Changed

    - An algorithm closer to that described in RFC 1942 and/or the
      CSS 2.1 specification is now used for sizing table cells
      within HTML-like labels. This is less scalable than the
      network simplex algorithm it replaces, but in general
      produces more intuitive results. #2159 (closed)
    - Tooltips on table elements within HTML-like labels are now
      propagated to SVGs produced by the core plugin (-Tsvg) even
      when the elements do not have href attributes. #1425 (closed)
    - In the Autotools build system, pkg-config is the only
      supported way for discovering Guile. Previous use of
      guile-config* has been removed. #2606 (closed)
    - The Autotools release artifacts for macOS
      (Darwin_*_graphviz-*.tar.gz) now use relative paths in links
      to dependent libraries and plugins. This should make the tree
      relocatable instead of having to live at
      /Users/gitlab/builds. #2501 (closed)
    - gml2gv no longer maps GML label attributes to Graphviz name
      attributes. These are now mapped to Graphviz label
      attributes. #2586 (closed)

  * Fixed

    - In the Autotools build system, the core plugin links against
      libm, fixing some unresolvable symbols. This was a regression
      in Graphviz 4.0.0. Though it would primarily have affected
      non-Graphviz applications attempting to load this plugin on
      Linux.
    - The osage layout engine now understands a cluster to be
      indicated by the common rules, including the 'cluster' prefix
      being case insensitive and the cluster=true attribute as an
      alternative. #2187
    - acyclic once again produces its output on stdout. This was a
      regression in Graphviz 10.0.1. #2600 (closed)
    - When using the Tclpathplan module, created vgpanes can once
      again be named and addressed. This was a regression in
      Graphviz 12.1.2.
    - Omitting a polygon identifier when running triangulation
      using the Tclpathplan module (e.g. vgpane0 triangulate
      instead of vgpane0 triangulate 42) no longer goes unnoticed
      and reads invalid memory. This bug seems to have existed
      since the first revision of Graphviz.
    - When using the Tclpathplan module, defining a malformed
      <3-point polygon and then attempting to triangulate this
      polygon no longer reads invalid memory. This case is now
      rejected with an error during triangulation. Like the
      previous entry, this bug seems to have existed since the
      first revision of Graphviz.
    - When using the Tclpathplan module, binding a pane’s
      triangulation callback to a string ending in a trailing %
      (e.g. vgpane0 bind triangle %) no longer causes later
      out-of-bounds reads during triangulation. Like the previous
      entries, this bug seems to have existed since the first
      revision of Graphviz. #2596 (closed)
    - Mouse right-clicks in Smyrna are no longer sticky. In some
      contexts, right-clicking the mouse would register a mouse
      down event but no mouse up event, leading Smyrna to believe
      the user was dragging with the right button held down.
    - Arrowhead missing from tail-end of edge #2437 (closed)
    - The Ruby bindings package (libgv-ruby) is once again
      installable on Ubuntu. This became uninstallable when
      Ruby 1.8 was no longer available on Ubuntu, as it had a hard
      coded dependency of Ruby 1.8. This has now been relaxed to
      depend on any Ruby version ≥ 1.8. #2607 (closed)
    - Generated GIFs and JPEGs display the graphed image instead
      of a single solid color. This was a regression in Graphviz
      12.1.1. #2609 (closed)
    - The CMake build system includes some supporting pieces of the
      SWIG-generated language bindings that were previously
      missing. It also links further dependencies that were
      previously missing.
    - In the CMake build system, linking of the Guile language
      bindings uses the full path to libguile, fixing issues on
      macOS.
    - The provided release packages for Debian-based operating
      systems (only Ubuntu currently) have corrected package
      dependencies. #2466 (closed)
    - Discussion of gvpr -c '' in the gvpr man page has been
      removed. This invocation did not do what was claimed.
      #2584 (closed)
- To see the full changelog for all intermediate releases, see:
  https://gitlab.com/graphviz/graphviz/-/blob/main/CHANGELOG.md


-----------------------------------------------------------------
Advisory ID: 365
Released:    Mon Mar  9 11:04:29 2026
Summary:     Security update for ImageMagick
Type:        security
Severity:    important
References:  1243268,1254441,1256962,1256969,1256976,1257076,1258743,1258748,1258749,1258757,1258759,1258763,1258765,1258767,1258769,1258770,1258771,1258772,1258774,1258775,1258776,1258779,1258780,1258785,1258786,1258787,1258790,1258791,1258792,1258793,1258799,1258802,1258805,1258807,1258810,1258812,1258818,1258821,1259017,1259018,CVE-2025-10158,CVE-2025-47287,CVE-2026-22770,CVE-2026-23874,CVE-2026-23876,CVE-2026-23952,CVE-2026-24481,CVE-2026-24484,CVE-2026-24485,CVE-2026-25576,CVE-2026-25637,CVE-2026-25638,CVE-2026-25794,CVE-2026-25795,CVE-2026-25796,CVE-2026-25797,CVE-2026-25798,CVE-2026-25799,CVE-2026-25897,CVE-2026-25898,CVE-2026-25965,CVE-2026-25966,CVE-2026-25967,CVE-2026-25968,CVE-2026-25969,CVE-2026-25970,CVE-2026-25971,CVE-2026-25982,CVE-2026-25983,CVE-2026-25985,CVE-2026-25986,CVE-2026-25987,CVE-2026-25988,CVE-2026-25989,CVE-2026-26066,CVE-2026-26283,CVE-2026-26284,CVE-2026-26983,CVE-2026-27798,CVE-2026-27799
This update for ImageMagick fixes the following issues:

- CVE-2026-22770: improper pointer initialization can cause denial of service (bsc#1256969).
- CVE-2026-23874: manipulation of digital images can lead to stack overflow (bsc#1256976).
- CVE-2026-23876: ImageMagick: maliciously crafted image can lead to heap buffer overflow (bsc#1256962).
- CVE-2026-23952: processing comment tag can cause null pointer dereference (bsc#1257076).
- CVE-2026-24481: Possible Heap Information Disclosure in PSD ZIP Decompression (bsc#1258743).
- CVE-2026-24484: denial of service vulnerability via multi-layer nested MVG to SVG conversion (bsc#1258790).
- CVE-2026-24485: denial of service via malformed PCD file processing (bsc#1258791).
- CVE-2026-25576: Out of bounds read in multiple coders that read raw pixel data (bsc#1258748).
- CVE-2026-25637: Denial of Service via crafted image due to memory leak (bsc#1258759).
- CVE-2026-25638: Denial of Service due to memory leak in image processing (bsc#1258793).
- CVE-2026-25794: Heap-buffer-overflow via signed integer overflow in `WriteUHDRImage` when writing UHDR images with
  large dimensions (bsc#1258749).
- CVE-2026-25795: Denial of Service due to NULL pointer dereference during temporary file creation failure
  (bsc#1258792).
- CVE-2026-25796: Memory leak of watermark Image object in ReadSTEGANOImage on multiple error/early-return paths
  (bsc#1258757).
- CVE-2026-25797: Code injection in various encoders (bsc#1258770).
- CVE-2026-25798: NULL Pointer Dereference in ClonePixelCacheRepository via crafted image (bsc#1258787).
- CVE-2026-25799: Division-by-Zero in YUV sampling factor validation leads to crash (bsc#1258786).
- CVE-2026-25897: Out-of-bounds heap write via integer overflow in sun decoder (bsc#1258799).
- CVE-2026-25898: Information disclosure or denial of service via crafted image with invalid pixel index (bsc#1258807).
- CVE-2026-25965: Policy bypass through path traversal allows reading restricted content despite secured policy
  (bsc#1258785).
- CVE-2026-25966: Security Policy Bypass through config/policy-secure.xml via 'fd handler' leads to stdin/stdout access
  (bsc#1258780).
- CVE-2026-25967: Stack buffer overflow in FTXT reader via oversized integer field (bsc#1258779).
- CVE-2026-25968: MSL attribute stack buffer overflow leads to out of bounds write (bsc#1258776).
- CVE-2026-25969: Memory Leak in coders/ashlar.c (bsc#1258775).
- CVE-2026-25970: Memory corruption and denial of service via signed integer overflow in SIXEL decoder (bsc#1258802).
- CVE-2026-25971: MSL: Stack overflow in ProcessMSLScript (bsc#1258774).
- CVE-2026-25982: Heap Out-of-Bounds Read in DCM Decoder (bsc#1258772).
- CVE-2026-25983: Denial of service via crafted MSL script (bsc#1258805).
- CVE-2026-25985: Memory allocation with excessive without limits in the internal SVG decoder (bsc#1258812).
- CVE-2026-25986: Denial of Service via malicious YUV image processing (bsc#1258818).
- CVE-2026-25987: Memory disclosure and denial of service via crafted MAP files (bsc#1258821).
- CVE-2026-25988: Denial of Service due to memory leak in image processing (bsc#1258810).
- CVE-2026-25989: Integer overflow or wraparound and incorrect conversion between numeric types in the internal SVG
  decoder (bsc#1258771).
- CVE-2026-26066: Infinite loop when writing IPTCTEXT leads to denial of service via crafted profile (bsc#1258769).
- CVE-2026-26283: Possible infinite loop in JPEG encoder when using `jpeg: extent` (bsc#1258767).
- CVE-2026-26284: Heap overflow in pcd decoder leads to out of bounds read (bsc#1258765).
- CVE-2026-26983: Invalid MSL <map> can result in a use after free (bsc#1258763).
- CVE-2026-27798: Heap Buffer Over-read in WaveletDenoise when processing small images (bsc#1259018).
- CVE-2026-27799: ImageMagick has a heap Buffer Over-read in its DJVU image format handler (bsc#1259017).

-----------------------------------------------------------------
Advisory ID: 368
Released:    Tue Mar 10 13:34:56 2026
Summary:     Security update for freerdp
Type:        security
Severity:    important
References:  1214869,1214870,1214871,1219049,1223293,1223294,1223295,1223296,1223297,1223298,1223346,1223347,1223348,1223353,1243109,1243314,1243332,1243422,1243423,1255731,1255732,1255733,1255734,1256717,1256718,1256719,1256720,1256721,1256722,1256723,1256724,1256725,1256940,1256941,1256942,1256943,1256944,1256945,1256946,1256947,528882,553466,CVE-2023-40574,CVE-2023-40575,CVE-2023-40576,CVE-2024-22211,CVE-2024-32039,CVE-2024-32040,CVE-2024-32041,CVE-2024-32458,CVE-2024-32459,CVE-2024-32460,CVE-2024-32658,CVE-2024-32659,CVE-2024-32660,CVE-2024-32661,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224,CVE-2025-4476,CVE-2025-4478,CVE-2025-4945,CVE-2025-4948,CVE-2025-4969,CVE-2026-22851,CVE-2026-22852,CVE-2026-22853,CVE-2026-22854,CVE-2026-22855,CVE-2026-22856,CVE-2026-22857,CVE-2026-22858,CVE-2026-22859,CVE-2026-23530,CVE-2026-23531,CVE-2026-23532,CVE-2026-23533,CVE-2026-23534,CVE-2026-23732,CVE-2026-23883,CVE-2026-23884,CVE-2026-23948,CVE-2026-24491,CVE-2026-24675,CVE-2026-24
 676,CVE-2026-24677,CVE-2026-24678,CVE-2026-24679,CVE-2026-24680,CVE-2026-24681,CVE-2026-24682,CVE-2026-24683,CVE-2026-24684
This update for freerdp fixes the following issues:

Update to version 3.22.0 (jsc#PED-15526):

  + Major bugfix release:

    * Complete overhaul of SDL client
    * Introduction of new WINPR_ATTR_NODISCARD macro wrapping compiler or C language version specific [[nodiscard]] attributes
    * Addition of WINPR_ATTR_NODISCARD to (some) public API functions so usage errors are producing warnings now
    * Add some more stringify functions for logging
    * We've received CVE reports, check
      https://github.com/FreeRDP/FreeRDP/security/advisories for more details!
      @Keryer reported an issue affecting client and proxy:
      * CVE-2026-23948
      @ehdgks0627 did some more fuzzying and found quite a number of client side bugs.
      * CVE-2026-24682
      * CVE-2026-24683
      * CVE-2026-24676
      * CVE-2026-24677
      * CVE-2026-24678
      * CVE-2026-24684
      * CVE-2026-24679
      * CVE-2026-24681
      * CVE-2026-24675
      * CVE-2026-24491
      * CVE-2026-24680

- Changes from version 3.21.0

  * [core,info] fix missing NULL check (#12157)
  * [gateway,tsg] fix TSG_PACKET_RESPONSE parsing (#12161)
  * Allow querying auth identity with kerberos when running as a server (#12162)
  * Sspi krb heimdal (#12163)
  * Tsg fix idleTimeout parsing (#12167)
  * [channels,smartcard] revert 649f7de (#12166)
  * [crypto] deprecate er and der modules (#12170)
  * [channels,rdpei] lock full update, not only parts (#12175)
  * [winpr,platform] add WINPR_ATTR_NODISCARD macro (#12178)
  * Wlog cleanup (#12179)
  * new stringify functions & touch API defines (#12180)
  * Add support for querying SECPKG_ATTR_PACKAGE_INFO to NTLM and Kerberos (#12171)
  * [channels,video] measure times in ns (#12184)
  * [utils] Nodiscard (#12187)
  * Error handling fixes (#12186)
  * [channels,drdynvc] check pointer before reset (#12189)
  * Winpr api def (#12190)
  * [winpr,platform] drop C23 [[nodiscard]] (#12192)
  * [gdi] add additional checks for a valid rdpGdi (#12194)
  * Sdl3 high dpiv2 (#12173)
  * peer: Disconnect if Logon() returned FALSE (#12196)
  * [channels,rdpecam] fix PROPERTY_DESCRIPTION parsing (#12197)
  * [channel,rdpsnd] only clean up thread before free (#12199)
  * [channels,rdpei] add RDPINPUT_CONTACT_FLAG_UP (#12195)

- Update to version 3.21.0:

  + Bugfix release with a few new API functions addressing shortcomings with
    regard to input data validation.
    Thanks to @ehdgks0627 we have fixed the following additional (medium)
    client side vulnerabilities:

    * CVE-2026-23530
    * CVE-2026-23531
    * CVE-2026-23532
    * CVE-2026-23533
    * CVE-2026-23534
    * CVE-2026-23732
    * CVE-2026-23883
    * CVE-2026-23884

- Changes from version 3.20.2

  * [client,sdl] fix monitor resolution (#12142)
  * [codec,progressive] fix progressive_rfx_upgrade_block (#12143)
  * Krb cache fix (#12145)
  * Rdpdr improved checks (#12141)
  * Codec advanced length checks (#12146)
  * Glyph fix length checks (#12151)
  * Wlog printf format string checks (#12150)
  * [warnings,format] fix format string warnings (#12152)
  * Double free fixes (#12153)
  * [clang-tidy] clean up code warnings (#12154)

- Update to version 3.20.2:

  + Patch release fixing a regression with gateway connections
    introduced with 3.20.1
    ## What's Changed
    * Warnings and missing enumeration types (#12137)

- Changes from version 3.20.1:

  + New years cleanup release. Fixes some issues reported and does
    a cleaning sweep to bring down warnings.
    Thanks to @ehdgks0627 doing some code review/testing we've
    uncovered the following (medium) vulnerabilities:

    * CVE-2026-22851
    * CVE-2026-22852
    * CVE-2026-22853
    * CVE-2026-22854
    * CVE-2026-22855
    * CVE-2026-22856
    * CVE-2026-22857
    * CVE-2026-22858
    * CVE-2026-22859

  + These affect FreeRDP based clients only, with the exception of
    CVE-2026-22858 also affecting FreeRDP proxy. FreeRDP based
    servers are not affected.

- Update to version 3.20.0:

  * Mingw fixes (#12070)
  * [crypto,certificate_data] add some hostname sanitation
  * [client,common]: Fix loading of rdpsnd channel
  * [client,sdl] set touch and pen hints

- Changes from version 3.19.1:

  * [core,transport] improve SSL error logging
  * [utils,helpers] fix freerdp_settings_get_legacy_config_path
  * From stdin and sdl-creds improve
  * [crypto,certificate] sanitize hostnames
  * [channels,drdynvc] propagate error in dynamic channel
  * [CMake] make Mbed-TLS and LibreSSL experimental
  * Json fix
  * rdpecam: send sample only if it's available
  * [channels,rdpecam] allow MJPEG frame skip and direct passthrough
  * [winpr,utils] explicit NULL checks in jansson WINPR_JSON_ParseWithLength

- Changes from version 3.19.0:

  * [client,common] fix retry counter
  * [cmake] fix aarch64 neon detection
  * Fix response body existence check when using RDP Gateway
  * fix line clipping issue
  * Clip coord fix
  * [core,input] Add debug log to keyboard state sync
  * Update command line usage for gateway option
  * [codec,ffmpeg] 8.0 dropped AV_PROFILE_AAC_MAIN
  * [channels,audin] fix pulse memory leak
  * [channels,drive] Small performance improvements in drive channel
  * [winpr,utils] fix command line error logging
  * [common,test] Adjust AVC and H264 expectations
  * drdynvc: implement compressed packet
  * [channels,rdpecam] improve log messages
  * Fix remote credential guard channel loading
  * Fix inverted ifdef
  * [core,nego] disable all enabled modes except the one requested
  * rdpear: handle basic NTLM commands and fix server-side
  * [smartcardlogon] Fix off-by-one error in `smartcard_hw_enumerateCerts`
  * rdpecam: fix camera sample grabbing

- Update to version 3.18.0:

  + Fix a regression reading passwords from stdin
  + Fix a timer regression (µs instead of ms)
  + Improved multitouch support
  + Fix a bug with PLANAR codec (used with /bpp:32 or sometimes with /gfx)
  + Better error handling for ARM transport (Entra)
  + Fix audio encoder lag (microphone/AAC) with FFMPEG
  + Support for janssen JSON library

- Update to version 3.17.2:

  + Minor improvements and bugfix release.
  + Most notably resource usage (file handles) has been greatly reduced and
    static build pkg-config have been fixed.
    For users of xfreerdp RAILS/RemoteApp mode the switch to DesktopSession
    mode has been fixed (working UAC screen)

- Changes from version 3.17.1

  + Minor improvements and bugfix release.
    * most notably a memory leak was addressed
    * fixed header files missing C++ guards
    * xfreerdp as well as the SDL clients now support a system wide configuration file
    * Heimdal kerberos support was improved
    * builds with [MS-RDPEAR] now properly abort at configure if Heimdal is used
      (this configuration was never supported, so ensure nobody compiles it that way)

- Enable openh264 support, we can build against the noopenh264 stub

- Update to 3.17.0:

  * [client,sdl2] fix build with webview (#11685)
  * [core,nla] use wcslen for password length (#11687)
  * Clear channel error prior to call channel init event proc (#11688)
  * Warn args (#11689)
  * [client,common] fix -mouse-motion (#11690)
  * [core,proxy] fix IPv4 and IPv6 length (#11692)
  * Regression fix2 (#11696)
  * Log fixes (#11693)
  * [common,settings] fix int casts (#11699)
  * [core,connection] fix log level of several messages (#11697)
  * [client,sdl] print current video driver (#11701)
  * [crypto,tls] print big warning for /cert:ignore (#11704)
  * [client,desktop] fix StartupWMClass setting (#11708)
  * [cmake] unify version creation (#11711)
  * [common,settings] force reallocation on caps copy (#11715)
  * [manpages] Add example of keyboard remapping (#11718)
  * Some fixes in Negotiate and NLA (#11722)
  * [client,x11] fix clipboard issues (#11724)
  * kerberos: do various tries for TGT retrieval in u2u (#11723)
  * Cmdline escape strings (#11735)
  * [winpr,utils] do not log command line arguments (#11736)
  * [api,doc] Add stylesheed for doxygen (#11738)
  * [core,proxy] fix BIO read methods (#11739)
  * [client,common] fix sso_mib_get_access_token return value in error case (#11741)
  * [crypto,tls] do not use context->settings->instance (#11749)
  * winpr: re-introduce the credentials module (#11734)
  * [winpr,timezone] ensure thread-safe initialization (#11754)
  * core/redirection: Ensure stream has enough space for the certificate (#11762)
  * [client,common] do not log success (#11766)
  * Clean up bugs exposed on systems with high core counts (#11761)
  * [cmake] add installWithRPATH (#11747)
  * [clang-tidy] fix various warnings (#11769)
  * Wlog improve type checks (#11774)
  * [client,common] fix tenantid command line parsing (#11779)
  * Proxy module static and shared linking support (#11768)
  * LoadLibrary Null fix (#11786)
  * [client,common] add freerdp_client_populate_settings_from_rdp_file_un… (#11780)
  * Fullchain support (#11787)
  * [client,x11] ignore floatbar events (#11771)
  * [winpr,credentials] prefer utf-8 over utf-16-LE #11790
  * [proxy,modules] ignore bitmap-filter skip remaining #11789

- Update to 3.16.0:
  * Lots of improvements for the SDL3 client
  * Various X11 client improvements
  * Add a timer implementation
  * Various AAD/Azure/Entra improvements
  * YUV420 primitives fixes
- Update to 3.15.0:
  * [client,sdl] fix crash on suppress output
  * [channels,remdesk] fix possible memory leak
  * [client,x11] map exit code success
  * Hidef rail checks and deprecation fixe
  * Standard rdp security network issues
  * [core,rdp] fix check for SEC_FLAGSHI_VALID
  * [core,caps] fix rdp_apply_order_capability_set
  * [core,proxy] align no_proxy to curl
  * [core,gateway] fix string reading for TSG
  * [client,sdl] refactor display update

- Update to version 3.14.0:

  + Bugfix and cleanup release. Due to some new API functions the
    minor version has been increased.

- Changes from version 3.13.0:

  + Friends of old hardware rejoice, serial port redirection got an
    update (not kidding you)
  + Android builds have been updated to be usable again
  + Mingw builds now periodically do a shared and static build
  + Fixed some bugs and regressions along the way and improved test
    coverage as well

- Changes from version 3.12.0:

  + Multimonitor backward compatibility fixes
  + Smartcard compatibility
  + Improve the [MS-RDPECAM] support
  + Improve smartcard redirection support
  + Refactor SSE optimizations: Split headers, unify load/store,
    require SSE3 for all optimized functions
  + Refactors the CMake build to better support configuration based
    builders
  + Fix a few regressions from last release (USB redirection and
    graphical glitches)

- Changes from version 3.11.0:

  + A new release with bugfixes and code cleanups as well as a few
    nifty little features

- CVE-2024-22211: In affected versions an integer overflow in
    `freerdp_bitmap_planar_context_reset` leads to heap-buffer
    overflow. (bsc#1219049)

- CVE-2024-32658: Fixedout-of-bounds read in Interleaved RLE Bitmap Codec in FreeRDP based clients (bsc#1223353)

- Multiple CVE fixes
  + CVE-2024-32659: Fixed out-of-bounds read if `((nWidth == 0) and (nHeight == 0))`(bsc#1223346)
  + CVE-2024-32660: Fixed client crash via invalid huge allocation size (bsc#1223347)
  + CVE-2024-32661: Fixed client NULL pointer dereference (bsc#1223348)

- Multiple CVE fixes:
    * bsc#1223293, CVE-2024-32039
    * bsc#1223294, CVE-2024-32040
    * bsc#1223295, CVE-2024-32041
    * bsc#1223296, CVE-2024-32458
    * bsc#1223297, CVE-2024-32459
    * bsc#1223298, CVE-2024-32460

  * Fix CVE-2023-40574 - bsc#1214869: Out-Of-Bounds Write in general_YUV444ToRGB_8u_P3AC4R_BGRX
  * Fix CVE-2023-40575 - bsc#1214870: Out-Of-Bounds Read in general_YUV444ToRGB_8u_P3AC4R_BGRX
  * Fix CVE-2023-40576 - bsc#1214871: Out-Of-Bounds Read in RleDecompress

-----------------------------------------------------------------
Advisory ID: 372
Released:    Wed Mar 11 10:48:28 2026
Summary:     Recommended update for ipw-firmware
Type:        recommended
Severity:    important
References:  1244079,1252153,1256341,CVE-2025-13151,CVE-2025-40909
This update for ipw-firmware fixes the following issues:

- mark LICENSE.ipw2x00 as %license (bsc#1252153)

-----------------------------------------------------------------
Advisory ID: 373
Released:    Thu Mar 12 14:45:55 2026
Summary:     Recommended update for aws-nitro-enclaves-cli
Type:        recommended
Severity:    moderate
References:  1236136,1250566,1250567,1250573,1256070,CVE-2024-13176,CVE-2025-15444
This update for aws-nitro-enclaves-cli fixes the following issues:

- Add header from kernel configs to blobs to fix image builds (bsc#1250573)
- Fix group in udev rule (bsc#1250566)
- Automatically load kernel module when allocator service is started (bsc#1250567)
- Update to version 1.4.3

-----------------------------------------------------------------
Advisory ID: 375
Released:    Thu Mar 12 14:46:52 2026
Summary:     Security update for amazon-ssm-agent
Type:        security
Severity:    important
References:  1241826,1241857,1242987,1251511,1251679,1253581,1253611,1253901,1254079,CVE-2025-22872,CVE-2025-47911,CVE-2025-47913,CVE-2025-47914,CVE-2025-58181,CVE-2025-58190
This update for amazon-ssm-agent fixes the following issues:

- CVE-2025-47913: client process termination when receiving an unexpected message type in response to a key listing or
  signing request (bsc#1253611).

-----------------------------------------------------------------
Advisory ID: 377
Released:    Thu Mar 12 22:50:17 2026
Summary:     Recommended update for rust1.93
Type:        recommended
Severity:    important
References:  1189788,1216091,1222044,1225451,1228434,1229106,1230267,1232458,1234752,1235598,1235636,1236384,1236481,1236820,1236939,1236983,1237044,1237172,1237587,1237949,1238315,1239012,1239543,1239809,1240132,1240529,1241463,1243279,1243457,1243887,1243901,1244042,1244105,1244710,1245220,1245452,1245496,1245672,1253321,1256105,614646,CVE-2025-14017
This update for rust1.93 fixes the following issues:

- Resolve missing gcc requirement that may affect some crate building (bsc#1253321)

-----------------------------------------------------------------
Advisory ID: 381
Released:    Fri Mar 13 11:47:15 2026
Summary:     Security update for qemu
Type:        security
Severity:    moderate
References:  1221107,1254666,1255400,1256484,1257474,1257492,CVE-2024-2236,CVE-2025-14104,CVE-2025-14876,CVE-2026-0665
This update for qemu fixes the following issues:

- Update to version 10.0.8
- CVE-2025-14876: Fixed unbounded allocation in virtio-crypto. (bsc#1255400)
- CVE-2026-0665: Fixed PIRQ bounds check in xen_physdev_map_pirq. (bsc#1256484)

-----------------------------------------------------------------
Advisory ID: 386
Released:    Mon Mar 16 12:12:20 2026
Summary:     Recommended update for multipath-tools
Type:        recommended
Severity:    important
References:  1228081,1243226,1254094,1254293,1255285,1256427,1257007,1257153,1257244,CVE-2025-6018
This update for multipath-tools fixes the following issues:

- Bug fixes from 0.12.2 (bsc#1257007)
    * kpartx: fix segfault when operating on regular files (bsc#1257244, bsc#1257153)
    * multipathd: print path offline message even without a checker (bsc#1254094)
    * Fix `mpathpersist --report-capabilities` output.
    * Fix command descriptions in the multipathd man page.
    * Fix ISO C23 compatibility issue causing errors with new compilers.
    * Fix memory leak caused by not joining the 'init unwinder' thread.
    * Fix memory leaks in kpartx.
    * Print the warning 'setting scsi timeouts is unsupported for protocol' only once per protocol.
    * Make sure multipath-tools is compiled with the compiler flag `-fno-strict-aliasing` (bsc#1255285).
- Features from upstream 0.12.0:
    * Maps that were added outside of multipathd and that couldn't be reloaded
      by multipathd used to be ignored by multipathd. multipathd will now monitor them.
      If some paths were offline while the map was created, multipathd will now
      add them to the map when they go online again.
    * multipathd retries persistent reservation commands that have failed on one path on another one.
- Documentation fixes
- Additions to the hardware table

-----------------------------------------------------------------
Advisory ID: 388
Released:    Mon Mar 16 17:42:36 2026
Summary:     Security update for MozillaFirefox
Type:        security
Severity:    important
References:  1198323,1216091,1218459,1241052,1241112,1256906,1258568,CVE-2026-2757,CVE-2026-2758,CVE-2026-2759,CVE-2026-2760,CVE-2026-2761,CVE-2026-2762,CVE-2026-2763,CVE-2026-2764,CVE-2026-2765,CVE-2026-2766,CVE-2026-2767,CVE-2026-2768,CVE-2026-2769,CVE-2026-2770,CVE-2026-2771,CVE-2026-2772,CVE-2026-2773,CVE-2026-2774,CVE-2026-2775,CVE-2026-2776,CVE-2026-2777,CVE-2026-2778,CVE-2026-2779,CVE-2026-2780,CVE-2026-2781,CVE-2026-2782,CVE-2026-2783,CVE-2026-2784,CVE-2026-2785,CVE-2026-2786,CVE-2026-2787,CVE-2026-2788,CVE-2026-2789,CVE-2026-2790,CVE-2026-2791,CVE-2026-2792,CVE-2026-2793
This update for MozillaFirefox fixes the following issues:

- Firefox Extended Support Release 140.8.0 ESR (bsc#1258568)
- CVE-2026-2757: Incorrect boundary conditions in the WebRTC: Audio/Video component
- CVE-2026-2758: Use-after-free in the JavaScript: GC component
- CVE-2026-2759: Incorrect boundary conditions in the Graphics: ImageLib component
- CVE-2026-2760: Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component
- CVE-2026-2761: Sandbox escape in the Graphics: WebRender component
- CVE-2026-2762: Integer overflow in the JavaScript: Standard Library component
- CVE-2026-2763: Use-after-free in the JavaScript Engine component
- CVE-2026-2764: JIT miscompilation, use-after-free in the JavaScript Engine: JIT component
- CVE-2026-2765: Use-after-free in the JavaScript Engine component
- CVE-2026-2766: Use-after-free in the JavaScript Engine: JIT component
- CVE-2026-2767: Use-after-free in the JavaScript: WebAssembly component
- CVE-2026-2768: Sandbox escape in the Storage: IndexedDB component
- CVE-2026-2769: Use-after-free in the Storage: IndexedDB component
- CVE-2026-2770: Use-after-free in the DOM: Bindings (WebIDL) component
- CVE-2026-2771: Undefined behavior in the DOM: Core HTML component
- CVE-2026-2772: Use-after-free in the Audio/Video: Playback component
- CVE-2026-2773: Incorrect boundary conditions in the Web Audio component
- CVE-2026-2774: Integer overflow in the Audio/Video component
- CVE-2026-2775: Mitigation bypass in the DOM: HTML Parser component
- CVE-2026-2776: Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software
- CVE-2026-2777: Privilege escalation in the Messaging System component
- CVE-2026-2778: Sandbox escape due to incorrect boundary conditions in the DOM: Core HTML component
- CVE-2026-2779: Incorrect boundary conditions in the Networking: JAR component
- CVE-2026-2780: Privilege escalation in the Netmonitor component
- CVE-2026-2781: Integer overflow in the Libraries component in NSS
- CVE-2026-2782: Privilege escalation in the Netmonitor component
- CVE-2026-2783: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component
- CVE-2026-2784: Mitigation bypass in the DOM: Security component
- CVE-2026-2785: Invalid pointer in the JavaScript Engine component
- CVE-2026-2786: Use-after-free in the JavaScript Engine component
- CVE-2026-2787: Use-after-free in the DOM: Window and Location component
- CVE-2026-2788: Incorrect boundary conditions in the Audio/Video: GMP component
- CVE-2026-2789: Use-after-free in the Graphics: ImageLib component
- CVE-2026-2790: Same-origin policy bypass in the Networking: JAR component
- CVE-2026-2791: Mitigation bypass in the Networking: Cache component
- CVE-2026-2792: Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148
- CVE-2026-2793: Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148

-----------------------------------------------------------------
Advisory ID: 392
Released:    Tue Mar 17 11:43:03 2026
Summary:     Recommended update for systemd-presets-branding-ALP-transactional
Type:        recommended
Severity:    important
References:  1236621,1236877,1238686,1238849,1238929,1240626,1240698,1242174,1243105,1243268,1243274,1243297,1243802,1244561,1244564,1244565,1244566,1244567,1244568,1244570,1244571,1244572,1244574,1244575,1252729,1256805,CVE-2024-38822,CVE-2024-38823,CVE-2024-38824,CVE-2024-38825,CVE-2025-22236,CVE-2025-22237,CVE-2025-22238,CVE-2025-22239,CVE-2025-22240,CVE-2025-22241,CVE-2025-22242,CVE-2025-22870,CVE-2025-47287,CVE-2026-0989
This update for systemd-presets-branding-ALP-transactional fixes the following issues:

Changes in systemd-presets-branding-ALP-transactional:

- disable cockpit.socket to override SUSE default (bsc#1252729)

-----------------------------------------------------------------
Advisory ID: 395
Released:    Tue Mar 17 13:51:10 2026
Summary:     Security update for python-maturin
Type:        security
Severity:    important
References:  1242844,1244596,1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,1257918,CVE-2025-15467,CVE-2025-4373,CVE-2025-6052,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796,CVE-2026-25727
This update for python-maturin fixes the following issue:

- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion
  (bsc#1257918).

-----------------------------------------------------------------
Advisory ID: 396
Released:    Tue Mar 17 15:49:10 2026
Summary:     Security update for libpng16
Type:        security
Severity:    important
References:  1256483,1257364,1257365,1258020,619225,CVE-2022-31022,CVE-2023-42818,CVE-2024-10975,CVE-2025-0913,CVE-2025-1296,CVE-2025-22874,CVE-2025-25207,CVE-2025-25208,CVE-2025-28162,CVE-2025-28164,CVE-2025-4128,CVE-2025-4573,CVE-2025-46721,CVE-2025-4673,CVE-2025-47950,CVE-2025-49011,CVE-2025-49136,CVE-2025-49140,CVE-2026-25646
This update for libpng16 fixes the following issues:

- CVE-2026-25646: Heap buffer overflow vulnerability in png_set_dither/png_set_quantize (bsc#1258020)
- CVE-2025-28162: Fixed a memory leaks when running `pngimage`. (bsc#1257364)
- CVE-2025-28164: Fixed a memory leaks when running `pngimage`. (bsc#1257365)

-----------------------------------------------------------------
Advisory ID: 398
Released:    Tue Mar 17 16:51:45 2026
Summary:     Security update for snpguest
Type:        security
Severity:    important
References:  1240150,1241830,1242114,1243833,1244035,1246556,1248516,1257877,1257927,CVE-2025-22872,CVE-2026-25727
This update for snpguest fixes the following issues:

- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257927).
- Update to version 0.10.0 (bsc#1257877):
  * chore: updating tool version to 0.10.0
  * refactor(certs): remove redundant branch in file-write logic
  * Docs: Adding verify measure, host-data, report-data to docs
  * verify: verify measurent, host data, and report data attributes from the attestation report.
  * library: Updating sev library to 7.1.0
  * ci: replace deprecated gh actions
  * feat: multi-format integer parsing for key subcommand arguments
  * chore(main): remove unused import `clap::arg`
  * feat(fetch): add fetch crl subcommand
  * .github/lint: Bump toolchain version to 1.86
  * Bump rust version to 1.86
  * feat: bumping tool to version 0.9.2
  * fix(verify): silence mismatched_lifetime_syntaxes in SnpOid::oid
  * feat: support SEV-SNP ABI Spec 1.58 (bump sev to v6.3.0)
  * docs: restore and clarify Global Options section
  * doc: fix CL argument orders + address recent changes
  * fix(hyperv): downgrade VMPL check from error to warning
  * fix(report.rs): remove conflict check between --random flag and Hyper-V
  * fix(report.rs): Decouple runtime behavior from hyperv build feature
  * refactor: clarify --platform error message
  * docs: add Azure/Hyper-V build note for --platform
  * docs: Update README.md
  * report: Writing Req Data as Binary (#101)
  * deps: bump virtee/sev to 6.2.1 (fix TCB-serialization bug) (#99)

-----------------------------------------------------------------
Advisory ID: 401
Released:    Wed Mar 18 10:56:31 2026
Summary:     Security update for net-snmp
Type:        security
Severity:    important
References:  1236533,1243226,1255491,CVE-2023-45288,CVE-2025-6018,CVE-2025-68615
This update for net-snmp fixes the following issues:

- CVE-2025-68615: Fixed snmptrapd buffer overflow (bsc#1255491).

-----------------------------------------------------------------
Advisory ID: 405
Released:    Wed Mar 18 16:29:19 2026
Summary:     Security update for busybox
Type:        security
Severity:    important
References:  1243767,1254297,1254662,1254878,1257049,1257353,1257354,1257355,1258163,1258167,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512,CVE-2025-5278,CVE-2026-0988,CVE-2026-1484,CVE-2026-1485,CVE-2026-1489,CVE-2026-26157,CVE-2026-26158
This update for busybox fixes the following issues:

Changes in busybox:

- CVE-2026-26157: Fixed arbitrary file overwrite and potential code execution via incomplete path sanitization. (bsc#1258163)
- CVE-2026-26158: Fixed arbitrary file modification and privilege escalation via unvalidated tar archive entries. (bsc#1258167)

-----------------------------------------------------------------
Advisory ID: 407
Released:    Wed Mar 18 23:55:39 2026
Summary:     Recommended update for gcc15
Type:        recommended
Severity:    important
References:  1256389,1257396,1257463,CVE-2026-24882
This update for gcc15 fixes the following issues:

Changes in gcc15:

- Fixed bogus expression simplification (bsc#1257463)

-----------------------------------------------------------------
Advisory ID: 410
Released:    Thu Mar 19 09:11:15 2026
Summary:     Security update for librsvg
Type:        security
Severity:    moderate
References:  1229376,1229950,1243867,1245169,1257144,1257496,391434,CVE-2024-12224,CVE-2024-43806,CVE-2026-24515,CVE-2026-25210
This update for librsvg fixes the following issues:

Update to version 2.60.2:

- CVE-2024-12224: Fixed idna accepts Punycode labels that do not produce any non-ASCII when decoded (bsc#1243867).
- CVE-2024-43806: Fixed memory explosion in rustix (bsc#1229950).

-----------------------------------------------------------------
Advisory ID: 411
Released:    Thu Mar 19 09:11:15 2026
Summary:     Security update for poppler
Type:        security
Severity:    moderate
References:  1218459,1245985,1246038,1246466,1247054,1247690,1252337,1256525,1256526,1257364,1257365,1258020,CVE-2025-11896,CVE-2025-28162,CVE-2025-28164,CVE-2026-22695,CVE-2026-22801,CVE-2026-25646
This update for poppler fixes the following issues:

- CVE-2025-11896: infinite recursion leading to stack overflow due to object loop in PDF CMap (bsc#1252337).

-----------------------------------------------------------------
Advisory ID: 412
Released:    Thu Mar 19 09:18:59 2026
Summary:     Security update for keylime
Type:        security
Severity:    critical
References:  1240414,1257895,1258045,1258049,1258054,1258080,1258081,CVE-2025-31115,CVE-2026-0964,CVE-2026-0965,CVE-2026-0966,CVE-2026-0967,CVE-2026-0968,CVE-2026-1709
This update for keylime fixes the following issues:

- Update to version 7.14.0+0 (CVE-2026-1709, bsc#1257895):
- CVE-2026-1709: Fixed an authentication bypass which may allow unauthorized administrative operations due to missing client-side TLS authentication. (bsc#1257895)

-----------------------------------------------------------------
Advisory ID: 416
Released:    Thu Mar 19 14:48:14 2026
Summary:     Security update for gstreamer-plugins-ugly
Type:        security
Severity:    important
References:  1242827,1243935,1247074,1253637,1254116,1259367,1259370,CVE-2025-4598,CVE-2026-2920,CVE-2026-2922
This update for gstreamer-plugins-ugly fixes the following issues:

- CVE-2026-2920: GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability (bsc#1259367).
- CVE-2026-2922: GStreamer RealMedia Demuxer Out-Of-Bounds Write Remote Code Execution Vulnerability (bsc#1259370).

-----------------------------------------------------------------
Advisory ID: 417
Released:    Fri Mar 20 04:15:00 2026
Summary:     Security update for vim
Type:        security
Severity:    important
References:  1240385,1244933,1246602,1246965,1256766,1256822,1257005,1258229,1259051,CVE-2025-15281,CVE-2025-53906,CVE-2025-8058,CVE-2026-0861,CVE-2026-0915,CVE-2026-26269,CVE-2026-28417
This update for vim fixes the following issues:

- Update Vim to version 9.2.0110 that includes security fixes for:
* CVE-2026-28417: crafted URL parsed by netrw plugin can lead to execute arbitrary shell commands (bsc#1259051).
* CVE-2026-26269: stack buffer overflow in Vim's NetBeans integration when processing the specialKeys command (bsc#1258229).
* CVE-2025-53906: path traversal in Vim's zip.vim plugin (bsc#1246602).

- Other changes:
* Add wayland-client to BuildRequires and enable Wayland support.
* Add Wayland include path to CFLAGS to fix clipboard compilation.
* Package new Swedish (sv) man pages and clean up duplicate encodings (sv.ISO8859-1 and sv.UTF-8).

-----------------------------------------------------------------
Advisory ID: 419
Released:    Fri Mar 20 10:31:54 2026
Summary:     Security update for ImageMagick
Type:        security
Severity:    important
References:  1244057,1245309,1245310,1245311,1245312,1245314,1245317,1249049,1249128,1253783,1254353,1258790,1259446,1259447,1259448,1259450,1259451,1259452,1259455,1259456,1259457,1259463,1259464,1259466,1259467,1259468,1259469,1259497,1259528,CVE-2025-4877,CVE-2025-4878,CVE-2025-5318,CVE-2025-5351,CVE-2025-5372,CVE-2025-58060,CVE-2025-58364,CVE-2025-58436,CVE-2025-5987,CVE-2025-61915,CVE-2026-24484,CVE-2026-28493,CVE-2026-28494,CVE-2026-28686,CVE-2026-28687,CVE-2026-28688,CVE-2026-28689,CVE-2026-28690,CVE-2026-28691,CVE-2026-28692,CVE-2026-28693,CVE-2026-30883,CVE-2026-30929,CVE-2026-30931,CVE-2026-30935,CVE-2026-30936,CVE-2026-30937,CVE-2026-31853
This update for ImageMagick fixes the following issues:

- CVE-2026-24484: denial of service vulnerability via multi-layer nested MVG to SVG conversion (bsc#1258790).
- CVE-2026-28493: integer overflow in the SIXEL decoder leads to out-of-bounds write (bsc#1259446).
- CVE-2026-28494: missing bounds checks in the morphology kernel parsing functions can lead to a stack buffer overflow
  (bsc#1259447).
- CVE-2026-28686: undersized output buffer allocation in the PCL encoder can lead to a heap buffer overflow
  (bsc#1259448).
- CVE-2026-28687: heap use-after-free vulnerability in the MSL decoder via a crafted MSL file (bsc#1259450).
- CVE-2026-28688: heap use-after-free in the MSL encoder when a cloned image is destroyed twice (bsc#1259451).
- CVE-2026-28689: `domain='path'` authorization is checked before final file open/use and allows for read/write bypass
  via symlink swaps (bsc#1259452).
- CVE-2026-28690: missing bounds check in the MNG encoder can lead to a stack buffer overflow (bsc#1259456).
- CVE-2026-28691: missing check in the JBIG decoder can lead to an uninitialized pointer dereference (bsc#1259455).
- CVE-2026-28692: 32-bit integer overflow in MAT decoder can lead to a heap buffer over-read (bsc#1259457).
- CVE-2026-28693: integer overflow in the DIB coder can lead to an out-of-bounds read or write (bsc#1259466).
- CVE-2026-30883: missing bounds check when encoding a PNG image can lead to a heap buffer over-write (bsc#1259467).
- CVE-2026-30929: improper use of fixed-size stack buffer in `MagnifyImage`can lead to a stack buffer overflow
  (bsc#1259468).
- CVE-2026-30931: value truncation in the UHDR encoder can lead to a heap buffer overflow (bsc#1259469).
- CVE-2026-30935: heap-based buffer over-read in BilateralBlurImage (bsc#1259497).
- CVE-2026-30936: heap Buffer Overflow in WaveletDenoiseImage (bsc#1259464).
- CVE-2026-30937: heap buffer overflow in XWD encoder due to CARD32 arithmetic overflow (bsc#1259463).
- CVE-2026-31853: heap buffer overflow leads to crash in the SFW decoder of 32-bit systems when processing extremely
  large images (bsc#1259528).

-----------------------------------------------------------------
Advisory ID: 418
Released:    Fri Mar 20 10:36:45 2026
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1246360,1257908,1259362,1259363,1259364,1259365,CVE-2025-7424,CVE-2026-1965,CVE-2026-25727,CVE-2026-3783,CVE-2026-3784,CVE-2026-3805
This update for curl fixes the following issues:

- CVE-2026-1965: bad reuse of HTTP Negotiate connection (bsc#1259362).
- CVE-2026-3783: token leak with redirect and netrc (bsc#1259363).
- CVE-2026-3784: wrong proxy connection reuse with credentials (bsc#1259364).
- CVE-2026-3805: use after free in SMB connection reuse (bsc#1259365).

-----------------------------------------------------------------
Advisory ID: 423
Released:    Fri Mar 20 16:26:24 2026
Summary:     Security update for harfbuzz
Type:        security
Severity:    moderate
References:  1256459,1258002,CVE-2021-21411,CVE-2024-44906,CVE-2025-44779,CVE-2025-47907,CVE-2025-50738,CVE-2025-53534,CVE-2025-53942,CVE-2025-54386,CVE-2025-54388,CVE-2025-54410,CVE-2025-54424,CVE-2025-54576,CVE-2025-54799,CVE-2025-54801,CVE-2025-54996,CVE-2025-54997,CVE-2025-54998,CVE-2025-54999,CVE-2025-55000,CVE-2025-55001,CVE-2025-55003,CVE-2025-5999,CVE-2025-6000,CVE-2025-6004,CVE-2025-6011,CVE-2025-6013,CVE-2025-6014,CVE-2025-6015,CVE-2025-6037,CVE-2025-7195,CVE-2025-8341,CVE-2026-22693
This update for harfbuzz fixes the following issues:

Update to version 11.4.5:

Security fixes:

  - CVE-2026-22693: Fixed a NULL pointer dereference in SubtableUnicodesCache::create (bsc#1256459).

Other fixes:

  - Bug fixes for “AAT” shaping, and other shaping micro
    optimizations.
  - Fix a shaping regression affecting mark glyphs in certain
    fonts.
  - Fix pruning of mark filtering sets when subsetting fonts, which
    caused changes in shaping behaviour.
  - Make shaping fail much faster for certain malformed fonts
    (e.g., those that trigger infinite recursion).
  - Fix undefined behaviour introduced in 11.4.2.
  - Fix detection of the “Cambria Math” font when fonts are scaled,
    so the workaround for the bad MATH table constant is applied.
  - Various performance and memory usage improvements.
  - The hb-shape command line tool can now be built with the
    amalgamated harfbuzz.cc source.
  - Fix regression in handling version 2 of avar table.
  - Increase various buffer length limits for better handling of
    fonts that generate huge number of glyphs per codepoint (e.g.
    Noto Sans Duployan).
  - Improvements to the harfrust shaper for more accurate testing.
  - Fix clang compiler warnings.
  - General shaping and subsetting speedups.
  - Fix in Graphite shaping backend when glyph advances became
    negative.
  - Subsetting improvements, pruning empty mark-attachment lookups.
  - Don't use the macro name _S, which is reserved by system
    liberaries.
  - Build fixes and speedup.
  - Add a kbts shaping backend that calls into the kb_text_shape
    single-header shaping library. This is purely for testing and
    performance evaluation and we do NOT recommend using it for any
    other purposes.
  - Fix bug in vertical shaping of fonts without the vmtx table.
  - Fix build with non-compliant C++11 compilers that don't
    recognize the 'and' keyword.
  - Fix crasher in the glyph_v_origin function introduced in
    11.3.0.
  - Speed up handling fonts with very large number of variations.
  - Speed up getting horizontal and vertical glyph advances by up
    to 24%.
  - Significantly speed up vertical text shaping.
  - Various documentation improvements.
  - Various build improvements.
  - Various subsetting improvements.
  - Various improvements to Rust font functions (fontations
    integration) and shaper (HarfRust integration).
  - Rename harfruzz option and shaper to harfrust following
    upstream rename.
  - Implement hb_face_reference_blob() for DirectWrite font
    functions.
  - Various build improvements.
  - Fix build with HB_NO_DRAW and HB_NO_PAINT.
  - Add an optional harfruzz shaper that uses HarfRuzz; an ongoing
    Rust port of HarfBuzz shaping. This shaper is mainly used for
    testing the output of the Rust implementation.
  - Fix regression that caused applying unsafe_to_break() to the
    whole buffer to be ignored.
  - Update USE data files.
  - Fix getting advances of out-of-rage glyph indices in
    DirectWrite font functions.
  - Painting of COLRv1 fonts without clip boxes is now about 10
    times faster.
  - Synthetic bold/slant of a sub font is now respected, instead of
    using the parent’s.
  - Glyph extents for fonts synthetic bold/slant are now accurately
    calculated.
  - Various build fixes.
  - Include bidi mirroring variants of the requested codepoints
    when subsetting. The new HB_SUBSET_FLAGS_NO_BIDI_CLOSURE can be
    used to disable this behaviour.
  - Various bug fixes.
  - Various build fixes and improvements.
  - Various test suite improvements.
  - The change in version 10.3.0 to apply “trak” table tracking
    values to glyph advances directly has been reverted as it
    required every font functions implementation to handle it,
    which breaks existing custom font functions. Tracking is
    instead back to being applied during shaping.
  - When directwrite integration is enabled, we now link to
    dwrite.dll instead of dynamically loading it.
  - A new experimental APIs for getting raw “CFF” and “CFF2”
    CharStrings.
  - We now provide manpages for the various command line utilities.
    Building manpages requires “help2man” and will be skipped if it
    is not present.
  - The command line utilities now set different return value for
    different kinds of failures. Details are provided in the
    manpages.
  - Various fixes and improvements to fontations font functions.
  - All shaping operations using the ot shaper have become memory
    allocation-free.
  - Glyph extents returned by hb-ot and hb-ft font functions are
    now rounded in stead of flooring/ceiling them, which also
    matches what other font libraries do.
  - Fix “AAT” deleted glyph marks interfering with fallback mark
    positioning.
  - Glyph outlines emboldening have been moved out of hb-ot and
    hb-ft font functions to the HarfBuzz font layer, so that it
    works with any font functions implementation.
  - Fix our fallback C++11 atomics integration, which seems to not
    be widely used.
  - Various testing fixes and improvements.
  - Various subsetting fixes and improvements.
  - Various other fixes and improvements.

-----------------------------------------------------------------
Advisory ID: 429
Released:    Tue Mar 24 06:43:06 2026
Summary:     Security update for the Linux Kernel RT (Live Patch 4 for SUSE Linux Enterprise 16)
Type:        security
Severity:    important
References:  1244554,1244555,1244557,1244580,1244700,1246296,1247850,1247858,1250553,1256624,1256644,1256804,1256805,1256807,1256808,1256809,1256810,1256811,1256812,1257593,1257594,1257595,CVE-2025-10911,CVE-2025-49794,CVE-2025-49795,CVE-2025-49796,CVE-2025-6021,CVE-2025-6170,CVE-2025-68813,CVE-2025-71085,CVE-2025-7425,CVE-2025-8732,CVE-2026-0989,CVE-2026-0990,CVE-2026-0992,CVE-2026-1757

This update for the SUSE Linux Enterprise Kernel 6.12.0-160000.9.1 fixes various security issues

The following security issues were fixed:

- CVE-2025-68813: ipvs: fix ipv4 null-ptr-deref in route error path (bsc#1256644).
- CVE-2025-71085: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() (bsc#1256624).

-----------------------------------------------------------------
Advisory ID: 428
Released:    Tue Mar 24 06:44:24 2026
Summary:     Security update for the Linux Kernel RT (Live Patch 0 for SUSE Linux Enterprise 16)
Type:        security
Severity:    important
References:  1246597,1247240,1252752,1253584,1254041,1255052,1255053,1255378,1255402,1255895,1256624,1256644,1257669,CVE-2025-38488,CVE-2025-40214,CVE-2025-40258,CVE-2025-40284,CVE-2025-40297,CVE-2025-47913,CVE-2025-47914,CVE-2025-62725,CVE-2025-68284,CVE-2025-68285,CVE-2025-68813,CVE-2025-6965,CVE-2025-71085

This update for the SUSE Linux Enterprise Kernel 6.12.0-160000.5.1 fixes various security issues

The following security issues were fixed:

- CVE-2025-38488: smb: client: fix use-after-free in crypt_message when using async crypto (bsc#1247240).
- CVE-2025-40214: af_unix: Initialise scc_index in unix_add_edge() (bsc#1255052).
- CVE-2025-40258: mptcp: fix race condition in mptcp_schedule_work() (bsc#1255053).
- CVE-2025-40284: Bluetooth: MGMT: cancel mesh send timer when hdev removed (bsc#1257669).
- CVE-2025-40297: net: bridge: fix use-after-free due to MST port state bypass (bsc#1255895).
- CVE-2025-68284: libceph: prevent potential out-of-bounds writes in handle_auth_session_key() (bsc#1255378).
- CVE-2025-68285: libceph: fix potential use-after-free in have_mon_and_osd_map() (bsc#1255402).
- CVE-2025-68813: ipvs: fix ipv4 null-ptr-deref in route error path (bsc#1256644).
- CVE-2025-71085: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() (bsc#1256624).

-----------------------------------------------------------------
Advisory ID: 432
Released:    Tue Mar 24 13:30:27 2026
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1216378,1245292,1247326,1247816,1258392,1259845,CVE-2023-45853,CVE-2026-27135,CVE-2026-27171
This update for nghttp2 fixes the following issue:

- CVE-2026-27135: assertion failure due to missing state validation can lead to DoS (bsc#1259845).

-----------------------------------------------------------------
Advisory ID: 436
Released:    Tue Mar 24 21:36:24 2026
Summary:     Security update for the initial kernel livepatch
Type:        security
Severity:    important
References:  1241114,1241680,1247819,1257912,CVE-2026-25727


This update contains initial livepatches for the SUSE Linux Enterprise Server 16.0 and SUSE Linux Micro 6.2 kernel update.


-----------------------------------------------------------------
Advisory ID: 440
Released:    Wed Mar 25 06:44:30 2026
Summary:     Security update for the Linux Kernel (Live Patch 4 for SUSE Linux Enterprise 16)
Type:        security
Severity:    important
References:  1243419,1246995,1256624,1256644,1259362,1259363,1259364,1259365,CVE-2025-68813,CVE-2025-71085,CVE-2026-1965,CVE-2026-3783,CVE-2026-3784,CVE-2026-3805

This update for the SUSE Linux Enterprise Kernel 6.12.0-160000.9.1 fixes various security issues

The following security issues were fixed:

- CVE-2025-68813: ipvs: fix ipv4 null-ptr-deref in route error path (bsc#1256644).
- CVE-2025-71085: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() (bsc#1256624).

-----------------------------------------------------------------
Advisory ID: 435
Released:    Wed Mar 25 09:49:52 2026
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1229122,1234634,1246118,1247719,1247720,1247816,1249590,1250748,1251135,1251966,1251971,1252008,1252266,1252911,1252924,1253129,1253691,1254817,1254928,1255129,1255144,1255148,1255311,1255490,1255572,1255721,1255868,1256640,1256675,1256679,1256708,1256732,1256784,1256802,1256865,1256867,1257154,1257174,1257209,1257222,1257228,1257231,1257246,1257332,1257466,1257472,1257473,1257551,1257552,1257553,1257554,1257556,1257557,1257559,1257560,1257561,1257562,1257565,1257570,1257572,1257573,1257576,1257579,1257580,1257581,1257586,1257600,1257631,1257635,1257679,1257682,1257686,1257687,1257688,1257704,1257705,1257706,1257707,1257709,1257714,1257715,1257716,1257718,1257722,1257723,1257726,1257729,1257730,1257732,1257734,1257735,1257737,1257739,1257740,1257741,1257742,1257743,1257745,1257749,1257750,1257755,1257757,1257758,1257759,1257761,1257762,1257763,1257765,1257768,1257770,1257772,1257775,1257776,1257788,1257789,1257790,1257805,1257808,1257809,1257811,1257813,1257814,1257815,1
 257816,1257817,1257818,1257830,1257942,1257952,1258153,1258181,1258184,1258222,1258232,1258234,1258237,1258245,1258249,1258252,1258256,1258258,1258259,1258272,1258273,1258276,1258277,1258279,1258286,1258289,1258290,1258297,1258298,1258299,1258303,1258304,1258308,1258309,1258313,1258317,1258321,1258323,1258324,1258326,1258331,1258338,1258349,1258354,1258355,1258358,1258374,1258376,1258377,1258379,1258389,1258394,1258395,1258397,1258411,1258415,1258419,1258421,1258422,1258424,1258429,1258430,1258442,1258455,1258461,1258464,1258465,1258468,1258469,1258483,1258484,1258489,1258517,1258518,1258519,1258520,1258524,1258544,1258660,1258672,1258824,1258859,1259329,CVE-2025-39753,CVE-2025-39964,CVE-2025-40099,CVE-2025-40103,CVE-2025-40230,CVE-2025-4674,CVE-2025-47906,CVE-2025-47907,CVE-2025-68173,CVE-2025-68186,CVE-2025-68292,CVE-2025-68295,CVE-2025-68329,CVE-2025-68371,CVE-2025-68745,CVE-2025-68785,CVE-2025-68810,CVE-2025-68818,CVE-2025-71071,CVE-2025-71104,CVE-2025-71125,CVE-2025-71134,CVE-2
 025-71161,CVE-2025-71182,CVE-2025-71183,CVE-2025-71184,CVE-2025-71185,CVE-2025-71186,CVE-2025-71188,CVE-2025-71189,CVE-2025-71190,CVE-2025-71191,CVE-2025-71192,CVE-2025-71193,CVE-2025-71194,CVE-2025-71195,CVE-2025-71196,CVE-2025-71197,CVE-2025-71198,CVE-2025-71199,CVE-2025-71200,CVE-2025-71222,CVE-2025-71224,CVE-2025-71225,CVE-2025-71229,CVE-2025-71231,CVE-2025-71232,CVE-2025-71233,CVE-2025-71234,CVE-2025-71235,CVE-2025-71236,CVE-2026-22979,CVE-2026-22980,CVE-2026-22998,CVE-2026-23003,CVE-2026-23004,CVE-2026-23010,CVE-2026-23017,CVE-2026-23018,CVE-2026-23021,CVE-2026-23022,CVE-2026-23023,CVE-2026-23024,CVE-2026-23026,CVE-2026-23030,CVE-2026-23031,CVE-2026-23033,CVE-2026-23035,CVE-2026-23037,CVE-2026-23038,CVE-2026-23042,CVE-2026-23047,CVE-2026-23049,CVE-2026-23050,CVE-2026-23053,CVE-2026-23054,CVE-2026-23055,CVE-2026-23056,CVE-2026-23057,CVE-2026-23058,CVE-2026-23059,CVE-2026-23060,CVE-2026-23061,CVE-2026-23062,CVE-2026-23063,CVE-2026-23064,CVE-2026-23065,CVE-2026-23066,CVE-2026-230
 68,CVE-2026-23069,CVE-2026-23070,CVE-2026-23071,CVE-2026-23073,CVE-2026-23074,CVE-2026-23076,CVE-2026-23078,CVE-2026-23080,CVE-2026-23082,CVE-2026-23083,CVE-2026-23084,CVE-2026-23085,CVE-2026-23086,CVE-2026-23088,CVE-2026-23089,CVE-2026-23090,CVE-2026-23091,CVE-2026-23094,CVE-2026-23095,CVE-2026-23096,CVE-2026-23097,CVE-2026-23099,CVE-2026-23100,CVE-2026-23101,CVE-2026-23102,CVE-2026-23104,CVE-2026-23105,CVE-2026-23107,CVE-2026-23108,CVE-2026-23110,CVE-2026-23111,CVE-2026-23112,CVE-2026-23116,CVE-2026-23119,CVE-2026-23121,CVE-2026-23123,CVE-2026-23128,CVE-2026-23129,CVE-2026-23131,CVE-2026-23133,CVE-2026-23135,CVE-2026-23136,CVE-2026-23137,CVE-2026-23139,CVE-2026-23141,CVE-2026-23142,CVE-2026-23144,CVE-2026-23145,CVE-2026-23146,CVE-2026-23148,CVE-2026-23150,CVE-2026-23151,CVE-2026-23152,CVE-2026-23154,CVE-2026-23155,CVE-2026-23156,CVE-2026-23157,CVE-2026-23158,CVE-2026-23161,CVE-2026-23163,CVE-2026-23166,CVE-2026-23167,CVE-2026-23169,CVE-2026-23170,CVE-2026-23171,CVE-2026-23172,CVE-
 2026-23173,CVE-2026-23176,CVE-2026-23177,CVE-2026-23178,CVE-2026-23179,CVE-2026-23182,CVE-2026-23188,CVE-2026-23189,CVE-2026-23190,CVE-2026-23191,CVE-2026-23198,CVE-2026-23202,CVE-2026-23207,CVE-2026-23208,CVE-2026-23209,CVE-2026-23210,CVE-2026-23213,CVE-2026-23214,CVE-2026-23221,CVE-2026-23222,CVE-2026-23223,CVE-2026-23224,CVE-2026-23229,CVE-2026-23230,CVE-2026-3184

The SUSE Linux Enterprise 16.0 kernel was updated to fix various security issues.

The following security issues were fixed:

- CVE-2025-39753: gfs2: Set .migrate_folio in gfs2_{rgrp,meta}_aops (bsc#1249590).
- CVE-2025-39964: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg (bsc#1251966).
- CVE-2025-40099: cifs: parse_dfs_referrals: prevent oob on malformed input (bsc#1252911).
- CVE-2025-40103: smb: client: Fix refcount leak for cifs_sb_tlink (bsc#1252924).
- CVE-2025-40230: mm: prevent poison consumption when splitting THP (bsc#1254817).
- CVE-2025-68173: ftrace: Fix softlockup in ftrace_module_enable (bsc#1255311).
- CVE-2025-68186: ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up (bsc#1255144).
- CVE-2025-68292: mm/memfd: fix information leak in hugetlb folios (bsc#1255148).
- CVE-2025-68295: smb: client: fix memory leak in cifs_construct_tcon() (bsc#1255129).
- CVE-2025-68329: tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs (bsc#1255490).
- CVE-2025-68371: scsi: smartpqi: Fix device resources accessed after device removal (bsc#1255572).
- CVE-2025-68745: scsi: qla2xxx: Clear cmds after chip reset (bsc#1255721).
- CVE-2025-68785: net: openvswitch: fix middle attribute validation in push_nsh() action (bsc#1256640).
- CVE-2025-68810: KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot (bsc#1256679).
- CVE-2025-71071: iommu/mediatek: fix use-after-free on probe deferral (bsc#1256802).
- CVE-2025-71104: KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer (bsc#1256708).
- CVE-2025-71125: tracing: Do not register unsupported perf events (bsc#1256784).
- CVE-2025-71134: mm/page_alloc: change all pageblocks migrate type on coalescing (bsc#1256732).
- CVE-2025-71161: dm-verity: disable recursive forward error correction (bsc#1257174).
- CVE-2025-71184: btrfs: tracepoints: use btrfs_root_id() to get the id of a root (bsc#1257635).
- CVE-2025-71193: phy: qcom-qusb2: Fix NULL pointer dereference on early suspend (bsc#1257686).
- CVE-2025-71225: md: suspend array while updating raid_disks via sysfs (bsc#1258411).
- CVE-2026-22979: net: fix memory leak in skb_segment_list for GRO packets (bsc#1257228).
- CVE-2026-22998: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec (bsc#1257209).
- CVE-2026-23003: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() (bsc#1257246).
- CVE-2026-23004: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() (bsc#1257231).
- CVE-2026-23010: ipv6: Fix use-after-free in inet6_addr_del() (bsc#1257332).
- CVE-2026-23017: idpf: fix error handling in the init_task on load (bsc#1257552).
- CVE-2026-23022: idpf: fix memory leak in idpf_vc_core_deinit() (bsc#1257581).
- CVE-2026-23023: idpf: fix memory leak in idpf_vport_rel() (bsc#1257556).
- CVE-2026-23024: idpf: fix memory leak of flow steer list on rmmod (bsc#1257572).
- CVE-2026-23035: net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv (bsc#1257559).
- CVE-2026-23042: idpf: fix aux device unplugging when rdma is not supported by vport (bsc#1257705).
- CVE-2026-23047: libceph: make calc_target() set t->paused, not just clear it (bsc#1257682).
- CVE-2026-23053: NFS: Fix a deadlock involving nfs_release_folio() (bsc#1257718).
- CVE-2026-23057: vsock/virtio: Coalesce only linear skb (bsc#1257740).
- CVE-2026-23064: net/sched: act_ife: avoid possible NULL deref (bsc#1257765).
- CVE-2026-23066: rxrpc: Fix recvmsg() unconditional requeue (bsc#1257726).
- CVE-2026-23068: spi: spi-sprd-adi: Fix double free in probe error path (bsc#1257805).
- CVE-2026-23069: vsock/virtio: fix potential underflow in virtio_transport_get_credit() (bsc#1257755).
- CVE-2026-23070: Octeontx2-af: Add proper checks for fwdata (bsc#1257709).
- CVE-2026-23074: net/sched: Enforce that teql can only be used as root qdisc (bsc#1257749).
- CVE-2026-23083: tools: ynl-gen: use big-endian netlink attribute types (bsc#1257745).
- CVE-2026-23084: be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list (bsc#1257830).
- CVE-2026-23085: irqchip/gic-v3-its: Avoid truncating memory addresses (bsc#1257758).
- CVE-2026-23086: vsock/virtio: cap TX credit to local buffer size (bsc#1257757).
- CVE-2026-23088: tracing: Fix crash on synthetic stacktrace field usage (bsc#1257814).
- CVE-2026-23095: gue: Fix skb memleak with inner IP protocol 0 (bsc#1257808).
- CVE-2026-23097: migrate: correct lock ordering for hugetlb file folios (bsc#1257815).
- CVE-2026-23099: bonding: limit BOND_MODE_8023AD to Ethernet devices (bsc#1257816).
- CVE-2026-23100: mm/hugetlb: fix hugetlb_pmd_shared() (bsc#1257817).
- CVE-2026-23102: arm64/fpsimd: signal: Fix restoration of SVE context (bsc#1257772).
- CVE-2026-23104: ice: fix devlink reload call trace (bsc#1257763).
- CVE-2026-23105: net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag (bsc#1257775).
- CVE-2026-23107: arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA (bsc#1257762).
- CVE-2026-23110: scsi: core: Wake up the error handler when final completions race against each other (bsc#1257761).
- CVE-2026-23111: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() (bsc#1258181).
- CVE-2026-23112: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec (bsc#1258184).
- CVE-2026-23116: pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu (bsc#1258277).
- CVE-2026-23119: bonding: provide a net pointer to __skb_flow_dissect() (bsc#1258273).
- CVE-2026-23136: libceph: reset sparse-read state in osd_fault() (bsc#1258303).
- CVE-2026-23139: netfilter: nf_conncount: update last_gc only when GC has been performed (bsc#1258304).
- CVE-2026-23141: btrfs: send: check for inline extents in range_is_hole_in_parent() (bsc#1258377).
- CVE-2026-23142: mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure (bsc#1258289).
- CVE-2026-23144: mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure (bsc#1258290).
- CVE-2026-23148: nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference (bsc#1258258).
- CVE-2026-23154: net: fix segmentation of forwarding fraglist GRO (bsc#1258286).
- CVE-2026-23161: mm/shmem, swap: fix race of truncate and swap entry split (bsc#1258355).
- CVE-2026-23166: ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues (bsc#1258272).
- CVE-2026-23169: mptcp: fix race in mptcp_pm_nl_flush_addrs_doit() (bsc#1258389).
- CVE-2026-23171: bonding: fix use-after-free due to enslave fail after slave array update (bsc#1258349).
- CVE-2026-23173: net/mlx5e: TC, delete flows only for existing peers (bsc#1258520).
- CVE-2026-23179: nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready() (bsc#1258394).
- CVE-2026-23189: ceph: fix NULL pointer dereference in ceph_mds_auth_match() (bsc#1258308).
- CVE-2026-23198: KVM: Don't clobber irqfd routing type when deassigning irqfd (bsc#1258321).
- CVE-2026-23208: ALSA: usb-audio: Prevent excessive number of frames (bsc#1258468).
- CVE-2026-23209: macvlan: fix error recovery in macvlan_common_newlink() (bsc#1258518).
- CVE-2026-23210: ice: Fix PTP NULL pointer dereference during VSI rebuild (bsc#1258517).
- CVE-2026-23214: btrfs: reject new transactions if the fs is fully read-only (bsc#1258464).
- CVE-2026-23223: xfs: fix UAF in xchk_btree_check_block_owner (bsc#1258483).
- CVE-2026-23224: erofs: fix UAF issue for file-backed mounts w/ directio option (bsc#1258461).

The following non security issues were fixed:

- ALSA: usb-audio: Update the number of packets properly at receiving (stable-fixes).
- ALSA: usb-audio: fix broken logic in snd_audigy2nx_led_update() (git-fixes).
- ASoC: SOF: ipc4-control: If there is no data do not send bytes update (git-fixes).
- Add bugnumber to existing mana and mana_ib changes (bsc#1251135 bsc#1251971).
- HID: apple: Add EPOMAKER TH87 to the non-apple keyboards list (bsc#1258455).
- HID: intel-ish-hid: Update ishtp bus match to support device ID table (stable-fixes).
- PCI/DOE: Poll DOE Busy bit for up to 1 second in pci_doe_send_req() (bsc#1255868).
- PCI: Add ASPEED vendor ID to pci_ids.h (bsc#1258672)
- PCI: Add PCI_BRIDGE_NO_ALIAS quirk for ASPEED AST1150 (bsc#1258672)
- PM: sleep: wakeirq: Update outdated documentation comments (git-fixes).
- Refresh and move upstreamed ath12k patch into sorted section
- Update 'drm/mgag200: fix mgag200_bmc_stop_scanout()' bug number (bsc#1258153)
- add bugnumber to existing mana change (bsc#1252266).
- arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS (bsc#1259329)
- bonding: only set speed/duplex to unknown, if getting speed failed (bsc#1253691).
- can: bcm: fix locking for bcm_op runtime updates (git-fixes).
- clk: qcom: gcc-sm8450: Update the SDCC RCGs to use shared_floor_ops (git-fixes).
- clocksource: Fix the CPUs' choice in the watchdog per CPU verification (bsc#1257818).
- clocksource: Print durations for sync check unconditionally (bsc#1257818).
- clocksource: Reduce watchdog readout delay limit to prevent false positives (bsc#1257818).
- clocksource: Use pr_info() for 'Checking clocksource synchronization' message (bsc#1257818).
- dm: Fix deadlock when reloading a multipath table (bsc#1254928).
- drm/i915/display: Add quirk to skip retraining of dp link (bsc#1253129).
- ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref (git-fixes).
- gpiolib-acpi: Update file references in the Documentation and MAINTAINERS (git-fixes).
- i3c: master: Update hot-join flag only on success (git-fixes).
- ktls, sockmap: Fix missing uncharge operation (bsc#1252008).
- media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update() (git-fixes).
- modpost: Ensure exported symbol namespaces are not quoted (bsc#1258489).
- net: mana: Handle hardware recovery events when probing the device (bsc#1257466).
- net: mana: Implement ndo_tx_timeout and serialize queue resets per port (bsc#1257472).
- platform/x86/amd: amd_3d_vcache: Add AMD 3D V-Cache optimizer driver (jsc#PED-11563).
- sched/core: Avoid direct access to hrtimer clockbase (bsc#1234634).
- sched/deadline: Fix race in push_dl_task() (bsc#1234634).
- sched/deadline: Stop dl_server before CPU goes offline (bsc#1234634).
- sched/fair: Fix pelt clock sync when entering idle (bsc#1234634).
- sched/fair: Fix pelt lost idle time detection (bsc#1234634).
- staging: rtl8723bs: fix missing status update on sdio_alloc_irq() failure (stable-fixes).
- wifi: cfg80211: Fix use_for flag update on BSS refresh (git-fixes).

-----------------------------------------------------------------
Advisory ID: 449
Released:    Thu Mar 26 10:57:56 2026
Summary:     Security update for fetchmail
Type:        security
Severity:    moderate
References:  1247884,1247885,1251194,1259377,CVE-2025-54389,CVE-2025-54409,CVE-2025-61962,CVE-2026-3731
This update for fetchmail fixes the following issues:

- CVE-2025-61962: Fixed denial of service (bsc#1251194)

-----------------------------------------------------------------
Advisory ID: 455
Released:    Fri Mar 27 11:04:45 2026
Summary:     Security update for docker-compose
Type:        security
Severity:    important
References:  1176053,1232921,1232931,1252752,1253584,1254041,1254670,1259619,CVE-2025-47913,CVE-2025-47914,CVE-2025-62725,CVE-2025-70873,CVE-2025-7709
This update for docker-compose fixes the following issues:

- CVE-2025-47913: golang.org/x/crypto/ssh/agent: client process termination when receiving an unexpected message type in
  response to a key listing or signing request (bsc#1253584).
- CVE-2025-47914: golang.org/x/crypto/ssh/agent: non validated message size can cause a panic due to an out of bounds
  read (bsc#1254041).
- CVE-2025-62725: OCI compose artifacts can be used to escape the cache directory and overwrite arbitrary files
  (bsc#1252752).

-----------------------------------------------------------------
Advisory ID: 458
Released:    Fri Mar 27 13:17:58 2026
Summary:     Security update for GraphicsMagick
Type:        security
Severity:    important
References:  1248438,1258786,1259418,1259456,1259467,1259650,1259697,CVE-2025-20053,CVE-2025-20109,CVE-2025-22839,CVE-2025-22840,CVE-2025-22889,CVE-2025-26403,CVE-2025-32086,CVE-2026-25799,CVE-2026-28690,CVE-2026-29111,CVE-2026-30883,CVE-2026-4105
This update for GraphicsMagick fixes the following issues:

- CVE-2026-25799: Division-by-Zero in YUV sampling factor validation leads to crash (bsc#1258786).
- CVE-2026-28690: missing bounds check in the MNG encoder can lead to a stack buffer overflow (bsc#1259456).
- CVE-2026-30883: missing bounds check when encoding a PNG image can lead to a heap buffer over-write (bsc#1259467).

-----------------------------------------------------------------
Advisory ID: 464
Released:    Mon Mar 30 16:36:07 2026
Summary:     Security update for gnutls
Type:        security
Severity:    moderate
References:  1248502,1254132,1257960,1258083,1259845,CVE-2025-14831,CVE-2025-8067,CVE-2025-9820,CVE-2026-27135
This update for gnutls fixes the following issues:

- CVE-2025-14831: Fixed DoS via excessive resource consumption during certificate verification. (bsc#1257960)
- CVE-2025-9820: Fixed a buffer overflow in gnutls_pkcs11_token_init. (bsc#1254132)
- Add the functionality to allow to specify the hash algorithm for the PSK. This fixes a bug in the current implementation where the binder is always calculated with SHA256. (bsc#1258083, jsc#PED-15752, jsc#PED-15753)

-----------------------------------------------------------------
Advisory ID: 466
Released:    Mon Mar 30 16:59:16 2026
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1236217,1259711,1259726,1259729,1259963,CVE-2026-32776,CVE-2026-32777,CVE-2026-32778
This update for expat fixes the following issues:

- CVE-2026-32776: NULL pointer dereference when processing empty external parameter entities inside an entity
  declaration value (bsc#1259726).
- CVE-2026-32777: denial of service due to infinite loop in DTD content parsing (bsc#1259711).
- CVE-2026-32778: NULL pointer dereference in `setContext` on retry after an out-of-memory condition
  (bsc#1259729).

-----------------------------------------------------------------
Advisory ID: 469
Released:    Tue Mar 31 11:11:58 2026
Summary:     Security update for gnome-online-accounts, gvfs
Type:        security
Severity:    important
References:  1241219,1258311,1258953,1258954,1259825,CVE-2025-3576,CVE-2026-28295,CVE-2026-28296
This update for gnome-online-accounts, gvfs fixes the following issues:

Changes for gvfs:

Update gvfs to 1.59.90:

- CVE-2026-28295: information disclosure when processing untrusted PASV responses from FTP servers (bsc#1258953).
- CVE-2026-28296: arbitrary FTP command injection due to unsanitized CRLF sequences in user supplied file paths
  (bsc#1258954).

Changelog:

Update to version 1.59.90:

 + client: Fix use-after-free when creating async proxy failed
 + udisks2: Emit changed signals from update_all()
 + daemon: Fix race on subscribers list when on thread
 + ftp: Validate fe_size when parsing symlink target
 + ftp: Check localtime() return value before use
 + gphoto2: Use g_try_realloc() instead of g_realloc()
 + cdda: Reject path traversal in mount URI host
 + client: Fail when URI has invalid UTF-8 chars
 + udisks2: Fix memory corruption with duplicate mount paths
 + build: Update GOA dependency to > 3.57.0
 + Some other fixes
 + ftp: Use control connection address for PASV data.
 + ftp: Reject paths containing CR/LF characters

Update to version 1.59.1:

 + mtp: replace Android extension checks with capability checks
 + dav: Add X-OC-Mtime header on push to preserve last modified
 time
 + udisks2: Use hash tables in the volume monitor to improve
 performance
 + onedrive: Check for identity instead of presentation identity
 + build: Disable google option and mark as deprecated

Update to version 1.58.2:

 + ftp: Use control connection address for PASV data
 + ftp: Reject paths containing CR/LF characters

Update to version 1.58.1:

 + cdda: Fix duration of last track for some media
 + build: Fix build when google option is disabled
 + Fix various memory leaks
 + Updated translations.

Update to version 1.58.0:

 + mtp: Allow cancelling ongoing folder enumerations
 + wsdd: Use socket-activated service if available
 + onedrive: Set emblem for remote data
 + fix: Add file rename support in MTP backend move operation
 + mtp: Fix -Wmaybe-uninitialized warning in pad_file
 + fuse: use fuse_(un)set_feature_flag for libfuse 3.17+
 + smbbrowse: Purge server cache for next auth try
 + metatree: Open files with O_CLOEXEC
 + cdda: Fix incorrect track duration for 99-track CDs
 + metadata: Fix journal file permissions inconsistency
 + dav: recognize 308 Permanent Redirect

Changes for gnome-online-accounts:

Update to version 3.58.0:

 + SMTP server without password cannot be configured
 + Remove unneeded SMTP password escaping
 + build: Disable google provider Files feature
 + MS365: Fix mail address and name
 + Google: Set mail name to presentation identity
 + Updated translations.

Update to version 3.57.1:

 + Default Microsoft 365 client is unverified
 + Microsoft 365: Make use of email for id
 + goadaemon: Allow manage system notifications
 + goamsgraphprovider: bump credentials generation
 + goaprovider: Allow to disable, instead of enable, selected
   providers

Changes from version 3.57.0:

 + Support for saving a Kerberos password to the keychain after
 the first login
 + changing expired kerberos password is not supported.
 + Provided Files URI does not override undiscovered endpoint
 + DAV client rejects 204 status in OPTIONS request handler
 + Include emblem-default-symbolic.svg
 + Connecting a Runbox CardDAV/CalDAV account hangs/freezes after
 sign in
 + i81n: fix translatable string
 + goaimapsmptprovider: fix accounts without SMTP or
   authentication-less SMTP
 + build: only install icons for the goabackend build
 + build: don't require goabackend to build documentation
 + ci: test the build without gtk4
 + DAV-client: Added short path for SOGo

Update to version 3.56.4:

 + Bugs fixed:
 - Unclear which part of 'IMAP+SMTP' account test failed
 - Adding nextcloud account which has a subfolder does not work
 - goadaemon: Handle broken account configs

Update to version 3.56.3:

 - Add DAV detection and configuration for SOGo
 - DAV discovery fails when certain SRV lookups fail

Update to version 3.56.1:

 - Support for saving a Kerberos password after the first login
 - Changing expired kerberos password is not supported
 - Provided Files URI does not override undiscovered endpoint
 - DAV client rejects 204 status in OPTIONS request handler

Update to version 3.56.0:

 + Code style and logging cleanups
 + Updated translations

Update to version 3.55.2:

 + goaoauth2provider: improve error handling for auth/token
   endpoints

Update to version 3.55.1:

 - Support Webflow authentication for Nextcloud
 - Rename dconf key in gnome-online-accounts settings
 - 'Account Name' GUI field is a bit ambiguous
 - Failed to generate a new POT file for the user interface of
   'gnome-online-accounts' (domain: 'po') and some missing files
    from POTFILES.in

Update to version 3.55.0:

 - Add progress spinner for OAuth2 dialogs
 - Remove Windows Live! option
 - Improve goa_oauth2_provider_ensure_credentials_sync
 - Authentication failure in goa IMAP accounts
 - Missing files from POTFILES.in
 - WebDAV not detected for mail.ru
 - goaoauth2provider: fix task chaining for subclasses
 - Always lowercase domains when looking up base
 - goadavclient: check Nextcloud fallback last
 - goabackend: add a composite widget for authflow links
 - goadavclient: fix the mailbox.org preconfig

Update to version 3.54.5:

 - Adding GOA account fails with sonic.net IMAP service
 - Cannot add a ProtonMail bridge with IMAP + TLS
 - Nextcloud login does not work anymore due to OPTIONS /login
   request
 - Linked online accounts no longer work
 - Invalid URI when adding Google account
 - goamsgraphprovider: ensure a valid PresentationIdentity
 - goadaemon: complete GTasks to avoid a scary debug warning

-----------------------------------------------------------------
Advisory ID: 471
Released:    Wed Apr  1 11:26:05 2026
Summary:     Feature update for himmelblau
Type:        feature
Severity:    important
References:  1247594,1247735,1248373,1249013,1257904,1258236,1259548,1259711,1259726,1259729,CVE-2025-54882,CVE-2025-58160,CVE-2026-25727,CVE-2026-31979,CVE-2026-32776,CVE-2026-32777,CVE-2026-32778
This update for himmelblau fixes the following issues:

Update to himmelblau 2.3.8 (jsc#PED-14511):

Security issues:

- CVE-2025-54882: world readable cloud TGT token (bsc#1247735).
- CVE-2025-58160: tracing-subscriber: Tracing log pollution (bsc#1249013).
- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion
  (bsc#1257904).
- CVE-2026-31979: race condition when accessiung /tmp/krb5cc_<uid> (bsc#1259548).

Non security issues:

- Fix SELinux module packaging to use standard policy macros (bsc#1258236).

Changelog:

Version 2.3.8:

 * Add PrivateTmp back to Tasks Daemon
 * Drop dead code
 * Drop krb5 ccache dir code
 * Add a TODO comment
 * Drop non working packaged krb5 snippet file
 * Write kerberos config snippet
 * Extend resolver interface to return kerberos config together with TGTs
 * Backport SELinux fixes from main
 * Use libkrimes to store TGTs

Version 2.3.7:

 * cargo vet
 * Fix AWS-LC has PKCS7_verify Certificate Chain Validation Bypass
 * Revert dependency change which broke the nightly build
 * gen_dockerfiles: only himmelblaud has tpm feature, fix all others
 * fix(build): gen_dockerfiles.py mutates shared features list mid-loop

Version 2.3.5:

 * Better handle Intune API version
 * Update make vet from main branch
 * pam_himmelblau: call split_username once in chauthtok
 * pam_himmelblau: return PAM_IGNORE in chauthtok for local users
 * Don't attempt a DAG when Hello fails with SSPR demand

Version 2.3.4:

 * deps(rust): bump the all-cargo-updates group across 1 directory with 8 updates
 * Revert sketching update (which breaks SLE16 build)

Version 2.3.3:

 * /var/cache/private/himmelblaud should not be created tmpfiles
 * Updatee python vers for dataclasses dep
 * deps(rust): bump the all-cargo-updates group across 1 directory with 3 updates
 * Generate pin init service file systemd < 250
 * Checkin missing himmelblaud.if file for SELinux
 * Resolve typos in selinux package commands

Version 2.3.2:

 * Compile SELinux policy at install time for cross-distro compatibility
 * Improve PAM configuration on openSUSE/SLE
 * Fix SELinux policy
 * Add a git hook to ensure selinux policy is tested
 * Ignore generated himmelblau-hsm-pin-init service file
 * Refactor SELinux policy for cross-distro compatibility
 * Fix NSS lookup for mapped local users
 * Skip OS version compliance checks when min/max values are empty

Version 2.3.1:

 * Remove references to qrcodegen (these are 3.x features)
 * QR Greeter compatibility for old GNOME
 * Enable QR greeter automatically
 * ci: Use latest cargo-vet from git to fix CI
 * Fix HSM pin migration failure on Debian/Ubuntu upgrades from v1.4.x

Version 2.3.0:

 * Autostart the daemons on fresh install or upgrade
 * Restart sshd when installing the ssh config
 * Allow tasks daemon to write krb ccache
 * Do not enumerate mapped users in NSS
 * Update libhimmelblau to latest version
 * Fix Tumbleweed build

Version 2.2.0:

 * Update libhimmelblau to 0.8.x series
 * deps(rust): bump the all-cargo-updates group with 17 updates
 * Only use OpenSSH bug workaround for ssh service
 * Fix debug noise from removing user from sudo group
 * systemd: install files to /usr/lib/, not /etc/

Version 2.1.0:

 * Fix nightly authselect build failure
 * Generate the authselect profiles for each distro
 * Improve pam config handling in aad-tool
 * Make `aad-tool configure-pam` detect location of pam files

Version 2.0.5:

 * /var/lib/private/himmelblaud should be owned by root
 * Use tmpfiles.d to create himmelblaud private data directory
 * deps(rust): bump the all-cargo-updates group with 13 updates

Version 2.0.4:

 * Update kanidm_build_profiles mask version
 * Utilize cargo vet from main
 * Add policies cache patch via systemd-tmpfiles

 * Fix man page comments about change idmap_range
 * Stub picky-krb for osc build
 * Stub a kanidm_build_profiles which builds in osc
 * Ensure nss cache is created on Ubuntu/Debian
 * Request a user token if NSS hasn't been called

Version 2.0.3:

 * Add nss cache patch via systemd-tmpfiles

Version 2.0.2:

 * Recommend `patch` with the pam package
 * Fix passwordless FIDO authentication not being used when available
 * Git workflow updates for stable-2.x
 * Only warn on Intune failure

Version 2.0.1:

 * Force o365 desktop files to always rebuild
 * Always rebuild the o365 apps
 * Add restart on-failure to systemd services
 * Clarify `domain` SHOULD match login domain
 * Remove warning about `domain` himmelblau.conf opt
 * Pseudo eliminate multi-tenant and domains section
 * Revert 'Fix Hello PIN lookup when an alias domain'
 * Comment out `KbdInteractiveAuthentication on` in sshd conf
 * Check the nxset sooner, to avoid unwanted errors
 * Recommend oddjob_mkhomedir with authselect
 * Pin libhimmelblau to 0.7.x
 * Deprecate Fedora 41
 * deps(rust): bump the all-cargo-updates group with 11 updates
 * Bump github/codeql-action from 4.30.8 to 4.31.2
 * Bump cachix/install-nix-action from 31.8.1 to 31.8.2
 * Bump actions/upload-artifact from 4.6.2 to 5.0.0
 * cargo clippy and rebase fix
 * fixup! add extra debug output to NotFound error code
 * force error output to show up in CI logs
 * wrap repeated sources of IdpError::NotFound in helper functions
 * add extra debug output to NotFound error code
 * use direnv for loading the nix devshell
 * We should still encourage mapping by name
 * Add support for Fedora 43
 * Provide a offline 'breakglass' mode
 * cargo clippy
 * Add warning about incorrect nsswitch configuration
 * Distinguish between online and offline token fail
 * Ensure user token uses original name
 * Fix alias domain in auth result causing failure
 * Resolve cargo clippy warnings
 * Only map on cn name for the primary domain
 * Install systemd in build scripts for gen service
 * Fix systemd version parsing
 * Update libhimmelblau to 0.7.19
 * Resolve SELinux build failures in nightly (part 2)
 * Rocky container image updates were failing
 * Warn instead of error when no idmap_range specified
 * deps(rust): bump the all-cargo-updates group across 1 directory with 7 updates
 * Trim whitespace from local group names
 * Fix borrowing error
 * Fix reference to local_sudo_group in condition
 * Only run sudo_groups if local_groups does not contain local_sudo_group
 * Leave SELinux in permissive mode for Himmelblau
 * Resolve SELinux build failures in nightly
 * nix: add join_type option to nixos-module settings
 * Build host configuration changes
 * Ensure that hsm_pin isn't present decrypted
 * Document Soft HSM changes to TPM bound
 * Disable SELinux by default on NixOS
 * sh doesn't have `source`
 * Encrypt hsm-pin using systemd-creds
 * Recommend uuid id mapping
 * Improve himmelblau.conf man page formatting
 * Implement Local User Mapping
 * Add o365 dependency for jq
 * Add selinux rules for gdm login
 * Narrow the scope of selinux policy with audit2allow
 * Generate the systemd service files
 * Fix selinux build for SLE16
 * Resolve SLE16 build dependency failure
 * Fix the rawhide build
 * Mask the sshkey-attest package
 * Bump cachix/install-nix-action from 31.7.0 to 31.8.1
 * cargo vet dependency updates
 * deps(rust): bump the all-cargo-updates group across 1 directory with 13 updates
 * Bump actions/dependency-review-action from 4.8.0 to 4.8.1
 * Bump cachix/install-nix-action from 31.7.0 to 31.8.0
 * Bump github/codeql-action from 3.30.5 to 4.30.8
 * Bump ossf/scorecard-action from 2.4.2 to 2.4.3
 * SELinux improvements
 * Fix a typo in package gen scripts
 * cargo fmt
 * Permit NSS response for mapped primary fake group
 * Fix Nix Error With Fuzz
 * Decrease CI fuzzer setup time
 * Document join types
 * Support for Entra registered devices
 * Run `cargo test` in a container
 * Bump cachix/install-nix-action from 31.6.2 to 31.7.0
 * deps(rust): bump the all-cargo-updates group across 1 directory with 2 updates
 * Bump github/codeql-action from 3.30.4 to 3.30.5
 * Use pastey crate instead of unmaintained paste
 * Pin unmaintained serde_cbor dep to serde_cbor_2
 * Resolve tower-http `cargo audit` warning
 * Replace unmaintained fxhash with own version
 * Resolve warning about workflow top level write permissions
 * Remove dependabot automerge
 * Resolve division by 0 in idmap code
 * [StepSecurity] ci: Harden GitHub Actions
 * Only idmap against initialized domains
 * Resolve invalid init of idmap with same domain
 * Add fuzzing of idmap code
 * Add basic fuzzing of the config options
 * Resolve error found by fuzzing
 * cargo vet prune
 * deps(rust): bump regex in the all-cargo-updates group
 * Bump actions/dependency-review-action from 4.7.3 to 4.8.0
 * Bump actions/checkout from 3.6.0 to 5.0.0
 * Bump cachix/cachix-action from 14 to 16
 * Bump ossf/scorecard-action from 2.4.0 to 2.4.2
 * Bump cachix/install-nix-action from 25 to 31
 * Add the OpenSSF Best Practices badge
 * Add scorecard badge
 * [StepSecurity] Apply security best practices
 * Fix group static mapping
 * Move aad-tool idmap cache clear to the idmap cmd
 * Resolve errant 'Hello key missing.' messages
 * Update flake.nix
 * Slow the dependabot update frequency
 * Audit dependabot updates
 * deps(rust): bump the all-cargo-updates group across 1 directory with 11 updates
 * feat: Add support for aarch64 on Debian-based distributions
 * Resolve possible invalid pointer dereferences
 * Avoid revealing account ids in debug log
 * Cause doc links to open in the correct apps
 * Permit opening multiple instances of Word/Excel
 * Modify systray and app close behavior
 * Don't use questionably licensed icons for o365
 * Resolve NixOS CI failure
 * Fix building w/out deprecated interactive feature
 * Update himmelblau.conf.5 sudo_groups example
 * Entra group based sudo access
 * Audited the cargo updates
 * deps(rust): bump the all-cargo-updates group with 6 updates
 * Vet libhimmelblau
 * Add `make vet` command
 * Update deny.toml
 * Remove incompatible licenses from deps
 * Fix RHEL8 package signing
 * Add SBOM generation
 * Add an IRP checklist for security incidents
 * Run the nixos build/release on the correct version
 * Add crate dependency auditing on MR
 * Add some exceptions
 * Initialize cargo vet
 * Remove in-tree kanidm dependencies
 * Fix Hello PIN lookup when an alias domain
 * Raise maximum group lookup from 100 to 999
 * Always work with lowercase account names
 * Modify FUNDING.yml for funding sources
 * Remove glib dependency
 * deps(rust): bump the all-cargo-updates group with 10 updates
 * Add CI check for licenses
 * Update dependabot.yml to target all stable branches
 * Add authselect module for Rocky/Fedora
 * Recommend packages, instead of require
 * Add a Contributing document
 * Add a Code of Conduct
 * add withSelinux flag to nix build, brings SELinux binaries into the build environment.
 * deps(rust): bump tracing-subscriber in the cargo group
 * Don't overwrite the himmelblau.conf on rpm upgrade
 * Add help output to the Makefile
 * Fix building packages with docker in root mode
 * Update to latest libhimmelblau and identity_dbus_broker
 * Make PRT SSO cookie via broker work as well for Edge
 * Make broker work for Edge
 * Generate Office 365 desktop apps
 * Update README
 * Add `make uninstall` command
 * Remove the deprecated tests suite
 * Himmelblau no longer has git submodules
 * Make install using packages
 * Add Debian 13 packages
 * Generate Dockerfiles automatically
 * Add SELinux configuration
 * Himmelblau daemon requires system tss user
 * Add cron dependency for Intune scripts
 * Do not mangle /usr/etc configuration files
 * deps(rust): bump the all-cargo-updates group with 7 updates
 * Add SLE16 (beta) build target
 * Automatically append to nsswitch.conf in postinst
 * Correct the RPM postinst script syntax
 * Fix Kerberos credential cache permissions
 * Set file owner and group before writing its content
 * Create SECURITY.md
 * Rev the dev version to 2.0.0
 * Ensure alias domains match when checking Intune device id
 * Debian 12 doesn't support ConditionPathExists and notify-reload
 * Write scripts policy to a readable directory
 * Apply Intune policies right after enrollment
 * Add more debug instrumentation
 * Provide device_id to Intune enrollment if not cached
 * Ensure nss cache directory is created during install
 * Remove /var/cache/himmelblaud access from tasks daemon
 * Resolve daemon startup absolute path warnings
 * Delay Intune enrollment on Device Auth fail
 * Do not leak the Intune IW service token in the logs

Version 1.4.2:

 * Revert libhimmelblau unstable update

Version 1.4.1:

 * Update Intune to use app version 1.2511.7

Version 1.4.0:

 * Resolve build failures
 * deps(rust): bump the all-cargo-updates group across 1 directory with 6 updates

Version 1.3.0:

 * Revert the self-hosted runner name
 * deps(rust): bump the all-cargo-updates group with 23 updates
 * Include latest branch in CI
 * Self hosted runners

Version 1.1.0:

 * Fix policy application
 * Add remaining Linux password compliance policies
 * Add custom compliance enforcement
 * deps(rust): bump the all-cargo-updates group with 3 updates
 * deps(rust): bump the all-cargo-updates group with 5 updates
 * Add SLE15SP7 build target
 * Add RHEL 10 build target
 * Fix Intermittent auth issue AADSTSError 16000
 * Remove old utf8proc dependency
 * Add `fedora42` build target
 * Handle PRT expiration and tie to offline auth
 * Correctly delete the Hello keys on bad pin count
 * Add ability to disable Hello PIN per-service
 * Update NixOS support to 25.05
 * Handle disabled device by attempting re-enrollment
 * Always attempt confidential client creds for aad-tool
 * Include HSM option defs in himmelblau.conf man page
 * Improve the aad-tool cache-clear command
 * Add `mfaSshWorkaroundFlag` configuration option to Nix Flake.
 * Add the ability to remove confidential client creds
 * If bad PIN count is exceeded, delete the Hello key
 * deps(rust): bump the all-cargo-updates group with 4 updates
 * Add instructions for creating developer builds
 * Fix GDM3 first time login password prompt
 * Default HsmType should be soft
 * Add himmelblaud to tss group for TPM startup
 * Enforce strict order for the systemd units
 * Update libhimmelblau and compact_jwt
 * Fix builds w/tpm
 * aad-tool Authentication flow improvements
 * Filter out irrelevant debug in aad-tool
 * Create a unified login experience for aad-tool
 * Utilize confidential creds for aad-tool enumerate
 * himmelblau should get posix attributes w/out delegate user access
 * Always use the Object Id for mapping Group to GID
 * Update enhancement-request.md for SPI donations
 * Update bug_report.md with SPI donation
 * Update build requires in README.md
 * Update FUNDING.yml with SPI Paypal donation button
 * Don't break from tasks loop when policies fail
 * Enroll in Intune as soon as it is enabled
 * Implement `decoupled hello` behavior
 * Cache encrypted PRT to disk for offline login SSO
 * Update to latest hsm-crypto
 * Enable tpm functionality
 * Allow altering the password and PIN prompt messages
 * Ensure Hello PIN lockout happens when online
 * Cache the build target output to improve build times
 * Easier build selection w/ Makefile
 * Revert mistaken removal from Makefile
 * Make the user wait longer with each incorrect PIN
 * Make the bad PIN count configurable
 * Improve aad-tool manpage
 * aad-tool fails if the user has FIDO2 enabled
 * Offline auth permits authentication with invalid Hello PIN
 * PIN complexity to match Windows
 * Update to latest SSSD idmap code
 * Add aad-tool options for setting posix attrs
 * Add scopes and redirect uris aad-tool application create
 * Add aad-tool commands for managaging extension attrs
 * Utilize the sidtoname call for object id mapping
 * Add commands for listing/creating App registrations
 * Potential fix for code scanning alert no. 2: Workflow does not contain permissions
 * Potential fix for code scanning alert no. 4: Workflow does not contain permissions
 * Potential fix for code scanning alert: Workflow does not contain permissions
 * Never write the app_id to the server config
 * Disable passwordless Fido by default
 * Stop using deprecated `users` crate
 * When group membership lookup fails, use cached groups
 * aad-tool command for enumerating users and groups
 * Name-Based Group Matching in `pam_allow_groups` Leads to Potential Security Bypass
 * Add the configure-pam option to aad-tool man page
 * Add static idmap cache for on-prem to cloud migration
 * Update bug_report.md with request for himmelblau.conf
 * deps(rust): bump the all-cargo-updates group with 2 updates
 * Update crates in a group
 * Update crate bumps
 * Utilize new Intune compliance enforcement via libhimmelblau
 * Correct the README regarding Intune policy compliance
 * Disable Chromium policy
 * Re-enable Intune policy and add scripts and compliance policies
 * himmelblau.conf alias `domain` as `domains`
 * Support Fido auth in pam passwd
 * Add TAP support to himmelblaud and pam passwd
 * Mixed case names should properly identify Hello Key
 * Update linux-entra-sso to latest version
 * Fix group lookup for Entra Id group name
 * Fix mixed case name lookup from PRT cache
 * Crate updates
 * Fix tasks daemon debug output
 * Remove write locks where unecessary
 * Fix deadlock in nss
 * systemd notify fixes
 * Console
 * Address Feedback
 * Order services before gdb/nss-user-target
 * deps(rust): bump rpassword from 7.3.1 to 7.4.0
 * deps(rust): bump tokio from 1.44.2 to 1.45.0
 * deps(rust): bump sha2 from 0.10.8 to 0.10.9
 * deps(rust): bump systemd-journal-logger from 2.2.0 to 2.2.2
 * deps(rust): bump clap from 4.5.31 to 4.5.38
 * Update notify-debouncer-full
 * Update opentelemetry
 * Update dependencies
 * deps(rust): bump time from 0.3.39 to 0.3.41
 * Replace source filter that blacklists files with filter that whitelists files.
 * Mark himmelblau.conf as config in rpm
 * Update README.md
 * Ensure only the base URL is printed to log
 * If unix_user_get fails, wait, and try again
 * Supplying a PRT cookie to SSO doesn't require network
 * Don't send a password prompt if the network is down
 * Auth via MFA if Hello PIN fails 3 times
 * Improve Hello PIN failed auth error
 * Fix rocky9 build
 * deps(rust): bump anyhow from 1.0.96 to 1.0.98
 * deps(rust): bump libc from 0.2.170 to 0.2.172
 * deps(rust): bump cc from 1.2.16 to 1.2.19
 * deps(rust): bump tokio from 1.43.0 to 1.44.2
 * deps(rust): bump openssl from 0.10.71 to 0.10.72 in the cargo group
 * deps(rust): bump reqwest from 0.12.12 to 0.12.15
 * Update libhimmelblau in Cargo.lock
 * Fix nss and offline checks for domain aliases
 * Report error when MS Authenticator denies authorization
 * Bail out of invalid offline auth
 * Handle AADSTS errors from BeginAuth response
 * Never dump failed reqwests to the log
 * Update sccache-action version to use new cache service
 * Permit daemon to start when network is down
 * Add an nss cache for when daemon is down
 * Additional pam info cues
 * Proceed with Hello auth even with net down
 * Indicate to the user what the password and PIN are
 * Ensure pam messages are seen
 * Display the minimum PIN length during Hello setup
 * PAM should loop, not die on error
 * Ensure prompt msg remains for confirmation
 * Update bug_report.md
 * Ignore demands for setting up MS Authenticator
 * Login fails if Entra is configured to recommend MS authenticator
 * Add pam configure command to aad-tool
 * Update README.md with pam passwd instructions
 * aad-tool authtest needs to map names
 * Update demo video in README.md
 * Sign RPM packages
 * Ensure the pam module is installed correctly for SLE
 * Improve pam error handling and messaging
 * Only push cachix builds for stable releases
 * Terminate linux-entra-sso when browser terminates
 * On deb, push pam config after install
 * Increase priority of deb PAM passwd for Himmelblau
 * Improve offline state handling
 * Specify request for Entra Id password in PAM
 * QR Greeter also supports gnome-shell 47
 * Fix profile photo loading
 * Clarify pam_allow_groups in himmelblau.conf man page
 * Don't hide debug for pam_allow_groups miss
 * Handle failures in passwordless auth
 * build all root packages
 * split config options that can be defined per-domain from those which are global only
 * configure cachix signing and upload in ci
 * deps(rust): bump serde_json from 1.0.138 to 1.0.140
 * deps(rust): bump serde from 1.0.218 to 1.0.219
 * deps(rust): bump time from 0.3.37 to 0.3.39
 * deps(rust): bump bytes from 1.10.0 to 1.10.1
 * deps(rust): bump pkg-config from 0.3.31 to 0.3.32
 * Entra Id is case insensitive, cache lookup must match
 * deps(rust): bump ring from 0.17.9 to 0.17.13 in the cargo group
 * Support CompanionAppsNotification mfa method
 * QR code for gnome-shell greeter
 * Allow tasks to start if AccountsService dir missing
 * Remove invalid python dependency from sso package
 * Fixes https://github.com/himmelblau-idm/himmelblau/issues/397
 * Clear server config when clearing cache
 * Update version in the Cargo.lock
 * deps(rust): bump async-trait from 0.1.86 to 0.1.87
 * deps(rust): bump chrono from 0.4.39 to 0.4.40
 * Fix himmelblau.conf man page cn_name_mapping entry
 * deps(rust): bump pem from 3.0.4 to 3.0.5
 * deps(rust): bump serde from 1.0.217 to 1.0.218

Version 1.0.0:

 * deps(rust): bump cc from 1.2.15 to 1.2.16
 * Update workflow versions

-----------------------------------------------------------------
Advisory ID: 477
Released:    Thu Apr  2 17:36:23 2026
Summary:     Recommended update for rust1.94
Type:        recommended
Severity:    moderate
References:  1246197,1249191,1249348,1249367,1260441,1260442,1260443,1260444,1260445,CVE-2025-10148,CVE-2025-9086,CVE-2026-28387,CVE-2026-28388,CVE-2026-28389,CVE-2026-31789,CVE-2026-31790
This update for rust1.94 fixes the following issues:

This update adds rust1.94.

Release notes can be found externally: https://github.com/rust-lang/rust/releases/tag/1.94.0 
-----------------------------------------------------------------
Advisory ID: 478
Released:    Sun Apr  5 04:55:36 2026
Summary:     Security update for cockpit-repos
Type:        security
Severity:    important
References:  1243581,1248410,1248687,1258637,1260078,1260082,142461,544339,CVE-2025-46836,CVE-2026-26996,CVE-2026-4437,CVE-2026-4438
This update for cockpit-repos fixes the following issue:

- CVE-2026-26996: minimatch: ReDoS when glob pattern contains many consecutive wildcards followed by a literal character
  that doesn't appear in the test string (bsc#1258637).

-----------------------------------------------------------------
Advisory ID: 480
Released:    Tue Apr  7 13:57:38 2026
Summary:     Security update for libpng16
Type:        security
Severity:    important
References:  1084929,1257359,1260754,1260755,CVE-2025-9615,CVE-2026-33416,CVE-2026-33636
This update for libpng16 fixes the following issues:

- CVE-2026-33416: use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE` can lead to arbitrary code
  execution (bsc#1260754).
- CVE-2026-33636: out-of-bounds read/write in the palette expansion on ARM Neon can lead to information leak and
  crashes (bsc#1260755).

-----------------------------------------------------------------
Advisory ID: 479
Released:    Tue Apr  7 14:21:55 2026
Summary:     Security update for tigervnc
Type:        security
Severity:    important
References:  1248678,1260754,1260755,1260871,CVE-2026-33416,CVE-2026-33636,CVE-2026-34352
This update for tigervnc fixes the following issues:

- CVE-2026-34352: Fixed permissions to prevent other users from observing the screen, or modifying what is sent to the client. (bsc#1260871)

-----------------------------------------------------------------
Advisory ID: 484
Released:    Tue Apr  7 16:33:05 2026
Summary:     Security update for libtasn1
Type:        security
Severity:    moderate
References:  1242170,1256341,1260876,CVE-2025-13151,CVE-2026-34073
This update for libtasn1 fixes the following issues:

- CVE-2025-13151: lack of validation of input data size leads to stack-based buffer overflow in
  `asn1_expend_octet_string` (bsc#1256341).

-----------------------------------------------------------------
Advisory ID: 485
Released:    Tue Apr  7 17:17:05 2026
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1159103,1211721,1219038,1221763,1227117,1255326,1257235,1258344,1259418,1259650,1259697,CVE-2026-24401,CVE-2026-29111,CVE-2026-4105
This update for systemd fixes the following issues:

Update to systemd v257.13:

Security issues:

- CVE-2026-4105: privilege escalation due to improper access control in RegisterMachine D-Bus method (bsc#1259650).
- CVE-2026-29111: local unprivileged user can trigger an assert in systemd (bsc#1259418).
- udev: local root execution via malicious hardware devices and unsanitized kernel output (bsc#1259697).

Non security issues:

- Avoid shipping (empty) directories and ghost files in /var (jsc#PED-14853).
- Sign systemd-boot EFI binary on aarch64 (bsc#1258344)
- terminal-util: stop doing 0/upper bound check in tty_is_vc() (bsc#1255326)

Changelog:

- 6941d92dc2 machined: reject invalid class types when registering machines (bsc#1259650 CVE-2026-4105)
- 03bb697b8d udev: check for invalid chars in various fields received from the kernel (bsc#1259697)
- 54588d2ded core: validate input cgroup path more prudently (bsc#1259418 CVE-2026-29111)
- fb9d92682b terminal-util: stop doing 0/upper bound check in tty_is_vc() (bsc#1255326)

For a complete list of changes, visit:
 https://github.com/openSUSE/systemd/compare/3c53ef3ea20bd43ef587cbdfa7107aeb1ef55654...d349fc5cd4f9ee2b7884c2610647e92806d14b28

-----------------------------------------------------------------
Advisory ID: 491
Released:    Thu Apr  9 10:48:26 2026
Summary:     Security update for the Linux Kernel RT (Live Patch 0 for SUSE Linux Enterprise 16)
Type:        security
Severity:    important
References:  1246974,1249375,1252036,1252689,1253404,1256780,1257238,1258051,1258183,1258784,1261420,CVE-2025-39973,CVE-2025-40018,CVE-2025-40159,CVE-2025-71120,CVE-2025-8114,CVE-2025-8277,CVE-2026-22999,CVE-2026-23074,CVE-2026-23111,CVE-2026-23209,CVE-2026-35535

This update for the SUSE Linux Enterprise Kernel 6.12.0-160000.5.1 fixes various security issues

The following security issues were fixed:

- CVE-2025-39973: i40e: add validation for ring_len param (bsc#1252036).
- CVE-2025-40018: ipvs: Defer ip_vs_ftp unregister during netns cleanup (bsc#1252689).
- CVE-2025-40159: xsk: Harden userspace-supplied xdp_desc validation (bsc#1253404).
- CVE-2025-71120: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf (bsc#1256780).
- CVE-2026-22999: net/sched: sch_qfq: do not free existing class in qfq_change_class() (bsc#1257238).
- CVE-2026-23074: net/sched: Enforce that teql can only be used as root qdisc (bsc#1258051).
- CVE-2026-23111: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() (bsc#1258183).
- CVE-2026-23209: macvlan: fix error recovery in macvlan_common_newlink() (bsc#1258784).

-----------------------------------------------------------------
Advisory ID: 494
Released:    Thu Apr  9 10:56:02 2026
Summary:     Security update for patterns-glibc-hwcaps
Type:        security
Severity:    moderate
References:  1261809,CVE-2026-4878
This update for patterns-glibc-hwcaps fixes the following issues:

The pattern is moved from PackageHub to regular SLES.

It requires packages for the x86_64 v3 architecture and is automatically
pulled in when this architecture is present.

These packages are optimized for the x86_64 v3 architecture to increase performance.

-----------------------------------------------------------------
Advisory ID: 495
Released:    Thu Apr  9 12:58:55 2026
Summary:     Security update for perl-Authen-SASL
Type:        security
Severity:    moderate
References:  1222465,1234736,1246623,1250373,1250692,CVE-2025-40918,CVE-2025-41244
This update for perl-Authen-SASL fixes the following issues:

Changes in perl-Authen-SASL:

- CVE-2025-40918: use Crypt:URandom for generating nonces (bsc#1246623)

-----------------------------------------------------------------
Advisory ID: 496
Released:    Thu Apr  9 13:07:42 2026
Summary:     Recommended update for umoci
Type:        recommended
Severity:    moderate
References:  1230861,1239439,1241002,1244550,1249450,1250232,1252025,1257490,1257625,1257667,1257825,1261155,CVE-2025-9230
This update for umoci fixes the following issues:

Update to umoci v0.6.0. Upstream changelog is available from
  <https://github.com/opencontainers/umoci/releases/tag/v0.6.0> bsc#1252025

  * umoci now has automatic SOURCE_DATE_EPOCH support, improving the
    reproducibility of generated images.
  * 'umoci stat' now provides more information about theimage.
  * 'umoci config' now supports --platform.variant (architecture variants)
	which resolves issues with images on ARM (on ARM systems, 'umoci new' will
	auto-fill the host CPU variant).

Update to umoci v0.5.1. Upstream changelog is available from

  <https://github.com/opencontainers/umoci/releases/tag/v0.5.1> bsc#1249450

  * For images with an empty index.json, umoci will no longer incorrectly set
    the manifests entry to null.
  * umoci will now produce an error for images with negative-sized descriptors,
    based on recent discussions in the upstream image-spec.
  * Use go:embed to fill umoci --version information from VERSION.
  * Stop using oci-image-tools for integration tests, instead use some smoke
    tests and the docker-library-maintained meta-scripts.

-----------------------------------------------------------------
Advisory ID: 497
Released:    Thu Apr  9 13:07:42 2026
Summary:     Recommended update for kernel-firmware-ath12k
Type:        recommended
Severity:    moderate
References:  1221126,1244485,1249385,1250952,1258022,1259543
This update for kernel-firmware-ath12k fixes the following issues:

- amdgpu and ath12k firmware files drivers where missing (bsc#1250952).
- Version update 20250919

-----------------------------------------------------------------
Advisory ID: 499
Released:    Thu Apr  9 13:14:21 2026
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    important
References:  1084929,1215720,1216355,1258664,1261957,CVE-2026-34757
This update for sg3_utils fixes the following issues:

- Update to version 1.48~20221101+5.c6a1f6b8:
    * rescan-scsi-bus.sh:
        + Fix invocation of udevadm (bsc#1258664)
        + Fix multipath issue when called with -s and without -u (bsc#1215720, bsc#1216355)

-----------------------------------------------------------------
Advisory ID: 500
Released:    Thu Apr  9 13:14:21 2026
Summary:     Recommended update for patterns-base
Type:        recommended
Severity:    moderate
References:  1249584,1259924,CVE-2025-59375,CVE-2025-69720
This update for patterns-base fixes the following issues:

Changes in patterns-base:

- Drop biosdevname, this is being replaced by systemd predictable
  network interface naming (jsc#PED-262).

-----------------------------------------------------------------
Advisory ID: 502
Released:    Thu Apr  9 13:18:30 2026
Summary:     Security update for zlib
Type:        security
Severity:    moderate
References:  1216378,1234563,1239763,1239866,1243254,1243505,1250983,1258392,CVE-2023-45853,CVE-2024-45337,CVE-2025-11230,CVE-2026-27171
This update for zlib fixes the following issues:


- CVE-2026-27171: Fixed an infinite loop via the crc32_combine64 and crc32_combine_gen64 functions due to missing checks for negative lengths. (bsc#1258392)
- CVE-2023-45853: Fixed an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6. (bsc#1216378)

-----------------------------------------------------------------
Advisory ID: 504
Released:    Thu Apr  9 14:27:13 2026
Summary:     Security update for pgvector
Type:        security
Severity:    important
References:  1248586,1252217,1258945,1261998,CVE-2026-3172,CVE-2026-40393
This update for pgvector fixes the following issue:

Update to pgvector 0.8.2:

- CVE-2026-3172: Buffer overflow in parallel HNSW index build (bsc#1258945).

Changelog:

 * Fixed Index Searches in EXPLAIN output for Postgres 18

-----------------------------------------------------------------
Advisory ID: 509
Released:    Thu Apr  9 14:29:14 2026
Summary:     Recommended update for quota
Type:        recommended
Severity:    moderate
References:  1246934,1254310,1256498,1256499,1256500,CVE-2025-68276,CVE-2025-68468,CVE-2025-68471
This update for quota fixes the following issues:

- Remove `PrivateDevices` systemd hardening from quotad.service because it
  needs access to block devices in /dev (bsc#1254310).

-----------------------------------------------------------------
Advisory ID: 510
Released:    Thu Apr  9 15:00:19 2026
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1222465,1250562,1254666,1258859,1261970,CVE-2025-11021,CVE-2025-14104,CVE-2026-3184,CVE-2026-3446
This update for util-linux fixes the following issues:

Security issues:

- CVE-2025-14104: heap buffer overread in setpwnam() when processing 256-byte usernames (bsc#1254666).
- CVE-2026-3184: access control bypass due to improper hostname canonicalization in `login` (bsc#1258859).

Non security issues:

- fdisk: Fix possible partition overlay and data corruption if EBR gap is missing  (bsc#1222465).
- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682).

-----------------------------------------------------------------
Advisory ID: 513
Released:    Thu Apr  9 16:40:05 2026
Summary:     Recommended update for linux-glibc-devel
Type:        recommended
Severity:    moderate
References:  1252376,1252543,1253334,1262144,CVE-2025-31133,CVE-2025-52565,CVE-2025-52881,CVE-2026-5958
This update for linux-glibc-devel fixes the following issues:

Changes in linux-glibc-devel:

- Sync with SLES 16.0 update kernel (6.12.0-160000.6) (bsc#1253334)

-----------------------------------------------------------------
Advisory ID: 516
Released:    Fri Apr 10 08:36:43 2026
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1239718,1246504,1252025,1253193,1258319,1259706,1259842,1260078,1260082,CVE-2026-4437,CVE-2026-4438
This update for glibc fixes the following issues:

Security fixes:

- CVE-2026-4437: incorrect DNS response parsing via crafted DNS server response (bsc#1260078).
- CVE-2026-4438: invalid DNS hostname returned via gethostbyaddr functions (bsc#1260082).

Other fixes:

- nss: Missing checks in __nss_configure_lookup, __nss_database_get (bsc#1258319).

-----------------------------------------------------------------
Advisory ID: 517
Released:    Fri Apr 10 10:14:40 2026
Summary:     Security update for the Linux Kernel (Live Patch 4 for SUSE Linux Enterprise 16)
Type:        security
Severity:    important
References:  1253126,1253132,1256780,1257238,1258051,1258183,1258784,1259362,1262631,1262632,1262635,1262636,1262638,CVE-2024-25621,CVE-2025-64329,CVE-2025-71120,CVE-2026-1965,CVE-2026-22999,CVE-2026-23074,CVE-2026-23111,CVE-2026-23209,CVE-2026-4873,CVE-2026-5545,CVE-2026-6253,CVE-2026-6276,CVE-2026-6429

This update for the SUSE Linux Enterprise Kernel 6.12.0-160000.9.1 fixes various security issues

The following security issues were fixed:

- CVE-2025-71120: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf (bsc#1256780).
- CVE-2026-22999: net/sched: sch_qfq: do not free existing class in qfq_change_class() (bsc#1257238).
- CVE-2026-23074: net/sched: Enforce that teql can only be used as root qdisc (bsc#1258051).
- CVE-2026-23111: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() (bsc#1258183).
- CVE-2026-23209: macvlan: fix error recovery in macvlan_common_newlink() (bsc#1258784).

-----------------------------------------------------------------
Advisory ID: 522
Released:    Fri Apr 10 13:27:11 2026
Summary:     Security update for python-cryptography
Type:        security
Severity:    important
References:  1250471,1258074,1260876,1263366,1263367,CVE-2025-5791,CVE-2026-26007,CVE-2026-34073,CVE-2026-40355,CVE-2026-40356
This update for python-cryptography fixes the following issues:

- CVE-2026-34073: Fixed X.509 bypass of name constraints on wildcard SANs with matching peer names. (bsc#1260876)
- CVE-2026-26007: missing validation can lead to security issues for signature verification (ECDSA) and shared key negotiation (ECDH) (bsc#1258074).

-----------------------------------------------------------------
Advisory ID: 525
Released:    Fri Apr 10 15:02:04 2026
Summary:     Recommended update for kernel-firmware-bluetooth
Type:        recommended
Severity:    moderate
References:  1248093,1253029,1261938,CVE-2025-55199,CVE-2026-35206
This update for kernel-firmware-bluetooth fixes the following issues:

Changes in kernel-firmware-bluetooth:

- Update to version 20251202 (git commit 685171356137):

  * linux-firmware: Update firmware file for Intel Scorpius core
  * linux-firmware: Update firmware file for Intel BlazarIGfP core
  * linux-firmware: Update firmware file for Intel BlazarI core
  * linux-firmware: Update firmware file for Intel BlazarU-HrPGfP core
  * linux-firmware: Update firmware file for Intel BlazarU core

- Update to version 20251125 (git commit 23568a4b9420):

  * QCA: Add Bluetooth firmware for WCN685x uart interface

- Update to version 20251121 (git commit ff6418d18552):

  * rtl_bt: Update RTL8852B BT USB FW to 0x42D3_4E04

- Update to version 20251111 (git commit 6fc940781a01):

  * rtl_bt: Update RTL8922A BT USB firmware to 0x41C0_C905

- Update to version 20251106 (git commit b055b3e24542):

  * linux-firmware: Update firmware file for Intel BlazarU core
  * linux-firmware: Update firmware file for Intel BlazarI core

- Update to version 20251029 (git commit bfc84303530a):

  * rtl_bt: Add firmware and config files for RTL8761CUV

- Update to version 20251024 (git commit 9b899c779b8a):

  * QCA: Update Bluetooth WCN6856 firmware 2.1.0-00653 to 2.1.0-00659

- Update to version 20251010 (git commit fef0b3bbf494):

  * linux-firmware: Update firmware file for Intel Magnetar core
  * linux-firmware: Update firmware file for Intel BlazarU core
  * linux-firmware: Update firmware file for Intel BlazarI core

- Update to version 20251010 (git commit 49fafa182b23):

  * qca: Update Bluetooth WCN6750 1.1.3-00091 firmware to 1.1.3-00100

- Update to version 20251004 (git commit 757854f42d83):

  * rtl_bt: Update RTL8852BT/RTL8852BE-VT BT USB FW to 0x3BAC_ADBA

- Update to version 20250903 (git commit c784990ba3d2):

  * rtl_bt: Update RTL8822C BT USB firmware to 0x2B66_D962

- Update to version 20250820 (git commit 70dda28e5098):

  * Link rtl8723b_config.bin to rtl8723bs

- Update to version 20250808 (git commit 8f1ce114de6c):

  * qca: Update Bluetooth WCN6750 1.1.3-00069 firmware to 1.1.3-00091

-----------------------------------------------------------------
Advisory ID: 527
Released:    Fri Apr 10 16:31:00 2026
Summary:     Recommended update for scanner-databases
Type:        recommended
Severity:    moderate
References:  1084929,1244325,1251827,1262223,CVE-2025-11561,CVE-2026-41035
This update for scanner-databases fixes the following issues:

Changes in scanner-databases:

- database refresh on 2026-03-09 (bsc#1084929)

-----------------------------------------------------------------
Advisory ID: 528
Released:    Fri Apr 10 20:29:30 2026
Summary:     Security update for pcre2
Type:        security
Severity:    moderate
References:  1248842,1253741,1261206,1262464,1262465,CVE-2025-58050,CVE-2026-4046,CVE-2026-5450,CVE-2026-5928
This update for pcre2 fixes the following issue:

- CVE-2025-58050: integer overflow leads to heap buffer overread in match_ref due to missing boundary restoration in SCS
  (bsc#1248842).

-----------------------------------------------------------------
Advisory ID: 529
Released:    Fri Apr 10 20:56:55 2026
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1248586,1252217,1253757,1254670,1259619,CVE-2025-11563,CVE-2025-70873,CVE-2025-7709
This update for sqlite3 fixes the following issues:

Update sqlite3 to version 3.51.3:

Security issues:

- CVE-2025-7709: Integer Overflow in FTS5 Extension (bsc#1254670).
- CVE-2025-70873: SQLite zipfile extension may disclose uninitialized heap memory during inflation (bsc#1259619).

Non security issue:

- sqlite3 won't build when using --with icu (bsc#1248586).

Changelog:

Update to version 3.51.3:
 * Fix the WAL-reset database corruption bug:
   https://sqlite.org/wal.html#walresetbug
 * Other minor bug fixes.

Update to version 3.51.2:

 * Fix an obscure deadlock in the new broken-posix-lock detection
   logic.
 * Fix multiple problems in the EXISTS-to-JOIN optimization.

Update to version 3.51.1:
 * Fix incorrect results from nested EXISTS queries caused by the
   optimization in item 6b in the 3.51.0 release.
 * Fix a latent bug in fts5vocab virtual table, exposed by new
   optimizations in the 3.51.0 release

Update to version 3.51.0:
 * New macros in sqlite3.h:
 - SQLITE_SCM_BRANCH -> the name of the branch from which the
 source code is taken.
 - SQLITE_SCM_TAGS -> space-separated list of tags on the source
 code check-in.
 - SQLITE_SCM_DATETIME -> ISO-8601 date and time of the source
 * Two new JSON functions, jsonb_each() and jsonb_tree() work the
 same as the existing json_each() and json_tree() functions
 except that they return JSONB for the 'value' column when the
 'type' is 'array' or 'object'.
 * The carray and percentile extensions are now built into the
 amalgamation, though they are disabled by default and must be
 activated at compile-time using the -DSQLITE_ENABLE_CARRAY
 and/or -DSQLITE_ENABLE_PERCENTILE options, respectively.
 * Enhancements to TCL Interface:
 - Add the -asdict flag to the eval command to have it set the
 row data as a dict instead of an array.
 - User-defined functions may now break to return an SQL NULL.
 * CLI enhancements:
 - Increase the precision of '.timer' to microseconds.
 - Enhance the 'box' and 'column' formatting modes to deal with
 double-wide characters.
 - The '.imposter' command provides read-only imposter tables
 that work with VACUUM and do not require the --unsafe-testing
 option.
 - Add the --ifexists option to the CLI command-line option and
 to the .open command.
 - Limit columns widths set by the '.width' command to 30,000 or
 less, as there is not good reason to have wider columns, but
 supporting wider columns provides opportunity to malefactors.
 * Performance enhancements:
 - Use fewer CPU cycles to commit a read transaction.
 - Early detection of joins that return no rows due to one or
 more of the tables containing no rows.
 - Avoid evaluation of scalar subqueries if the result of the
 subquery does not change the result of the overall expression.
 - Faster window function queries when using
 'BETWEEN :x FOLLOWING AND :y FOLLOWING' with a large :y.
 * Add the PRAGMA wal_checkpoint=NOOP; command and the
 SQLITE_CHECKPOINT_NOOP argument for sqlite3_wal_checkpoint_v2().
 * Add the sqlite3_set_errmsg() API for use by extensions.
 * Add the sqlite3_db_status64() API, which works just like the
 existing sqlite3_db_status() API except that it returns 64-bit
 results.
 * Add the SQLITE_DBSTATUS_TEMPBUF_SPILL option to the
 sqlite3_db_status() and sqlite3_db_status64() interfaces.
 * In the session extension add the sqlite3changeset_apply_v3()
 interface.
 * For the built-in printf() and the format() SQL function, omit
 the leading '-' from negative floating point numbers if the '+'
 flag is omitted and the '#' flag is present and all displayed
 digits are '0'. Use '%#f' or similar to avoid outputs like
 '-0.00' and instead show just '0.00'.
 * Improved error messages generated by FTS5.
 * Enforce STRICT typing on computed columns.
 * Improved support for VxWorks
 * JavaScript/WASM now supports 64-bit WASM. The canonical builds
 continue to be 32-bit but creating one's own 64-bit build is
 now as simple as running 'make'.
 * Improved resistance to database corruption caused by an
 application breaking Posix advisory locks using close().

-----------------------------------------------------------------
Advisory ID: 531
Released:    Sat Apr 11 10:22:09 2026
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1253177,1253178,1258002,1263254,CVE-2025-59777,CVE-2025-62689,CVE-2026-41066
This update for ca-certificates-mozilla fixes the following issues:

- Updated to 2.84 state (bsc#1258002):
    * Removed:
        + Baltimore CyberTrust Root
        + CommScope Public Trust ECC Root-01
        + CommScope Public Trust ECC Root-02
        + CommScope Public Trust RSA Root-01
        + CommScope Public Trust RSA Root-02
        + DigiNotar Root CA
    * Added:
        + e-Szigno TLS Root CA 2023
        + OISTE Client Root ECC G1
        + OISTE Client Root RSA G1
        + OISTE Server Root ECC G1
        + OISTE Server Root RSA G1
        + SwissSign RSA SMIME Root CA 2022 - 1
        + SwissSign RSA TLS Root CA 2022 - 1
        + TrustAsia SMIME ECC Root CA
        + TrustAsia SMIME RSA Root CA
        + TrustAsia TLS ECC Root CA
        + TrustAsia TLS RSA Root CA

-----------------------------------------------------------------
Advisory ID: 537
Released:    Mon Apr 13 10:18:45 2026
Summary:     Recommended update for systemd-presets-branding-SLE
Type:        recommended
Severity:    important
References:  1204562,1224386,1234383,1243005,1244449,1245551,1248356,1248501,1248660,1254324,1254563,1258423,CVE-2024-58251
This update for systemd-presets-branding-SLE fixes the following issues:

Changes in systemd-presets-branding-SLE:

- Disable firewalld during migration if it was disabled before (bsc#1258423).

-----------------------------------------------------------------
Advisory ID: 536
Released:    Mon Apr 13 11:24:35 2026
Summary:     Recommended update for libzypp, zypper, libsolv
Type:        recommended
Severity:    important
References:  1158038,1221342,1231775,1231776,1243992,1243997,1247948,1252744,1253740,1254157,1254158,1254159,1254160,1254480,1257010,1257882,1258193,1259311,CVE-2025-64505,CVE-2025-64506,CVE-2025-64720,CVE-2025-65018,CVE-2025-66293
This update for libzypp, zypper, libsolv fixes the following issues:

Changes in libzypp:

- Update to version 17.38.5:
    * Fix preloader not caching packages from arch specific subrepos (bsc#1253740)
    * Deprioritize invalid mirrors
- Update to version 17.38.4:
    * Fix Product::referencePackage lookup (bsc#1259311)
      Use a provided autoproduct() as hint to the package name of the release package.
      It might be that not just multiple versions of the same release package provide
      the same product version, but also different release packages.
- Update to version 17.38.3:
    * specfile: on fedora use %{_prefix}/share as zyppconfdir if %{_distconfdir} is undefined
      This will set '-DZYPPCONFDIR=%{zyppconfdir}' for cmake.
    * Fall back to a writable location when precaching packages without root (bsc#1247948)

Changes in zypper:

- Update to version 1.14.95:
    * Report download progress for command line rpms
    * Hint to '-vv ref' to see the mirrors used to download the metadata (bsc#1257882)
    * Service: Allow 'zypper ls SERVICE ...' to test whether a service with this alias is defined (bsc#1252744)
      The command prints an abstract of all services passed on the command line.
      It returns 3-ZYPPER_EXIT_ERR_INVALID_ARGS if some argument does not name an existing service.
    * Keep repo data when updating the service settings (bsc#1252744)
    * info: Enhance pattern content table (bsc#1158038)
      Alternatives are now listed as a single entry in the content table.
      The entry shows either the installed package which satisfies the requirement or
      the requirement itself as type 'Provides'.

Changes in libsolv:

- bump version to 0.7.36:
    * respect the 'default' attribute in environment optionlist in the comps parser
    * support suse namespace deps in boolean dependencies (bsc#1258193)
    * support for the Elbrus2000 (e2k) architecture
    * support language() suse namespace rewriting

-----------------------------------------------------------------
Advisory ID: 539
Released:    Mon Apr 13 11:41:21 2026
Summary:     Security update for python313
Type:        security
Severity:    important
References:  1254441,1255027,1257181,1259240,1259611,1259734,1259735,1259989,1260026,1262223,1264511,1264512,1264513,1264514,1264515,1265296,CVE-2025-10158,CVE-2025-13462,CVE-2026-1299,CVE-2026-2297,CVE-2026-29518,CVE-2026-3479,CVE-2026-3644,CVE-2026-41035,CVE-2026-4224,CVE-2026-43617,CVE-2026-43618,CVE-2026-43619,CVE-2026-43620,CVE-2026-4519,CVE-2026-45232
This update for python313 fixes the following issues:

Update to version 3.13.13.

- CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined can lead to
  misinterpretation of tar archives (bsc#1259611).
- CVE-2026-2297: incorrectly handled hook in FileLoader can lead to validation bypass (bsc#1259240).
- CVE-2026-3479: improper resource argument validation in `pkgutil.get_data()` can lead to path traversal (bsc#1259989).
- CVE-2026-3644: incomplete control character validation in http.cookies can lead to input validation bypass
  (bsc#1259734).
- CVE-2026-4224: parsing XML with deeply nested DTD content models can lead to C stack overflow (bsc#1259735).
- CVE-2026-4519: failure to sanitize leading dashes in URLs in the `webbrowser.open()` API can lead to web browser
  command line option injection (bsc#1260026).

-----------------------------------------------------------------
Advisory ID: 540
Released:    Mon Apr 13 13:47:50 2026
Summary:     Security update for webkit2gtk3
Type:        security
Severity:    important
References:  1196933,1206608,1207543,1208928,1232351,1241284,1244003,1244011,1244937,1245667,1246011,1246025,1249657,1250224,1252318,1254425,1259934,1259935,1259936,1259937,1259938,1259939,1259940,1259941,1259942,1259943,1259944,1259945,1259946,1259947,1259948,1259949,1259950,1261172,1261173,1261174,1261175,1261176,1261177,1261178,1261179,1261606,CVE-2023-43010,CVE-2025-31223,CVE-2025-31277,CVE-2025-43213,CVE-2025-43214,CVE-2025-43433,CVE-2025-43438,CVE-2025-43441,CVE-2025-43457,CVE-2025-43511,CVE-2025-46299,CVE-2026-20608,CVE-2026-20635,CVE-2026-20636,CVE-2026-20643,CVE-2026-20644,CVE-2026-20652,CVE-2026-20664,CVE-2026-20665,CVE-2026-20676,CVE-2026-20691,CVE-2026-27456,CVE-2026-28857,CVE-2026-28859,CVE-2026-28861,CVE-2026-28871
This update for webkit2gtk3 fixes the following issues:

Update to version 2.52.1.

Security issues fixed:

- CVE-2025-43213: processing maliciously crafted web content may lead to an unexpected crash due to improper memory
  handling (bsc#1259947).
- CVE-2025-43214: processing maliciously crafted web content may lead to an unexpected crash due to improper memory
  handling (bsc#1259946).
- CVE-2025-43457: processing maliciously crafted web content may lead to an unexpected crash due to use-after-free
  (bsc#1259942).
- CVE-2025-43511: processing maliciously crafted web content may lead to an unexpected process crash due to
  use-after-free (bsc#1259941).
- CVE-2025-46299: processing maliciously crafted web content may disclose internal states of an app due to improper
  memory initialization (bsc#1259940).
- CVE-2026-20608: processing maliciously crafted web content may lead to an unexpected process crash due to improper
  state management (bsc#1259939).
- CVE-2026-20635: processing maliciously crafted web content may lead to an unexpected process crash due to improper
  memory handling (bsc#1259938).
- CVE-2026-20636: processing maliciously crafted web content may lead to an unexpected process crash due to improper
  memory handling (bsc#1259937).
- CVE-2026-20643: processing maliciously crafted web content may bypass Same Origin Policy due to improper input
  validation (bsc#1261172).
- CVE-2026-20644: processing maliciously crafted web content may lead to an unexpected process crash due to improper
  memory handling (bsc#1259936).
- CVE-2026-20652: a remote attacker may be able to cause a denial-of-service due to improper memory handling
  (bsc#1259935).
- CVE-2026-20664: processing maliciously crafted web content may lead to an unexpected process crash due to improper
  memory handling (bsc#1261173).
- CVE-2026-20665: processing maliciously crafted web content may prevent Content Security Policy from being enforced
  due to improper state management (bsc#1261174).
- CVE-2026-20676: a website may be able to track users through web extensions due to improper state management
  (bsc#1259934).
- CVE-2026-20691: a maliciously crafted webpage may be able to fingerprint users due to improper state management
  (bsc#1261175).
- CVE-2026-28857: processing maliciously crafted web content may lead to an unexpected process crash due to improper
  memory handling (bsc#1261176).
- CVE-2026-28859: a malicious website may be able to process restricted web content outside the sandbox due to improper
  memory management (bsc#1261177).
- CVE-2026-28861: a malicious website may be able to access script message handlers intended for other origins due to
  improper state management (bsc#1261178).
- CVE-2026-28871: visiting a maliciously crafted website may lead to a cross-site scripting attack due to missing checks
  (bsc#1261179).

Other updates and bugfixes:

- Version 2.52.1:
  * Reduce the amount of useless MPRIS notifications produced by MediaSession when the information about media being
    played is incomplete.
  * Support turning off USE_GSTREAMER to configure the build with all multimedia features disabled.
  * Add Sysprof marks for mouse events.
  * Fix MediaSession icon for iheart.com not being displayed.
  * Fix the build with USE_GSTREAMER_GL disabled.
  * Fix the build with librice version 0.3.0 or newer.
  * Fix several crashes and rendering issues.
  * Translation updates: Georgian.

- Version 2.52.0:
  * Make scrolling with touch input smoother for small movements.
  * Fix estimated load progress of downloads when Content-Length value is wrong.
  * Ensure that 'scrollend' events are correctly emitted after scroll animations.

-----------------------------------------------------------------
Advisory ID: 541
Released:    Mon Apr 13 14:29:51 2026
Summary:     Security update for nodejs24
Type:        security
Severity:    important
References:  1205588,1247432,1254336,1254679,1256572,1256576,1260455,1260460,1260462,1260463,1260480,1260482,1260494,1261280,CVE-2024-2312,CVE-2025-59464,CVE-2026-21637,CVE-2026-21710,CVE-2026-21712,CVE-2026-21713,CVE-2026-21714,CVE-2026-21715,CVE-2026-21716,CVE-2026-21717,CVE-2026-34743
This update for nodejs24 fixes the following issues:

Update to version 24.14.1.

Security issues fixed:

- CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism allows for
  performance degradation via a crafted request (bsc#1260494).
- CVE-2026-21716: incomplete fix for CVE-2024-36137 allows promise-based FileHandle methods to be used to modify file
  permissions and ownership on already-open file descriptors (bsc#1260462).
- CVE-2026-21715: flaw in the Permission Model filesystem enforcement allows for file existence disclosure and
  filesystem path enumeration via `fs.realpathSync.native()` (bsc#1260482).
- CVE-2026-21714: memory leak in Node.js HTTP/2 server allows for resource exhaustion via `WINDOW_UPDATE` frames sent
  on stream 0 (bsc#1260480).
- CVE-2026-21713: timing side-channel due to flaw in Node.js HMAC verification allows for discovery of HMAC values and
  potential MAC forgery (bsc#1260463).
- CVE-2026-21712: assertion error caused by flaw in URL processing allows for a process crash via a URL with a
  malformed IDN (bsc#1260460).
- CVE-2026-21710: uncaught `TypeError` when handling HTTP requests allows for a process crash via requests with a
  header named `__proto__` when the application accesses `req.headersDistinct` (bsc#1260455).
- CVE-2026-21637: flaw in TLS error handling allows for resource exhaustion and crash when `pskCallback` or
  `ALPNCallback` are in use (bsc#1256576).
- CVE-2025-59464: memory leak allows for remote denial of service against applications processing TLS client
  certificates (bsc#1256572).

Other updates and bugfixes:

- Version 24.14.0:
  * async_hooks: add trackPromises option to createHook()
  * build,deps: replace cjs-module-lexer with merve
  * deps: add LIEF as a dependency
  * events: repurpose events.listenerCount() to accept EventTargets
  * fs: add ignore option to fs.watch
  * http: add http.setGlobalProxyFromEnv()
  * module: allow subpath imports that start with #/
  * process: preserve AsyncLocalStorage in queueMicrotask only when needed
  * sea: split sea binary manipulation code
  * sqlite: enable defensive mode by default
  * sqlite: add sqlite prepare options args
  * src: add initial support for ESM in embedder API
  * stream: add bytes() method to node:stream/consumers
  * stream: do not pass readable.compose() output via Readable.from()
  * test: use fixture directories for sea tests
  * test_runner: add env option to run function
  * test_runner: support expecting a test-case to fail
  * util: add convertProcessSignalToExitCode utility
  * For details, see https://nodejs.org/en/blog/release/v24.14.0


-----------------------------------------------------------------
Advisory ID: 544
Released:    Mon Apr 13 15:10:32 2026
Summary:     Recommended update for crypto-policies
Type:        recommended
Severity:    moderate
References:  1218879,1218880,1252696,1253025,1263704,1263705,1263707,1263708,1263709,1263710,1263711,1263712,1263713,1263714,1263715,1263716,CVE-2023-45229,CVE-2023-45230,CVE-2026-33845,CVE-2026-33846,CVE-2026-3833,CVE-2026-42009,CVE-2026-42010,CVE-2026-42011,CVE-2026-42012,CVE-2026-42013,CVE-2026-42014,CVE-2026-42015,CVE-2026-5260,CVE-2026-5419
This update for crypto-policies fixes the following issues:

- Fix the testsuite:
    * Port all the policy changes to the config files in the test suite.
    * Use the newly introduced SKIP_LINTING=1 option.
- Adapt the manpages to SUSE/openSUSE:
    * Add crypto policies SUSE manpages
    * Compress all the man pages for update-crypto-policies.8.gz,
      crypto-policies.7.gz, fips-finish-install.8.gz and
      fips-mode-setup.8.gz into man-crypto-policies.tar.xz
- Update to version 20250714.cd6043a: (bsc#1253025, bsc#1252696)
    * gnutls: enable ML-DSA, for both secure-sig and secure-sig-for-cert
    * python, policies, tests: alias X25519-MLKEM768 to MLKEM768-X25519
    * FIPS: disable MLKEM768-X25519 for openssh (no-op)
    * FIPS: deprioritize X25519-MLKEM768 over P256-MLKEM768 for openssl...
    * TEST-PQ: be more careful with the ordering
    * openssl: send one PQ and one classic key_share; prioritize PQ groups
    * sequoia: Generate AEAD policy
    * Do not include EdDSA in FIPS policy
    * sequoia: Add PQC algorithm
    * sequoia: Run tests against PQC capable policy-config-check
    * Revert 'openssl, policies: implement group_key_share option'
    * openssl, policies: implement group_key_share option
    * FIPS: enable hybrid ML-KEM (TLS only) and pure ML-DSA
    * python/build-crypto-policies: output diffs on --test mismatches
    * sequoia, rpm-sequoia: use ignore_invalid with sha3, x25519, ...
    * policies, alg_lists, openssl: remove KYBER from allowed values
    * openssl: stricter enabling of Ciphersuites
    * openssl: make use of -CBC and -AESGCM keywords
    * openssl: add TLS 1.3 Brainpool identifiers
    * fix warning on using experimental key_exchanges
    * update-crypto-policies: don't output FIPS warning in fips mode
    * openssh: map mlkem768x25519-sha256 to KEM-ECDH and MLKEM768-X25519 and SHA2-256
    * openssh, libssh: refactor kx maps to use tuples
    * alg_lists: mark MLKEM768/SNTRUP kex experimental
    * nss: revert enabling mlkem768secp256r1
    * nss: add mlkem768x25519 and mlkem768secp256r1, remove xyber
    * gnutls: add GROUP-X25519-MLKEM768 and GROUP-SECP256R1-MLKEM768
    * openssl: use both names for SecP256r1MLKEM768 / X25519MLKEM768
    * openssh, TEST-PQ: rename MLKEM key_exchange to MLKEM768
    * openssh: add support for sntrup761x25519-sha512 and mlkem768x25519-sha256
    * LEGACY: enable 192-bit ciphers for nss pkcs12/smime
    * openssl: map NULL to TLS_SHA256_SHA256:TLS_SHA384_SHA384...
    * nss: be stricter with new purposes
    * python/update-crypto-policies: pacify pylint
    * fips-mode-setup: tolerate fips dracut module presence w/o FIPS
    * fips-mode-setup: small Argon2 detection fix
    * SHA1: add __openssl_block_sha1_signatures = 0
    * fips-mode-setup: block if LUKS devices using Argon2 are detected
    * update-crypto-policies: skip warning on --set=FIPS if bootc
    * fips-setup-helper: skip warning, BTW
    * fips-mode-setup: force --no-bootcfg when UKI is detected
    * fips-crypto-policy-overlay: automount FIPS policy
    * nss: rewrite backend for 3.101
    * cryptopolicies: parent scopes for dumping purposes
    * policygenerators: move scoping inside generators
    * openssh: make dss no longer enableble, support is dropped
    * gnutls: wire GROUP-X25519-KYBER768 to X25519-KYBER768
    * TEST-PQ: disable pure Kyber768
    * DEFAULT: switch to rh-allow-sha1-signatures = no...
    * java: drop unused javasystem backend
    * java: stop specifying jdk.tls.namedGroups in javasystem
    * ec_min_size: introduce and use in java, default to 256
    * java: use and include jdk.disabled.namedCurves
    * BSI: Update BSI policy for new 2024 minimum recommendations
    * fips-mode-setup: flashy ticking warning upon use
    * fips-mode-setup: add another scary 'unsupported'
    * BSI: switch to 3072 minimum RSA key size
    * java: make hash, mac and sign more orthogonal
    * java: specify jdk.tls.namedGroups system property
    * java: respect more key size restrictions
    * java: disable anon ciphersuites, tying them to NULL...
    * java: start controlling / disable DTLSv1.0
    * nss: wire KYBER768 to XYBER768D00
- Update to version 20250425.9267dee:
    * openssl: fix mistakes in integrity-only cipher definitions
    * NO-PQ, cryptopolicies: add experimental value suppression
    * nss: add mlkem768x25519 and mlkem768secp256r1
    * gnutls: 'allow-rsa-pkcs1-encrypt = false' everywhere but in LEGACY
    * TEST-PQ, openssh: add support for MLKEM768 key_exchange
    * LEGACY: drop cipher at pkcs12 = SEED-CBC
    * fips-crypto-policy-overlay: automount FIPS policy, follow-up fixes
    * nss: TLS-REQUIRE-EMS in FIPS
    * DEFAULT: disable RSA key exchange
    * LEGACY: disable sign = *-SHA1
    * nss: wire XYBER768D00 to X25519-KYBER768, not KYBER768
- Add the FIPS scripts fips-finish-install and fips-mode-setup as
  sources in the spec file as they have been removed upstream.
    * We will maintain these scripts downstream.
    * Update the man pages for update-crypto-policies.8.gz
    * Add crypto policies FIPS output
    * Add man pages in text file in compressed form in the file
      man-fips-scripts.tar.xz and add them to the Makefile.
- Update to version 20250324.3714354:
    * NO-PQ: introduce
    * LEGACY/DEFAULT/FUTURE: enable hybrid ML-KEM and pure ML-DSA
    * _openssl_block_sha1_signatures: flip the default to 1
    * sequoia: add sha3, x25519, ed25519, x448, ed448, but not for rpm-sequoia
    * sequoia: refactor a bit
    * openssl: specify default key size for req
    * gnutls: support P384-MLKEM1024
    * openssl: stop generating `openssl` in favour of `opensslcnf`
    * gnutls: drop kyber (switching to leancrypto took it away)
    * openssl: use both names for P384-MLKEM1024
    * Detect the presence of nss-policy-check
    * Don't use hardcoded python3 path
    * Make xsltproc settable as XSLTPROC
    * python/cryptopolicies/validation/scope.py: fix new ruff rule RUF021
    * Update the info in the README.SUSE file
    * Remove the FEDORA policies and directories

-----------------------------------------------------------------
Advisory ID: 546
Released:    Mon Apr 13 17:02:47 2026
Summary:     Recommended update for libnvidia-egl-wayland, libnvidia-egl-x11
Type:        recommended
Severity:    moderate
References:  1247907,1255731,1255732,1255733,1255734,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224
This update for libnvidia-egl-wayland, libnvidia-egl-x11 fixes the following issues:

Changes in libnvidia-egl-wayland:

- update to version 1.1.22:
    * egl-wayland: remove extraneous call to wl_display_rou
- update to version 1.1.21:
    * fix loading libdrm when wl_drm is not available
    * add FP16 DRM format - requires some fixes to the core driver to fully work however
- fixed build against sle15-sp6/Leap 15.6
- update to version 1.1.20 (needed by 580.76.05 driver, bsc#1247907):
    * Add support for tegradisp-drm

Changes in libnvidia-egl-x11:

- bump version number to 1.0.5:
    * fix building on FreeBSD
    * rename a patch
- update to v1.0.4 tarball/version 1.0.5:
    * fix attribute handling for eglCreateWindowPixmapSur
    * handle eglQuerySurface EGL_RENDER_BUFFER
    * enable implicit sync if we re-talking to the NVIDIA
- updated to v1.0.2 tarball/version 1.0.3 (needed by 580.76.05 driver, bsc#1247907):
    * increment the version number to 1.0.3
    * egl-x11: add support for tegradisp drm

-----------------------------------------------------------------
Advisory ID: 547
Released:    Mon Apr 13 17:48:00 2026
Summary:     Security update for openssl-3
Type:        security
Severity:    important
References:  1217877,1259652,1260264,1260441,1260442,1260443,1260444,1260445,1261678,CVE-2023-45866,CVE-2026-2673,CVE-2026-28387,CVE-2026-28388,CVE-2026-28389,CVE-2026-28390,CVE-2026-31789,CVE-2026-31790,CVE-2026-33186
This update for openssl-3 fixes the following issues:

Security issues fixed:

- CVE-2026-2673: TLS 1.3 servers may choose unexpected key agreement group (bsc#1259652).
- CVE-2026-28387: potential use-after-free in DANE client code (bsc#1260441).
- CVE-2026-28388: NULL pointer dereference when processing a delta (bsc#1260442).
- CVE-2026-28389: possible NULL pointer dereference when processing CMS KeyAgreeRecipientInfo (bsc#1260443).
- CVE-2026-28390: NULL pointer dereference during processing of a crafted CMS EnvelopedData message with
  KeyTransportRecipientInfo (bsc#1261678).
- CVE-2026-31789: heap buffer overflow in hexadecimal conversion (bsc#1260444).
- CVE-2026-31790: incorrect failure handling in RSA KEM RSASVE encapsulation (bsc#1260445).

Other updates and bugfixes:

- Enable MD2 in legacy provider (jsc#PED-15724).

-----------------------------------------------------------------
Advisory ID: 551
Released:    Tue Apr 14 13:18:14 2026
Summary:     Security update for Botan
Type:        security
Severity:    critical
References:  1254441,1261880,1265578,1265580,1265581,1265582,1265583,1265584,1265585,1265586,1265587,1265588,1265589,CVE-2025-10158,CVE-2026-32792,CVE-2026-33278,CVE-2026-34582,CVE-2026-40622,CVE-2026-41292,CVE-2026-42534,CVE-2026-42923,CVE-2026-42944,CVE-2026-42959,CVE-2026-42960,CVE-2026-44390,CVE-2026-44608
This update for Botan fixes the following issues:

- CVE-2026-34582: Fixed a client authentication bypass in TLS 1.3 implementation (bsc#1261880)

-----------------------------------------------------------------
Advisory ID: 553
Released:    Tue Apr 14 13:46:47 2026
Summary:     Recommended update for elfutils
Type:        recommended
Severity:    moderate
References:  1255765,1265413,CVE-2025-11961,CVE-2026-45409
This update for elfutils fixes the following issues:

- Move debuginfod homedir creation to tmpfiles.d

-----------------------------------------------------------------
Advisory ID: 556
Released:    Tue Apr 14 16:33:17 2026
Summary:     Security update for pam
Type:        security
Severity:    moderate
References:  1231494,1232234,1255372,1259767,CVE-2024-10041,CVE-2026-4271
This update for pam fixes the following issue:

- CVE-2024-10041: libpam: vulnerable to read hashed password (bsc#1232234).

-----------------------------------------------------------------
Advisory ID: 558
Released:    Tue Apr 14 17:02:17 2026
Summary:     Security update for plexus-utils
Type:        security
Severity:    important
References:  1255400,1256341,1256484,1258509,1259079,1259080,1260588,1262089,CVE-2025-13151,CVE-2025-14876,CVE-2025-67030,CVE-2026-0665,CVE-2026-2243,CVE-2026-3195,CVE-2026-3196,CVE-2026-3842
This update for plexus-utils fixes the following issue:

- CVE-2025-67030: directory traversal via the `extractFile` method of `org.codehaus.plexus.util.Expand` (bsc#1260588).

-----------------------------------------------------------------
Advisory ID: 561
Released:    Tue Apr 14 21:29:51 2026
Summary:     Recommended update for libzypp-testsuite-tools
Type:        recommended
Severity:    moderate
References:  1241826,1241857,1251511,1251679,1253581,1253901,1254079,1254629,1254900,1257583,1257831,1259554,1259700,CVE-2025-22872,CVE-2025-47911,CVE-2025-47913,CVE-2025-47914,CVE-2025-58181,CVE-2025-58190,CVE-2026-31958
This update for libzypp-testsuite-tools fixes the following issues:

Changes in libzypp-testsuite-tools:

- Require CMake 3.5
- version 5.0.7

-----------------------------------------------------------------
Advisory ID: 569
Released:    Thu Apr 16 10:36:38 2026
Summary:     Recommended update for AppStream
Type:        recommended
Severity:    moderate
References:  1239941,1256105,1267426,1267874,CVE-2025-14017,CVE-2026-44941,CVE-2026-44942
This update for AppStream fixes the following issues:

Changes in AppStream:

- Make qt6 the default qt flavor and qt5 the flavor built
  separately and disable the qt5 flavor in SLE16 where we don't
  want to have Qt5 libraries.

Update to 1.0.5:

  Features:

  * qt: Expose markup conversion utils
  * desktop-styles: Add android and iOS
  * validator: Check for xml:lang='en' being used on description
    template elements
  * validator: Flag cases of raw text in 'description' elements
  * metadata: Add more known extensions into
    as_metadata_file_guess_style()
  Specification:
  * docs: Clarify that the style segment of a screenshot
    environment is optional
  * docs: Explain consequences of defining an icon for
    desktop-app metainfo
  * docs: Clarify that description content must be in p/li
    elements
  Bugfixes:
  * validator: mark as_validator_issue_tag_list static
  * docs: Add workaround for gi-docgen misnaming devhelp files
  * compose: Do not permit SVG images as screenshots
  * compose: Don't 'forget' to scan remaining paths when
    re-encountering a dir
  * pool: Try explicit singular term match if we only have
    low-quality tokens
  * utils: Provide compatibility with Fedora icon tarballs when
    installing them
  * utils: Remove leftover g_chmod()
  * zstd-decompressor: Pass output/written data when decompression
    finished
  * utils: Expect a dash in icons file name
  * utils: Recognize .yml* and .yaml* file extension variants,
    and .zst extension
  * utils: Rename the appstream file when re-saving it on install

-----------------------------------------------------------------
Advisory ID: 570
Released:    Thu Apr 16 11:06:50 2026
Summary:     Security update for strongswan
Type:        security
Severity:    important
References:  1254666,1257359,1259472,1260277,1266187,1267168,CVE-2025-14104,CVE-2025-9615,CVE-2026-25075,CVE-2026-25680,CVE-2026-25681,CVE-2026-27136,CVE-2026-33186,CVE-2026-39827,CVE-2026-39828,CVE-2026-39829,CVE-2026-39830,CVE-2026-39831,CVE-2026-39832,CVE-2026-39833,CVE-2026-39834,CVE-2026-39835,CVE-2026-42502,CVE-2026-42506,CVE-2026-42508,CVE-2026-46595,CVE-2026-46597,CVE-2026-46598
This update for strongswan fixes the following issues:

Update to strongswan 6.0.4:

- CVE-2025-9615: NetworkManager File Access (bsc#1257359).
- CVE-2026-25075: Integer Underflow When Handling EAP-TTLS AVP (bsc#1259472).

Changes for strongswan:

- Fixed a vulnerability in the NetworkManager plugin that potentially
 allows using credentials of other local users. This vulnerability
 has been registered as CVE-2025-9615.
- The maximum supported length for section names in swanctl.conf
 has been increased to the upper limit of 256 characters that's
 enforced by VICI.
- Prevent a crash if a confused peer rekeys a Child SA twice before
 sending a delete.
- Fixed a memory leak if a peer's self-signed certificate is untrusted.

-----------------------------------------------------------------
Advisory ID: 572
Released:    Thu Apr 16 12:03:54 2026
Summary:     Recommended update for rpmlint
Type:        recommended
Severity:    important
References:  1244485,1245878,1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,1261696,1264394,1267442,1267444,1267450,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796,CVE-2026-27145,CVE-2026-42504,CVE-2026-42507
This update for rpmlint fixes the following issues:

- Update to version 2.7.0+git20260415.44ca4797:
    * Update openSUSE's licenses.toml
    * ZipCheck: fix utf8 decoding erros in jarfile manifest (bsc#1261696)

-----------------------------------------------------------------
Advisory ID: 576
Released:    Thu Apr 16 15:10:27 2026
Summary:     Recommended update for opensm
Type:        recommended
Severity:    important
References:  1230698,1257144,1257496,1258143,1260446,1261678,1266340,1266341,1266342,1266344,1266349,1266353,1266355,1266356,1266357,CVE-2024-41996,CVE-2026-24515,CVE-2026-25210,CVE-2026-28390,CVE-2026-34180,CVE-2026-34182,CVE-2026-42766,CVE-2026-42770,CVE-2026-45445,CVE-2026-45446,CVE-2026-45447,CVE-2026-7383,CVE-2026-9076
This update for opensm fixes the following issue:

Change in opensm:

- Fix issue with NDR switches (bsc#1258143).
-----------------------------------------------------------------
Advisory ID: 578
Released:    Fri Apr 17 09:57:12 2026
Summary:     Security update for google-cloud-sap-agent
Type:        security
Severity:    important
References:  1256805,1259816,1260265,1268012,1268013,CVE-2026-0989,CVE-2026-11822,CVE-2026-11824,CVE-2026-33186
This update for google-cloud-sap-agent fixes the following issue:

Update to google-cloud-sap-agent 3.12 (bsc#1259816):

- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo-
  header (bsc#1260265).

Changes for google-cloud-sap-agent:

 * Collect WLM metric `saphanasr_angi_installed` for all OS types.
 * Failure handling: Remove attached disks from CG
 * OTE Status checks for Parameter Manager (SAP Agent)
 * Log command-line arguments in configureinstance.
 * Minor multiple reliability checks and fixes
 * Support custom names for restored disks in hanadiskrestore
 * Add newAttachedDisks to Restorer and detach them on restore failure.
 * Improve unit test coverage for hanadiskbackup and hanadiskrestore
 * Add support for refresh point tests.
 * Refactor HANA disk backup user validation and physical path parsing.
 * Auto updated compiled protocol buffers
 * Parameter Manager integration to SAP Agent
 * Modify collection logic for SAP HANA configuration files.
 * Update workloadagentplatform version and hash.
 * Update WLM Validation metrics to support SAPHanaSR-angi setups.
 * Increment agent version to 3.12.
 * SAP HANA Pacemaker failover settings can come from `SAPHanaController`.
 * Update collection for WLM metric `ha_sr_hook_configured`.
 * Refactor CheckTopology to accept instance number.
 * Use constant backoff with max retries for snapshot group operations.
 * Update workloadagentplatform dependency

-----------------------------------------------------------------
Advisory ID: 585
Released:    Fri Apr 17 12:37:59 2026
Summary:     Feature update for libgcrypt, libgpg-error
Type:        feature
Severity:    moderate
References:  1255764,1256070,CVE-2024-2236,CVE-2025-15444,CVE-2025-69277
This update for libgcrypt, libgpg-error fixes the following issues:

Update libgcrypt to 1.12.1 (jsc#PED-15059):

* New and extended interfaces:
 - Allow access to the FIPS service indicator via the new
 GCRYCTL_FIPS_SERVICE_INDICATOR control code.
 - Make SHA-1 non-FIPS internally for the 1.12 API
 - Add Dilithium (ML-DSA) support
 - Support optional random-override and support byte string data

* Bug fixes:
 - Use secure MPI in _gcry_mpi_assign_limb_space.
 - Use CSIDL_COMMON_APPDATA instead of /etc on Windows.
 - Apply a Kyber patch from upstream.
 - Fix an edge case in Jent initialization.
 - mceliece6688128f: Fix stack overflow crash on win64/wine
 * Performance:
 - Many performance improvements, new AVX512 implementations for modern CPUs.
 - Add RISC-V Zbb+Zbc implementation of CRC.
 - Add RISC-V vector cryptography implementation of GHASH, AES, SHA256 and SHA512
 - Add AVX2 and AVX512 code paths to improve CRC.

For a full changelog, see:
https://dev.gnupg.org/source/libgcrypt/history/master/;libgcrypt-1.12.0

Update libgpg-error to 1.58:

 * New src/gpg-error.c (main): New command 'fconcat'.
 * Rename src/spawn-posix.c (struct gpgrt_spawn_actions): Rename the field to
 ENVP.
 * argparse: Use SYSCONFDIR for /etc.
 * Update translations for Portugese, German
 * src/estream.c (parse_mode): Fix parsing of 'share'. Set sysopen
 flag.
 * syscfg: Add 64-bit Android arch.

-----------------------------------------------------------------
Advisory ID: 594
Released:    Mon Apr 20 16:02:24 2026
Summary:     Security update for go1.25
Type:        security
Severity:    important
References:  1244485,1258045,1258049,1258054,1258080,1258081,1261653,1261654,1261655,1261656,1261657,1261658,1261659,1261660,1261661,CVE-2026-0964,CVE-2026-0965,CVE-2026-0966,CVE-2026-0967,CVE-2026-0968,CVE-2026-27140,CVE-2026-27143,CVE-2026-27144,CVE-2026-32280,CVE-2026-32281,CVE-2026-32282,CVE-2026-32283,CVE-2026-32288,CVE-2026-32289
This update for go1.25 fixes the following issues:

- Update to version go1.25.9 (bsc#1244485).
- CVE-2026-27140: cmd/go: trust layer bypass when using cgo and SWIG (bsc#1261653).
- CVE-2026-27143: cmd/compile: possible memory corruption after bound check elimination (bsc#1261654).
- CVE-2026-27144: cmd/compile: no-op interface conversion bypasses overlap checking (bsc#1261655).
- CVE-2026-32280: crypto/x509: unexpected work during chain building (bsc#1261656).
- CVE-2026-32281: crypto/x509: inefficient policy validation (bsc#1261657).
- CVE-2026-32282: os: Root.Chmod can follow symlinks out of the root on Linux (bsc#1261658).
- CVE-2026-32283: crypto/tls: multiple key update handshake messages can cause connection to deadlock (bsc#1261659).
- CVE-2026-32288: archive/tar: unbounded allocation when parsing old format GNU sparse map (bsc#1261660).
- CVE-2026-32289: html/template: JS template literal context incorrectly tracked (bsc#1261661).

-----------------------------------------------------------------
Advisory ID: 593
Released:    Mon Apr 20 16:46:54 2026
Summary:     Security update for rust1.94
Type:        security
Severity:    moderate
References:  1256525,1256526,1257364,1257365,1258020,1259623,1261876,CVE-2025-28162,CVE-2025-28164,CVE-2026-22695,CVE-2026-22801,CVE-2026-25646,CVE-2026-31812
This update for rust1.94 fixes the following issues:

Changes in rust1.94:

- Don't force gcc-15 on SLE-16 and higher (bsc#1261876)

Update to rust1.94.1:

- Release notes can be found externally: https://github.com/rust-lang/rust/releases/tag/1.94.1

- Avoid unwrapping varint decoding during parameters parsing
  (bsc#1259623 CVE-2026-31812).

- Release notes can be found externally: https://github.com/rust-lang/rust/releases/tag/1.94.0

-----------------------------------------------------------------
Advisory ID: 597
Released:    Mon Apr 20 17:50:21 2026
Summary:     Recommended update for the initial kernel livepatch
Type:        recommended
Severity:    important
References:  1246965,1256766,1256822,1257005,CVE-2025-15281,CVE-2025-8058,CVE-2026-0861,CVE-2026-0915


This update contains initial livepatches for the SUSE Linux Enterprise Server 16.0 and SUSE Linux Micro 6.2 kernel update.


-----------------------------------------------------------------
Advisory ID: 603
Released:    Tue Apr 21 11:59:18 2026
Summary:     Security update for libpng16
Type:        security
Severity:    moderate
References:  1257325,1261957,CVE-2025-13465,CVE-2026-34757
This update for libpng16 fixes the following issue:

- CVE-2026-34757: libpng: Information disclosure and data corruption via use-after-free vulnerability (bsc#1261957).

-----------------------------------------------------------------
Advisory ID: 604
Released:    Tue Apr 21 12:26:17 2026
Summary:     Recommended update for gdb
Type:        recommended
Severity:    important
References:  1238724,1249147,1251213,1257111,1258002
This update for gdb fixes the following issues:

Changes in gdb:

- Re-enable ptype /o for flexible array member types (swo#33966, bsc#1249147).
- Fix TUI crash when encountering a debuginfod query while entering TUI (swo#31449, swo#33794).
- Fix a case on x86_64/-m32 where displaced stepping steps out of the displaced stepping buffer (swo#33997).
- Fix generation of core files using gcore for glibc 2.42 (swo#33855).
- Fix slow symbol lookup with dwz-compressed debuginfo (swo#33825, bsc#1257111).
- Fix failure to list source file with dwz-compressed debuginfo (brc#2403580).
- Fix slow symbol table reading with dwz-compressed debuginfo (swo#33777).
- Fix heap-use-after-free, reported by TSAN.
- Fix backtrace through signal trampoline on s390x (swo#33708).
- Work around recursively defined sle_version on openSUSE Leap 16.0 (bsc#1238724).

-----------------------------------------------------------------
Advisory ID: 608
Released:    Tue Apr 21 17:49:23 2026
Summary:     Security update for the Linux Kernel RT (Live Patch 2 for SUSE Linux Enterprise 16)
Type:        security
Severity:    important
References:  1247850,1247858,1250553,1255066,1256804,1256805,1256807,1256808,1256809,1256810,1256811,1256812,1257593,1257594,1257595,1259859,CVE-2025-10911,CVE-2025-40309,CVE-2025-8732,CVE-2026-0989,CVE-2026-0990,CVE-2026-0992,CVE-2026-1757,CVE-2026-23268

This update for the SUSE Linux Enterprise Kernel 6.12.0-160000.7.1 fixes various security issues

The following security issues were fixed:

- CVE-2025-40309: Bluetooth: SCO: Fix UAF on sco_conn_free (bsc#1255066).
- CVE-2026-23268: apparmor: fix unprivileged local user can do privileged policy management (bsc#1259859).

-----------------------------------------------------------------
Advisory ID: 610
Released:    Tue Apr 21 20:19:42 2026
Summary:     Security update for the Linux Kernel RT (Live Patch 1 for SUSE Linux Enterprise 16)
Type:        security
Severity:    important
References:  1216378,1255066,1258392,1259859,CVE-2023-45853,CVE-2025-40309,CVE-2026-23268,CVE-2026-27171

This update for the SUSE Linux Enterprise Kernel 6.12.0-160000.6.1 fixes various security issues

The following security issues were fixed:

- CVE-2025-40309: Bluetooth: SCO: Fix UAF on sco_conn_free (bsc#1255066).
- CVE-2026-23268: apparmor: fix unprivileged local user can do privileged policy management (bsc#1259859).

-----------------------------------------------------------------
Advisory ID: 617
Released:    Wed Apr 22 12:03:51 2026
Summary:     Security update for openexr
Type:        security
Severity:    important
References:  1259362,1259363,1259364,1259365,1261621,1261622,1261624,1261634,CVE-2026-1965,CVE-2026-34379,CVE-2026-34380,CVE-2026-34588,CVE-2026-34589,CVE-2026-3783,CVE-2026-3784,CVE-2026-3805
This update for openexr fixes the following issues:

- CVE-2026-34379: misaligned memory write during file decoding can cause a denial of service (bsc#1261621).
- CVE-2026-34380: lack of proper check can lead to integer overflow in image decoding (bsc#1261622).
- CVE-2026-34588: crafted EXR file can lead to out of bound read and write (bsc#1261624).
- CVE-2026-34589: crafted scanline DWAA file can lead to arbitrary code execution or denial of service (bsc#1261634).

-----------------------------------------------------------------
Advisory ID: 625
Released:    Wed Apr 22 12:22:37 2026
Summary:     Security update for libcap
Type:        security
Severity:    important
References:  1259051,1261809,CVE-2026-28417,CVE-2026-4878
This update for libcap fixes the following issues:

- CVE-2026-4878: local privilege escalation through file capability injection due to TOCTOU race condition in
  `cap_set_file()` (bsc#1261809).

-----------------------------------------------------------------
Advisory ID: 631
Released:    Thu Apr 23 08:55:28 2026
Summary:     Security update for the Linux Kernel (Live Patch 1 for SUSE Linux Enterprise 16)
Type:        security
Severity:    important
References:  1254670,1255066,1259619,1259859,CVE-2025-40309,CVE-2025-70873,CVE-2025-7709,CVE-2026-23268

This update for the SUSE Linux Enterprise Kernel 6.12.0-160000.6.1 fixes various security issues

The following security issues were fixed:

- CVE-2025-40309: Bluetooth: SCO: Fix UAF on sco_conn_free (bsc#1255066).
- CVE-2026-23268: apparmor: fix unprivileged local user can do privileged policy management (bsc#1259859).

-----------------------------------------------------------------
Advisory ID: 637
Released:    Fri Apr 24 12:00:57 2026
Summary:     Recommended update for grub2
Type:        recommended
Severity:    important
References:  1221126,1259543,1259803,CVE-2026-30922
This update for grub2 fixes the following issues:

- Fix missing install device check in grub2-install on PowerPC which could lead
  to bootlist corruption (bsc#1221126)
    * add mandatoryminstallmdevicemcheckmformPowerPC
- Fix double free in xen booting if root filesystem is Btrfs (bsc#1259543)
    * btrfs: add ability to boot from subvolumes
    * btrfs: get default subvolume

-----------------------------------------------------------------
Advisory ID: 638
Released:    Fri Apr 24 12:02:01 2026
Summary:     Security update for the Linux Kernel (Live Patch 5 for SUSE Linux Enterprise 16)
Type:        security
Severity:    important
References:  1228081,1254293,1256427,1259418,1259650,1259697,1259859,CVE-2026-23268,CVE-2026-29111,CVE-2026-4105

This update for the SUSE Linux Enterprise Kernel 6.12.0-160000.26.1 fixes one security issue

The following security issue was fixed:

- CVE-2026-23268: apparmor: fix unprivileged local user can do privileged policy management (bsc#1259859).

-----------------------------------------------------------------
Advisory ID: 642
Released:    Fri Apr 24 12:10:11 2026
Summary:     Recommended update for cryptsetup, s390-tools
Type:        recommended
Severity:    important
References:  1241612,1258506,1259616,1261772,1261824,1262221,CVE-2026-32597
This update for cryptsetup, s390-tools fixes the following issues:

Changes in cryptsetup:

- Update to 2.8.4: (jsc#PED-15889)
  * Fix integritysetup resize (grow) of the device if integrity bitmap
    mode is used. Increasing the integrity device in bitmap mode did
    not work as integritysetup incorrectly used journal settings that
    were not applicable.
  * Fix device size status reports in cryptsetup and integritysetup.
    If the device uses a sector size larger than 512 bytes, the newly
    reported byte sizes (introduced in 2.8.0) in the status report
    were incorrectly displayed.
  * BITLK: Fix unlocking BitLocker device with recovery passphrase.
    If the recovery passphrase was present in the first keyslot, the
    device failed to unlock. This bug was introduced in 2.8.2 with
    Clear Key support.

- Update to 2.8.3:
  * Stable bug-fix release with minor extensions.

- Update to 2.8.2:
  * BITLK: Fix for BitLocker metadata validation on big-endian systems.

- Update to 2.8.1:
  * Fix status and deactivation of TCRYPT (VeraCrypt compatible) devices that use chained ciphers.
  * Fix unlocking BITLK (BitLocker compatible) devices with multibyte UTF8 characters in the passphrase.
  * Do not allow activation of the LUKS2 device if the used keyslot is not encrypted (it uses a null cipher).
    - Such a configuration cannot be created by cryptsetup, but can be crafted outside of it.
    - Null cipher is sometimes used to create an empty container for later reencryption.
    - Only an empty passphrase can activate such a container (the same as in LUKS1).
  * Do not silently decrease PBKDF parallel cost (threads) if set by an option.
    - The maximum parallel cost is limited to 4 threads.
  * Fixes to configuration and installation scripts.
    - Meson and autoconf tools now properly support --prefix option for temporary directory installation.
    - Multiple fixes and cleanups to config.h for compatibility between Meson and autoconf.
    - Fix the luks2-external-tokens-path Meson option to work the same as in autoconf.
    - Fix Meson install for tool binaries, install fvault2Open man page and include test/fuzz/meson.build in release.
  * Major update to manual pages.
    - Try to explain the PBKDF hardcoded limits.
    - Add a better explanation for automatic integrity tag recalculation.
    - Mention crypt/verity/integritytab.
    - Remove or reformulate some misleading warnings present only with old and no longer supported kernels.
    - Clarify that some commands do not wipe data and unify OPAL reset wording.
    - Clarify the --label option.
    - There are also many other grammar and stylistic fixes to unify the man-page style.
  * Fixes for false-positive and annoying (optional) warnings added in recent compilers.

- Update to 2.8.0:
  * Full release notes in:
    - https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.8/v2.8.0-ReleaseNotes
  * Introduce support for inline mode (use HW sectors with additional hardware
    metadata space).
  * Finalize use of keyslot context API.
  * Make all keyslot context types fully self-contained.
  * Add --key-description and --new-key-description cryptsetup options.
  * Support more precise keyslot selection in reencryption initialization.
  * Allow reencryption to resume using token and volume keys.
  * Cryptsetup repair command now tries to check LUKS keyslot areas for corruption.
  * Opal2 SED: PSID keyfile is now expected to be 32 alphanumeric characters.
  * Opal2: Avoid the Erase method and use Secure Erase for locking range.
  * Opal2: Fix some error description (in debug only).
  * Opal2: Do not allow deferred deactivation.
  * Allow --reduce-device-size and --device-size combination for reencryption
    (encrypt) action.
  * Fix the userspace storage backend to support kernel 'capi:' cipher specification format.
  * Disallow conversion from LUKS2 to LUKS1 if kernel 'capi:' cipher specification is used.
  * Explicitly disallow kernel 'capi:' cipher specification format for LUKS2
    keyslot encryption.
  * Do not allow conversion of LUKS2 to LUKS1 if an unbound keyslot is present.
  * cryptsetup: Adjust the XTS key size for kernel 'capi:' cipher specification.
  * Remove keyslot warning about possible failure due to low memory.
  * Do not limit Argon2 KDF memory cost on systems with more than 4GB of available memory.
  * Properly report out of memory error for cryptographic backends implementing Argon2.
  * Avoid KDF2 memory cost overflow on 32-bit platforms.
  * Do not use page size as a fallback for device block size.
  * veritysetup: Check hash device size in advance.
  * Print a better error message for unsupported LUKS2 AEAD device resize.
  * Optimize LUKS2 metadata writes.
  * veritysetup: support --error-as-corruption option.
  * Report all sizes in status and dump command output in the correct units.
  * Add --integrity-key-size option to cryptsetup.
  * Support trusted and encrypted keyrings for plain devices.
  * Support plain format resize with a keyring key.
  * TCRYPT: Clear mapping of system-encrypted partitions.
  * TCRYPT: Print all information from the decrypted metadata header in
    the tcryptDump command.
  * Always lock the volume key structure in memory.
  * Do not run direct-io read check on block devices.
  * Fix a possible segfault in deferred deactivation.
  * Exclude cipher allocation time from the cryptsetup benchmark.
  * Add Mbed-TLS optional crypto backend.
  * Fix the wrong preprocessor use of #ifdef for config.h processed by Meson.
  * Reorganize license files. The license text files are now in docs/licenses.
    The COPYING file in the root directory is the default license.
  * Remove cc-by-sa-4.0.txt as already shipped now in docs/licenses
    and named as COPYING.CC-BY-SA-4.0.
  * Libcryptsetup API extensions. The libcryptsetup API is backward compatible
    with all existing symbols. Due to the self-contained memory allocation,
    these symbols have the new version:
    - crypt_keyslot_context_init_by_passphrase;
    - crypt_keyslot_context_init_by_keyfile;
    - crypt_keyslot_context_init_by_token;
    - crypt_keyslot_context_init_by_volume_key;
    - crypt_keyslot_context_init_by_signed_key;
    - crypt_keyslot_context_init_by_keyring;
    - crypt_keyslot_context_init_by_vk_in_keyring;
  * New symbols:
    - crypt_format_inline
    - crypt_get_old_volume_key_size
    - crypt_reencrypt_init_by_keyslot_context
    - crypt_safe_memcpy
  * New defines:
    - CRYPT_ACTIVATE_HIGH_PRIORITY
    - CRYPT_ACTIVATE_ERROR_AS_CORRUPTION
    - CRYPT_ACTIVATE_INLINE_MODE
    - CRYPT_REENCRYPT_CREATE_NEW_DIGEST
  * New requirement flag:
    - CRYPT_REQUIREMENT_INLINE_HW_TAGS

- Add a dependency on device-mapper to libcryptsetup12 to install
  the required device-mapper udev rules. [bsc#1241612]

Changes in s390-tools:

- Applied a patch to remove phmac_s390 kernel module load from dracut
- Applied tools-combined modified patch (bsc#1262221)
- Amended SUSE's 'pkey.conf'
- Re-vendor-ed vendor.tar.zst

- Applied patches (bsc#1261824, bsc#1261772)
  * Replace sort_field option with sort
  * hyptop opts Fix long command line option abbreviations
- Refactored the spec file for transactional and immutable OS
  * Modernized the .spec file for transactional and immutable OS environments.
  * Removed legacy suse_version and sle_version conditionals, standardizing on UsrMerge paths.
  * Replaced manual %pre group creations with systemd-sysusers configuration for ts-shell, zkeyadm, and cpacfstats.
  * Replaced hardcoded /var/log directory management with systemd-tmpfiles configuration.
  * Removed obsolete systemctl daemon-reload calls and consolidate standard %service_* systemd macros.
  * Dropped brittle dynamic file list generation (find/grep) in favor of explicit and deterministic %files declarations.
  * Resolved 'File listed twice' conflicts between the main package and chreipl-fcp-mpath subpackage.
  * Added missing BuildRequires for systemd-rpm-macros and sysuser-tools.
  * Fixed unpackaged files errors for mdevctl callouts, shell completions, and root /lib helpers.
  * Changed BuildArch to noarch for the chreipl-fcp-mpath subpackage.
- Added files (renamed from *.opensuse)
  * 59-graf.rules
  * dasd_configure
  * dasd_reload
  * detach_disks.sh
  * iucv_configure
  * killcdl
  * mkdump.pl
  * README.SUSE
  * virtsetup.sh
  * vmlogrdr.service
- Removed obolete files
  * 59-graf.rules.opensuse
  * 59-graf.rules.suse
  * dasd_configure.opensuse
  * dasd_configure.suse
  * dasd_reload.opensuse
  * dasd_reload.suse
  * detach_disks.sh.opensuse
  * detach_disks.sh.suse
  * iucv_configure.opensuse
  * iucv_configure.suse
  * killcdl.opensuse
  * killcdl.suse
  * mkdump.pl.opensuse
  * mkdump.pl.suse
  * README.SUSE.opensuse
  * README.SUSE.suse
  * virtsetup.sh.opensuse
  * virtsetup.sh.suse
  * vmlogrdr.service.opensuse
  * vmlogrdr.service.suse

- Upgrade s390-tools to version 2.41.0 (jsc#PED-14586, jsc#PED-15488)
- Changes of existing tools:
  * chreipl: Make --bootparms work for ECKD re-IPL
  * cpacfstats: Add 'unauthorized' state to CPU-MF counters
  * cpictl: Detect RHCOS using VARIANT_ID
  * hsci: Automatically set appropriate MTU for HSCI
  * libutil: Add util_readlink() and util_readlinkat() helpers
  * libutil: Add util_startswith() to util_str
  * libutil: Add utility parsing functions
  * lschp: Add support for structured output (--format)
  * lsreipl: Suppress 'clear' output if not supported
  * pvimg: Add '--format text' support to 'pvimg info'
  * pvimg: Add '--print-schema ' option to 'pvimg info'
  * pvimg: Add '--show-secrets' flag to 'pvimg info'
  * pvimg: Provide improved JSON output to 'pvimg info --format json'
  * pvinfo: Improve User experience on non-SE enabled systems
  * zipl/ngdump: Ensure ext4 file system is used on dump partition
  * zkey: Add support for integrity protected disks using HMAC keys
- Bug Fixes:
  * cpumf/pai: Handle different size of perf_event_attr
  * lscss: Fix memory leak
  * zipl: Fix dump job on tape devices
- Amended the .spec file (bsc#1258506)
  * 'Installing' all shipped rules from etc/udev/rules.d to /usr/lib/udev/rules.d
  * BuildRequires:  cryptsetup-devel >= 2.8.2
- Updated the code for IBM z17 machine type 9176:
  * read_values.c
  * cputype
  * Renamed cputype.1 to cputype.8 and amended
  * Amended read_values.8
- 'Improved' the read_values.c:
  * Added functionalities for '-a' and '-L attributes'
- Reworked and combined all s390-tools patches (jsc#PED-14586)
- Applied new combined patches
- Removed obsolete patches

-----------------------------------------------------------------
Advisory ID: 644
Released:    Mon Apr 27 13:20:01 2026
Summary:     Security update for container-suseconnect
Type:        security
Severity:    moderate
References:  1259845,CVE-2026-27135
This update for container-suseconnect fixes the following issues:

Changes in container-suseconnect:

- switch to build with go 1.25

-----------------------------------------------------------------
Advisory ID: 651
Released:    Tue Apr 28 18:18:32 2026
Summary:     Security update for glibc-livepatches
Type:        security
Severity:    important
References:  1258311,1259825,1261209,CVE-2026-4046
This update for glibc-livepatches fixes the following issue:

- CVE-2026-4046: assertion failure when converting inputs may be used to remotely crash an application (bsc#1261209).

-----------------------------------------------------------------
Advisory ID: 650
Released:    Tue Apr 28 18:22:53 2026
Summary:     Recommended update for xfsprogs
Type:        recommended
Severity:    moderate
References:  1246399,CVE-2025-45582
This update for xfsprogs fixes the following issues:

- update to 6.19.0:
    * xfs_io:
        + print more realtime subvolume related information in statfs
        + fix fsmap help
    * mkfs:
        + fix log sunit automatic configuration
        + fix protofile data corruption when in/out file block sizes don't match
        + remove unnecessary return value affectation
        + quiet down warning about insufficient write zones
        + set rtstart from user-specified dblocks
    * libxfs: fix data corruption bug in libxfs_file_write
    * misc: fix a few memory leaks
    * mkfs.xfs fix sunit size on 512e and 4kN disks.
    * xfs_scrub_all: fix non-service-mode arguments to xfs_scrub
    * xfs: use blkdev_report_zones_cached()
    * include blkzoned.h in platform_defs.h
    * xfs_mdrestore: fix restoration on filesystems with 4k sectors
    * xfs_logprint: print log data to the screen in host-endian order

-----------------------------------------------------------------
Advisory ID: 654
Released:    Wed Apr 29 11:45:23 2026
Summary:     Security update for PackageKit
Type:        security
Severity:    important
References:  1259711,1259726,1259729,1262220,CVE-2026-32776,CVE-2026-32777,CVE-2026-32778,CVE-2026-41651
This update for PackageKit fixes the following issues:

- CVE-2026-41651: race condition allows for arbitrary RPM package installation as root and can lead to LPE
  (bsc#1262220).

-----------------------------------------------------------------
Advisory ID: 655
Released:    Wed Apr 29 13:20:23 2026
Summary:     Security update for libssh
Type:        security
Severity:    moderate
References:  1246974,1249375,1258045,1258049,1258054,1258080,1258081,1260589,CVE-2025-8114,CVE-2025-8277,CVE-2026-0964,CVE-2026-0965,CVE-2026-0966,CVE-2026-0967,CVE-2026-0968,CVE-2026-25645
This update for libssh fixes the following issues:

- Update to version 0.11.4:
- CVE-2026-0964: SCP Protocol Path Traversal in ssh_scp_pull_request() (bsc#1258049)
- CVE-2026-0965: Possible Denial of Service when parsing unexpected configuration files (bsc#1258045)
- CVE-2026-0966: Buffer underflow in ssh_get_hexa() on invalid input (bsc#1258054)
- CVE-2026-0967: Specially crafted patterns could cause DoS (bsc#1258081)
- CVE-2026-0968: OOB Read in sftp_parse_longname() (bsc#1258080)
- CVE-2025-8114: Fix NULL pointer dereference after allocation failure (bsc#1246974)
- CVE-2025-8277: Fix memory leak of ephemeral key pair during repeated wrong KEX (bsc#1249375)

-----------------------------------------------------------------
Advisory ID: 657
Released:    Wed Apr 29 16:14:51 2026
Summary:     Recommended update for python-urllib3
Type:        recommended
Severity:    moderate
References:  1254867,1260441,1260442,1260443,1260444,1260445,CVE-2025-66471,CVE-2026-28387,CVE-2026-28388,CVE-2026-28389,CVE-2026-31789,CVE-2026-31790
This update for python-urllib3 fixes the following issue:

- Fix regression in CVE-2025-66471.patch (bsc#1254867)

-----------------------------------------------------------------
Advisory ID: 659
Released:    Wed Apr 29 16:19:47 2026
Summary:     Security update for ntfs-3g_ntfsprogs
Type:        security
Severity:    important
References:  1260078,1260082,1262216,CVE-2026-40706,CVE-2026-4437,CVE-2026-4438
This update for ntfs-3g_ntfsprogs fixes the following issue:

- CVE-2026-40706: heap buffer overflow in ntfs_build_permissions_posix() in acls.c (bsc#1262216).

-----------------------------------------------------------------
Advisory ID: 660
Released:    Wed Apr 29 16:35:24 2026
Summary:     Security update for openexr
Type:        security
Severity:    important
References:  1260754,1260755,1262425,1262426,CVE-2026-33416,CVE-2026-33636,CVE-2026-40244,CVE-2026-40250
This update for openexr fixes the following issues:

- CVE-2026-40244: integer overflow in DWA setupChannelData planarUncRle pointer arithmetic (bsc#1262426).
- CVE-2026-40250: integer overflow in DWA decoder outBufferEnd pointer arithmetic (bsc#1262425).

-----------------------------------------------------------------
Advisory ID: 672
Released:    Mon May  4 12:45:50 2026
Summary:     Security update for php-composer2
Type:        security
Severity:    important
References:  1255768,1261678,1262254,1262255,CVE-2025-67746,CVE-2026-28390,CVE-2026-40176,CVE-2026-40261
This update for php-composer2 fixes the following issues:

- CVE-2025-67746: ANSI control characters injection in terminal output of various Composer commands via attacker
  controlled remote sources (bsc#1255768).
- CVE-2026-40176: arbitrary command injection via malicious Perforce repository definition (bsc#1262254).
- CVE-2026-40261: arbitrary command injection via malicious Perforce source reference/url (bsc#1262255).

-----------------------------------------------------------------
Advisory ID: 675
Released:    Tue May  5 02:19:27 2026
Summary:     Security update for openssl-3-x86_64-v3-livepatches
Type:        security
Severity:    critical
References:  1250410,1256876,1256878,1256880,1259271,1261809,CVE-2025-11187,CVE-2025-15467,CVE-2025-15468,CVE-2025-9230,CVE-2026-4878
This update for openssl-3-x86_64-v3-livepatches fixes the following issues:

Changes in openssl-3-x86_64-v3-livepatches:

- Add package for libopenssl3-x86-64-v3-3.5.0 (bsc#1259271).

Fixed:

- CVE-2025-11187: Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification  (bsc#1256878).
- CVE-2025-15467: Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256876).
- CVE-2025-15468: Fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher ID (bsc#1256880).
- CVE-2025-9230: Fixed Out-of-bounds read & write in RFC 3211 KEK Unwrap (CVE-2025-9230) (bsc#1250410).

-----------------------------------------------------------------
Advisory ID: 676
Released:    Tue May  5 02:33:21 2026
Summary:     Security update for mozjs128
Type:        security
Severity:    important
References:  1222465,1234736,1259713,1259728,1259731,CVE-2026-32776,CVE-2026-32777,CVE-2026-32778
This update for mozjs128 fixes the following issues:

- CVE-2026-32776: libexpat: NULL pointer dereference when processing empty external parameter entities inside an entity
  declaration value (bsc#1259728).
- CVE-2026-32777: libexpat: denial of service due to infinite loop in DTD content parsing (bsc#1259713).
- CVE-2026-32778: libexpat: NULL pointer dereference in `setContext` on retry after an out-of-memory condition
  (bsc#1259731).

-----------------------------------------------------------------
Advisory ID: 680
Released:    Tue May  5 09:18:26 2026
Summary:     Security update for strongswan
Type:        security
Severity:    important
References:  1261705,1261706,1261708,1261712,1261717,1261718,1261720,1261957,CVE-2026-34757,CVE-2026-35328,CVE-2026-35329,CVE-2026-35330,CVE-2026-35331,CVE-2026-35332,CVE-2026-35333,CVE-2026-35334
This update for strongswan fixes the following issues:

Update to version 6.0.6 (jsc#PED-16145).

Security issued fixed:

- CVE-2026-35328: infinite loop when handling supported versions TLS extension (bsc#1261712).
- CVE-2026-35329: NULL pointer dereference when processing padding in PKCS#7 (bsc#1261717).
- CVE-2026-35330: integer underflow when handling EAP-SIM/AKA attributes (bsc#1261705).
- CVE-2026-35331: acceptance of certificates violating X.509 name constraints (bsc#1261718).
- CVE-2026-35332: NULL pointer dereference when handling ECDH public value in TLS (bsc#1261708).
- CVE-2026-35333: integer underflow when handling RADIUS attributes (bsc#1261706).
- CVE-2026-35334: possible NULL pointer dereference in RSA decryption (bsc#1261720).

Other updates and bugfixes:

- Version 6.0.6.
  * Enhancements and Optimizations
    * Added the unique ID to the log messages when creating an IKE SA as responder and when deleting such a half-open
      SA
    * The credential factory now enforces an upper limit of 10 when creating nested credentials.
    * Added Georgian translation to the NM plugin.
  * Fixes
    * IKEv2 fragments with a total fragment count lower than before are now dropped as mandated by the RFC .
    * Fixed a potential out-of-bounds read when parsing EAP-SIM/AKA attributes with actual length field.
    * Fixed a potential out-of-bounds read when enumerating hashes in OCSP CERTREQ payloads .
    * Fixed a potential crash in the vici plugin when parsing messages that encode the length of a VICI_LIST_ITEM
      incorrectly.
    * Avoid allocating a large buffer for TLS cipher suites on the stack using alloca().
    * Ensure TLS 1.3 CertificateRequest structures are valid on the client.
    * Prevent an infinite loop if the EAP-SIM version list on the client contains more than one entry .
    * Fixed a crash in the tnccs_11 plugin if TNCCS-ReasonStrings is empty or only contains empty nodes .
    * Fixed verification of RSA signatures with SHA3-224 via botan plugin.
    * Close the internal IPv6 socket when a tun_device_t is destroyed .
    * Update the address family in the SA selector when the addresses of a tunnel mode IPsec SA change in the
      kernel-netlink plugin.
- Version 6.0.5:
  * Fixed a vulnerability in the eap-ttls plugin related to processing EAP-TTLS AVPs that can lead to resource
    exhaustion or a crash.
  * The new `icmp` option enables the forwarding of certain ICMP error messages (e.g. Fragmentation Needed), even if
    their source address doesn't match the negotiated traffic selectors, when running on Linux kernels that support this
    (v6.9+).
  * charon-cmd now supports childless IKE SA initiation with the `--childless` option.
  * The dhcp plugin now keeps track of address leases across make-before-break reauthentications to avoid releasing the
    address when the old SA is terminated
  * Added support for `organizationIdentifier` RDNs, which are used in e.g. eIDAS certificates, when parsing ASN.1 DN
    identities from strings.

-----------------------------------------------------------------
Advisory ID: 681
Released:    Tue May  5 11:00:09 2026
Summary:     Recommended update for translate-suse-desktop
Type:        recommended
Severity:    moderate
References:  1259924,CVE-2025-69720
This update for translate-suse-desktop fixes the following issue:

- Provide translate-suse-desktop to released products (PED-13823)

-----------------------------------------------------------------
Advisory ID: 688
Released:    Tue May  5 19:30:28 2026
Summary:     Security update for the Linux Kernel RT (Live Patch 7 for SUSE Linux Enterprise 16)
Type:        security
Severity:    important
References:  1261630,1261845,1262144,1263689,CVE-2026-23437,CVE-2026-31406,CVE-2026-31431,CVE-2026-5958

This update for the SUSE Linux Enterprise Kernel 6.12.0-160000.28.1 fixes various security issues

The following security issues were fixed:

- CVE-2026-23437: net: shaper: protect late read accesses to the hierarchy (bsc#1261845).
- CVE-2026-31406: xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini() (bsc#1261630).
- CVE-2026-31431: crypto: algif_aead - Revert to operating out-of-place (bsc#1263689).


-----------------------------------------------------------------
Advisory ID: 695
Released:    Tue May  5 22:45:33 2026
Summary:     Security update for the Linux Kernel RT (Live Patch 3 for SUSE Linux Enterprise 16)
Type:        security
Severity:    important
References:  1252048,1258005,1258655,1259126,1259362,1261630,1261845,1262631,1262632,1262635,1262636,1262638,1263689,CVE-2025-39977,CVE-2025-71066,CVE-2026-1965,CVE-2026-23004,CVE-2026-23204,CVE-2026-23437,CVE-2026-31406,CVE-2026-31431,CVE-2026-4873,CVE-2026-5545,CVE-2026-6253,CVE-2026-6276,CVE-2026-6429

This update for the SUSE Linux Enterprise Kernel 6.12.0-160000.8.1 fixes various security issues

The following security issues were fixed:

- CVE-2025-39977: futex: Prevent use-after-free during requeue-PI (bsc#1252048).
- CVE-2025-71066: net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change
  (bsc#1258005).
- CVE-2026-23004: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() (bsc#1258655).
- CVE-2026-23204: net/sched: cls_u32: use skb_header_pointer_careful() (bsc#1259126).
- CVE-2026-23437: net: shaper: protect late read accesses to the hierarchy (bsc#1261845).
- CVE-2026-31406: xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini() (bsc#1261630).
- CVE-2026-31431: crypto: algif_aead - Revert to operating out-of-place (bsc#1263689).


-----------------------------------------------------------------
Advisory ID: 701
Released:    Wed May  6 02:05:54 2026
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1263366,1263367,CVE-2026-40355,CVE-2026-40356
This update for apparmor fixes the following issues:

Changes in apparmor:

- Use systemd-tmpfiles for path creation (jsc#PED-14916, jsc#PED-14917)
- Update to AppArmor 4.1.7
  - profile updates
  - minor fixes in parser and program utilities
  - update %files for new python LibAppArmor location
- Fix file list to match all possible LibAppArmor module names
- Updating kerberosclient utility
- Removed dovecot upstreamed patches

-----------------------------------------------------------------
Advisory ID: 708
Released:    Wed May  6 12:44:56 2026
Summary:     Recommended update for libselinux
Type:        recommended
Severity:    moderate
References:  1261639,1262223,CVE-2026-41035
This update for libselinux fixes the following issues:

- Backport commit 'libselinux: retain LIFO order for path substitutions' (bsc#1261639)
    * otherwise we can not add equivalencies that overload each other in the policy
    * libselinux: retain LIFO order for path substitutions

-----------------------------------------------------------------
Advisory ID: 710
Released:    Wed May  6 14:43:17 2026
Summary:     Recommended update for python-hatchling
Type:        recommended
Severity:    moderate
References:  1261206,1262464,1262465,CVE-2026-4046,CVE-2026-5450,CVE-2026-5928
This update for python-hatchling fixes the following issues:

Changes in python-hatchling:

- Convert to libalternatives on SLE-16-based and newer systems only

-----------------------------------------------------------------
Advisory ID: 720
Released:    Thu May  7 18:05:16 2026
Summary:     Recommended update for gtk-vnc
Type:        recommended
Severity:    moderate
References:  1201840,1202970,1204538,1234100,1234101,1234102,1234103,1234104,1235475,1251850,1254441,1262223,1264511,1264512,1264513,1264514,1264515,1265296,CVE-2022-29154,CVE-2024-12084,CVE-2024-12085,CVE-2024-12086,CVE-2024-12087,CVE-2024-12088,CVE-2024-12747,CVE-2025-10158,CVE-2026-29518,CVE-2026-41035,CVE-2026-43617,CVE-2026-43618,CVE-2026-43619,CVE-2026-43620,CVE-2026-45232
This update for gtk-vnc fixes the following issues:

- Fixed that removal of spice led to a regression in functionality, specifically for graphical console copy paste (bsc#1251850)

-----------------------------------------------------------------
Advisory ID: 721
Released:    Thu May  7 18:13:26 2026
Summary:     Recommended update for elemental-toolkit
Type:        recommended
Severity:    moderate
References:  1261606,CVE-2026-27456
This update for elemental-toolkit fixes the following issues:

Changes in elemental-toolkit:

- Drop upstream reproducible build patch.

-----------------------------------------------------------------
Advisory ID: 723
Released:    Fri May  8 10:01:26 2026
Summary:     Recommended update for suseconnect-ng
Type:        recommended
Severity:    important
References:  1230861,1239439,1241002,1244550,1257490,1257625,1257667,1257825,1261155,1261280,CVE-2026-34743
This update for suseconnect-ng fixes the following issues:

- Update version to 1.21.1:
    * Fix nil token handling (bsc#1261155)
    * Switch to using go1.24-openssl as the default Go version to
      install to support building the package (jsc#SCC-585).
- Update version to 1.21:
    * Add expanded metric collection for kernel modules and hardware detection (jsc#TEL-226).
    * Support new profile based metric collection
    * Fix ignored --root parameter hanbling when reading and writing configuration (bsc#1257667)
    * Add expanded metric collection for system vendor/manfacturer (jsc#TEL-260).
    * Removed backport patch
    * Add missing product id to allow yast2-registration to not break (bsc#1257825)
    * Fix libsuseconnect APIError detection logic (bsc#1257825)
- Regressions found during QA test runs:
    * Ignore product in announce call (bsc#1257490)
    * Registration to SMT server with failed (bsc#1257625)
- Update version to 1.20:
    * Update error message for Public Cloud instances with registercloudguest  installed.
      SUSEConnect -d is disabled on PYAG and BYOS when the registercloudguest command is available. (bsc#1230861)
    * Enhanced SAP detected. Take TREX into account and remove empty values when
      only /usr/sap but no installation exists (bsc#1241002)
    * Fixed modules and extension link to point to version less documentation. (bsc#1239439)
    * Fixed SAP instance detection (bsc#1244550)
    * Remove link to extensions documentation (bsc#1239439)
    * Migrate to the public library
- Version 1.14 public library release:
  This version is only available on Github as a tag to release the
  new golang public library which can be consumed without the need
  to interface with SUSEConnect directly.

-----------------------------------------------------------------
Advisory ID: 741
Released:    Wed May 13 11:32:25 2026
Summary:     Recommended update for systemd-presets-branding-SLE
Type:        recommended
Severity:    important
References:  1210938,1239334,1239944,1243254,1243505,1245759,1253889,1257010,1260264,1261822,1262134,1262926,1265762,CVE-2025-22868,CVE-2025-22869,CVE-2025-58181,CVE-2026-33186,CVE-2026-33814,CVE-2026-34986
This update for systemd-presets-branding-SLE fixes the following issues:

- change %pretrans script from shell to lua, as we cannot guarantee a shell on %pretrans at all (bsc#1261822)
- fix escaping for migration_flag (bsc#1262134)
- unify the presets between traditional and immutable modes (with some exceptions) (jsc#PED-16082)

-----------------------------------------------------------------
Advisory ID: 749
Released:    Thu May 14 18:43:27 2026
Summary:     Security update for rsync
Type:        security
Severity:    important
References:  1254441,1260277,1262223,1266187,1267168,CVE-2025-10158,CVE-2026-25680,CVE-2026-25681,CVE-2026-27136,CVE-2026-33186,CVE-2026-39827,CVE-2026-39828,CVE-2026-39829,CVE-2026-39830,CVE-2026-39831,CVE-2026-39832,CVE-2026-39833,CVE-2026-39834,CVE-2026-39835,CVE-2026-41035,CVE-2026-42502,CVE-2026-42506,CVE-2026-42508,CVE-2026-46595,CVE-2026-46597,CVE-2026-46598
This update for rsync fixes the following issues

- CVE-2025-10158: Out of bounds array access via negative index (bsc#1254441).
- CVE-2026-41035: count of entries mismatch can lead to a use-after-free (bsc#1262223).

-----------------------------------------------------------------
Advisory ID: 752
Released:    Fri May 15 13:23:14 2026
Summary:     Security update for openssh
Type:        security
Severity:    important
References:  1252890,1261427,1261430,1262555,1266340,1266341,1266342,1266344,1266349,1266353,1266355,1266356,1266357,CVE-2026-34180,CVE-2026-34182,CVE-2026-35385,CVE-2026-35414,CVE-2026-42766,CVE-2026-42770,CVE-2026-45445,CVE-2026-45446,CVE-2026-45447,CVE-2026-7383,CVE-2026-9076
This update for openssh fixes the following issues

Security issues fixed:

- CVE-2026-35385: a file downloaded by scp may be installed setuid or setgid (bsc#1261427).
- CVE-2026-35414: mishandling of authorized_keys principals option (bsc#1261430).

Other issues fixed:

- SSH port not reachable on SLES-16.0-CHOST-BYOS since build 1.32 for both x86_64 and aarch64 (bsc#1262555).
- OpenSSH audit support causes connection lost with parallel sessions (bsc#1252890).

-----------------------------------------------------------------
Advisory ID: 761
Released:    Mon May 18 07:38:10 2026
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1255111,1261206,1262464,1262465,CVE-2026-4046,CVE-2026-5450,CVE-2026-5928
This update for glibc fixes the following issues

- CVE-2026-4046: assertion failure when converting inputs may be used to remotely crash an application (bsc#1261206).
- CVE-2026-5450: stdio-common: scanf %mc pattern will cause heap overflow when width > 1024 (bsc#1262465).
- CVE-2026-5928: libio: ungetwc could be used to leak data on special conditions (bsc#1262464).

-----------------------------------------------------------------
Advisory ID: 803
Released:    Tue May 26 14:14:16 2026
Summary:     Security update for xz
Type:        security
Severity:    important
References:  1261280,CVE-2026-34743
This update for xz fixes the following issue

- CVE-2026-34743: buffer overflow in lzma_index_append() (bsc#1261280).

-----------------------------------------------------------------
Advisory ID: 808
Released:    Wed May 27 18:43:58 2026
Summary:     Recommended update for dbus-broker
Type:        recommended
Severity:    moderate
References:  1255678
This update for dbus-broker fixes the following issues:

- Fix timeout on ssh due to not handling ESRCH (bsc#1255678)

-----------------------------------------------------------------
Advisory ID: 824
Released:    Fri May 29 11:59:18 2026
Summary:     Recommended update for crypto-policies
Type:        recommended
Severity:    important
References:  1258311,1259825,1262315
This update for crypto-policies fixes the following issues:

Changes in crypto-policies:

- Allow X25519 as required for sntrup761x25519-sha512 at openssh.com
  and sntrup761x25519-sha512 in the DEFAULT policy again. (bsc#1259825)

- Add PQC support for OpenSSH (bsc#1258311, bsc#1259825)
  * Enable sntrup761x25519-sha512 for OpenSSH by default

- Modify the output of fips-mode-setup to hint the user when
  setting the FIPS mode in transactional systems to use the
  command 'transactional-update setup-fips'. (bsc#1262315)

-----------------------------------------------------------------
Advisory ID: 861
Released:    Tue Jun  2 09:22:47 2026
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  
This update for aaa_base fixes the following issues:

- Update to version 84.87+git20260529.c4391e5:
    * $status to $?
    * Simplifying the sh part too
    * Addressing review comments and simplifying a bit
    * Handle javas managed by libalternatives and by update-alternatives alike

-----------------------------------------------------------------
Advisory ID: 867
Released:    Tue Jun  2 11:13:41 2026
Summary:     Security update for rsync
Type:        security
Severity:    important
References:  1254441,1262223,1264511,1264512,1264513,1264514,1264515,1265296,CVE-2025-10158,CVE-2026-29518,CVE-2026-41035,CVE-2026-43617,CVE-2026-43618,CVE-2026-43619,CVE-2026-43620,CVE-2026-45232
This update for rsync fixes the following issues

- CVE-2025-10158: Out of bounds array access via negative index (bsc#1254441).
- CVE-2026-29518: Symlink-Race TOCTOU in Daemon (use chroot = no) (bsc#1264511).
- CVE-2026-41035: count of entries mismatch can lead to a use-after-free (bsc#1262223).
- CVE-2026-43617: Authorization Bypass via Hostname Resolution (bsc#1264515).
- CVE-2026-43618: Integer Overflow Information Disclosure (bsc#1264512).
- CVE-2026-43619: Symlink Race Condition via Path-Based Syscalls (bsc#1264514).
- CVE-2026-43620: Out-of-Bounds Array Read via recv_files() (bsc#1264513).
- CVE-2026-45232: Off-by-one stack OOB write in HTTP CONNECT proxy response parsing (bsc#1265296).

-----------------------------------------------------------------
Advisory ID: 885
Released:    Wed Jun  3 11:47:33 2026
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  
This update for aaa_base fixes the following issues:

- Fix a typo and follow symlinks in alljava

-----------------------------------------------------------------
Advisory ID: 889
Released:    Fri Jun  5 10:15:29 2026
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1257955,1258960
This update for dracut fixes the following issues:

- Always include a defined set of kernel modules for aarch64 (bsc#1257955):
    * fix(kernel-modules): always include arm/aarch64 specific modules in sloppy mode
    * fix(kernel-modules): make sure block modules are always included
- Other:
    * test(BTRFSRAID): simplify and rework to avoid intermittent errors (bsc#1258960)

-----------------------------------------------------------------
Advisory ID: 903
Released:    Mon Jun  8 16:12:20 2026
Summary:     Security update for elemental-toolkit
Type:        security
Severity:    important
References:  1251679,1260277,1266187,1267168,CVE-2026-33186
This update for elemental-toolkit fixes the following issue

- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo-
  header (bsc#1260277).

Changes:

- Update to v2.3.4:
 * 974af043 Bump golang.org/x/net to v0.55.0 (bsc#1267168 bsc#1251679)
 * ae39c90f Bump golang.org/x/crypto to v0.52.0 (bsc#1266187)
- Update to v2.3.3:
 * 8b4af274 Avoid pulling binaries with curl
 * d46e30f4 Bump golangci/golangci-lint-action to v9
 * 02caf200 Bump github.com/spf13/cobra library
 * e29e1fbf Bump github.com/jaypipes/ghw library
 * 652654e1 Bump github.com/bramvdbogaerde/go-scp library
 * f94a0c58 Bump google.golang.org/grpc library (bsc#1260277 CVE-2026-33186)
 * dc1a2056 Bump github.com/ulikunitz/xz library
 * 337a986c Update headers to 2026
 * d6aac085 Switch from TW to Leap 16.0 for green flavor

-----------------------------------------------------------------
Advisory ID: 925
Released:    Fri Jun 12 14:46:46 2026
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1267423
This update for aaa_base fixes the following issues:

- Add missing '=' in alljava.csh (bsc#1267423)

-----------------------------------------------------------------
Advisory ID: 938
Released:    Wed Jun 17 10:47:34 2026
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1262631,1262632,1262635,1262636,1262638,CVE-2026-4873,CVE-2026-5545,CVE-2026-6253,CVE-2026-6276,CVE-2026-6429
This update for curl fixes the following issues:

- CVE-2026-4873: connection reuse ignores TLS requirement (bsc#1262631).
- CVE-2026-5545: wrong reuse of HTTP Negotiate connection (bsc#1262632).
- CVE-2026-6253: proxy credentials leak over redirect-to proxy (bsc#1262635).
- CVE-2026-6276: stale custom cookie host causes cookie leak (bsc#1262636).
- CVE-2026-6429: netrc credential leak with reused proxy connection (bsc#1262638).


The following package changes have been done:

- boost-license1_86_0-1.86.0-160000.2.2 added
- btrfsprogs-udev-rules-6.14-160000.2.2 added
- compat-usrmerge-tools-84.87-160000.2.2 added
- crypto-policies-20250714.cd6043a-160000.2.1 added
- dbus-broker-block-restart-36-160000.3.1 added
- elemental-httpfy1.9-1.9.2-160000.1.2 added
- elemental-seedimage-hooks1.9-1.9.2-160000.1.2 added
- file-magic-5.46-160000.2.2 added
- libldap-data-2.6.10+10-160000.3.1 added
- libsemanage-conf-3.8.1-160000.2.2 added
- pkgconf-m4-2.2.0-160000.2.2 added
- system-user-root-20190513-160000.2.2 added
- systemd-default-settings-branding-upstream-0.10-160000.2.2 added
- filesystem-84.87-160000.2.2 added
- glibc-2.40-160000.5.1 added
- glibc-gconv-modules-extra-2.40-160000.5.1 added
- terminfo-base-6.5.20250531-160000.2.2 added
- libncurses6-6.5.20250531-160000.2.2 added
- ncurses-utils-6.5.20250531-160000.2.2 added
- libzstd1-1.5.7-160000.2.2 added
- libz1-1.2.13-160000.3.1 added
- libxxhash0-0.8.3-160000.2.2 added
- libverto1-0.3.2-160000.2.2 added
- libuuid1-2.41.1-160000.3.1 added
- liburcu8-0.14.0-160000.2.2 added
- libunistring5-1.3-160000.3.2 added
- libtextstyle0-0.22.5-160000.2.2 added
- libtasn1-6-4.21.0-160000.1.1 added
- libsqlite3-0-3.51.3-160000.1.1 added
- libsmartcols1-2.41.1-160000.3.1 added
- libsepol2-3.8.1-160000.2.2 added
- libseccomp2-2.6.0-160000.2.2 added
- libsasl2-3-2.1.28-160000.3.1 added
- libpopt0-1.19-160000.2.2 added
- libpkgconf5-2.2.0-160000.2.2 added
- libpcre2-8-0-10.45-160000.3.1 added
- libparted-fs-resize0-3.6-160000.2.2 added
- libnss_usrfiles2-2.27.1-160000.3.2 added
- libnghttp2-14-1.64.0-160000.3.1 added
- libmpdec4-4.0.1-160000.2.2 added
- liblzo2-2-2.10-160000.3.2 added
- liblzma5-5.8.1-160000.3.1 added
- liblz4-1-1.10.0-160000.3.1 added
- liblz1-1.15-160000.2.2 added
- liblua5_4-5-5.4.7-160000.2.2 added
- libkeyutils1-1.6.3-160000.3.2 added
- libkbdfile1-2.7.1-160000.2.2 added
- libjson-c5-0.17-160000.2.2 added
- libjitterentropy3-3.6.3-160000.2.2 added
- libgpg-error0-1.58-160000.1.1 added
- libgmp10-6.3.0-160000.2.2 added
- libgcc_s1-15.2.0+git10201-160000.2.1 added
- libfuse3-3-3.16.2-160000.2.2 added
- libffi8-3.4.6-160000.2.2 added
- libexpat1-2.7.1-160000.5.1 added
- libeconf0-0.7.9-160000.2.2 added
- libcrypt1-4.4.38-160000.3.2 added
- libcom_err2-1.47.0-160000.3.2 added
- libcap2-2.73-160000.3.1 added
- libcap-ng0-0.8.5-160000.3.2 added
- libbz2-1-1.0.8-160000.2.2 added
- libburn4-1.5.6-160000.2.2 added
- libbtrfsutil1-6.14-160000.2.2 added
- libbtrfs0-6.14-160000.2.2 added
- libbrotlicommon1-1.1.0-160000.2.2 added
- libaudit1-4.0-160000.2.2 added
- libattr1-2.5.2-160000.2.2 added
- libalternatives1-1.2+30.a5431e9-160000.2.2 added
- libaio1-0.3.113-160000.3.2 added
- libacl1-2.3.2-160000.2.2 added
- glibc-locale-base-2.40-160000.5.1 added
- fillup-1.42-160000.2.2 added
- envsubst-0.22.5-160000.2.2 added
- dosfstools-4.2-160000.2.2 added
- diffutils-3.12-160000.2.2 added
- libreadline8-8.2.13-160000.2.2 added
- libedit0-20210910.3.1-160000.2.2 added
- pigz-2.8-160000.2.2 added
- libpng16-16-1.6.44-160000.7.1 added
- libelf1-0.192-160000.3.1 added
- libidn2-0-2.3.8-160000.2.2 added
- liblastlog2-2-2.41.1-160000.3.1 added
- pkgconf-2.2.0-160000.2.2 added
- libselinux1-3.8.1-160000.3.1 added
- netcfg-11.6-160000.2.2 added
- libxml2-2-2.13.8-160000.4.1 added
- squashfs-4.6.1-160000.2.2 added
- libkfont0-2.7.1-160000.2.2 added
- libkeymap1-2.7.1-160000.2.2 added
- libgcrypt20-1.12.1-160000.1.1 added
- libmpfr6-4.2.1-160000.2.2 added
- libstdc++6-15.2.0+git10201-160000.2.1 added
- libp11-kit0-0.25.5-160000.2.2 added
- libblkid1-2.41.1-160000.3.1 added
- perl-base-5.42.0-160000.2.2 added
- libext2fs2-1.47.0-160000.3.2 added
- libudev1-257.13-160000.1.1 added
- libsystemd0-257.13-160000.1.1 added
- libzio1-1.09-160000.2.2 added
- libmagic1-5.46-160000.2.2 added
- libjte2-1.22-160000.2.2 added
- libbrotlidec1-1.1.0-160000.2.2 added
- alts-1.2+30.a5431e9-160000.2.2 added
- permctl-1699_20250120-160000.2.2 added
- bash-5.2.37-160000.2.2 added
- bash-sh-5.2.37-160000.2.2 added
- libdw1-0.192-160000.3.1 added
- libpsl5-0.21.5-160000.3.2 added
- sed-4.9-160000.2.2 added
- libsubid5-4.17.2-160000.2.2 added
- libsemanage2-3.8.1-160000.2.2 added
- findutils-4.10.0-160000.2.2 added
- libinih0-58-160000.2.2 added
- libboost_thread1_86_0-1.86.0-160000.2.2 added
- gptfdisk-1.0.10-160000.2.2 added
- p11-kit-0.25.5-160000.2.2 added
- p11-kit-tools-0.25.5-160000.2.2 added
- libmount1-2.41.1-160000.3.1 added
- libfdisk1-2.41.1-160000.3.1 added
- file-5.46-160000.2.2 added
- libisofs6-1.5.6-160000.2.2 added
- libfreetype6-2.13.3-160000.3.1 added
- zstd-1.5.7-160000.2.2 added
- xz-5.8.1-160000.3.1 added
- pkgconf-pkg-config-2.2.0-160000.2.2 added
- mtools-4.0.45-160000.2.2 added
- login_defs-4.17.2-160000.2.2 added
- libssh-config-0.11.4-160000.1.1 added
- libdevmapper1_03-2.03.29_1.02.203-160000.3.1 added
- gzip-1.13-160000.2.2 added
- grep-3.11-160000.2.2 added
- gettext-runtime-0.22.5-160000.2.2 added
- gawk-5.3.2-160000.2.2 added
- cpio-2.15-160000.2.2 added
- coreutils-9.6-160000.2.2 added
- ALP-dummy-release-0.1-160000.2.2 added
- libasm1-0.192-160000.3.1 added
- libisoburn1-1.5.6-160000.3.2 added
- libparted2-3.6-160000.2.2 added
- libdevmapper-event1_03-2.03.29_1.02.203-160000.3.1 added
- info-7.1-160000.2.2 added
- thin-provisioning-tools-1.1.0-160000.2.2 added
- systemd-rpm-macros-26-160000.2.2 added
- systemd-presets-common-SUSE-15-160000.2.2 added
- rpm-config-SUSE-20250328-160000.2.2 added
- rpm-4.20.1-160000.2.2 added
- permissions-config-1699_20250120-160000.2.2 added
- e2fsprogs-1.47.0-160000.3.2 added
- ca-certificates-2+git20240805.fd24d50-160000.2.2 added
- ca-certificates-mozilla-2.84-160000.1.1 added
- btrfsprogs-6.14-160000.2.2 added
- elfutils-0.192-160000.3.1 added
- parted-3.6-160000.2.2 added
- liblvm2cmd2_03-2.03.29-160000.3.1 added
- xorriso-1.5.6-160000.3.2 added
- device-mapper-2.03.29_1.02.203-160000.3.1 added
- systemd-presets-branding-SLE-15.1-160000.4.1 added
- permissions-1699_20250120-160000.2.2 added
- libopenssl3-3.5.0-160000.7.1 added
- grub2-common-2.12-160000.6.1 added
- pam-1.7.1-160000.3.1 added
- rsync-3.4.1-160000.4.1 added
- python313-base-3.13.13-160000.1.1 added
- libpython3_13-1_0-3.13.13-160000.1.1 added
- libldap-2-2.6.10+10-160000.3.1 added
- libkmod2-34.2-160000.3.2 added
- libcryptsetup12-2.8.4-160000.1.1 added
- krb5-1.21.3-160000.2.2 added
- grub2-i386-pc-2.12-160000.6.1 added
- util-linux-2.41.1-160000.3.1 added
- shadow-4.17.2-160000.2.2 added
- pam-extra-1.7.1-160000.3.1 added
- kbd-2.7.1-160000.2.2 added
- xfsprogs-6.19.0-160000.1.1 added
- libssh4-0.11.4-160000.1.1 added
- grub2-2.12-160000.6.1 added
- libsnapper7-0.12.1-160000.2.2 added
- sysuser-shadow-3.3-160000.2.2 added
- pam-config-2.13+git.20250715-160000.2.2 added
- libcurl4-8.14.1-160000.6.1 added
- system-user-lp-20170617-160000.2.2 added
- system-group-kvm-20170617-160000.2.2 added
- system-group-hardware-20170617-160000.2.2 added
- dbus-1-common-1.14.10-160000.2.2 added
- curl-8.14.1-160000.6.1 added
- libdbus-1-3-1.14.10-160000.2.2 added
- dbus-1-tools-1.14.10-160000.2.2 added
- aaa_base-84.87+git20260610.3b5a868c-160000.1.1 added
- systemd-257.13-160000.1.1 added
- dbus-broker-36-160000.3.1 added
- dbus-1-1.14.10-160000.2.2 added
- util-linux-systemd-2.41.1-160000.3.1 added
- suse-module-tools-16.0.64-160000.1.1 added
- kmod-34.2-160000.3.2 added
- udev-257.13-160000.1.1 added
- dracut-059+suse.720.g64cb9fbf-160000.1.1 added
- snapper-0.12.1-160000.2.2 added
- lvm2-2.03.29-160000.3.1 added
- elemental-toolkit-2.3.4-160000.1.1 added
- container:bci-bci-base-16.0-3327ce232ff17c6439252dbc165087dc6d05ddfe3a2cb938ebfc3785c4d4bc75-0 updated


More information about the sle-container-updates mailing list