Packages changed: MicroOS-release (20260423 -> 20260425) blog (2.38 -> 2.40) coreutils (9.10 -> 9.11) coreutils-systemd (9.10 -> 9.11) crypto-policies highway (1.3.0 -> 1.4.0) ncurses (6.6.20260328 -> 6.6.20260418) ntfs-3g_ntfsprogs python-Mako (1.3.10 -> 1.3.11) xdg-user-dirs (0.18 -> 0.20) zlib === Details === ==== MicroOS-release ==== Version update (20260423 -> 20260425) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== blog ==== Version update (2.38 -> 2.40) Subpackages: libblogger2 - Update to version 2.40 * Protect password data stream on 3270 console as well On S390 the 3270 console is also logged and the passwords, even if hidden on the 3270 console, would be logged as well. - Update to version 2.39 * New feature to protect passwords to be logged On S390 now blogd use for 3215 console the command [#]CP SPOOL CONSOLE STOP to stop logging the plain password at prompting for the password. Also a warning is written out to warn the user that the password will be visible. With getting the password the CONSOLE log is enabled again if it was enabled before. ==== coreutils ==== Version update (9.10 -> 9.11) - Update to 9.11: Bug fixes * 'dd' now always diagnoses partial writes correctly upon write failure. Previously it may have indicated that only full writes were performed. [This bug was present in "the beginning".] * 'fold' will no longer truncate output when encountering 0xFF bytes. [bug introduced in coreutils-9.8] * 'fold' is again responsive to its input. Previously it would have delayed processing until 256KiB was read from the input. [bug introduced in coreutils-9.8] * 'kill --help' now has links to valid anchors in the html manual. [bug introduced in coreutils-9.10] * When configured with --enable-systemd, the commands 'pinky', 'uptime', 'users', and 'who' no longer consider the systemd session classes 'greeter', 'lock-screen', 'background', 'background-light', and 'none' to be users. [bug introduced in coreutils-9.4] * 'pwd' on ancient systems will no longer overflow a buffer when operating in deep paths longer than twice the system PATH_MAX. [bug introduced in coreutils-9.6] * 'stat --printf=%%N' no longer performs unnecessary checks of the QUOTING_STYLE environment variable. [bug introduced in coreutils-8.26] * 'timeout' no longer exits abruptly when its parent is the init process, e.g., when started by the entrypoint of a container. [bug introduced in coreutils-9.10] New Features * 'cut' now supports multi-byte input and delimiters. Consequently the -c option is now honored, and no longer an alias for -b, and the -n option is now honored, and no longer ignored. Also the -d option supports multi-byte delimiters. * 'cut' adds new options for better compatibility: The -w,--whitespace-delimited option was added to support blank aligned fields and for better compatibility with FreeBSD/macOS. The -O option was added as an alias for the --output-delimiter option, for better compatibility with busybox/toybox. The -F option was added as an alias for -w -O ' ' for better compatibility with busybox/toybox. * 'date --date' now parses dot delimited dd.mm.yy format common in Europe. This is in addition to the already supported mm/dd/yy and yy-mm-dd formats. Changes in behavior * 'cksum --check' now uses shell quoting when required, to more robustly escape file names output in diagnostics. This also affects md5sum, sha*sum, and b2sum. Improvements * 'cat' now uses zero-copy I/O on Linux when appropriate, to improve throughput. E.g., throughput improved 6x from 12.9GiB/s to 81.8GiB/s on a Power10 system. * 'df --local' recognises more file system types as remote. Specifically: autofs, ncpfs, smb, smb2, gfs, gfs2, userlandfs. * 'df' improves duplicate mount suppression, by checking each mount against all previously kept entries for the same device, not just the latest one. * 'expand' and 'unexpand' now support multi-byte characters. * 'groups' and 'id' will now exit sooner after a write error, which is significant when listing information for many users. * 'install' now allows the combination of the --compare and - -preserve-timestamps options. * 'fold', 'join', 'numfmt', 'uniq' now use more consistent blank character determination on non GLIBC platforms. For example \u3000 (ideographic space) will be considered a blank character on all platforms. * 'nl' now supports multi-byte --section-delimiter characters. * 'shuf -i' now operates up to two times faster on systems with unlocked stdio functions. * 'tac' will now exit sooner after a write error, which is significant when operating on a file with many lines. * 'timeout' now properly detects when it is reparented by a subreaper process on Linux instead of init, e.g., the 'systemd --user' process. * 'wc -l' now operates up to four and a half times faster on hosts that support Neon instructions. * 'wc -m' now operates up to 2.6 times faster on GLIBC when processing non-ASCII UTF-8 characters. * 'yes' now uses zero-copy I/O on Linux to significantly increase throughput. E.g., throughput improved 15x from 11.6GiB/s to 175GiB/s on a Power10 system. Build-related * ./configure --enable-single-binary=hardlinks is now supported on systems with dash as the system shell at /bin/sh. [issue introduced in coreutils-9.10] * The test suite may have failed with a "Hangup" error if run non-interactively. [issue introduced in coreutils-9.10] - coreutils-i18n.patch: Refresh patch. Remove now-upstream I18N patches for cut(1), expand(1) and unexpand(1). - Refresh all other patches. ==== coreutils-systemd ==== Version update (9.10 -> 9.11) - Update to 9.11: Bug fixes * 'dd' now always diagnoses partial writes correctly upon write failure. Previously it may have indicated that only full writes were performed. [This bug was present in "the beginning".] * 'fold' will no longer truncate output when encountering 0xFF bytes. [bug introduced in coreutils-9.8] * 'fold' is again responsive to its input. Previously it would have delayed processing until 256KiB was read from the input. [bug introduced in coreutils-9.8] * 'kill --help' now has links to valid anchors in the html manual. [bug introduced in coreutils-9.10] * When configured with --enable-systemd, the commands 'pinky', 'uptime', 'users', and 'who' no longer consider the systemd session classes 'greeter', 'lock-screen', 'background', 'background-light', and 'none' to be users. [bug introduced in coreutils-9.4] * 'pwd' on ancient systems will no longer overflow a buffer when operating in deep paths longer than twice the system PATH_MAX. [bug introduced in coreutils-9.6] * 'stat --printf=%%N' no longer performs unnecessary checks of the QUOTING_STYLE environment variable. [bug introduced in coreutils-8.26] * 'timeout' no longer exits abruptly when its parent is the init process, e.g., when started by the entrypoint of a container. [bug introduced in coreutils-9.10] New Features * 'cut' now supports multi-byte input and delimiters. Consequently the -c option is now honored, and no longer an alias for -b, and the -n option is now honored, and no longer ignored. Also the -d option supports multi-byte delimiters. * 'cut' adds new options for better compatibility: The -w,--whitespace-delimited option was added to support blank aligned fields and for better compatibility with FreeBSD/macOS. The -O option was added as an alias for the --output-delimiter option, for better compatibility with busybox/toybox. The -F option was added as an alias for -w -O ' ' for better compatibility with busybox/toybox. * 'date --date' now parses dot delimited dd.mm.yy format common in Europe. This is in addition to the already supported mm/dd/yy and yy-mm-dd formats. Changes in behavior * 'cksum --check' now uses shell quoting when required, to more robustly escape file names output in diagnostics. This also affects md5sum, sha*sum, and b2sum. Improvements * 'cat' now uses zero-copy I/O on Linux when appropriate, to improve throughput. E.g., throughput improved 6x from 12.9GiB/s to 81.8GiB/s on a Power10 system. * 'df --local' recognises more file system types as remote. Specifically: autofs, ncpfs, smb, smb2, gfs, gfs2, userlandfs. * 'df' improves duplicate mount suppression, by checking each mount against all previously kept entries for the same device, not just the latest one. * 'expand' and 'unexpand' now support multi-byte characters. * 'groups' and 'id' will now exit sooner after a write error, which is significant when listing information for many users. * 'install' now allows the combination of the --compare and - -preserve-timestamps options. * 'fold', 'join', 'numfmt', 'uniq' now use more consistent blank character determination on non GLIBC platforms. For example \u3000 (ideographic space) will be considered a blank character on all platforms. * 'nl' now supports multi-byte --section-delimiter characters. * 'shuf -i' now operates up to two times faster on systems with unlocked stdio functions. * 'tac' will now exit sooner after a write error, which is significant when operating on a file with many lines. * 'timeout' now properly detects when it is reparented by a subreaper process on Linux instead of init, e.g., the 'systemd --user' process. * 'wc -l' now operates up to four and a half times faster on hosts that support Neon instructions. * 'wc -m' now operates up to 2.6 times faster on GLIBC when processing non-ASCII UTF-8 characters. * 'yes' now uses zero-copy I/O on Linux to significantly increase throughput. E.g., throughput improved 15x from 11.6GiB/s to 175GiB/s on a Power10 system. Build-related * ./configure --enable-single-binary=hardlinks is now supported on systems with dash as the system shell at /bin/sh. [issue introduced in coreutils-9.10] * The test suite may have failed with a "Hangup" error if run non-interactively. [issue introduced in coreutils-9.10] - coreutils-i18n.patch: Refresh patch. Remove now-upstream I18N patches for cut(1), expand(1) and unexpand(1). - Refresh all other patches. ==== crypto-policies ==== - Modify the output of fips-mode-setup to hint the user when setting the FIPS mode in transactional systems to use the command 'transactional-update setup-fips'. (bsc#1262315) ==== highway ==== Version update (1.3.0 -> 1.4.0) - Update to release 1.4.0 * Added Fast* math functions, sum_array example, HWY_ARCH_MAX_BYTES, HWY_MIN_BYTES, HWY_NATIVE_MASK, HWY_REGISTERS HWY_EXPORT_AND_TEST_BEST_P, InterleaveLower/UpperBlocks, Lookup8, XorAndNot, MinMax algo, AtomicBitSet, RVV and LSX/LASX runtime dispatch. ==== ncurses ==== Version update (6.6.20260328 -> 6.6.20260418) Subpackages: libncurses6 ncurses-utils terminfo-base - Disable fix-mouse.patch as it conflicts with current patch level. Mask patch fix-mouse.patch as source to not lose it. - The fix-bsc1259924.patch is NOT required as at this patch level already included. In fact fix-bsc1259924.patch is a backport. - Add ncurses patch 20260418 + note in manpage that wgetch/wget_wch consistently set errno to EBADF for poll/select configurations when the input is closed. + improve check in test/ncurses for errors by limiting it to the latest wgetch/wget_wch (cf: 20260404). > fixes for problems found by Anthropic (report by David Korczynski): + correct a limit-check in _nc_write_object + correct a source-pointer in _nc_trim_sgr0 + add limit-check in read_SGR - Add ncurses patch 20260411 + if POLLNVAL is set in revents, set errno to EBADF to improve handling of closed input for poll() configuration. + cancel bce and rep in some screen.X's -TD - Add ncurses patch 20260404 + use xterm+direct in konsole-direct, add several features to konsole (report by Xu Che) + use dec+sl in mintty (prompted by Thomas Wolff) -TD + add linux-alt1049 (report by Sebastien Hinderer) -TD + add a limit-check in _nc_mouse_parse in case there are no valid events (report by Giorgos Xou, cf: 20260301). + amend recent change to test/ncurses to check errno before deciding to exit. ==== ntfs-3g_ntfsprogs ==== Subpackages: libntfs-3g89 ntfs-3g ntfsprogs - Add ntfs3g-heap-overflow.patch: bsc#1262216 CVE-2026-40706. ==== python-Mako ==== Version update (1.3.10 -> 1.3.11) - Update to 1.3.11 * Fixed issue in TemplateLookup where a URI with a double-slash prefix (e.g. //../../) could bypass the directory traversal check in Template, allowing reads of arbitrary files outside of the template directory. The issue was caused by an inconsistency in how leading slashes were stripped between TemplateLookup.get_template() and Template initialization. (bsc#1262716, CVE-2026-41205) ==== xdg-user-dirs ==== Version update (0.18 -> 0.20) - Update to version 0.20: + Features: - user-dirs.defaults: add PROJECTS directory - Replace xdg-user-dir shell script with C implementation - Make printable-char validation for dir names stricter + Bugfixes: - build: Unhardcode bindir in .service file - Fix length accounting in concat_strings - Escape " as well when shell-escaping - Check that user dir name does not contain line breaks - git-tp-sync: prevent handling POT files + Miscellaneous: - Remove Automake support - Clean up user-dir lookup code a bit, split sources and data - Stop mixing tabs & spaces - Changes from version 0.19: + Features: - Add a systemd service to run xdg-user-dirs-update - Add initial Meson buildsystem support + Bugfixes: Fix autopoint invocation + Miscellaneous: - Update automake boilerplate - Update information in README + Updated translations. - Switch to meson buildsystem. - Drop 0001-Add-a-systemd-service-to-run-xdg-user-dirs-update.patch Fixed upstream. ==== zlib ==== Subpackages: libminizip1 libz1 - Fix CVE-2026-27171, infinite loop via the crc32_combine64 and crc32_combine_gen64 functions due to missing checks for negative lengths (bsc#1258392) * CVE-2026-27171.patch