Packages changed: MicroOS-release (20260213 -> 20260214) libssh (0.11.3 -> 0.11.4) libzio (1.09 -> 1.10) libzypp (17.37.18 -> 17.38.2) python-cryptography (46.0.2 -> 46.0.5) systemd (258.3 -> 258.4) udisks2 (2.10.91 -> 2.11.0) util-linux util-linux-systemd === Details === ==== MicroOS-release ==== Version update (20260213 -> 20260214) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== libssh ==== Version update (0.11.3 -> 0.11.4) Subpackages: libssh-config libssh4 - Update to 0.11.4: * Security fixes: - CVE-2026-0964: SCP Protocol Path Traversal in ssh_scp_pull_request() (bsc#1258049) - CVE-2026-0965: Possible Denial of Service when parsing unexpected configuration files (bsc#1258045) - CVE-2026-0966: Buffer underflow in ssh_get_hexa() on invalid input (bsc#1258054) - CVE-2026-0967: Specially crafted patterns could cause DoS (bsc#1258081) - CVE-2026-0968: OOB Read in sftp_parse_longname() (bsc#1258080) - libssh-2026-sftp-extensions: Read buffer overrun when handling SFTP extensions * Other fixes: - Stability and compatibility improvements of ProxyJump * Remove patch upstream: libssh-cmake-Add-option-WITH_HERMETIC_USR.patch ==== libzio ==== Version update (1.09 -> 1.10) - Version 1.10: Allow fdzopen() to detect magic bytes as well in the stream of the file descriptor. Note that this does not work if reading from a pipe or socketpair as it is not possible to reset the reposition of the file descriptor. Today it is impossible to use fdzopen in a pipe. ==== libzypp ==== Version update (17.37.18 -> 17.38.2) - Prepare a legacy /etc/zypp/zypp.conf to be installed on old distros. See the ZYPP.CONF(5) man page for details. - Fix runtime check for broken rpm --runposttrans (bsc#1257068) - version 17.38.2 (35) - Avoid libcurl-mini4 when building as it does not support ftp protocol. - Translation: updated .pot file. - version 17.38.1 (35) - zypp.conf: follow the UAPI configuration file specification (PED-14658) In short terms it means we will no longer ship an /etc/zypp/zypp.conf, but store our own defaults in /usr/etc/zypp/zypp.conf. The systems administrator may choose to keep a full copy in /etc/zypp/zypp.conf ignoring our config file settings completely, or - the preferred way - to overwrite specific settings via /etc/zypp/zypp.conf.d/*.conf overlay files. See the ZYPP.CONF(5) man page for details. - cmake: correctly detect rpm6 (fixes #689) - Use 'zypp.tmp' as temp directory component to ease setting up SELinux policies (bsc#1249435) - zyppng: Update Provider to current MediaCurl2 download approach, drop Metalink ( fixes #682 ) - version 17.38.0 (35) ==== python-cryptography ==== Version update (46.0.2 -> 46.0.5) - Update to 46.0.5 (fixes CVE-2026-26007, bsc#1258074) * An attacker could create a malicious public key that reveals portions of your private key when using certain uncommon elliptic curves (binary curves). This version now includes additional security checks to prevent this attack. This issue only affects binary elliptic curves, which are rarely used in real-world applications. Credit to XlabAI Team of Tencent Xuanwu Lab and Atuin Automated Vulnerability Discovery Engine for reporting the issue. CVE-2026-26007 * Support for SECT* binary elliptic curves is deprecated and will be removed in the next release. - Update to 46.0.4 * Dropped support for win_arm64 wheels. * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5. - Update to 46.0.3 * Fixed compilation when using LibreSSL 4.2.0. ==== systemd ==== Version update (258.3 -> 258.4) Subpackages: libsystemd0 libudev1 systemd-boot udev - Import commit 8838beb6f391a98ba74c4b4ab2880271af443c54 8838beb6f3 units: restore runlevel[0-6].target aliases 2b9447c81d getty: remove --issue-file parameter (bsc#1257587) - Restore the runlevel[0-6].target aliases in the systemd-sysvcompat sub-package. These targets will remain supported until the SysV init script support is officially removed. - Avoid shipping (empty) directories and ghost files in /var (jsc#PED-14853) This was originally intended to ensure these paths had a designated package owner. However the existing list was neither exhaustive nor up to date. To better support immutable images, we are removing these entries and will now keep only /var/lib/systemd as owned by the systemd package. Maintaining the broader list provided little value due to its ongoing inconsistency anyways. - Move systemd-bless-boot from systemd-boot to udev subpackage, as it is used by grub2-bls as well - Import commit 3f291a53256445d192243b71332c3602ef6ee93a (merge of v258.4) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/2ffdb7879d1913b91d75fb7638023689ad49d6ff...3f291a53256445d192243b71332c3602ef6ee93a ==== udisks2 ==== Version update (2.10.91 -> 2.11.0) Subpackages: libudisks2-0 - Update to version 2.11.0: + ATA SMART handling has been ported over to libblockdev which now offers two plugins, based on libatasmart (default, recommended) and smartmontools (experimental). There is an additional attribute validation layer in place in libblockdev, some attributes may now be reported as 'unknown' or 'untrusted'. Drive temperature reporting has been reworked as well. + ATA SMART functionality has been made optional through the --disable-smart configure switch (default: Enabled). + ATA SMART can be also selectively turned off for some drives by setting ID_ATA_SMART_ACCESS udev property to none. In such a case, the Drive.Ata.SmartUpdated property will remain set to zero to indicate it was never updated for a particular drive. + ATA feature flags are now mostly retrieved from udev, skipping additional probing done by UDisks in case of udev >= 257. ==== util-linux ==== Subpackages: libblkid1 libfdisk1 libmount1 libsmartcols1 libuuid1 - Fix bsc#1222465. - Add patch: * util-linux-bsc-1222465.patch - Patch has already been merged upstream, and may be deleted during the next release. ==== util-linux-systemd ==== Subpackages: lastlog2 liblastlog2-2 - Fix bsc#1222465. - Add patch: * util-linux-bsc-1222465.patch - Patch has already been merged upstream, and may be deleted during the next release.