Packages changed:
  glib2 (2.86.3 -> 2.86.4)
  microos-tools (4.0+git21 -> 4.0+git23)
  openSUSE-release (20260217 -> 20260218)
  openjph (0.26.0 -> 0.26.3)
  python-rich (14.2.0 -> 14.3.1)
  python311
  python311-core
  python313 (3.13.11 -> 3.13.12)
  python313-core (3.13.11 -> 3.13.12)

=== Details ===

==== glib2 ====
Version update (2.86.3 -> 2.86.4)
Subpackages: glib2-lang glib2-tools libgio-2_0-0 libgirepository-2_0-0 libglib-2_0-0 libglib-2_0-0-32bit libgmodule-2_0-0 libgobject-2_0-0 libgthread-2_0-0 typelib-1_0-GIRepository-3_0 typelib-1_0-GLib-2_0 typelib-1_0-GModule-2_0 typelib-1_0-GObject-2_0 typelib-1_0-Gio-2_0

- Update to version 2.86.4:
  + Fix several security vulnerabilities of varying severity
  + Updated translations.
- Drop patches fixed upstream:
  + glib2-CVE-2026-1484.patch
  + glib2-CVE-2026-1485.patch
  + glib2-CVE-2026-1489.patch

==== microos-tools ====
Version update (4.0+git21 -> 4.0+git23)

- Update to version 4.0+git23:
  * zypp-*: require libzypp(econf)
  * test: Work around missing 9pnet_virtio in the initrd (boo#1258314)

==== openSUSE-release ====
Version update (20260217 -> 20260218)
Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== openjph ====
Version update (0.26.0 -> 0.26.3)

- Update to 0.26.3:
  * Bug fix out of range values #248
    Using versions 0.26.1 and 0.26.2 is not recommended
- Update to 0.26.2:
  * Fix a bug when the number of tiles is 0, and, in
    resilient mode, when the the start of tile-part segment
    (SOT) has an incorrect index, Isot #245
- Update to 0.26.1:
  * Add ARM CPU feature detection for FreeBSD and OpenBSD #238
  * Bug fix: some HTJ2K codestream parameters are now qualified before being
    used #244

==== python-rich ====
Version update (14.2.0 -> 14.3.1)

- update to 14.3.1:
  * Fixed characters out of unicode range reporting a cell size
    if 0
  * IPython now respects when a `Console` instance is passed to
    `pretty.install`
  * Fixed extraneous blank line on non-interactive disabled
    `Progress`
  * Fixed extra padding on first cell in columns
  * Fixed trailing whitespace removed when soft_wrap=True
  * Fixed style new-lines when soft_wrap = True and a print style
    is set
  * Added support for some multi-codepopint glyphs (will fix
    alignment issues for these characters)
  * Added support for `UNICODE_VERSION` environment variable
  * Added `last_render_height` property to LiveRender
  * Expose locals_max_depth and locals_overflow in
    traceback.install
  * Added `Segment.split_lines_terminator`
  * `cells.cell_len` now has a `unicode_version` parameter (that
    you probably should never change)
  * Live will not write a new line if there was nothing rendered
  * Changed style of Markdown headers
  * Changed style of Markdown tables, added
    `markdown.table.header` and `markdown.table.border` styles
  * Changed style of Markdown rules

==== python311 ====
Subpackages: python311-curses python311-dbm python311-x86-64-v3

- CVE-2025-11468: preserving parens when folding comments in
  email headers (bsc#1257029, gh#python/cpython#143935).
  CVE-2025-11468-email-hdr-fold-comment.patch
- CVE-2026-0672: rejects control characters in http cookies.
  (bsc#1257031, gh#python/cpython#143919)
  CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
- CVE-2026-0865: rejecting control characters in
  wsgiref.headers.Headers, which could be abused for injecting
  false HTTP headers. (bsc#1257042, gh#python/cpython#143916)
  CVE-2026-0865-wsgiref-ctrl-chars.patch
- CVE-2025-15366: basically the same as the previous patch for
  IMAP protocol. (bsc#1257044, gh#python/cpython#143921)
  CVE-2025-15366-imap-ctrl-chars.patch
- CVE-2025-15282: basically the same as the previous patch for
  urllib library. (bsc#1257046, gh#python/cpython#143925)
  CVE-2025-15282-urllib-ctrl-chars.patch
- CVE-2025-15367: basically the same as the previous patch for
  poplib library. (bsc#1257041, gh#python/cpython#143923)
  CVE-2025-15367-poplib-ctrl-chars.patch
- CVE-2025-12781: fix decoding with non-standard Base64 alphabet
  (bsc#1257108, gh#python/cpython#125346)
  CVE-2025-12781-b64decode-alt-chars.patch

==== python311-core ====
Subpackages: libpython3_11-1_0 libpython3_11-1_0-x86-64-v3 python311-base python311-base-x86-64-v3

- CVE-2025-11468: preserving parens when folding comments in
  email headers (bsc#1257029, gh#python/cpython#143935).
  CVE-2025-11468-email-hdr-fold-comment.patch
- CVE-2026-0672: rejects control characters in http cookies.
  (bsc#1257031, gh#python/cpython#143919)
  CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
- CVE-2026-0865: rejecting control characters in
  wsgiref.headers.Headers, which could be abused for injecting
  false HTTP headers. (bsc#1257042, gh#python/cpython#143916)
  CVE-2026-0865-wsgiref-ctrl-chars.patch
- CVE-2025-15366: basically the same as the previous patch for
  IMAP protocol. (bsc#1257044, gh#python/cpython#143921)
  CVE-2025-15366-imap-ctrl-chars.patch
- CVE-2025-15282: basically the same as the previous patch for
  urllib library. (bsc#1257046, gh#python/cpython#143925)
  CVE-2025-15282-urllib-ctrl-chars.patch
- CVE-2025-15367: basically the same as the previous patch for
  poplib library. (bsc#1257041, gh#python/cpython#143923)
  CVE-2025-15367-poplib-ctrl-chars.patch
- CVE-2025-12781: fix decoding with non-standard Base64 alphabet
  (bsc#1257108, gh#python/cpython#125346)
  CVE-2025-12781-b64decode-alt-chars.patch

==== python313 ====
Version update (3.13.11 -> 3.13.12)
Subpackages: python313-curses python313-dbm python313-tk python313-x86-64-v3

- Update to 3.13.12: Python 3.13.12 final Release date:
  2026-02-03
  - Tools/Demos
  - gh-142095: Make gdb ‘py-bt’ command use frame from thread
    local state when available. Patch by Sam Gross and Victor
    Stinner.
  - Tests
  - gh-144415: The Android testbed now distinguishes between
    stdout/stderr messages which were triggered by a newline,
    and those triggered by a manual call to flush. This fixes
    logging of progress indicators and similar content.
  - gh-65784: Add support for parametrized resource wantobjects
    in regrtests, which allows to run Tkinter tests with the
    specified value of tkinter.wantobjects, for example -u
    wantobjects=0.
  - gh-143553: Add support for parametrized resources, such as
  - u xpickle=2.7.
  - gh-142836: Accommodated Solaris in
    test_pdb.test_script_target_anonymous_pipe.
  - gh-129401: Fix a flaky test in test_repr_rlock that checks
    the representation of multiprocessing.RLock.
  - bpo-31391: Forward-port test_xpickle from Python 2 to
    Python 3 and add the resource back to test’s command line.
  - Security
  - gh-144125: BytesGenerator will now refuse to serialize
    (write) headers that are unsafely folded or delimited; see
    verify_generated_headers. (Contributed by Bas Bloemsaat and
    Petr Viktorin in gh-121650).
  - gh-143935: Fixed a bug in the folding of comments when
    flattening an email message using a modern email policy.
    Comments consisting of a very long sequence of non-foldable
    characters could trigger a forced line wrap that omitted
    the required leading space on the continuation line,
    causing the remainder of the comment to be interpreted as
    a new header field. This enabled header injection with
    carefully crafted inputs (bsc#1257029, CVE-2025-11468).
  - gh-143925: Reject control characters in data: URL media
    types (bsc#1257046, CVE-2025-15282).
  - gh-143919: Reject control characters in http.cookies.Morsel
    fields and values (bsc#1257031, CVE-2026-0672).
  - gh-143916: Reject C0 control characters within
    wsgiref.headers.Headers fields, values, and parameters
    (bsc#1257042, CVE-2026-0865).
  - Library
  - gh-144380: Improve performance of io.BufferedReader line
    iteration by ~49%.
  - gh-144169: Fix three crashes when non-string keyword
    arguments are supplied to objects in the ast module.
  - gh-144100: Fixed a crash in ctypes when using a deprecated
    POINTER(str) type in argtypes. Instead of aborting, ctypes
    now raises a proper Python exception when the pointer
    target type is unresolved.
  - gh-144050: Fix stat.filemode() in the pure-Python
    implementation to avoid misclassifying invalid mode values
    as block devices.
  - gh-144023: Fixed validation of file descriptor 0 in posix
    functions when used with follow_symlinks parameter.
  - gh-143999: Fix an issue where inspect.getgeneratorstate()
    and inspect.getcoroutinestate() could fail for generators
    wrapped by types.coroutine() in the suspended state.
  - gh-143706: Fix multiprocessing forkserver so that sys.argv
    is correctly set before __main__ is preloaded. Previously,
    sys.argv was empty during main module import in forkserver
    child processes. This fixes a regression introduced in
    3.13.8 and 3.14.1. Root caused by Aaron Wieczorek, test
    provided by Thomas Watson, thanks!
  - gh-143638: Forbid reentrant calls of the pickle.Pickler and
    pickle.Unpickler methods for the C implementation.
    Previously, this could cause crash or data corruption, now
    concurrent calls of methods of the same object raise
    RuntimeError.
  - gh-78724: Raise RuntimeError’s when user attempts to call
    methods on half-initialized Struct objects, For example,
    created by Struct.__new__(Struct). Patch by Sergey
    B Kirpichev.
  - gh-143602: Fix a inconsistency issue in write() that leads
    to unexpected buffer overwrite by deduplicating the buffer
    exports.
  - gh-143547: Fix sys.unraisablehook() when the hook raises an
    exception and changes sys.unraisablehook(): hold a strong
    reference to the old hook. Patch by Victor Stinner.
  - gh-143378: Fix use-after-free crashes when a BytesIO object
    is concurrently mutated during write() or writelines().
  - gh-143346: Fix incorrect wrapping of the Base64 data in
    plistlib._PlistWriter when the indent contains a mix of
    tabs and spaces.
  - gh-143310: tkinter: fix a crash when a Python list is
    mutated during the conversion to a Tcl object (e.g., when
    setting a Tcl variable). Patch by Bénédikt Tran.
  - gh-143309: Fix a crash in os.execve() on non-Windows
    platforms when given a custom environment mapping which is
    then mutated during parsing. Patch by Bénédikt Tran.
  - gh-143308: pickle: fix use-after-free crashes when
    a PickleBuffer is concurrently mutated by a custom buffer
    callback during pickling. Patch by Bénédikt Tran and Aaron
    Wieczorek.
  - gh-143237: Fix support of named pipes in the rotating
    logging handlers.
  - gh-143249: Fix possible buffer leaks in Windows overlapped
    ... changelog too long, skipping 212 lines ...
  encoding EOL possibly hidden in email headers (bsc#1257181).

==== python313-core ====
Version update (3.13.11 -> 3.13.12)
Subpackages: libpython3_13-1_0 libpython3_13-1_0-x86-64-v3 python313-base python313-base-x86-64-v3 python313-devel

- Update to 3.13.12: Python 3.13.12 final Release date:
  2026-02-03
  - Tools/Demos
  - gh-142095: Make gdb ‘py-bt’ command use frame from thread
    local state when available. Patch by Sam Gross and Victor
    Stinner.
  - Tests
  - gh-144415: The Android testbed now distinguishes between
    stdout/stderr messages which were triggered by a newline,
    and those triggered by a manual call to flush. This fixes
    logging of progress indicators and similar content.
  - gh-65784: Add support for parametrized resource wantobjects
    in regrtests, which allows to run Tkinter tests with the
    specified value of tkinter.wantobjects, for example -u
    wantobjects=0.
  - gh-143553: Add support for parametrized resources, such as
  - u xpickle=2.7.
  - gh-142836: Accommodated Solaris in
    test_pdb.test_script_target_anonymous_pipe.
  - gh-129401: Fix a flaky test in test_repr_rlock that checks
    the representation of multiprocessing.RLock.
  - bpo-31391: Forward-port test_xpickle from Python 2 to
    Python 3 and add the resource back to test’s command line.
  - Security
  - gh-144125: BytesGenerator will now refuse to serialize
    (write) headers that are unsafely folded or delimited; see
    verify_generated_headers. (Contributed by Bas Bloemsaat and
    Petr Viktorin in gh-121650).
  - gh-143935: Fixed a bug in the folding of comments when
    flattening an email message using a modern email policy.
    Comments consisting of a very long sequence of non-foldable
    characters could trigger a forced line wrap that omitted
    the required leading space on the continuation line,
    causing the remainder of the comment to be interpreted as
    a new header field. This enabled header injection with
    carefully crafted inputs (bsc#1257029, CVE-2025-11468).
  - gh-143925: Reject control characters in data: URL media
    types (bsc#1257046, CVE-2025-15282).
  - gh-143919: Reject control characters in http.cookies.Morsel
    fields and values (bsc#1257031, CVE-2026-0672).
  - gh-143916: Reject C0 control characters within
    wsgiref.headers.Headers fields, values, and parameters
    (bsc#1257042, CVE-2026-0865).
  - Library
  - gh-144380: Improve performance of io.BufferedReader line
    iteration by ~49%.
  - gh-144169: Fix three crashes when non-string keyword
    arguments are supplied to objects in the ast module.
  - gh-144100: Fixed a crash in ctypes when using a deprecated
    POINTER(str) type in argtypes. Instead of aborting, ctypes
    now raises a proper Python exception when the pointer
    target type is unresolved.
  - gh-144050: Fix stat.filemode() in the pure-Python
    implementation to avoid misclassifying invalid mode values
    as block devices.
  - gh-144023: Fixed validation of file descriptor 0 in posix
    functions when used with follow_symlinks parameter.
  - gh-143999: Fix an issue where inspect.getgeneratorstate()
    and inspect.getcoroutinestate() could fail for generators
    wrapped by types.coroutine() in the suspended state.
  - gh-143706: Fix multiprocessing forkserver so that sys.argv
    is correctly set before __main__ is preloaded. Previously,
    sys.argv was empty during main module import in forkserver
    child processes. This fixes a regression introduced in
    3.13.8 and 3.14.1. Root caused by Aaron Wieczorek, test
    provided by Thomas Watson, thanks!
  - gh-143638: Forbid reentrant calls of the pickle.Pickler and
    pickle.Unpickler methods for the C implementation.
    Previously, this could cause crash or data corruption, now
    concurrent calls of methods of the same object raise
    RuntimeError.
  - gh-78724: Raise RuntimeError’s when user attempts to call
    methods on half-initialized Struct objects, For example,
    created by Struct.__new__(Struct). Patch by Sergey
    B Kirpichev.
  - gh-143602: Fix a inconsistency issue in write() that leads
    to unexpected buffer overwrite by deduplicating the buffer
    exports.
  - gh-143547: Fix sys.unraisablehook() when the hook raises an
    exception and changes sys.unraisablehook(): hold a strong
    reference to the old hook. Patch by Victor Stinner.
  - gh-143378: Fix use-after-free crashes when a BytesIO object
    is concurrently mutated during write() or writelines().
  - gh-143346: Fix incorrect wrapping of the Base64 data in
    plistlib._PlistWriter when the indent contains a mix of
    tabs and spaces.
  - gh-143310: tkinter: fix a crash when a Python list is
    mutated during the conversion to a Tcl object (e.g., when
    setting a Tcl variable). Patch by Bénédikt Tran.
  - gh-143309: Fix a crash in os.execve() on non-Windows
    platforms when given a custom environment mapping which is
    then mutated during parsing. Patch by Bénédikt Tran.
  - gh-143308: pickle: fix use-after-free crashes when
    a PickleBuffer is concurrently mutated by a custom buffer
    callback during pickling. Patch by Bénédikt Tran and Aaron
    Wieczorek.
  - gh-143237: Fix support of named pipes in the rotating
    logging handlers.
  - gh-143249: Fix possible buffer leaks in Windows overlapped
    ... changelog too long, skipping 212 lines ...
  encoding EOL possibly hidden in email headers (bsc#1257181).