Packages changed: MicroOS-release (20260217 -> 20260218) cockpit (354 -> 356) glib2 (2.86.3 -> 2.86.4) microos-tools (4.0+git21 -> 4.0+git23) openjph (0.26.0 -> 0.26.3) python313 (3.13.11 -> 3.13.12) python313-core (3.13.11 -> 3.13.12) === Details === ==== MicroOS-release ==== Version update (20260217 -> 20260218) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== cockpit ==== Version update (354 -> 356) Subpackages: cockpit-bridge cockpit-networkmanager cockpit-packagekit cockpit-system cockpit-ws cockpit-ws-selinux - Fix esbuild for ppc64le bsc#1257698 * Include esbuild-ppc64.patch * Update update_version.sh - Update to 356 * changes since 354 - 356 * systemd: Allow editing timers created by Cockpit * Convert license headers to SPDX format - 355 * ws: Remove obsolete pam_cockpit_cert module * shell: add StartTransientUnit as a sudo alternative ==== glib2 ==== Version update (2.86.3 -> 2.86.4) Subpackages: glib2-tools libgio-2_0-0 libgirepository-2_0-0 libglib-2_0-0 libgmodule-2_0-0 libgobject-2_0-0 typelib-1_0-GLib-2_0 typelib-1_0-GModule-2_0 typelib-1_0-GObject-2_0 typelib-1_0-Gio-2_0 - Update to version 2.86.4: + Fix several security vulnerabilities of varying severity + Updated translations. - Drop patches fixed upstream: + glib2-CVE-2026-1484.patch + glib2-CVE-2026-1485.patch + glib2-CVE-2026-1489.patch ==== microos-tools ==== Version update (4.0+git21 -> 4.0+git23) Subpackages: selinux-autorelabel zypp-excludedocs zypp-no-multiversion zypp-no-recommends - Update to version 4.0+git23: * zypp-*: require libzypp(econf) * test: Work around missing 9pnet_virtio in the initrd (boo#1258314) ==== openjph ==== Version update (0.26.0 -> 0.26.3) - Update to 0.26.3: * Bug fix out of range values #248 Using versions 0.26.1 and 0.26.2 is not recommended - Update to 0.26.2: * Fix a bug when the number of tiles is 0, and, in resilient mode, when the the start of tile-part segment (SOT) has an incorrect index, Isot #245 - Update to 0.26.1: * Add ARM CPU feature detection for FreeBSD and OpenBSD #238 * Bug fix: some HTJ2K codestream parameters are now qualified before being used #244 ==== python313 ==== Version update (3.13.11 -> 3.13.12) - Update to 3.13.12: Python 3.13.12 final Release date: 2026-02-03 - Tools/Demos - gh-142095: Make gdb ‘py-bt’ command use frame from thread local state when available. Patch by Sam Gross and Victor Stinner. - Tests - gh-144415: The Android testbed now distinguishes between stdout/stderr messages which were triggered by a newline, and those triggered by a manual call to flush. This fixes logging of progress indicators and similar content. - gh-65784: Add support for parametrized resource wantobjects in regrtests, which allows to run Tkinter tests with the specified value of tkinter.wantobjects, for example -u wantobjects=0. - gh-143553: Add support for parametrized resources, such as - u xpickle=2.7. - gh-142836: Accommodated Solaris in test_pdb.test_script_target_anonymous_pipe. - gh-129401: Fix a flaky test in test_repr_rlock that checks the representation of multiprocessing.RLock. - bpo-31391: Forward-port test_xpickle from Python 2 to Python 3 and add the resource back to test’s command line. - Security - gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650). - gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs (bsc#1257029, CVE-2025-11468). - gh-143925: Reject control characters in data: URL media types (bsc#1257046, CVE-2025-15282). - gh-143919: Reject control characters in http.cookies.Morsel fields and values (bsc#1257031, CVE-2026-0672). - gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters (bsc#1257042, CVE-2026-0865). - Library - gh-144380: Improve performance of io.BufferedReader line iteration by ~49%. - gh-144169: Fix three crashes when non-string keyword arguments are supplied to objects in the ast module. - gh-144100: Fixed a crash in ctypes when using a deprecated POINTER(str) type in argtypes. Instead of aborting, ctypes now raises a proper Python exception when the pointer target type is unresolved. - gh-144050: Fix stat.filemode() in the pure-Python implementation to avoid misclassifying invalid mode values as block devices. - gh-144023: Fixed validation of file descriptor 0 in posix functions when used with follow_symlinks parameter. - gh-143999: Fix an issue where inspect.getgeneratorstate() and inspect.getcoroutinestate() could fail for generators wrapped by types.coroutine() in the suspended state. - gh-143706: Fix multiprocessing forkserver so that sys.argv is correctly set before __main__ is preloaded. Previously, sys.argv was empty during main module import in forkserver child processes. This fixes a regression introduced in 3.13.8 and 3.14.1. Root caused by Aaron Wieczorek, test provided by Thomas Watson, thanks! - gh-143638: Forbid reentrant calls of the pickle.Pickler and pickle.Unpickler methods for the C implementation. Previously, this could cause crash or data corruption, now concurrent calls of methods of the same object raise RuntimeError. - gh-78724: Raise RuntimeError’s when user attempts to call methods on half-initialized Struct objects, For example, created by Struct.__new__(Struct). Patch by Sergey B Kirpichev. - gh-143602: Fix a inconsistency issue in write() that leads to unexpected buffer overwrite by deduplicating the buffer exports. - gh-143547: Fix sys.unraisablehook() when the hook raises an exception and changes sys.unraisablehook(): hold a strong reference to the old hook. Patch by Victor Stinner. - gh-143378: Fix use-after-free crashes when a BytesIO object is concurrently mutated during write() or writelines(). - gh-143346: Fix incorrect wrapping of the Base64 data in plistlib._PlistWriter when the indent contains a mix of tabs and spaces. - gh-143310: tkinter: fix a crash when a Python list is mutated during the conversion to a Tcl object (e.g., when setting a Tcl variable). Patch by Bénédikt Tran. - gh-143309: Fix a crash in os.execve() on non-Windows platforms when given a custom environment mapping which is then mutated during parsing. Patch by Bénédikt Tran. - gh-143308: pickle: fix use-after-free crashes when a PickleBuffer is concurrently mutated by a custom buffer callback during pickling. Patch by Bénédikt Tran and Aaron Wieczorek. - gh-143237: Fix support of named pipes in the rotating logging handlers. - gh-143249: Fix possible buffer leaks in Windows overlapped ... changelog too long, skipping 212 lines ... encoding EOL possibly hidden in email headers (bsc#1257181). ==== python313-core ==== Version update (3.13.11 -> 3.13.12) Subpackages: libpython3_13-1_0 python313-base - Update to 3.13.12: Python 3.13.12 final Release date: 2026-02-03 - Tools/Demos - gh-142095: Make gdb ‘py-bt’ command use frame from thread local state when available. Patch by Sam Gross and Victor Stinner. - Tests - gh-144415: The Android testbed now distinguishes between stdout/stderr messages which were triggered by a newline, and those triggered by a manual call to flush. This fixes logging of progress indicators and similar content. - gh-65784: Add support for parametrized resource wantobjects in regrtests, which allows to run Tkinter tests with the specified value of tkinter.wantobjects, for example -u wantobjects=0. - gh-143553: Add support for parametrized resources, such as - u xpickle=2.7. - gh-142836: Accommodated Solaris in test_pdb.test_script_target_anonymous_pipe. - gh-129401: Fix a flaky test in test_repr_rlock that checks the representation of multiprocessing.RLock. - bpo-31391: Forward-port test_xpickle from Python 2 to Python 3 and add the resource back to test’s command line. - Security - gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650). - gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs (bsc#1257029, CVE-2025-11468). - gh-143925: Reject control characters in data: URL media types (bsc#1257046, CVE-2025-15282). - gh-143919: Reject control characters in http.cookies.Morsel fields and values (bsc#1257031, CVE-2026-0672). - gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters (bsc#1257042, CVE-2026-0865). - Library - gh-144380: Improve performance of io.BufferedReader line iteration by ~49%. - gh-144169: Fix three crashes when non-string keyword arguments are supplied to objects in the ast module. - gh-144100: Fixed a crash in ctypes when using a deprecated POINTER(str) type in argtypes. Instead of aborting, ctypes now raises a proper Python exception when the pointer target type is unresolved. - gh-144050: Fix stat.filemode() in the pure-Python implementation to avoid misclassifying invalid mode values as block devices. - gh-144023: Fixed validation of file descriptor 0 in posix functions when used with follow_symlinks parameter. - gh-143999: Fix an issue where inspect.getgeneratorstate() and inspect.getcoroutinestate() could fail for generators wrapped by types.coroutine() in the suspended state. - gh-143706: Fix multiprocessing forkserver so that sys.argv is correctly set before __main__ is preloaded. Previously, sys.argv was empty during main module import in forkserver child processes. This fixes a regression introduced in 3.13.8 and 3.14.1. Root caused by Aaron Wieczorek, test provided by Thomas Watson, thanks! - gh-143638: Forbid reentrant calls of the pickle.Pickler and pickle.Unpickler methods for the C implementation. Previously, this could cause crash or data corruption, now concurrent calls of methods of the same object raise RuntimeError. - gh-78724: Raise RuntimeError’s when user attempts to call methods on half-initialized Struct objects, For example, created by Struct.__new__(Struct). Patch by Sergey B Kirpichev. - gh-143602: Fix a inconsistency issue in write() that leads to unexpected buffer overwrite by deduplicating the buffer exports. - gh-143547: Fix sys.unraisablehook() when the hook raises an exception and changes sys.unraisablehook(): hold a strong reference to the old hook. Patch by Victor Stinner. - gh-143378: Fix use-after-free crashes when a BytesIO object is concurrently mutated during write() or writelines(). - gh-143346: Fix incorrect wrapping of the Base64 data in plistlib._PlistWriter when the indent contains a mix of tabs and spaces. - gh-143310: tkinter: fix a crash when a Python list is mutated during the conversion to a Tcl object (e.g., when setting a Tcl variable). Patch by Bénédikt Tran. - gh-143309: Fix a crash in os.execve() on non-Windows platforms when given a custom environment mapping which is then mutated during parsing. Patch by Bénédikt Tran. - gh-143308: pickle: fix use-after-free crashes when a PickleBuffer is concurrently mutated by a custom buffer callback during pickling. Patch by Bénédikt Tran and Aaron Wieczorek. - gh-143237: Fix support of named pipes in the rotating logging handlers. - gh-143249: Fix possible buffer leaks in Windows overlapped ... changelog too long, skipping 212 lines ... encoding EOL possibly hidden in email headers (bsc#1257181).