Packages changed: MozillaFirefox (137.0.2 -> 138.0) apache-commons-logging (1.3.4 -> 1.3.5) at-spi2-core (2.56.1 -> 2.56.2) fcitx-chewing fcitx-cloudpinyin fcitx-googlepinyin fcitx-sunpinyin fcitx-table-extra fcitx-zhuyin fdupes (2.3.1 -> 2.4.0) gstreamer (1.26.0 -> 1.26.1) gstreamer-plugins-bad (1.26.0 -> 1.26.1) gstreamer-plugins-base (1.26.0 -> 1.26.1) gstreamer-plugins-good (1.26.0 -> 1.26.1) jemalloc mozilla-nss (3.109 -> 3.110) openSUSE-release (20250501 -> 20250502) === Details === ==== MozillaFirefox ==== Version update (137.0.2 -> 138.0) Subpackages: MozillaFirefox-branding-upstream MozillaFirefox-translations-common - Mozilla Firefox 138.0 https://www.mozilla.org/en-US/firefox/138.0/releasenotes/ MFSA 2025-28 (bsc#1241621) * CVE-2025-2817 (bmo#1917536) Privilege escalation in Firefox Updater * CVE-2025-4082 (bmo#1937097) WebGL shader attribute memory corruption in Firefox for macOS * CVE-2025-4083 (bmo#1958350) Process isolation bypass using "javascript:" URI links in cross-origin frames * CVE-2025-4085 (bmo#1915280) Potential information leakage and privilege escalation in UITour actor * CVE-2025-4086 (bmo#1945705) Specially crafted filename could be used to obscure download type * CVE-2025-4087 (bmo#1952465) Unsafe attribute access during XPath parsing * CVE-2025-4088 (bmo#1953521) Cross-site request forgery via storage access API redirects * CVE-2025-4089 (bmo#1949994, bmo#1956698, bmo#1960198) Potential local code execution in "copy as cURL" command * CVE-2025-4090 (bmo#1929478) Leaked library paths in Firefox for Android * CVE-2025-4091 (bmo#1951161, bmo#1952105) Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10 * CVE-2025-4092 (bmo#1924108, bmo#1950780, bmo#1959367) Memory safety bugs fixed in Firefox 138 and Thunderbird 138 - requires NSS 3.110 - rebased patches ==== apache-commons-logging ==== Version update (1.3.4 -> 1.3.5) - Upgrade to 1.3.5 * Fixed Bugs + Javadoc is missing its Overview page. + Remove -nouses directive from maven-bundle-plugin. OSGi package imports now state 'uses' definitions for package imports, this doesn't affect JPMS (from org.apache.commons:commons-parent:80). * Changes + Bump org.apache.commons:commons-parent from 72 to 81 #285, [#287], #295, #298, #303, #310, #339. + Bump org.apache.commons:commons-lang3 from 3.16.0 to 3.17.0 [#288] [test]. + Bump log4j2.version from 2.23.1 to 2.24.3 #292, #299, #319, [#328]. * Removed: + Remove "cobertura" plugin use JaCoco, Cobertura is unmaintained. ==== at-spi2-core ==== Version update (2.56.1 -> 2.56.2) Subpackages: at-spi2-core-lang libatk-1_0-0 libatk-bridge-2_0-0 libatspi0 typelib-1_0-Atk-1_0 typelib-1_0-Atspi-2_0 - Update to version 2.56.2: + Fix the build with glib < 2.76. + a11y-manager-device: Fix unmap_keysym_modifier. ==== fcitx-chewing ==== - Set -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to fix build with cmake4 ==== fcitx-cloudpinyin ==== - Set -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to fix build with cmake4 ==== fcitx-googlepinyin ==== - Set -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to fix build with cmake4 ==== fcitx-sunpinyin ==== - Set -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to fix build with cmake4 ==== fcitx-table-extra ==== Subpackages: fcitx-table-cn-wubi-large fcitx-table-extra-lang fcitx-table-tw-boshiamy fcitx-table-tw-cangjie-large fcitx-table-tw-cangjie5 fcitx-table-tw-smart-cangjie6 - Set -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to fix build with cmake4 ==== fcitx-zhuyin ==== - Set -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to fix build with cmake4 ==== fdupes ==== Version update (2.3.1 -> 2.4.0) - Update to 2.4.0: * Add quick summary option that skips byte-for-byte match confirmation. * Reduce number of progress indicator updates for better performance. - Update to 2.3.2: * Keep cursor as close to current group as possible after deleting files. ==== gstreamer ==== Version update (1.26.0 -> 1.26.1) Subpackages: gstreamer-lang gstreamer-utils libgstreamer-1_0-0 typelib-1_0-Gst-1_0 - Update to version 1.26.1: + Highlighted bugfixes: - awstranslate and speechmatics plugin improvements - decodebin3 fixes and urisourcebin/playbin3 stability improvements - Closed captions: CEA-708 generation and muxing fixes, and H.264/H.265 caption extractor fixes - dav1d AV1 decoder: RGB support, plus colorimetry, renegotiation and buffer pool handling fixes - Fix regression when rendering VP9 with alpha - H.265 decoder base class and caption inserter SPS/PPS handling fixes - hlssink3 and hlsmultivariantsink feature enhancements - Matroska v4 support in muxer, seeking fixes in demuxer - macOS: framerate guessing for cameras or capture devices where the OS reports silly framerates - MP4 demuxer uncompressed video handling improvements and sample table handling fixes - oggdemux: seeking improvements in streaming mode - unixfdsrc: fix gst_memory_resize warnings - Plugin loader fixes, especially for Windows - QML6 GL source renegotiation fixes - RTP and RTSP stability fixes - Thread-safety improvements for the Media Source Extension (MSE) library - v4l2videodec: fix A/V sync issues after decoding errors - Various improvements and fixes for the fragmented and non-fragmented MP4 muxers - Video encoder base class segment and buffer timestamp handling fixes - Video time code support for 119.88 fps and drop-frames-related conversion fixes - WebRTC: Retransmission entry creation fixes and better audio level header extension compatibility - YUV4MPEG encoder improvments - dots-viewer: make work locally without network access - gst-python: fix compatibility with PyGObject >= 3.52.0 - Cerbero: recipe updates, compatibility fixes for Python < 3.10; Windows Android cross-build improvements - Various bug fixes, build fixes, memory leak fixes, and other stability and reliability improvements + gstreamer: - Correctly handle whitespace paths when executing gst-plugin-scanner - Ensure properties are freed before (re)setting with g_value_dup_string() and during cleanup - cmake: Fix PKG_CONFIG_PATH formatting for Windows cross-builds - macos: Move macos function documentation to the .h so the introspection has the information - meson.build: test for and link against libatomic if it exists - pluginloader-win32: Fix helper executable path under devenv - pluginloader: fix pending_plugins Glist use-after-free issue - unixfdsrc: Complains about resize of memory area - tracers: dots: fix debug log ==== gstreamer-plugins-bad ==== Version update (1.26.0 -> 1.26.1) Subpackages: gstreamer-plugins-bad-lang libgstadaptivedemux-1_0-0 libgstanalytics-1_0-0 libgstbadaudio-1_0-0 libgstbasecamerabinsrc-1_0-0 libgstcodecparsers-1_0-0 libgstcodecs-1_0-0 libgstcuda-1_0-0 libgstinsertbin-1_0-0 libgstisoff-1_0-0 libgstmpegts-1_0-0 libgstmse-1_0-0 libgstphotography-1_0-0 libgstplay-1_0-0 libgstplayer-1_0-0 libgstsctp-1_0-0 libgsttranscoder-1_0-0 libgsturidownloader-1_0-0 libgstva-1_0-0 libgstvulkan-1_0-0 libgstwayland-1_0-0 libgstwebrtc-1_0-0 libgstwebrtcnice-1_0-0 - Update to version 1.26.1: + Add missing Requires in pkg-config + Ensure properties are freed before (re)setting with g_value_dup_string() and during cleanup + Update docs + aja: Use the correct location of the AJA NTV2 SDK in the docs + alphacombine: De-couple flush-start/stop events handling + alphadecodebin: use a multiqueue instead of a couple of queues + avfvideosrc: Guess reasonable framerate values for some 3rd party devices + codecalpha: name both queues + d3d12converter: Fix cropping when automatic mipmap is enabled + dashsink: Make sure to use a non-NULL pad name when requesting a pad from splitmuxsink + docs: Fix GstWebRTCICE* class documentation + h264ccextractor, h265ccextractor: Handle gap with unknown pts + h265decoder, h265ccinserter: Fix broken SPS/PPS link + h265parser: Fix num_long_term_pics bound check + Segmentation fault in H265 decoder + h266decoder: fix leak parsing SEI messages + meson.build: test for and link against libatomic if it exists + mse: Improved Thread Safety of API + mse: Revert ownership transfer API change in gst_source_buffer_append_buffer() + tensordecoders: updating element classification + unixfd: Fix wrong memory size when offset > 0 + uvcsink: Respond to control requests with proper error handling + v4l2codecs: unref frame in all error paths of end_picture + va: Skip codecs that report maximum width or height lower than minimum + vapostproc: fix wrong video orientation after restarting the element + vavp9enc: fix mem leaks in _vp9_decide_profile + vkformat: fix build error + vtenc: Avoid deadlocking when changing properties on the fly + vulkan: fix memory leak at dynamic registering + webrtc: enhance rtx entry creation + webrtcbin: add missing warning for caps missmatch + ZDI-CAN-26596: New Vulnerability Report (Security) - Drop va-codecs-check-size.patch: Fixed upstream. - Drop cuda_nvdec conditional, builds fine for aarch64/armv7 now. ==== gstreamer-plugins-base ==== Version update (1.26.0 -> 1.26.1) Subpackages: gstreamer-plugins-base-lang libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstfft-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgstrtp-1_0-0 libgstrtsp-1_0-0 libgstsdp-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0 typelib-1_0-GstAudio-1_0 typelib-1_0-GstPbutils-1_0 typelib-1_0-GstTag-1_0 typelib-1_0-GstVideo-1_0 - Update to version 1.26.1: + Ensure properties are freed before (re)setting with g_value_dup_string() and during cleanup + alsadeviceprovider: Fix leak of Alsa longname + audioaggregator: fix error added in !8416 when chaining up + audiobasesink: Fix custom slaving driftsamples calculation and add custom audio clock slaving callback example + decodebin3: - Don't avoid parsebin even if we have a matching decoder - Doesn't plug parsebin for AAC from tsdemux + gl: eglimage: warn the reason of export failure + glcolorconvert: - Fix YUVA<->RGBA conversions - Regression when rendering alpha vp9 + gldownload: Unref glcontext after usage + meson.build: test for and link against libatomic if it exists + oggdemux: Don't push new packets if there is a pending seek + urisourcebin: - Make parsebin activation more reliable - Deadlock between parsebin and typefind + videoencoder: Use the correct segment and buffer timestamp in the chain function + videotimecode: Fix conversion of timecode to datetime with drop-frame timecodes and handle 119.88 fps correctly in all places ==== gstreamer-plugins-good ==== Version update (1.26.0 -> 1.26.1) Subpackages: gstreamer-plugins-good-gtk gstreamer-plugins-good-lang - Update to version 1.26.1: + Ensure properties are freed before (re)setting with g_value_dup_string() and during cleanup + gst-plugins-good: Matroska mux v4 support + matroska-demux: Prevent corrupt cluster duplication + qml6glsrc: update buffer pool on renegotiation + qt6: Add a missing newline in unsupported platform message + qtdemux: - Fix stsc size check in qtdemux_merge_sample_table() - Next Iteration Of Uncompressed MP4 Decoder - Unref simple caps after use + rtspsrc: - Do not emit signal 'no-more-pads' too early - Don't error out on not-linked too early + rtpsession: - Do not push events while holding SESSION_LOCK - Deadlock when gst_rtp_session_send_rtcp () is forwarding eos + v4l2: drop frame for frames that cannot be decoded + v4l2videodec: AV unsync for streams with many frames that cannot be decoded + v4l2object: - Fix memory leak - Fix type mismatch when ioctl takes int + y4menc: - Fix Y41B format - Handle frames with GstVideoMeta ==== jemalloc ==== - Add fix_make_check_with_gcc15.patch to make the testsuite pass despite new GCC malloc-related optimizations. [boo#1240665] ==== mozilla-nss ==== Version update (3.109 -> 3.110) Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs mozilla-nss-sysinit mozilla-nss-tools - update to NSS 3.110 * bmo#1930806 - FIPS changes need to be upstreamed: force ems policy * bmo#1954724 - Prevent excess allocations in sslBuffer_Grow * bmo#1953429 - Remove Crl templates from ASN1 fuzz target * bmo#1953429 - Remove CERT_CrlTemplate from ASN1 fuzz target * bmo#1952855 - Fix memory leak in NSS_CMSMessage_IsSigned * bmo#1930807 - NSS policy updates * bmo#1951161 - Improve locking in nssPKIObject_GetInstances * bmo#1951394 - Fix race in sdb_GetMetaData * bmo#1951800 - Fix member access within null pointer * bmo#1950077 - Increase smime fuzzer memory limit * bmo#1949677 - Enable resumption when using custom extensions * bmo#1952568 - change CN of server12 test certificate * bmo#1949118 - Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle * bmo#1949118 - Part 1: Fix smime UBSan errors * bmo#1930806 - FIPS changes need to be upstreamed: updated key checks * bmo#1951491 - Don't build libpkix in static builds * bmo#1951395 - handle `-p all` in try syntax * bmo#1951346 - fix opt-make builds to actually be opt * bmo#1951346 - fix opt-static builds to actually be opt * bmo#1916439 - Remove extraneous assert - Removed upstreamed nss-fips-stricter-dh.patch - Added bmo1962556.patch to fix test failures - Rebased nss-fips-approved-crypto-non-ec.patch nss-fips-combined-hash-sign-dsa-ecdsa.patch ==== openSUSE-release ==== Version update (20250501 -> 20250502) Subpackages: openSUSE-release-appliance-custom openSUSE-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen