Packages changed:
  MicroOS-release (20260612 -> 20260613)
  gcc15 (15.2.1+git11263 -> 15.3.0+git11272)
  gstreamer (1.28.3 -> 1.28.4)
  gstreamer-plugins-bad (1.28.3 -> 1.28.4)
  gstreamer-plugins-base (1.28.3 -> 1.28.4)
  ncurses
  openssl-3
  python-PyJWT (2.12.1 -> 2.13.0)
  python-tornado6 (6.5.5 -> 6.5.7)
  rav1e
  snapper
  sssd (2.13.0 -> 2.13.1)
  zypper (1.14.97 -> 1.14.98)

=== Details ===

==== MicroOS-release ====
Version update (20260612 -> 20260613)
Subpackages: MicroOS-release-appliance MicroOS-release-dvd

- automatically generated by openSUSE-release-tools/pkglistgen

==== gcc15 ====
Version update (15.2.1+git11263 -> 15.3.0+git11272)

- Update to GCC 15.3 release

==== gstreamer ====
Version update (1.28.3 -> 1.28.4)
Subpackages: libgstreamer-1_0-0

- Update to version 1.28.4:
  + Highlighted bugfixes:
    - Various security fixes and playback fixes
    - audioaggregator: fixes for conversion of in-progress buffers when
      input caps change
    - audioresample: more armv7 fixes
    - camerabin: Fix caps negotiation failure when starting video capture
    - Debug logging performance improvements
    - fmp4mux: Fix draining in chunk mode after partial GOPs were drained
    - gldownload: fix handling of directly imported dmabufs from glupload
    - matroskamux: Write ReferenceBlock for non-keyframe video in
      BlockGroups
    - rtp2: session: add "stats" property
    - rtspsrc2: handle parse errors with TCP interleaved more gracefully
      where the server just drops data
    - rtspsrc2: implement support for SRTP, authentication, HTTP
      tunnelling, keep alive, stream selection, TLS validation, latency
      configuration
    - st2038combiner: only forward video pad segment, fixing issues for
      cases where the ST2038 segment differs
    - Wavpack audio: Various channel and channel-mask related fixes
    - webrtc, sdp: set level in negotiated caps only if level asymmetry
      not allowed, fixing an H.264 negotiation regression with higher
      resolutions
    - androidmedia: add various new codec mime / profile mappings (WMV,
      VC1, AC3/EAC3/AC4, AAC, H265) and support decoding FLAC
    - d3d12decoder: Fix decoding on Qualcomm GPUs on ARM64 Windows
    - wasapi2src: fix hang when using loopback-target-pid (regression
      from 1.26)
    - cerbero: update to Rust 1.96, plus glib-networking OpenSSL backend
      fixes
    - Various bug fixes, build fixes, memory leak fixes, and other
      stability and reliability improvements
  + gstreamer:
    - bufferpool: avoid leaking partially preallocated buffers
    - caps: fix multiple caps leaks
    - datetime: Improve correctness of ISO-8601 string parsing
    - info: Don't use fwrite() on Windows for debug logging
    - info: Use stack allocation for messages smaller than 1kB
    - task: Fix racy tests by making unref deterministic
    - value: fix crash when converting NULL G_TYPE_VALUE_ARRAY to
      G_TYPE_STRING
    - registry: detect libgstreamer load from Android container and skip
      canonicalization
    - tests: Fix build with glib <= 2.67.2

==== gstreamer-plugins-bad ====
Version update (1.28.3 -> 1.28.4)
Subpackages: libgstphotography-1_0-0 libgstplay-1_0-0

- Update to version 1.28.4:
  + ahcsrc: Register exposure-mode property for GstPhotography interface
  + amc: Don't try printing NULL caps
  + amcvideodec: Don't keep crop-rectangle uninitialized if not specified
  + androidmedia: Add various new codec mime / profile mappings
  + androidmedia: Don't print error logs if downstream returns flushing /
    EOS
  + androidmedia: Fix typo in error message
  + androidmedia: support decoding flac
  + av1parser: Fix bytes/bits confusion when parsing tile data size
  + camerabin: Fix caps negotiation when starting video capture
  + d3d12decoder: Fix decoding on Qualcomm GPUs
  + mpegtspacketizer: Do not seek before the first PCR
  + mxfdemux: Use unsigned integers in more places and don't truncate 64
    bit integers
  + svtav1enc: Scale MDCV and CLL to SVT-AV1's expected units
  + va: drm: Fix fd leak and return type in create_va_display
  + vajpegdecoder: Validate that enough data is available for the current
    JPEG segment
  + vulkanupload: Don't reallocate the pool when the framerate changes
  + wasapi2: Don't reset process loopback capture client
  + wasapi2src hangs when using loopback-target-pid in GStreamer 1.28
    (regression from 1.26)
  + tests: Fix build with glib <= 2.67.2
  + meson: fix building -bad tests with disabled mse

==== gstreamer-plugins-base ====
Version update (1.28.3 -> 1.28.4)
Subpackages: libgstallocators-1_0-0 libgstapp-1_0-0 libgstaudio-1_0-0 libgstgl-1_0-0 libgstpbutils-1_0-0 libgstriff-1_0-0 libgsttag-1_0-0 libgstvideo-1_0-0

- Update to version 1.28.4:
  + audio-resampler-neon: fix accumulated stride
  + audio-resampler-neon: re-increment address
  + audioaggregator: Remove brittle conversion of in-progress buffers
  + discoverer: Lock the DISCO_LOCK whenever accessing the streams list
  + gl: egl: Set TRANSFER_NEED_DOWNLOAD flag
  + gldownload: Can't handle directly imported dmabufs from glupload
  + glupload: fix memleak on failure path
  + glwindow: Allow setting a NULL window handle
  + id3v2: Don't modify const data and check for enough data when reading
    RVA2 tags
  + id3v2: Don't unnecessarily assert on size==0 when unsyncing data
  + pbutils: Add NULL check for tmpcaps parsing
  + pbutils: Fix possible null dereference when empty string is provided
  + rtcpbuffer: Add some missing bounds checks when parsing SDES
  + sdp: keep level-asymmetry-allowed in the caps
  + subparse: Avoid zero and extreme fps when parsing mdvdsub subtitles
  + uridecodebin3: Use PLAY_ITEMS_LOCK for URI-related getter
  + uridecodebin: Protect missing_plugin_errors list from concurrent
    access
  + videodmabufpool: Fix debug category
  + xmptag: Correctly initialize pointer to the end of the input array

==== ncurses ====
Subpackages: libncurses6 ncurses-utils terminfo-base

- Pre work for ABI 7

==== openssl-3 ====
Subpackages: libopenssl3

- Security fixes:
  * CVE-2026-45447: Heap Use-After-Free in OpenSSL PKCS7_verify()
    (bsc#1266357)
  * CVE-2026-45446: Incorrect Tag Processing for Empty Messages in
    AES-GCM-SIV and AES-SIV modes (bsc#1266356)
  * CVE-2026-42770: FFC-DH Peer Validation Uses Attacker-Supplied q
    (bsc#1266353)
  * CVE-2026-45445: AES-OCB IV Ignored on EVP_Cipher() Path (bsc#1266355)
  * CVE-2026-42767: NULL Pointer Dereference in CRMF EncryptedValue
    Decryption (bsc#1266350)
  * CVE-2026-42768: Multi-RecipientInfo Bleichenbacher Oracle in
    CMS_decrypt() and PKCS7_decrypt() (bsc#1266351)
  * CVE-2026-42769: Trust-Anchor Substitution via cert/issuer Typo in CMP
    rootCaKeyUpdate (bsc#1266352)
  * CVE-2026-42766: Possible NULL Dereference in Password-Based CMS
    Decryption (bsc#1266349)
  * CVE-2026-34183: Unbounded Memory Growth in the QUIC PATH_CHALLENGE
    Handler (bsc#1266345)
  * CVE-2026-42764: NULL pointer dereference in QUIC server initial packet
    handling (bsc#1266347)
  * CVE-2026-34182: CMS AuthEnvelopedData Processing May Accept Forged
    Messages (bsc#1266344)
  * CVE-2026-9076: Out-of-Bounds Read in CMS Password-Based Decryption
    (bsc#1266341)
  * CVE-2026-7383: Possible Heap Buffer Overflow in ASN.1 Multibyte String
    Conversion (bsc#1266340)
  * CVE-2026-34180: Heap Buffer Over-read in ASN.1 Content Parsing
    (bsc#1266342)
  * Add patches:
    openssl-CVE-2026-45447.patch
    openssl-CVE-2026-45446.patch
    openssl-CVE-2026-42770.patch
    openssl-CVE-2026-45445.patch
    openssl-CVE-2026-42767.patch
    openssl-CVE-2026-42768.patch
    openssl-CVE-2026-42769.patch
    openssl-CVE-2026-42766.patch
    openssl-CVE-2026-34183.patch
    openssl-CVE-2026-42764.patch
    openssl-CVE-2026-34182.patch
    openssl-CVE-2026-9076.patch
    openssl-CVE-2026-7383.patch
    openssl-CVE-2026-34180.patch

==== python-PyJWT ====
Version update (2.12.1 -> 2.13.0)

- Update to 2.13.0
- Security
  * CVE-2026-48526 (bsc#1266802) — JWK JSON accepted as HMAC secret
    (algorithm confusion). HMACAlgorithm.prepare_key previously rejected
    PEM- and SSH-formatted asymmetric keys but did not catch a JWK passed
    as a raw JSON string. In a verifier configured with both symmetric and
    asymmetric algorithms in algorithms=[…] and a raw-JSON JWK as the key,
    an attacker could forge HS256 tokens using the JWK text as the HMAC
    secret. The guard has been extended to reject any JWK-shaped JSON.
  * CVE-2026-48523 (bsc#1266799) — Algorithm allow-list bypass with
    PyJWK / PyJWKClient. When verifying with a PyJWK, the caller's
    algorithms=[…] allow-list was checked against the token header alg as
    a string only; actual verification used the algorithm bound to the
    PyJWK. An attacker who controlled a registered JWKS key could sign
    with one algorithm and advertise another on the header. PyJWT now
    requires the token header alg to match the PyJWK's algorithm before
    verification.
  * CVE-2026-48525 (bsc#1266801) — DoS via base64 decode of unused payload
    segment when b64=false. For detached-payload JWS (b64=false), the
    compact-form payload segment was base64-decoded before being discarded
    in favor of the caller-supplied detached_payload. An attacker could
    inflate the unused segment to force CPU + memory cost without holding
    a valid signature. The segment is now required to be empty per
    RFC 7515 Appendix F, and is no longer decoded.
  * CVE-2026-48522 (bsc#1266798) — PyJWKClient accepts non-HTTP(S) URIs.
    PyJWKClient.fetch_data passed its URI to urllib.request.urlopen, which
    by default also handles file://, ftp://, and data: schemes. An
    application that fed an attacker-influenced URI into PyJWKClient could
    be coerced into reading local files or reaching other unintended
    schemes. PyJWKClient now rejects any URI whose scheme isn't http or
    https.
  * CVE-2026-48524 (bsc#1266800) — PyJWKClient cache wiped on fetch error.
    A finally-block put(jwk_set=None) cleared the JWK Set cache whenever a
    fetch raised, turning a transient JWKS-endpoint outage into
    application-wide auth failure. The cache write was moved into the
    success path; transient errors no longer evict valid cached keys.
- Fixed
  * Reject empty HMAC keys outright in HMACAlgorithm.prepare_key with
    InvalidKeyError instead of accepting them with only a warning. Defends
    against the os.getenv("JWT_SECRET", "") footgun.
  * Forward per-call options (including enforce_minimum_key_length) from
    PyJWT.decode through to PyJWS._verify_signature. The option was
    previously silently dropped between the two layers, so it only took
    effect when set on the PyJWT instance.
  * RFC 7797 §3 compliance for b64=false: the encoder now auto-adds "b64"
    to crit, and the decoder rejects tokens that set b64=false without
    listing it in crit
- Changed
  * Migrate the dev, docs, and tests package extras to dependency groups

==== python-tornado6 ====
Version update (6.5.5 -> 6.5.7)

- Update to 6.5.7:
  ## Security fixes
  * CurlAsyncHTTPClient now fully resets the curl object before reusing
    it. This prevents incorrectly reusing options from a previous request,
    specifically including client SSL and credentials used for accessing
    proxies.
  * SimpleAsyncHTTPClient now strips the Authorization and Cookie headers
    from the request when following a redirect to a different origin. This
    matches the default behavior of CurlAsyncHTTPClient. Applications that
    need different behavior here can set follow_redirects=False and handle
    redirects manually. CVE-2026-49853
  * SimpleAsyncHTTPClient now enforces max_body_size on the decompressed
    size of the response, rather than the compressed size. This prevents a
    denial-of-service attack via a very large compressed response.
    CVE-2026-49855
  * Fixed a bug in the C extension that could have read up to three bytes
    past the end of an input array. CVE-2026-49854
  * OpenIDMixin has improved parsing for the check_authentication
    response.
  ## Bug fixes
  * CurlAsyncHTTPClient has been updated to use non-deprecated APIs,
    avoiding deprecation warnings with recent versions of pycurl.
- Refreshed patch ignore-resourcewarning-doctests.patch
- Drop patch fix-tests-with-curl-8-19.patch, merged upstream.

==== rav1e ====

- Update cargo dependencies (bsc#1249016 CVE-2025-58160).

==== snapper ====
Subpackages: libsnapper8

- add dependencies to dbus in service files (see bsc#1265853)
- improved error handling when disconnected by dbus
  (see gh#openSUSE/snapper#223)
- improve error handling if uid of client cannot be detected
  (see bsc#1265853)
- Add snapper-sync to synchronize the highest snapshot number
  (gh#openSUSE/snapper#1128)

==== sssd ====
Version update (2.13.0 -> 2.13.1)
Subpackages: libsss_certmap0 libsss_idmap0 sssd-krb5-common sssd-ldap

- Update to release 2.13.1
  * Fixed an issue where SSSD fails to start when DNS is unresponsive.
  * SSSD no longer crashes if ``ldap_read_rootdse=never`` and
    ``enumerate=true`` is set.
- Add jwk.patch

==== zypper ====
Version update (1.14.97 -> 1.14.98)
Subpackages: zypper-needs-restarting

- Transactional systems: Delegate rw-commands to transactional-wrapper if
  available (jsc#PED-13680, jsc#PED-15607)
  On a transactional system where the root filesystem is mounted
  read-only, zypper commands that modify the system cannot be executed
  directly. If the system provides a transactional-wrapper utility, zypper
  will automatically attempt to invoke it. The wrapper transparently
  executes the zypper command within a new, writable snapshot and manages
  the lifecycle of that snapshot based on the command's exit status.
  On transactional systems lacking a transactional-wrapper, users must
  manually invoke specialized tools -such as transactional-update- to
  install, update, or remove software.
- version 1.14.98