Packages changed: MicroOS-release (20260608 -> 20260609) fontconfig (2.18.0 -> 2.18.1) graphite2 (1.3.14 -> 1.3.15) libzypp (17.38.11 -> 17.38.13) mpg123 (1.33.5 -> 1.33.6) openexr (3.4.11 -> 3.4.12) openjph (0.27.3 -> 0.27.4) pinentry pinentry-gui sqlite3 (3.53.1 -> 3.53.2) === Details === ==== MicroOS-release ==== Version update (20260608 -> 20260609) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== fontconfig ==== Version update (2.18.0 -> 2.18.1) Subpackages: libfontconfig1 - Update to 2.18.1 * Workaround :-prefixed filename used in Qt * meson: force enabling HAVE_C99_VSNPRINTF * Do not set 'sans-serif' for default genericfamily * Fix another font matching issue * Fix not matching with a font family name * Disable invalid attribute warning by default * boo#1267844 ==== graphite2 ==== Version update (1.3.14 -> 1.3.15) - version update to 1.3.15: . Bug fixes. . Update graphite website documentation. . Use SPDX lines, and improve license declarations. . Fix incorrectly generated graphite2.pc pkgconf file. - modified patches * graphite2-1.2.0-cmakepath.patch (refreshed) * link-gcc-shared.diff (refreshed) - deleted patches * graphite2-1.3.14-gcc15.patch (upstreamed) - fixes CVE-2026-50593 [bsc#1267734] ==== libzypp ==== Version update (17.38.11 -> 17.38.13) - A .repo files "path=" entry must not refer to a location outside the repo (bsc#1267874, CVE-2026-44942) A "path=" entry may solely denote a sub-directory of the baseurl where the metadata are located. A relative path trying to access data outside the baseurl is reported and sanitized. - version 17.38.13 (35) - Repo "keyhint" must denote a filename, no path (bsc#1267426, CVE-2026-44941) - version 17.38.12 (35) ==== mpg123 ==== Version update (1.33.5 -> 1.33.6) - Update to version 1.33.6 * mpg123 + Prepare for const-returning strchr(). + Hide seq_len debugging counter in non-debug mode. + Fix memory leak with --network internal due to inverted NULL check in net123_close_internal() (handle never NULL in practice, though). * mpg123, out123: Fix strrchr() usage to be more const and correct under C99 as well as C23. * mpg123-strip: Also use largefile API properly using mpg123config.h, but without actual effect at least on Linux/x86. It is cleaner that way, though. * libmpg123: Remove unused loop variable in layer2 left over from runtime table elimination (32 bit mmx/sse code). ==== openexr ==== Version update (3.4.11 -> 3.4.12) Subpackages: libIex-3_4-33 libIlmThread-3_4-33 libOpenEXR-3_4-33 libOpenEXRCore-3_4-33 - version update to 3.4.12 * Fix several minor memory leaks recovering from reading invalid files. * The compressor API incorrectly identfied `HTJ2K` and `HTJ2K256` as lossy; they are lossles. * Fix CMake AVX feature detection that caused DWA SIMD code to fail on certain architectures. * The `WidenFilename` utility function is marked as deprecated, to be removed in a future release. * `exrmetrics` now print the on-disk size of the data portion of each part. Useful for determining compression impact on part data * Reject files where the dataWindows does not match the pixel array dimensions. * Support NumPy float vector attributes * Reading now skips over invalid parts, returns the valid parts only. * Doc strings have proper indentation * [CVE-2026-45696](https://www.cve.org/CVERecord?id=CVE-2026-45696) OpenEXR `ht_undo_impl` heap-buffer-overflow READ via codestream/channel width mismatch in HTJ2K decode * [CVE-2026-44663](https://www.cve.org/CVERecord?id=CVE-2026-44663) Integer overflow in HTJ2K decoder ( `ht_undo_impl` ) leading to heap-buffer-overflow * [OSS-Fuzz 512895184](https://issues.oss-fuzz.com/issues/512895184) * [OSS-Fuzz 512314697](https://issues.oss-fuzz.com/issues/512314697) * [OSS-Fuzz 508362159](https://issues.oss-fuzz.com/issues/508362159) * [OSS-Fuzz 507413960](https://issues.oss-fuzz.com/issues/507413960) ==== openjph ==== Version update (0.27.3 -> 0.27.4) - Update to 0.27.4: * Add documentation for ASAN build type #274 * Bug fix #277 ==== pinentry ==== - Force -std=gnu++17 when building with GCC 16 to fix the broken build ==== pinentry-gui ==== - Force -std=gnu++17 when building with GCC 16 to fix the broken build ==== sqlite3 ==== Version update (3.53.1 -> 3.53.2) - Update to version 3.53.2: * Fixes for problems in 3.53.0 reported by users. * See the check-in timeline for details: https://sqlite.org/src/timeline?from=version-3.53.1&to=version-3.53.2