Packages changed:
  grub2
  hwinfo (25.2 -> 25.3)
  jq
  libxmlb (0.3.25 -> 0.3.27)
  python-psutil
  rsync (3.4.1 -> 3.4.3)
  selinux-policy (20260508 -> 20260522)
  thin-provisioning-tools (1.2.1 -> 1.3.2)

=== Details ===

==== grub2 ====
Subpackages: grub2-common grub2-i386-efi grub2-i386-efi-bls grub2-i386-pc grub2-snapper-plugin grub2-x86_64-efi grub2-x86_64-efi-bls

- Add python-base BR

==== hwinfo ====
Version update (25.2 -> 25.3)
Subpackages: libhd25

- merge gh#openSUSE/hwinfo#178
- fix memory leaks in pci and pppoe modules (bsc#1265908)
- avoid NULL pointer in ADD2LOG() call
- 25.3

==== jq ====
Subpackages: libjq1

- Add patch CVE-2026-33948.patch (CVE-2026-33948, bsc#1262043)
- Add patch CVE-2026-32316.patch (CVE-2026-32316, bsc#1262044)
- Add patch CVE-2026-33947.patch (CVE-2026-33947, bsc#1262069)
- Add patch CVE-2026-39956.patch (CVE-2026-39956, bsc#1262070)
- Add patch CVE-2026-39979.patch (CVE-2026-39979, bsc#1262071)
- Add patch CVE-2026-40164.patch (CVE-2026-40164, bsc#1262072)
- Add patch CVE-2026-40612.patch (CVE-2026-40612, bsc#1265060)
- Add patch CVE-2026-41256.patch (CVE-2026-41256, bsc#1265061)
- Add patch CVE-2026-41257.patch (CVE-2026-41257, bsc#1265062)
- Add patch CVE-2026-43894.patch (CVE-2026-43894, bsc#1265070)
- Add patch CVE-2026-43895.patch (CVE-2026-43895, bsc#1265071)
- Add patch CVE-2026-43896.patch (CVE-2026-43896, bsc#1265075)
- Add patches CVE-2026-44777_0.patch and CVE-2026-44777_1.patch
  (CVE-2026-44777, bsc#1265076)

==== libxmlb ====
Version update (0.3.25 -> 0.3.27)

- Update to version 0.3.27:
  + New Features: Bump the required version of GLib to 2.68
  + Bugfixes:
    - Do not construct an invalid silo when processing more than 30 attrs
    - Fix NULL pointer dereference when searching with NULL needle
    - Fix potential use-after-free when building the in() haystack
    - Fix stem() type-checking the wrong stack position
    - Handle NULL string opcodes in more functions
    - Limit operator recursion depth in xb_machine_parse_section
    - Limit the number of predicates and OR branches in each section
    - Prevent an infinite loop when parsing a corrupt silo
    - Reject XML with more than 65535 unique element names
- Changes from version 0.3.26:
  + New Features: Parse CDATA as text
  + Bugfixes:
    - Add bounds check to prevent OOB read in token index lookup
    - Do not write an invalid silo when more than 63 attrs on one node
    - No inotify for illumos and Solaris
    - Prevent stack overflow from unbounded recursion in export

==== python-psutil ====

- %check phase should run aside from %builddir to use extension from
  the main binary package (don't build during the %check phase).

==== rsync ====
Version update (3.4.1 -> 3.4.3)

- Fixed some warnings while building the rpm.
- Added patches:
  - rsync-python-3.6-tests.patch: Small patch to support running tests
    on python 3.6+:
  - rsync-openat2-glibc-missing.patch: Small patch to build on kernels
    >= 5.6+ where openat2 is not defined in glibc.
- Removed patches already upstream:
  - rsync-no-libattr.patch
  - rsync-CVE-2025-10158.patch
  - rsync-CVE-2026-41035.patch
  - rsync341-gcc15-bool.patch
- Removed support for the unmaintained rsync-patches archive, which in
  turn removes support for SLP. These patches are not being shipped anymore.
- Update to 3.4.3:
  - SECURITY FIXES:
    Six CVEs are fixed in this release. Three of the six
    (CVE-2026-29518, CVE-2026-43617, CVE-2026-43619) require
    non-default daemon configuration to reach: the first and third
    need use chroot = no for a module, the second needs
    daemon chroot = ... set in rsyncd.conf. Two (CVE-2026-43618,
    CVE-2026-43620) are reachable from a normal pull or a normal
    authenticated daemon connection. The sixth (CVE-2026-45232) is
    reachable only when RSYNC_PROXY is set and the proxy (or a MITM)
    returns a pathological response.
    Complete list of changes: https://download.samba.org/pub/rsync/NEWS#3.4.3
    - CVE-2026-29518, bsc#1264511: Symlink-Race TOCTOU in Daemon (use chroot = no)
      TOCTOU symlink race condition allowing local privilege escalation
      in daemon mode without chroot. An rsync daemon configured with
      "use chroot = no" was exposed to a time-of-check / time-of-use
      race on parent path components.
    - CVE-2026-43617, bsc#1264515: Authorization Bypass via Hostname Resolution
      Hostname/ACL bypass on an rsync daemon configured with
      daemon chroot = /X in rsyncd.conf when the chroot tree lacks DNS
      resolution support. The reverse-DNS lookup of the connecting
      client was performed after the daemon chroot had been entered; if
      /X did not contain the libc resolver fixtures (/etc/resolv.conf,
      /etc/nsswitch.conf, /etc/hosts, NSS service modules) the lookup
      failed and the connecting hostname was set to "UNKNOWN", causing
      hostname-based deny rules to silently fail open. IP-based ACLs
      are unaffected. The per-module use chroot setting is unrelated to
      this issue. The fix performs the lookup before entering the
      daemon chroot.
    - CVE-2026-43618, bsc#1264512: Integer Overflow Information Disclosure
      Integer overflow in the compressed-token decoder enabling remote
      memory disclosure to an authenticated daemon peer. Workaround for
      older releases: refuse options = compress in rsyncd.conf.
    - CVE-2026-43619, bsc#1264514: Symlink Race Condition via Path-Based Syscalls
      Symlink races on path-based system calls in "use chroot=no"
      daemon mode (generalisation of CVE-2026-29518). Earlier fixes for
      symlink races on the receiver's open() call missed the same race
      class on every other path-based system call: chmod, lchown,
      utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir and
      lstat. Default "use chroot = yes" is not exposed.
    - CVE-2026-43620, bsc#1264513: Out-of-Bounds Array Read via recv_files()
      Out-of-bounds read in the receiver's recv_files() enabling remote
      denial-of-service of any client pulling from a malicious server
      (incomplete fix of commit 797e17f). Workaround for older
      releases: --no-inc-recursive on the client.
    - CVE-2026-45232, bsc#1265296: Off-by-one stack OOB write in HTTP CONNECT proxy response parsing
      Off-by-one out-of-bounds stack write in the rsync client's HTTP
      CONNECT proxy handler (establish_proxy_connection() in socket.c).
      The fix detects the "buffer filled without finding \n" case
      explicitly by position and refuses the response with
      "proxy response line too long".
    - In addition to the six CVE fixes, this release adds
      defence-in-depth hardening on several adjacent paths.
  - BUG FIXES:
    - Fixed a regression introduced by the 3.4.0 secure_relative_open().
- Complete list of fixes in version 3.4.2:
  - https://download.samba.org/pub/rsync/NEWS#3.4.2

==== selinux-policy ====
Version update (20260508 -> 20260522)
Subpackages: selinux-policy-targeted

- Update to version 20260522:
  * Fix build by switching to corecmd_exec_bin_noattr()
  * Split using dirsrv_ and dirsrvadmin_ interfaces into separate blocks
  * Allow virtqemud execute kmod in the kmod domain
  * Allow qatlib map kernel modules
  * Allow sys_resource on execution of generic executables conditionally
  * Label bootloader-migrate-generator with coreos_bootloader_migrate_generator_exec_t
  * Label /run/coreos with coreos_installer_var_run_t
  * Add systemd_create_generator_unit_file() and systemd_write_generator_unit_file()
  * Allow virtnwfilterd_t r/w on packet_socket (bsc#1264273)
  * Update fstools swap interfaces with dir search
  * Allow go-fdo-server to read system information
  * Change README to openSUSE specific README
  * Add missing fc rule for org.gnome.DisplayManager (bsc#1264182)
  * config: make /etc/systemd/user same as /usr/lib/systemd/user
  * Do not audit iptables attempts to read other process state
  * Policy for go-fdo-server
  * Allow setroubleshoot_fixit_t to touch /.autorelabel and reboot
  * Allow init nnp domain transition do dirsrv_t and dirsrv_snmp_t
  * Allow NetworkManager_dispatcher_nvme_t check status of systemd services
  * Allow iptables_t read state of some processes
  * Label /dev/HID-SENSOR-.* with hid_sensor_device_t
- Syncing with upstream rawhide selinux-policy up to:
  * 190ed3591e0004c395409dd62acea41c8a684fc1
- Update embedded container-selinux version to commit:
  * e659fc8858d2e34781cc1640ac1658ba484cb3f5 (v2.248.0)

==== thin-provisioning-tools ====
Version update (1.2.1 -> 1.3.2)

- Update to version 1.3.2:
  * Bump version to 1.3.2
  * [doc] Update CHANGES
  * [thin_repair] Prevent out-of-bounds access from corrupted btree pointers
  * [thin_repair] Use saturating arithmetic to avoid integer overflow
  * [build] Update ratatui to address RUSTSEC-2026-0002
  * [build] Bump rand to address RUSTSEC-2026-0097
  * Bump version to 1.3.1
  * [doc] Update CHANGES
  * [build] Update dependencies to latest patch releases
  * [space_map] Optimize zero-filling loops in Aggregator region lookup
  * [tests] Fix device name in the preparation script
  * [tests] Add tests for thin_ls mapped block counts
  * [tests] Update documentation for test files
  * [thin_ls] Optimize second pass by skipping unnecessary key parsing
  * [thin_ls] Read exclusive leaves multithreaded
  * [thin_ls] Read leaf nodes multithreaded
  * [thin_ls] Read internal nodes multithreaded
  * [thin_ls] Switch to Aggregator for upcoming parallelization
  * [utils] Add mutable accessor to HashVec
  * [space_map] Add specialized Aggregator that counts up to two
  * [space_map] Make Region type configurable via generics
  * [space_map] Relocate misplaced code documentation
  * [thin_ls] Print memory usage for performance analysis
  * [utils] Factor out memory profiling functions
  * [space_map] Factor out repair_space_map
  * Bump version to 1.3.0
  * [doc] Update CHANGES
  * [build] Update dependencies to latest patch releases
  * [pdata] Avoid unnecessary error object construction
  * [btree] Factor out get_depth method
  * [btree_walker] Remove multithreaded read_nodes and use references
  * [thin_check] Handle data mappings outside the space map boundary
  * [btree_walker] Handle metadata blocks outside the space map boundary
  * [thin_check] Remove unused error logging
  * [space_map] Add comments to space_map/aggregator_load.rs
  * [space_map] Prevent panics from out-of-bounds access in Aggregator
  * [thin_check] Display number of free blocks using saturating arithmetic
  * [thin_check] Handle incomplete metadata dump
  * [thin_check] Do not read space maps while checking the metadata snap
  * [thin_check] Refactor space map comparison
  * [thin_explore] Migrate from tui to ratatui
  * [thin_check] Improve error messages by visiting the mapping tree first
  * Bump version to 1.3.0-rc.1
  * [io_engine] Improve partial read handling in VectoredBlockIo
  * [io_engine] Pass down the error from IoEngine to the handler
  * [thin_check] Fix error when no devices are present
  * [all] Avoid manual implementation of .is_multiple_of() on unsigned types
  * [io_engine] Handle out of bounds reads in VectoredBlockIo
  * [space_map] Handle errors in reading bitmap blocks
  * [thin_check] Handle errors in reading mapping tree leaves
  * [thin_check] Replace Arc::try_unwrap() by into_inner()
  * [thin_check] Log additional memory usage info
  * [space_map] Implement get_nr_allocated() for Aggregator
  * [io_engine] Implement read_blocks for SyncIoEngine
  * [utils] Add AdjacentChunks to produce fixed-length consecutive runs
  * [aggregator] Avoid copying block numbers and cloning iterator items
  * [thin_check] Re-enable NEEDS_CHECK flag clearing
  * [thin_check] Repair space map leaks
  * [thin_check] Enable metadata space map checking in terms of Aggregator
  * [btree_walker] Introduce layer-based btree walker
  * [btree_walker] Expose the ValueCollector for building maps from Handlers
  * [btree] Decouple node check and unpack functions from the io Block
  * [space_map] Batch update the aggregator while loading the ref counts
  * [thin_check] Read and compare space maps
  * [utils] Add spawn_future() for concurrent execution
  * [space_map] Support loading data/metadata space maps into Aggregators
  * [btree] Derive Copy trait for NodeError
  * [thin_check] Use threads to speed up read_internal_nodes()
  * [thin_check] Rewrite read_internal_nodes() to use streaming read
  * [thin_check] Speed up summarize_tree
  * [thin_check] Improve performance of reading leaf nodes
  * [utils] Introduce RangedBitsetIter to iterate a specific range of bits
  * [space_map] Introduce Aggregator type
  * [space_map] Split SpaceMap trait into RefCount and SpaceMap
  * [io_engine] Implement AsyncIoEngine::read_blocks() for streaming read
  * [io_engine] Add BufferPool
  * [io_engine] Rewrite AsyncIoEngine to use tokio IoUring
  * [io_engine] Introduce io_engine/ring_pool.rs
  * [io_engine] Add documentation to io_engine/gaps.rs
  * [io_engine] Add some documentation to io_engine/utils.rs
  * [io_engine] Remove suggest_nr_threads() from IoEngine
  * [thin_check] Add get_memory_usage()
  * [pdata] A couple of trivial performance tweaks to unpacking a btree node
  * Bump version to 1.2.2
  * [doc] Update CHANGES
  * [build] Update dependencies to latest patch releases
  * [build] Update dependencies' major/minor versions without code changes
  * [tests] Add era_invalidate --metadata-snapshot tests
  * [era_invalidate] Fix missing flag setting for --metadata-snapshot
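
The rsync entry above ties three of the daemon-side CVEs to specific rsyncd.conf settings: use chroot = no, daemon chroot combined with hostname-based deny rules, and compress not being refused. The audit sketch below is an added example, not part of this changelog or of rsync; the sample configuration, module names and paths are constructed, an unset use chroot is treated as not exposed, and line continuations are not handled.

```python
import ipaddress
# Constructed sample rsyncd.conf for illustration (not from the changelog).
SAMPLE_CONF = """\
daemon chroot = /srv/jail
hosts deny = *.example.net 203.0.113.0/24
[backup]
    path = /srv/backup
    use chroot = no
[mirror]
    path = /srv/mirror
    refuse options = compress delete
    hosts deny = 198.51.100.7
"""

def parse_rsyncd_conf(text):
    # Returns (globals, {module: params}); names lowercased, whitespace removed.
    glob, modules, current = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            name, value = line.split("=", 1)
            target = glob if current is None else current
            target["".join(name.split()).lower()] = value.strip()
    return glob, modules

def is_hostname_pattern(token):  # True unless an IP address or address/mask
    try:
        ipaddress.ip_network(token, strict=False)
        return False
    except ValueError:
        return True

def audit(text):
    # Lists (module, CVE, reason) for settings the rsync 3.4.3 notes call out.
    glob, modules = parse_rsyncd_conf(text)
    findings = []
    for mod, params in modules.items():
        eff = {**glob, **params}  # module settings override global defaults
        if eff.get("usechroot", "").lower() in ("no", "false", "0"):
            findings.append((mod, "CVE-2026-29518/CVE-2026-43619", "use chroot = no"))
        deny = eff.get("hostsdeny", "").replace(",", " ").split()
        names = [t for t in deny if is_hostname_pattern(t)]
        if "daemonchroot" in glob and names:
            findings.append((mod, "CVE-2026-43617", "hostname deny: " + " ".join(names)))
        if "compress" not in eff.get("refuseoptions", "").split():
            findings.append((mod, "CVE-2026-43618", "compress not refused"))
    return findings
```

Updating to 3.4.3 is the fix; the findings only show which of the documented exposure conditions apply to a daemon still running an older release.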