Monday, July 13, 2026

F45 Change Proposal: ODBC Stack Modernization (self-contained)

Wiki - https://fedoraproject.org/wiki/Changes/ODBC_stack_modernization Discussion thread - https://discussion.fedoraproject.org/t/f45-change-proposal-odbc-stack-modernization-self-contained/196627 This is a proposed Change for Fedora Linux. This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee. == Summary == Modernize the Fedora ODBC stack across 7 packages (<code>unixODBC</code> and 6 driver packages: <code>mariadb-connector-odbc</code>, <code>mysql-connector-odbc</code>, <code>postgresql-odbc</code>, <code>freetds</code>, <code>sqliteodbc</code>, <code>mdbtools</code>). The central change is replacing the static, centrally-maintained <code>/etc/odbcinst.ini</code> driver registration file with an auto-generated configuration assembled from per-driver drop-in snippets, using RPM file triggers — the same pattern used by <code>ldconfig</code>, <code>ca-certificates</code>, and <code>crypto-policies</code>. Supporting changes include switching to bare library names resolved via a compiled-in search path, moving driver plugins to a dedicated directory, and general spec cleanups. == Owner == * Name: [[User:mschorm|Michal Schorm]] * Email: mschorm@redhat.com === Proposed code changes === All changes are in the <code>dropin-registration</code> topic branches in the Chnage owner's forks: * [https://src.fedoraproject.org/fork/mschorm/rpms/unixODBC/c/fddf280ed2a7afdc6dda18996bad8b20425f00b6 unixODBC] — drop-in infrastructure, file triggers, <code>%ghost</code> config, migration scriptlets, [https://src.fedoraproject.org/fork/mschorm/rpms/unixODBC/c/70abcfdeeb41bacacc7da75b0a9d9f58a225e11b?branch=dropin-registration manual page] for the new script * [https://src.fedoraproject.org/fork/mschorm/rpms/mariadb-connector-odbc/c/d5cecc1055d4077b8f4a1c9b80d3cd49240f027c mariadb-connector-odbc] — ship <code>10-mariadb.ini</code> drop-in snippet * [https://src.fedoraproject.org/fork/mschorm/rpms/mysql-connector-odbc/c/0b03c28a7485d7ed446c63f70e9b537e5611e5c0 mysql-connector-odbc] — ship <code>10-mysql.ini</code> drop-in snippet * [https://src.fedoraproject.org/fork/mschorm/rpms/postgresql-odbc/c/e136923324f3956e599c15851d524d7bbb3c0576 postgresql-odbc] — ship <code>10-postgresql.ini</code> drop-in snippet * [https://src.fedoraproject.org/fork/mschorm/rpms/freetds/c/d36341635aa8a230abb072ac4c56539f9609ac48 freetds] — ship <code>10-freetds.ini</code> drop-in snippet * [https://src.fedoraproject.org/fork/mschorm/rpms/sqliteodbc/c/316aa92e9326d15ce43ba26675554ddfcb0d2a71 sqliteodbc] — ship <code>10-sqlite.ini</code> drop-in snippet, remove legacy <code>odbcinst</code> scriptlets * [https://src.fedoraproject.org/fork/mschorm/rpms/mdbtools/c/b6f54b24fb8de6f00eb883c37f20f0762d257dcf mdbtools] — ship <code>10-mdbtools.ini</code> drop-in snippet == Detailed Description == === Background === The ODBC driver manager (<code>unixODBC</code>) uses <code>/etc/odbcinst.ini</code> to map driver names to shared libraries. In Fedora, this file has historically been shipped as <code>%config(noreplace)</code> inside the <code>unixODBC</code> package, pre-populated with entries for all known Fedora ODBC drivers. The driver entries in Fedora were in poor shape. <code>FileUsage</code> values were wrong for multiple drivers, library paths were hardcoded and multilib-unfriendly, and the FreeTDS entry contained a dead <code>Port</code> key that the driver never reads from <code>odbcinst.ini</code>. These problems persisted because driver entries lived in the wrong package — fixing a driver's registration required a change to <code>unixODBC</code>, not to the driver package itself. This coupling created several structural problems: * '''Wrong ownership:''' Driver packages had no control over their own registration. A driver maintainer who wanted to fix or update their entry had to coordinate a change in <code>unixODBC</code>. * '''Stale entries:''' All known drivers were pre-populated in the config regardless of whether they were installed, leading to broken references. * '''Invisible drivers:''' New driver packages (e.g. <code>mdbtools-odbc</code>) were not registered at all until someone manually added them to the <code>unixODBC</code> spec. <code>mdbtools-odbc</code> was invisible to ODBC applications after install. * '''Fragile upgrades:''' The <code>%config(noreplace)</code> semantics mean RPM silently keeps the old file on upgrade, so corrections (like fixed <code>FileUsage</code> values) never reach existing installations. Of all 6 driver packages in Fedora, only <code>sqliteodbc</code> attempted self-registration via <code>%post</code>/<code>%preun</code> scriptlets calling <code>odbcinst -i</code>/<code>odbcinst -u</code>. The other 5 relied entirely on <code>unixODBC</code> pre-populating their entries. === What is changing === The modernization consists of two groups of changes: '''Already in Fedora Rawhide (foundation work):''' * ODBC driver plugins moved from <code>%{_libdir}</code> to a dedicated <code>%{_libdir}/odbc/</code> directory across all driver packages. * <code>unixODBC</code> compiled with <code>--with-odbc-driver-path=%{_libdir}/odbc</code>, enabling bare library names (e.g. <code>Driver = libmaodbc.so</code> instead of full paths). * <code>FileUsage</code> values corrected across all drivers ([https://bugzilla.redhat.com/show_bug.cgi?id=2453060 BZ#2453060]). * <code>Suggests:</code> added for all 6 ODBC driver packages. * Removal of a 17-year-old dead patch (<code>keep-typedefs.patch</code>). '''Proposed in this change (driver registration):''' * Each driver package ships a static <code>.ini</code> snippet file to <code>/usr/lib/odbc/odbcinst.d/</code> (vendor defaults). * <code>unixODBC</code> owns <code>%transfiletriggerin</code> and <code>%transfiletriggerpostun</code> scriptlets that run a regeneration script (<code>odbcinst-generate</code>) whenever snippets are installed or removed. * The regeneration script merges all snippets (vendor defaults overlaid by admin overrides) and atomically replaces <code>/etc/odbcinst.ini</code>. * <code>/etc/odbcinst.ini</code> changes from <code>%config(noreplace)</code> to <code>%ghost</code> — RPM tracks ownership but the file is never shipped; it is always generated. * Administrators can override or disable vendor drivers via <code>/etc/odbc/odbcinst.d/</code> (see below). === Drop-in directory layout === /usr/lib/odbc/odbcinst.d/ ← vendor snippets (shipped by driver RPMs) 10-mariadb.ini 10-mysql.ini 10-postgresql.ini 10-freetds.ini 10-sqlite.ini 10-mdbtools.ini /etc/odbc/odbcinst.d/ ← admin overrides and additions /etc/odbcinst.ini ← generated output (%ghost) '''Override semantics:''' * Files are named <code>NN-name.ini</code>. The numeric prefix controls merge order. * Vendor range: 10–49. Admin range: 50–99. * When two files share the same name after stripping the prefix (e.g. <code>10-mariadb.ini</code> and <code>60-mariadb.ini</code>), the higher-numbered one wins. * To disable a vendor driver, symlink its snippet to <code>/dev/null</code>: ln -sf /dev/null /etc/odbc/odbcinst.d/10-freetds.ini * To apply changes after editing drop-in files manually, run: <code>odbcinst-generate</code> These semantics follow the established systemd convention used throughout Fedora. === Precedent === This is the standard Fedora pattern for generated configuration. At least 22 packages use the same <code>%transfiletriggerin</code> + regeneration model, including: * <code>glibc-common</code> — <code>/etc/ld.so.conf.d/</code> → <code>ldconfig</code> → <code>/etc/ld.so.cache</code> * <code>ca-certificates</code> — <code>/etc/pki/ca-trust/source/</code> → <code>update-ca-trust</code> → <code>ca-bundle.crt</code> * <code>crypto-policies</code> — <code>/usr/share/crypto-policies/</code> → <code>update-crypto-policies</code> * <code>fontconfig</code> — <code>/usr/share/fonts/</code> → <code>fc-cache</code> * <code>shared-mime-info</code> — <code>/usr/share/mime/</code> → <code>update-mime-database</code> * <code>glib2</code> — <code>/usr/share/glib-2.0/schemas/</code> → <code>glib-compile-schemas</code> === Migration strategy (for FESCo consideration) === This is the area where community input is most welcome. When upgrading from a system where <code>/etc/odbcinst.ini</code> was <code>%config(noreplace)</code> to the new <code>%ghost</code> model, RPM does '''not''' automatically create an <code>.rpmsave</code> backup. Without intervention, any user modifications to <code>odbcinst.ini</code> would be silently lost. The proposed migration strategy: # A <code>%pretrans</code> Lua scriptlet in <code>unixODBC</code> detects first-time upgrades (the drop-in directory does not yet exist) and renames <code>/etc/odbcinst.ini</code> to <code>/etc/odbcinst.ini.rpmsave</code>. On subsequent upgrades (drop-in directory already exists), the <code>%pretrans</code> is a no-op. # <code>%post</code> checks whether <code>/etc/odbcinst.ini.rpmsave</code> exists. If so, it prints a notice to stderr explaining that driver registration has moved to drop-in snippets, pointing users to the <code>.rpmsave</code> file and explaining how to migrate custom entries. This notice is repeated on every upgrade as long as the <code>.rpmsave</code> file remains, serving as a persistent reminder until the user completes the migration and removes it. '''What users need to do:''' * Users who never modified <code>odbcinst.ini</code>: nothing. All standard drivers are registered automatically via snippets. * Users who added custom driver entries: copy their custom <code>[sections]</code> from <code>odbcinst.ini.rpmsave</code> into a new file under <code>/etc/odbc/odbcinst.d/</code> and run <code>odbcinst-generate</code>. '''Alternatives considered:''' * ''Content-based detection'' (parse the file to detect user modifications): rejected as unreliable in RPM's limited Lua environment. * ''Always preserve'' (never create <code>.rpmsave</code>): rejected because it leaves the old static file alongside the new generated one, causing confusion. * ''In-place migration'' (automatically convert user entries to drop-in files): rejected as too complex and opaque. Users should be aware of the new mechanism. === Rejected ideas: scriptlet-based registration (Debian/Ubuntu, openSUSE) === Other distributions use <code>odbcinst -i</code>/<code>odbcinst -u</code> commands in driver package scriptlets (<code>postinst</code>/<code>postrm</code> on Debian, <code>%post</code>/<code>%preun</code> on openSUSE). I considered and rejected this for Fedora due to various bugs present in this approach. '''How it works in Debian/Ubuntu:''' Each driver package calls <code>odbcinst -i -d -f /usr/share/<driver>/odbcinst.ini.template</code> in its <code>postinst</code> and <code>odbcinst -u -d</code> in its <code>postrm</code>. This approach has generated real bugs over more than a decade: * [https://bugs.launchpad.net/ubuntu/+source/freetds/+bug/1173083 Ubuntu Bug #1173083]: <code>tdsodbc</code> used a debconf prompt to ask whether to register the driver. In automated installs (containers, CI, preseed), the question was never answered, leaving FreeTDS silently unregistered. Open for 12 years before being fixed. * [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001141 Debian Bug #1001141]: <code>odbc-mariadb</code> called <code>odbcinst</code> in its maintainer scripts but did not declare a dependency on the <code>odbcinst</code> binary, causing silent registration failures. '''How it works in openSUSE:''' Similar, using RPM <code>%post</code>/<code>%preun</code> scriptlets. All errors are suppressed with <code>> /dev/null 2>&1 || true</code>, so failures are completely silent. Coverage is inconsistent: only 3 of 5 driver packages self-register; <code>mariadb-connector-odbc</code> ships a sample <code>.ini</code> but no scriptlets; <code>mdbtools</code> has its ODBC driver incorrectly placed in the <code>-devel</code> subpackage. '''Why the scriptlet approach is fundamentally fragile:''' * '''Race conditions:''' <code>odbcinst</code> performs a read-modify-write cycle on <code>/etc/odbcinst.ini</code> without file locking. If two driver packages run scriptlets concurrently, the file can be corrupted or one registration silently lost. * '''Reference counting:''' <code>odbcinst</code> maintains a reference count per driver entry. A failed or interrupted scriptlet can leave the count out of sync, resulting in stale entries that never get removed or premature removal of valid entries. * '''Cross-package file modification:''' Multiple independent packages all modify a file owned by <code>unixODBC</code>, violating single file ownership. * '''Per-driver boilerplate:''' Every driver package must independently implement registration logic, template files, and correct dependency declarations. Each one is a potential source of bugs. '''Why the drop-in approach is better:''' RPM file triggers (<code>%transfiletriggerin</code>) are transactional — they fire once after the entire transaction completes, not once per package. The regeneration script rebuilds <code>/etc/odbcinst.ini</code> from scratch using only the snippet files currently on disk. There is no read-modify-write race, no reference counting, no possibility of stale entries, and driver packages need zero scriptlet logic — they ship a static file and nothing else. With this change, Fedora would be the first distribution with a systemic, race-free, declarative ODBC driver registration mechanism with first-class admin override semantics. == Feedback == &nbsp; == Benefit to Fedora == * '''Decoupled driver registration:''' Each driver package owns its own registration. Adding a new ODBC driver to Fedora no longer requires changes to <code>unixODBC</code>. * '''Correct out-of-the-box experience:''' Only installed drivers appear in the config. Installing a driver automatically makes it visible to applications; removing it automatically cleans up. This fixes the long-standing problem where <code>mdbtools-odbc</code> was installable but invisible to ODBC applications. * '''Admin override mechanism:''' System administrators can override vendor defaults or disable drivers without editing generated files, using the same drop-in pattern familiar from systemd, ldconfig, and crypto-policies. * '''Bare library names:''' Driver entries use plain library names (e.g. <code>Driver = libmaodbc.so</code>) resolved via a compiled-in search path, eliminating hardcoded <code>%{_libdir}</code> paths and multilib ambiguity. * '''Correct metadata:''' <code>FileUsage</code> values are fixed across all drivers. Fedora becomes the first distribution to ship correct values for all its ODBC drivers. * '''Reduced spec complexity:''' Driver packages no longer need <code>%post</code>/<code>%preun</code> scriptlets for registration. A single static <code>.ini</code> file per driver replaces all of it. == Scope == * Proposal owners: ** Implement drop-in infrastructure in <code>unixODBC</code> (directories, regeneration script, file triggers, <code>%ghost</code> config, migration scriptlets) ** Add drop-in snippet files to all 6 driver packages: <code>mariadb-connector-odbc</code>, <code>mysql-connector-odbc</code>, <code>postgresql-odbc</code>, <code>freetds</code>, <code>sqliteodbc</code>, <code>mdbtools</code> ** Remove legacy <code>%post</code>/<code>%preun</code> <code>odbcinst</code> scriptlets from <code>sqliteodbc</code> ** Test upgrade scenarios in containers via COPR * Other developers: ** No action required from other package maintainers. The change is self-contained within the 7 packages listed above. * Release engineering: N/A (not a System Wide Change) * Policies and guidelines: N/A * Trademark approval: N/A * Alignment with the Fedora Strategy: Fedora leads in the Linux distribution development. This change adopts a modern, well-established Fedora pattern for an area of the stack that has lagged behind. == Upgrade/compatibility impact == On upgrade from a previous Fedora release: * <code>/etc/odbcinst.ini</code> is saved as <code>/etc/odbcinst.ini.rpmsave</code>. * A new <code>/etc/odbcinst.ini</code> is generated from drop-in snippets. * All standard drivers (MariaDB, MySQL, PostgreSQL, FreeTDS, SQLite, MDBTools) are registered automatically if their packages are installed. * Users with custom driver entries in the old <code>odbcinst.ini</code> need to migrate them to drop-in snippet files under <code>/etc/odbc/odbcinst.d/</code>. A notice is printed during upgrade with instructions. Applications using ODBC continue to work without changes. The generated <code>odbcinst.ini</code> uses the same INI format as before; only the mechanism that produces it has changed. == How To Test == Test builds are available in COPR: [https://copr.fedorainfracloud.org/coprs/mschorm/ODBC/ mschorm/ODBC] '''Fresh install (no previous ODBC config):''' # Install <code>unixODBC</code> and one or more driver packages # Verify <code>/etc/odbcinst.ini</code> is generated and contains entries for the installed drivers # Verify that uninstalling a driver package removes its entry from <code>odbcinst.ini</code> '''Upgrade from current Rawhide (unmodified config):''' # Start with a system running the current <code>unixODBC</code> (pre-drop-in) # Upgrade to the new version # Verify <code>/etc/odbcinst.ini.rpmsave</code> is created # Verify the new <code>/etc/odbcinst.ini</code> contains correct entries for installed drivers '''Upgrade with custom driver entries:''' # Start with a system where <code>/etc/odbcinst.ini</code> has been manually edited (e.g. a custom <code>[MyDriver]</code> section added) # Upgrade to the new version # Verify <code>/etc/odbcinst.ini.rpmsave</code> preserves the custom entries # Copy the custom section into <code>/etc/odbc/odbcinst.d/60-mydriver.ini</code> # Run <code>odbcinst-generate</code> # Verify the custom driver appears in the regenerated <code>/etc/odbcinst.ini</code> '''Admin override:''' # Install <code>mariadb-connector-odbc</code> (ships <code>10-mariadb.ini</code>) # Create <code>/etc/odbc/odbcinst.d/60-mariadb.ini</code> with modified settings # Run <code>odbcinst-generate</code> # Verify the admin override takes precedence '''Driver disable:''' # <code>ln -sf /dev/null /etc/odbc/odbcinst.d/10-freetds.ini</code> # Run <code>odbcinst-generate</code> # Verify FreeTDS no longer appears in <code>/etc/odbcinst.ini</code> == User Experience == For most users, the change is invisible. Installing an ODBC driver package automatically registers it; removing it automatically unregisters it. No manual <code>odbcinst</code> commands are needed. Power users and administrators gain a familiar drop-in override mechanism. Customizing ODBC driver registration now works the same way as customizing library paths (<code>ld.so.conf.d</code>) or CA certificates (<code>ca-trust</code>). Users upgrading from a previous Fedora release who had custom entries in <code>odbcinst.ini</code> will see a migration notice on each upgrade until they complete the migration and remove the <code>.rpmsave</code> file. == Dependencies == All 7 affected packages are maintained by the change owner: * <code>unixODBC</code> * <code>mariadb-connector-odbc</code> * <code>mysql-connector-odbc</code> * <code>postgresql-odbc</code> * <code>freetds</code> * <code>sqliteodbc</code> * <code>mdbtools</code> No other packages are affected. The generated <code>/etc/odbcinst.ini</code> is format-compatible with the previous static file. == Contingency Plan == * Contingency mechanism: Revert the <code>unixODBC</code> spec to ship a static <code>%config(noreplace)</code> <code>odbcinst.ini</code> and remove drop-in snippet files from driver packages. This is a straightforward revert of the topic branch in each package. * Contingency deadline: N/A (not a System Wide Change) * Blocks release? '''No''' == Documentation == * [https://bugzilla.redhat.com/show_bug.cgi?id=2453060 BZ#2453060] — Standardize unixODBC connector installation directory * [https://copr.fedorainfracloud.org/coprs/mschorm/ODBC/ COPR test repository: mschorm/ODBC] * A new <code>odbcinst-generate(1)</code> man page will be shipped with the <code>unixODBC</code> package, documenting the regeneration tool, drop-in directory layout, and override semantics * The existing upstream <code>odbcinst.ini(5)</code> man page will be updated or supplemented with a note about the drop-in mechanism == Release Notes == The ODBC driver stack has been modernized. ODBC driver registration now uses a drop-in snippet mechanism: each driver package ships a small <code>.ini</code> file that is automatically merged into <code>/etc/odbcinst.ini</code> when the package is installed or removed. Administrators can override vendor defaults or add custom drivers by placing files in <code>/etc/odbc/odbcinst.d/</code>. Users who had custom entries in <code>/etc/odbcinst.ini</code> will find their previous configuration saved as <code>/etc/odbcinst.ini.rpmsave</code> after upgrading. Custom driver sections should be migrated to individual files under <code>/etc/odbc/odbcinst.d/</code>. -- Aoife Moloney Fedora Operations Architect Fedora Project Matrix: @amoloney:fedora.im IRC: amoloney -- _______________________________________________ devel-announce mailing list -- devel-announce@lists.fedoraproject.org To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

F45 Change Proposal: MySQL 9.7 (self-contained)

Wiki - https://fedoraproject.org/wiki/Changes/MySQL_9.7 Discussion thread - https://discussion.fedoraproject.org/t/f45-change-proposal-mysql-9-7-self-contained/196626 This is a proposed Change for Fedora Linux. This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee. == Summary == MySQL packages in Fedora use a versioned layout (e.g. <code>mysql8.4</code>, <code>mysql9.7</code>), where each version provides versioned sub-packages. One version at a time is designated the "distribution default" and additionally provides unversioned package names (e.g. <code>mysql-server</code>, <code>mysql-devel</code>). This change switches the distribution default from MySQL 8.4 to MySQL 9.7 in Fedora 45. == Owner == * Name: [[User:mschorm|Michal Schorm]] * Email: mschorm@redhat.com == Detailed Description == A macro in the MySQL SPECfiles controls which version provides the unversioned names. Flipping this macro in both <code>mysql8.4</code> and <code>mysql9.7</code> SPECfiles simultaneously switches the distribution default. Two "distribution default" packages cannot coexist due to file-level <code>Conflicts</code>, so the change must be coordinated. Comparable switches were done for MySQL in Fedora 43 (8.0 → 8.4) and for MariaDB in Fedora 44 (10.11 → 11.8), both without issues. == Feedback == &nbsp; == Benefit to Fedora == MySQL 9.7 is the latest LTS version of MySQL, released on April 21, 2026. It is the first new LTS since MySQL 8.4 (April 2024) and consolidates two years of innovation releases (9.0 through 9.6). Fedora's role as a leading-edge distribution makes it the right place to ship the latest MySQL LTS. == Scope == * Proposal owners: ** Switch the macro in both <code>mysql8.4</code> and <code>mysql9.7</code> SPECfiles ** Audit all packages that depend on <code>mysql-devel</code>, <code>mysql-libs</code>, or <code>mysql-server</code> and verify they build and work correctly against MySQL 9.7 ** File bugs and/or PRs for any packages that need fixes * Other developers: ** Cooperate on fixes if their package needs adjustment for MySQL 9.7 compatibility * Release engineering: N/A (not a System Wide Change) * Policies and guidelines: N/A * Trademark approval: N/A * Alignment with the Fedora Strategy: Fedora leads in the Linux distribution development == Upgrade/compatibility impact == Users upgrading from Fedora 44 (which has MySQL 8.4 as default) to Fedora 45 will have their MySQL installation upgraded to 9.7. Database administrators should follow the standard MySQL major version upgrade procedure: # Back up all databases before upgrading # Run <code>dnf update</code> # MySQL 9.7 runs <code>mysql_upgrade</code> automatically on first start MySQL 8.4 remains available in Fedora 45 as <code>mysql8.4-server</code> for users who need more time to migrate. '''Note:''' Upgrading directly from MySQL 8.4 to 9.7 is the supported LTS-to-LTS upgrade path. Skipping LTS versions (e.g. 8.4 directly to a future 10.x) is not supported by upstream. '''Note:''' The <code>mysql_native_password</code> authentication plugin was removed in the MySQL 9.x series. Applications still relying on it must switch to <code>caching_sha2_password</code>. '''Note:''' The <code>replica_parallel_type</code> system variable has been removed. Replication setups using it must be updated before upgrading. '''Note:''' MySQL 9.7, like 8.4, does not support 32-bit builds. This was already handled in Fedora 43. == How To Test == '''Fresh install:''' * <code>dnf install mysql-server</code> → installs <code>mysql9.7-server</code> * <code>dnf install mysql8.4-server</code> → installs <code>mysql8.4-server</code> * <code>dnf install mysql9.7-server</code> → installs <code>mysql9.7-server</code> * Verify the server starts, accepts connections, and runs basic queries '''Upgrade scenario:''' * Running <code>dnf update</code> from a Fedora 44 installation with MySQL 8.4 results in <code>mysql9.7-server</code> * Verify data integrity after the automatic upgrade '''Staying on 8.4 (manual steps):''' # Disable the service: <code>systemctl disable --now mysqld</code> # Run <code>dnf update</code> (installs 9.7) # Swap back: <code>dnf swap mysql-server mysql8.4-server --allowerasing</code> # Restore service: <code>systemctl enable --now mysqld</code> '''Conflict test:''' * Installing both <code>mysql8.4-server</code> and <code>mysql9.7-server</code> must fail gracefully with a conflict message about <code>mysql-server-any</code> == User Experience == Users get access to MySQL 9.7's features and enhancements. The installation and management experience remains identical. == Dependencies == Packages that need rebuild (BuildRequire <code>mysql-devel</code> / link against <code>libmysqlclient</code>): * <code>mysql-connector-odbc</code> - [https://src.fedoraproject.org/rpms/mysql-connector-odbc/blob/rawhide/f/mysql-connector-odbc.spec#_22 BuildRequires: mysql-devel] * <code>mysql-connector-python</code> - [https://src.fedoraproject.org/rpms/mysql-connector-python/blob/rawhide/f/mysql-connector-python.spec#_49 BuildRequires: mysql-devel] * <code>perl-DBD-MySQL</code> - [https://src.fedoraproject.org/rpms/perl-DBD-MySQL/blob/rawhide/f/perl-DBD-MySQL.spec#_33 BuildRequires: mysql-devel] No RPMFusion packages depend on <code>mysql-devel</code> or <code>mysql-libs</code>. == Contingency Plan == * Contingency mechanism: revert the macro change in both SPECfiles to restore MySQL 8.4 as the default * Contingency deadline: N/A (not a System Wide Change) * Blocks release? '''No''' == Documentation == * MySQL 9.7 Changes & improvements: https://dev.mysql.com/doc/refman/9.7/en/mysql-nutshell.html * MySQL 9.7 Release Notes: https://dev.mysql.com/doc/relnotes/mysql/9.7/en/ * MySQL 9.7 Reference Manual: https://dev.mysql.com/doc/refman/9.7/en/ == Release Notes == MySQL 9.7 is the latest long-term support release. It consolidates all features from the innovation releases 9.0 through 9.6 on top of the previous LTS (8.4). Major changes since MySQL 8.4: https://dev.mysql.com/doc/refman/9.7/en/mysql-nutshell.html -- Aoife Moloney Fedora Operations Architect Fedora Project Matrix: @amoloney:fedora.im IRC: amoloney -- _______________________________________________ devel-announce mailing list -- devel-announce@lists.fedoraproject.org To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

F45 Change Proposal: MariaDB 12.3 (self-contained)

Wiki - https://fedoraproject.org/wiki/Changes/MariaDB_12.3 Discussion Thread - https://discussion.fedoraproject.org/t/f45-change-proposal-mariadb-12-3-self-contained/196621 This is a proposed Change for Fedora Linux. This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee. == Summary == MariaDB packages in Fedora use a versioned layout (e.g. <code>mariadb11.8</code>, <code>mariadb12.3</code>), where each version provides versioned sub-packages. One version at a time is designated the "distribution default" and additionally provides unversioned package names (e.g. <code>mariadb-server</code>, <code>mariadb-devel</code>). This change switches the distribution default from MariaDB 11.8 to MariaDB 12.3 in Fedora 45. == Owner == * Name: [[User:mschorm|Michal Schorm]] * Email: mschorm@redhat.com == Detailed Description == A macro in the MariaDB SPECfiles controls which version provides the unversioned names. Flipping this macro in both <code>mariadb11.8</code> and <code>mariadb12.3</code> SPECfiles simultaneously switches the distribution default. Two "distribution default" packages cannot coexist due to file-level <code>Conflicts</code>, so the change must be coordinated. Comparable switches were done for MySQL in Fedora 43 (8.0 → 8.4) and for MariaDB in Fedora 44 (10.11 → 11.8), both without issues. == Feedback == &nbsp; == Benefit to Fedora == MariaDB 12.3 is the latest LTS version of MariaDB, released on May 29, 2026. It is maintained until June 2029. The previous default, MariaDB 11.8, reaches community end-of-life in June 2028 — before Fedora 45 itself reaches end-of-life. Switching to MariaDB 12.3 ensures that Fedora ships a version with full upstream support throughout its lifecycle. == Scope == * Proposal owners: ** Switch the macro in both <code>mariadb11.8</code> and <code>mariadb12.3</code> SPECfiles ** Audit all packages that depend on <code>mariadb-devel</code>, <code>libmariadb-devel</code>, or <code>mariadb-server</code> and verify they build and work correctly against MariaDB 12.3 ** File bugs and/or PRs for any packages that need fixes * Other developers: ** Cooperate on fixes if their package needs adjustment for MariaDB 12.3 compatibility * Release engineering: N/A (not a System Wide Change) * Policies and guidelines: N/A * Trademark approval: N/A * Alignment with the Fedora Strategy: Fedora leads in the Linux distribution development == Upgrade/compatibility impact == Users upgrading from Fedora 44 (which has MariaDB 11.8 as default) to Fedora 45 will have their MariaDB installation upgraded to 12.3. Database administrators should follow the standard MariaDB major version upgrade procedure: # Back up all databases before upgrading # Run <code>dnf update</code> # Run <code>mariadb-upgrade</code> after starting the new server https://mariadb.com/docs/server/server-management/install-and-upgrade-mariadb/upgrading/mariadb-community-server-upgrade-paths/upgrading-from-mariadb-11-8-to-mariadb-12-3 MariaDB 11.8 remains available in Fedora 45 as <code>mariadb11.8-server</code> for users who need more time to migrate. '''Note:''' <code>innodb_snapshot_isolation</code> now defaults to ON in MariaDB 12.3, which changes the semantics of REPEATABLE READ transactions. Applications that depend on the previous behavior should test before upgrading. See https://mariadb.com/docs/release-notes/community-server/12.3/mariadb-12.3-changes-and-improvements '''Note:''' MariaDB 12.3 adds reserved words <code>CONVERSION</code>, <code>ST_COLLECT</code>, and <code>TO_DATE</code>. SQL using these as unquoted identifiers will need quoting. '''Note:''' When upgrading a replica to 12.3, the <code>master_use_gtid</code> setting is reset to DEFAULT ([https://jira.mariadb.org/browse/MDEV-39788 MDEV-39788]). Re-apply it after upgrading. == How To Test == '''Fresh install:''' * <code>dnf install mariadb-server</code> → installs <code>mariadb12.3-server</code> * <code>dnf install mariadb11.8-server</code> → installs <code>mariadb11.8-server</code> * <code>dnf install mariadb12.3-server</code> → installs <code>mariadb12.3-server</code> * Verify the server starts, accepts connections, and runs basic queries '''Upgrade scenario:''' * Running <code>dnf update</code> from a Fedora 44 installation with MariaDB 11.8 results in <code>mariadb12.3-server</code> * After upgrade, run <code>mariadb-upgrade</code> and verify data integrity '''Staying on 11.8 (manual steps):''' # Disable the service: <code>systemctl disable --now mariadb</code> # Run <code>dnf update</code> (installs 12.3) # Swap back: <code>dnf swap mariadb-server mariadb11.8-server --allowerasing</code> # Restore service: <code>systemctl enable --now mariadb</code> '''Conflict test:''' * Installing both <code>mariadb11.8-server</code> and <code>mariadb12.3-server</code> must fail gracefully with a conflict message about <code>mariadb-server-any</code> == User Experience == Users get access to MariaDB 12.3's features and enhancements. The installation and management experience remains identical. == Dependencies == Only a single package in Fedora and RPMFusion needs rebuild: <code>amarok</code> - [https://src.fedoraproject.org/rpms/amarok/blob/rawhide/f/amarok.spec#_99 BuildRequires: mariadb-embedded-devel] All other packages depending on MariaDB are built against the client library provided by the <code>mariadb-connector-c</code> package. == Contingency Plan == * Contingency mechanism: revert the macro change in both SPECfiles to restore MariaDB 11.8 as the default * Contingency deadline: N/A (not a System Wide Change) * Blocks release? '''No''' == Documentation == * MariaDB 12.3 Changes & Improvements: https://mariadb.com/docs/release-notes/community-server/12.3/mariadb-12.3-changes-and-improvements * MariaDB 12.3 Release Announcement: https://mariadb.org/mariadb-server-12-3-lts-released/ * Upgrading from 11.8 to 12.3: https://mariadb.com/docs/server/server-management/install-and-upgrade-mariadb/upgrading/mariadb-community-server-upgrade-paths/upgrading-from-mariadb-11-8-to-mariadb-12-3 == Release Notes == MariaDB 12.3 is the latest long-term support release, maintained until June 2029. It consolidates all features from the rolling releases 12.0, 12.1, and 12.2 on top of the previous LTS (11.8). Major changes since MariaDB 11.8: https://mariadb.com/docs/release-notes/community-server/12.3/mariadb-12.3-changes-and-improvements -- Aoife Moloney Fedora Operations Architect Fedora Project Matrix: @amoloney:fedora.im IRC: amoloney -- _______________________________________________ devel-announce mailing list -- devel-announce@lists.fedoraproject.org To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

F45 Change Proposal: LibreOffice Dictionaries (self-contained)

Wiki - https://fedoraproject.org/wiki/Changes/LibreOfficeDictionaries Discussion thread - https://discussion.fedoraproject.org/t/f45-change-proposal-libreoffice-dictionaries-self-contained/196620 This is a proposed Change for Fedora Linux. This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee. == Summary == Add a new `libreoffice-dictionaries` source package in Fedora providing hunspell spellcheck dictionaries sourced directly from the LibreOffice upstream [https://github.com/LibreOffice/dictionaries dictionaries] repository, packaged as individual per-language subpackages named `libreoffice-dict-<lang>`. == Owner == * Name: [[User:pnemade| Parag Nemade]] * Email: pnemade@redhat.com == Detailed Description == The LibreOffice project maintains its own collection of hunspell dictionaries at `https://github.com/LibreOffice/dictionaries`, updated in sync with each LibreOffice release. These dictionaries are maintained separately from the existing `hunspell-<lang>` packages in Fedora and in some cases provide more up-to-date word lists. This Change introduces the libreoffice-dictionaries source package, which builds 71 binary subpackages covering over 66 languages. Each subpackage: * Installs `.aff and .dic` hunspell dictionary files into `/usr/share/hunspell/` * Declares `Conflicts: hunspell-<lang>` so it does not co-install with the existing Fedora-maintained package for the same language * Declares `Requires: hunspell-filesystem` for the directory ownership dependency Notable new additions compared to existing Fedora hunspell-* packages include: * Bengali (libreoffice-dict-bn_BD) * English regional variants split into five subpackages: libreoffice-dict-en-AU, libreoffice-dict-en-CA, libreoffice-dict-en-GB, libreoffice-dict-en-US, libreoffice-dict-en-ZA * Aragonese (libreoffice-dict-an), Tibetan (libreoffice-dict-bo), Bosnian (libreoffice-dict-bs), Central Kurdish (libreoffice-dict-ckb), Guarani (libreoffice-dict-gug), Kurdish (libreoffice-dict-kmr), Lao (libreoffice-dict-lo), Sanskrit (libreoffice-dict-sa) The spec file uses embedded RPM Lua scripting to generate all subpackage definitions programmatically from a single data table, avoiding hundreds of lines of repetitive boilerplate. == Feedback == == Benefit to Fedora == * Users installing LibreOffice will have access to dictionaries that are versioned and tested together with each LibreOffice release, reducing spellcheck regressions caused by version skew between LibreOffice and independently-packaged dictionaries. * Provides coverage for languages and regional locales not currently available as standalone hunspell-* packages in Fedora. * The Conflicts: tagging ensures clean, unambiguous dictionary ownership — users can choose between the Fedora-maintained `hunspell-<lang>` or the LibreOffice-sourced `libreoffice-dict-<lang>`, but not both simultaneously. == Scope == * Proposal owners: Create and maintain the `libreoffice-dictionaries` package in Fedora. * Other developers: No changes required to existing `hunspell-*` packages. The Conflicts: tag handles coexistence cleanly. * Release engineering: New source package to be added to Fedora 45 dist-git. No mass rebuild required. * Policies and guidelines: Package follows Fedora Packaging Guidelines. Per-language SPDX licenses are declared on each subpackage. Files in `/usr/share/hunspell/` are owned via the hunspell-filesystem dependency. * Trademark approval: N/A (not needed for this Change) * Alignment with the Fedora Strategy: == Upgrade/compatibility impact == This is a new source package with no prior presence in Fedora. No existing packages are modified. The Conflicts: relationship with existing `hunspell-<lang>` packages is intentional and ensures that users upgrading from a system with `hunspell-fr` (for example) will not inadvertently end up with conflicting dictionary files if `libreoffice-dict-fr` is installed. == How To Test == 1. Enable Copr repo on your system using command `dnf copr enable pnemade/libreoffice-dictionaries` 2. Install any subpackage, for example: `dnf install libreoffice-dict-fr libreoffice-dict-en-GB libreoffice-dict-de` 3. Verify the dictionary files are installed: `ls /usr/share/hunspell/fr_FR.* /usr/share/hunspell/en_GB.* /usr/share/hunspell/de_DE.*` 4. Verify locale symlinks are present (e.g. for en-GB aliases): `ls -la /usr/share/hunspell/en_IE.* /usr/share/hunspell/en_IN.* /usr/share/hunspell/en_NZ.*` 5. Confirm spellcheck works in LibreOffice Writer by setting the document language to the installed locale. 6. Confirm that attempting to install both `hunspell-fr` and `libreoffice-dict-fr` simultaneously results in a conflict reported by dnf. == User Experience == == Dependencies == == Contingency Plan == * Contingency mechanism: If the package is not ready, it is simply not included in Fedora 45. No other packages depend on it yet. * Contingency deadline: Final freeze for Fedora 45. * Blocks release? No. == Documentation == No documentation changes required. == Release Notes == A new `libreoffice-dictionaries` package is available in Fedora 45, providing hunspell spell check dictionaries sourced directly from the LibreOffice upstream repository. Install individual language packages such as libreoffice-dict-fr, libreoffice-dict-de or libreoffice-dict-en-GB to enable spell checking for those languages in LibreOffice and any other application using hunspell. -- Aoife Moloney Fedora Operations Architect Fedora Project Matrix: @amoloney:fedora.im IRC: amoloney -- _______________________________________________ devel-announce mailing list -- devel-announce@lists.fedoraproject.org To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

F45 Change Proposal: LibreOffice html help (self-contained)

Wiki - https://fedoraproject.org/wiki/Changes/LibreOffice_html_help Discussion thread - https://discussion.fedoraproject.org/t/f45-change-proposal-libreoffice-html-help-self-contained/196619 This is a proposed Change for Fedora Linux. This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee. == Summary == This proposal aims to change how the LibreOffice package distribute its help files, from an embedded help system to html files which can be distributed as noarch packages. == Owner == * Name: [[User:mattia| Mattia Verga]] * Email: mattia.verga@proton.me == Detailed Description == For historic reasons, we currently build and provide LibreOffice help as embedded within the program. From quite some time now, LO has the capability for a new help system based on HTML pages, which can be viewed from any web browser installed on system. In this change, we want to switch to the new HTML help. This also enables us to switch from architecture dependent to noarch subpackages, thus saving a lot of space on repositories. == Feedback == No negative feedback so far. == Benefit to Fedora == Switching to HTML help / noarch subpackages can save a lot of space on repositories. User disk space is also happy with this, except for the default EN help packages, which shows a size increase. The following data compares help subpackage sizes for an x86_64 build (26.8.0.0.beta1). (comparison made by a python script, AI assisted by Claude) {| class="wikitable sortable" |+ Confronto dimensioni pacchetti help: arch-dependent vs noarch ! Lingua !! Dim. arch !! Dim. noarch !! Diff. % |- | ar || 3.22 MB || 2.67 MB || -17.1% |- | bg || 3.95 MB || 2.87 MB || -27.5% |- | bn || 3.77 MB || 2.80 MB || -25.8% |- | ca || 3.84 MB || 2.82 MB || -26.6% |- | cs || 3.83 MB || 2.80 MB || -26.9% |- | da || 3.86 MB || 2.79 MB || -27.7% |- | de || 3.97 MB || 2.84 MB || -28.6% |- | dz || 3.95 MB || 2.85 MB || -28.0% |- | el || 4.68 MB || 3.03 MB || -35.2% |- | en || 3.22 MB || 14.36 MB || +346.1% |- | en-GB || 3.21 MB || 2.67 MB || -16.7% |- | eo || 3.55 MB || 2.75 MB || -22.5% |- | es || 3.86 MB || 2.82 MB || -26.8% |- | et || 3.78 MB || 2.77 MB || -26.7% |- | eu || 3.88 MB || 2.78 MB || -28.3% |- | fi || 3.77 MB || 2.79 MB || -26.2% |- | fr || 3.90 MB || 2.80 MB || -28.3% |- | gl || 3.72 MB || 2.80 MB || -24.7% |- | gu || 3.23 MB || 2.73 MB || -15.4% |- | he || 3.17 MB || 2.61 MB || -17.8% |- | hi || 3.37 MB || 2.74 MB || -18.6% |- | hr || 3.31 MB || 2.73 MB || -17.4% |- | hu || 3.99 MB || 2.89 MB || -27.5% |- | id || 3.61 MB || 2.76 MB || -23.5% |- | it || 3.88 MB || 2.79 MB || -28.2% |- | ja || 5.07 MB || 3.06 MB || -39.6% |- | ka || 3.40 MB || 2.94 MB || -13.5% |- | ko || 4.18 MB || 2.80 MB || -33.1% |- | lt || 3.86 MB || 2.84 MB || -26.5% |- | lv || 3.33 MB || 2.73 MB || -18.1% |- | nb || 3.80 MB || 2.76 MB || -27.4% |- | nl || 3.78 MB || 2.80 MB || -25.8% |- | nn || 3.78 MB || 2.76 MB || -27.0% |- | pl || 3.98 MB || 2.84 MB || -28.7% |- | pt-BR || 3.75 MB || 2.78 MB || -25.8% |- | pt-PT || 3.75 MB || 2.80 MB || -25.2% |- | ro || 3.22 MB || 2.70 MB || -16.3% |- | ru || 3.91 MB || 2.90 MB || -25.9% |- | si || 3.38 MB || 2.79 MB || -17.7% |- | sk || 3.70 MB || 2.82 MB || -23.6% |- | sl || 3.90 MB || 2.79 MB || -28.4% |- | sv || 3.70 MB || 2.78 MB || -24.8% |- | ta || 3.52 MB || 2.91 MB || -17.4% |- | tr || 3.91 MB || 2.83 MB || -27.8% |- | uk || 3.87 MB || 2.89 MB || -25.2% |- | zh-Hans || 5.02 MB || 2.88 MB || -42.6% |- | zh-Hant || 4.73 MB || 2.90 MB || -38.7% |- ! TOTALE !! 178.06 MB !! 143.56 MB !! -19.4% |} The total space saved on repositories is much more greater, since we'll have the noarch only without duplicating the arch packages for each architecture. == Scope == * Proposal owners: Set LibreOffice configure script to produce help in HTML format and flag help subpackages as noarch. * Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> Nothing. * Release engineering: [https://forge.fedoraproject.org/releng/tickets/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> Nothing. * Policies and guidelines: N/A (not needed for this Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> No change. * Trademark approval: N/A (not needed for this Change) N/A * Alignment with the Fedora Strategy: == Upgrade/compatibility impact == Help subpackages will be switched to noarch on upgrade. == Early Testing (Optional) == == How To Test == Open LibreOffice help by F1 or by the help menu and observe a web browser is launched instead of the old help window. == User Experience == == Dependencies == == Contingency Plan == * Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change) * Contingency deadline: N/A (not a System Wide Change) * Blocks release? N/A (not a System Wide Change) == Documentation == N/A (not a System Wide Change) == Release Notes == -- Aoife Moloney Fedora Operations Architect Fedora Project Matrix: @amoloney:fedora.im IRC: amoloney -- _______________________________________________ devel-announce mailing list -- devel-announce@lists.fedoraproject.org To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

F45 Change Proposal: Native Butane Config Support in Ignition (self-contained)

Wiki - https://fedoraproject.org/wiki/Changes/IgnitionNativeButaneSupport Discussion thread - https://discussion.fedoraproject.org/t/f45-change-proposal-native-butane-config-support-in-ignition-self-contained/196615 This is a proposed Change for Fedora Linux. This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee. == Summary == Enabling Ignition to natively accept Butane YAML configs in addition to Ignition JSON at first boot by merging the Butane config transpiler into the Ignition package. The <code>butane</code> CLI continues to be built from the same source and is still available as a standalone tool. == Owner == * Name: [[User:spresti| Steven Presti]] * Email: spresti@redhat.com == Detailed Description == Today, users must install the <code>butane</code> CLI tool, write a Butane YAML config, transpile it to Ignition JSON, and then pass the JSON to their instance. We think that this two-step process is the primary adoption barrier for Fedora CoreOS. This change merges the Butane codebase into the Ignition repository and modifies Ignition's config parsing to automatically detect and transpile Butane YAML configs at boot time. The implementation uses a JSON-first, Butane-fallback detection strategy: if the raw config parses as valid Ignition JSON, it is used directly; otherwise, Ignition attempts to transpile it as Butane YAML. On both failures, the original Ignition parse error is returned, preserving backward compatibility. Key design decisions: * '''Unsupported features at runtime''': Butane's <code>source: local</code> / <code>--files-dir</code> feature requires local filesystem context only available client-side and correctly returns an error at boot. The <code>butane</code> CLI remains available for local validation, <code>--strict</code>/<code>--check</code> modes, and <code>--files-dir</code> workflows. * '''OpenShift variant''': Butane's <code>openshift</code> variant produces MachineConfig YAML (not Ignition JSON), which intentionally fails Ignition's JSON parse. OpenShift provisioning goes through the Machine Config Operator and is unaffected. * '''RPM packaging''': A single ignition.spec will produce both the ignition package and a butane subpackage. The standalone butane.spec will be archived. Package names remain unchanged so existing dnf install butane workflows continue to work. == Feedback == This feature has been discussed extensively across multiple FCOS community meetings: * [https://meetbot.fedoraproject.org/meeting-1_matrix_fedoraproject-org/2026-01-14/fedora-coreos-meeting.2026-01-14-15.30.log.html 2026-01-14 community meeting] -- agreed on the merge approach * [https://meetbot-raw.fedoraproject.org/meeting-1_matrix_fedoraproject-org/2026-06-17/fedora-coreos-meeting.2026-06-17-15.30.log.html 2026-06-17 community meeting] -- agreed to pursue F45 Change Request * [https://meetbot-raw.fedoraproject.org/meeting-1_matrix_fedoraproject-org/2026-07-01/fedora-coreos-meeting.2026-07-01-15.30.log.html 2026-07-01 community meeting] -- agreed to combine ignition and butane specs, with butane as a subpackage of ignition Tracked in [https://github.com/coreos/fedora-coreos-tracker/issues/2006 coreos/fedora-coreos-tracker#2006] with 33 comments over 10 months. Key community input: * '''Alternative considered: YAML input for Ignition spec''' -- rejected because it would require Ignition spec changes and wouldn't provide Butane's sugar syntax (boot device mirroring, systemd units, etc.) * '''Alternative considered: git subtree''' -- rejected; subtrees are for maintaining active repos inside another, and Butane will be archived after the merge ([https://github.com/coreos/fedora-coreos-tracker/issues/2006#issuecomment-4750699585 travier, June 19]) == Benefit to Fedora == * '''Removes the #1 adoption barrier for Fedora CoreOS''': Users can write Butane YAML and pass it directly as instance userdata -- no toolchain installation, no transpile step, no build pipeline integration needed. * '''Simpler onboarding''': Getting started guides can show a single step (write YAML, boot instance) instead of the current three steps (install butane, write YAML, transpile, boot instance). * '''Aligns with user expectations''': Users of cloud-init and similar tools expect to pass human-readable configs directly. This brings Ignition-based systems closer to that experience. * '''Referenced configs via URL work transparently''': Butane YAML served over HTTP/S3/GCS can be used in <code>ignition.config.replace</code>/<code>merge</code> directives, enabling YAML-native config management workflows. * '''Reduced maintenance burden''': One repository, one CI pipeline, one release process instead of two. == Scope == * Proposal owners: The Ignition/Butane maintainers will merge the Butane codebase into the Ignition repository, update <code>ignition.spec</code> to produce a <code>butane</code> subpackage, archive the standalone <code>butane.spec</code>, and ensure all CI checks pass. Upstream PR: [https://github.com/coreos/ignition/pull/2235 ignition#2235]. * Other developers: No changes required from other Fedora package maintainers. The Flatcar team has reviewed the approach and confirmed compatibility. * Release engineering: N/A (not a System Wide Change) * Policies and guidelines: N/A (not needed for this Change) * Trademark approval: N/A (not needed for this Change) * Alignment with the Fedora Strategy: This change aligns with Fedora's goal of making the platform more accessible and easier to adopt. By removing a toolchain dependency from the provisioning workflow, Fedora CoreOS becomes more approachable for new users and operators. == Upgrade/compatibility impact == This change is fully backward compatible: * '''Existing Ignition JSON configs continue to work identically'''. JSON is always tried first; the Butane fallback is only attempted if JSON parsing fails. * '''No config format changes'''. Both Ignition JSON specs and Butane YAML specs remain unchanged. * '''No behavioral changes for existing deployments'''. Systems already provisioned are unaffected. * '''initrd size increase''': ~3MB. This is more than offset by complementary binary size reduction work ([https://github.com/coreos/ignition/pull/2238 ignition#2238]) which reduces the Ignition binary from 64MB to 20MB, resulting in a significantly smaller initrd than the current baseline. No manual configuration or data migration is required. == Early Testing (Optional) == Do you require 'QA Blueprint' support? N == How To Test == No special hardware is required (any x86_64 or aarch64 machine, or a cloud instance). # Write a Butane YAML config (e.g., create a user with an SSH key): <pre> variant: fcos version: 1.6.0 passwd: users: - name: core ssh_authorized_keys: - ssh-ed25519 AAAA... </pre> # Pass the YAML directly as instance userdata (no transpilation step). # Boot a Fedora CoreOS instance and verify provisioning works correctly (e.g., SSH login with the provided key succeeds). # Verify that existing Ignition JSON configs still work identically by booting an instance with a known-good JSON config. # Test that <code>ignition-validate</code> accepts both Butane YAML and Ignition JSON inputs. # Test that a Butane config using <code>source: local</code> produces a clear error at boot (expected behavior -- this feature requires the <code>butane</code> CLI). == User Experience == Users can now pass Butane YAML configs directly as instance userdata when provisioning Fedora CoreOS systems. The separate <code>butane</code> CLI transpilation step is no longer required for basic provisioning workflows. The <code>butane</code> CLI binary continues to be built and distributed for users who need: * Local config validation with <code>--strict</code> / <code>--check</code> * The <code>--files-dir</code> feature to embed local files into configs * Client-side transpilation for workflows that require Ignition JSON output == Dependencies == N/A (self-contained change). No other Fedora packages are affected. Complementary work: [https://github.com/coreos/ignition/pull/2238 ignition#2238] reduces the Ignition binary size, offsetting the size increase from embedding Butane. This is tracked separately and is not a dependency of this change. == Contingency Plan == * Contingency mechanism: Revert the merge commit and RPM spec changes. Butane remains a separate tool and users continue transpiling configs client-side (status quo). The Ignition/Butane maintainers will handle the revert. * Contingency deadline: N/A (not a System Wide Change) * Blocks release? No == Documentation == * Fedora CoreOS documentation will be updated to describe the new workflow (pass Butane YAML directly as userdata). * The <code>butane</code> CLI documentation will note that client-side transpilation is optional for basic use cases. * The Butane repository ([https://github.com/coreos/butane github.com/coreos/butane]) will be archived with a README pointing to the Ignition repository. * Upstream tracking: [https://github.com/coreos/fedora-coreos-tracker/issues/2006 coreos/fedora-coreos-tracker#2006] == Release Notes == Ignition now natively accepts Butane YAML configurations at first boot. Users can pass Butane configs directly as instance userdata without a separate transpilation step. All existing Ignition JSON configs continue to work unchanged. The <code>butane</code> CLI remains available for local validation and advanced features like <code>--files-dir</code>. -- Aoife Moloney Fedora Operations Architect Fedora Project Matrix: @amoloney:fedora.im IRC: amoloney -- _______________________________________________ devel-announce mailing list -- devel-announce@lists.fedoraproject.org To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

Sunday, July 12, 2026

Security support for Bookworm handed over to the LTS team

------------------------------------------------------------------------ The Debian Project https://www.debian.org/ Security support for Bookworm handed over to the LTS team press@debian.org July 12th, 2026 https://www.debian.org/News/2026/20260712 ------------------------------------------------------------------------ On 12 July 2026, three years after the initial release, the regular support for Debian 12, alias "bookworm", has come to an end. The Debian Long Term Support (LTS) [1] Team is taking over security support from the Security and Release Teams. 1: https://wiki.debian.org/LTS/ Information for users --------------------- Bookworm LTS will be supported until 30 June 2028. Where possible, users are encouraged to upgrade their machines to Debian 13, alias "trixie", the current Debian stable release. The life cycle of Debian releases encompasses three years of regular support plus two years of Long Term Support. Debian 12 will thus receive Long Term Support until 30 June 2028, five years after the initial release. Users that need to stick with Debian 12 can find relevant information about Debian Long Term Support at LTS/Using [2]. Important information and updates regarding Bookworm LTS specifically can be found at LTS/ Bookworm [3]. 2: https://wiki.debian.org/LTS/Using 3: https://wiki.debian.org/LTS/Bookworm Debian 12 LTS users are invited to subscribe to the announcement mailing list [4] to receive notifications about security updates, or to follow the latest advisories through the LTS Security Information [5] webpage. 4: https://lists.debian.org/debian-lts-announce/ 5: https://www.debian.org/lts/security/ A few packages are not covered by the Bookworm LTS support. Non- supported packages installed in users' machines can be identified by installing the debian-security-support [6] package. If debian-security- support detects an unsupported package which is critical to you, please get in touch with <debian-lts@lists.debian.org>. 6: https://tracker.debian.org/pkg/debian-security-support ppc64el supported as a Bookworm LTS architecture. ------------------------------------------------- One of the differences between regular support and long term support is the set of supported architectures. The Debian LTS team is pleased to announce that 64-bit Little Endian PowerPC (ppc64el) will be supported, for the first time, as an LTS architecture. The supported architectures in Debian 12 LTS are thus amd64, i386, arm64, armhf and ppc64el. Bullseye LTS reaching end of support. ------------------------------------- Debian 11, alias "bullseye", was initially released on 14 August 2021, and its two years of Long Term Support will end on 31 August 2026. Users of Debian 11 LTS are strongly encouraged to upgrade to Debian 12, and then to Debian 13. Debian and its LTS Team would like to thank all contributing users, developers, sponsors and other Debian teams who are making it possible to extend the life of previous stable releases. If you rely on Debian LTS, please consider joining the team [7], providing patches, testing or funding the efforts [8]. 7: https://wiki.debian.org/LTS/Development 8: https://wiki.debian.org/LTS/Funding About Debian ------------ The Debian Project was founded in 1993 by Ian Murdock to be a truly free community project. Since then the project has grown to be one of the largest and most influential open source projects. Thousands of volunteers from all over the world work together to create and maintain Debian software. Available in 70 languages, and supporting a huge range of computer types, Debian calls itself the "universal operating system". Contact Information ------------------- For further information, please visit the Debian web pages at https://www.debian.org/ or send mail to <press@debian.org>.

Saturday, July 11, 2026

Fedora 45 Mass Rebuild Notification — Scheduled for 2026-07-15

Hello all,

As per the Fedora 45 release schedule [1], the mass rebuild is scheduled to begin on Wednesday, 2026-07-15.

We have a tracker ticket [2] open on the Release Engineering issue tracker. Feel free to leave a comment on the ticket with any questions or requests.

The mass rebuild will be done in a side tag (`f45-rebuild`) and merged when completed. FTBFS (Fails To Build From Source) bugs will be filed shortly after the mass rebuild has finished.

If you need to exclude a package from the rebuild, add a `noautobuild` file to the root of your dist-git repository, or request that Release Engineering add it to the skip list.

Please note that maintainers can continue working as normal during the mass rebuild. If you submit a build for your package, it will be used instead of the mass rebuild build.

If you have questions or run into issues, comment on the tracker ticket or reach out in the Release Engineering Matrix room [3].

Regards,
Patrik Polakovic
Fedora Release Engineering

[1] https://fedorapeople.org/groups/schedule/f-45/f-45-all-tasks.html
[2] https://forge.fedoraproject.org/releng/tickets/issues/13406
[3] https://matrix.to/#/#releng:fedoraproject.org

-- _______________________________________________ devel-announce mailing list -- devel-announce@lists.fedoraproject.org To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

Updated Debian 13: 13.6 released

------------------------------------------------------------------------ The Debian Project https://www.debian.org/ Updated Debian 13: 13.6 released press@debian.org July 11th, 2026 https://www.debian.org/News/2026/20260711 ------------------------------------------------------------------------ The Debian project is pleased to announce the sixth update of its stable distribution Debian 13 (codename "trixie"). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available. Please note that the point release does not constitute a new version of Debian 13 but only updates some of the packages included. There is no need to throw away old "trixie" media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror. Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release. New installation images will be available soon at the regular locations. Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at: https://www.debian.org/mirror/list Noteworthy updates ------------------ "fwupd" has been updated to upstream version 2.0.20, which has the ability to update the Secure Boot certificate authority (CA), Key Exchange Key (KEK) and revocation (DBX) databases. The 2013 UEFI Secure Boot CA installed by default on most PCs and used to sign bootloaders has now expired. Future updates to "shim-signed" could therefore lead to systems being unable to boot with Secure Boot enabled. Users are strongly advised to apply "CA", "KEK" and "DBX" updates from their system OEM in line with the following guidance: https://wiki.debian.org/SecureBoot/CAChanges#What_should_I_do.3F For licensing reasons "geoip-database" has been reverted to a version dated approximately December 2019. As a result, applications using this database might use out-of-date allocation information. More recent versions of "geoip-database" (GeoLite) are not compatible with the Debian Free Software Guidelines and cannot be distributed. Consumers of this data are strongly encouraged to obtain a GeoLite license directly and cease reliance on the "geoip-database" package. Miscellaneous Bugfixes ---------------------- This stable update adds a few important corrections to the following packages: +-------------------------+-------------------------------------------+ | Package | Reason | +-------------------------+-------------------------------------------+ | apache2 [1] | Fix use-after-free issues [CVE-2026-29167 | | | CVE-2026-48913]; fix cross-site scripting | | | issue [CVE-2026-29170]; fix buffer | | | overflow issues [CVE-2026-34355 CVE-2026- | | | 34356 CVE-2026-42536]; fix denial of | | | service issues [CVE-2026-42535 CVE-2026- | | | 44186 CVE-2026-49975]; fix out of bounds | | | read issues [CVE-2026-43951 CVE-2026- | | | 44185]; fix file read issue [CVE-2026- | | | 44119]; fix buffer underwrite issue | | | [CVE-2026-44631] | | | | | archlinux-keyring [2] | Update keys | | | | | awstats [3] | Prevent freezing on keyword stat | | | | | base-files [4] | Update for the point release | | | | | beets [5] | Fix XSS vulnerability [CVE-2026-42052] | | | | | calibre [6] | Fix unsafe e-book extraction and resource | | | path handling [CVE-2026-30853 CVE-2026- | | | 33206]; prevent e-book viewer local file | | | reads and SSRF/exfiltration [CVE-2026- | | | 33205]; avoid unsafe catalog rule | | | evaluation; correct XPath and SQL query | | | handling; fix reader-background endpoint | | | path normalisation; improve exception | | | diagnostics | | | | | cdebootstrap [7] | Rebuild with updated xz-utils | | | | | chrony [8] | Ensure if-up/down hook scripts exit | | | successfully | | | | | ckermit [9] | Block remote control of the local kermit | | | by default [CVE-2025-68920]; disable | | | unnecessary OpenSSL version check | | | | | composer [10] | Fix support for new GitHub token format | | | [CVE-2026-45793] | | | | | courier [11] | Fix webadmin paths to imapd and imapd-ssl | | | | | curl [12] | Fix bearer token redirect leaks | | | [CVE-2025-14524 CVE-2026-3783]; correct | | | OpenSSL CA cache reuse [CVE-2025-14819]; | | | fix HTTP Negotiate and proxy connection | | | reuse [CVE-2026-1965 CVE-2026-3784 | | | CVE-2026-5545]; prevent clear-text | | | STARTTLS connection reuse [CVE-2026- | | | 4873]; fix SMB use-after-free and wrong | | | share reuse [CVE-2026-3805 CVE-2026- | | | 5773]; clear redirected host/proxy/netrc | | | credentials [CVE-2026-6253 CVE-2026- | | | 6429]; prevent stale cookie leaks | | | [CVE-2026-6276]; clear proxy Digest state | | | when switching proxies [CVE-2026-7168] | | | | | dar [13] | Rebuild with updated curl, libgcrypt20, | | | openssl | | | | | dcmtk [14] | Fix NULL pointer dereference issues | | | [CVE-2022-4981 CVE-2025-14841]; fix | | | memory corruption issues [CVE-2025-2357 | | | CVE-2025-9732 CVE-2025-14607]; fix | | | command injection issue [CVE-2026-5663]; | | | fix buffer overflow issues [CVE-2026- | | | 10194 CVE-2026-12805] | | | | | debian-installer [15] | Bump linux ABI 6.12.94+deb13; rebuild for | | | point release | | | | | debian-installer- | Rebuild from proposed updates | | netboot-images [16] | | | | | | debusine [17] | Enforce file upload permissions; restrict | | | artifact relation creation/deletion | | | [CVE-2026-11852]; harden sbuild | | | repository command quoting; reject | | | unsafe .dsc/.changes checksum paths | | | [CVE-2026-11853] | | | | | deepdiff [18] | Fix class pollution issue [CVE-2025- | | | 58367]; fix denial of service issue | | | [CVE-2026-33155] | | | | | dhcpcd [19] | Fix memory safety issues [CVE-2025-70102 | | | CVE-2026-56113 CVE-2026-56114]; fix IPv6 | | | Router Advertisement information leakage | | | [CVE-2026-56116]; correct control socket | | | lifetime handling [CVE-2026-56117] | | | | | distrobuilder [20] | Rebuild with updated incus | | | | | dolphin [21] | Fix sandbox escape issue [CVE-2026-41525] | | | | | errands [22] | Fix verification of TLS certificates for | | | CalDAV servers [CVE-2025-71063] | | | | | execnet [23] | Disable unreliable build-time tests | | | | | fldigi [24] | Force LC_NUMERIC=C.UTF-8 to use proper | | | decimal separator in API and ADIF log | | | files | | | | | freecad [25] | Fix fanuc post processor; fix build | | | failure on arm64 | | | | | fwupd [26] | Enable UEFI CA/db/KEK updates for the | | | 2026 Secure Boot certificate transition; | | | fix UEFI PK/KEK/dbx enumeration; fix | | | Thunderbolt controller deployment; | | | correct firmware update regressions; | | | update fwupd hardware support and tests | | | | | gambas3 [27] | Fix Qt component loading | | | | | gdown [28] | Fix arbitray file write issue [CVE-2026- | | | 40491] | | | | | geoip [29] | Reinstate generator scripts, relied upon | | | by geoip-database | | | | | geoip-database [30] | Revert to a DFSG-compatible version | | | | | giflib [31] | Fix memory corruption issues [CVE-2026- | | | 23868 CVE-2026-26740] | | | | | gimp [32] | Fix integer overflow issues [CVE-2026- | | | 4154 CVE-2026-40915] | | | | | gnupg2 [33] | Rebuild with updated libgcrypt20 | | | | | gnustep-sqlclient [34] | Remove Multi-Arch: same | | | | | graphite2 [35] | Fix out-of-bounds write [CVE-2026-50593] | | | | | horizon [36] | Fix escaping of special characters in | | | project | | | | | ironic [37] | Fix credential forwarding from | | | configuration molds [CVE-2026-42997]; fix | | | IPMI console command injection [CVE-2026- | | | 42510]; sandbox kickstart template | | | rendering [CVE-2026-44916]; prevent | | | conductor thread exhaustion from file | | | special devices [CVE-2026-44919]; | | | restrict unsafe file image paths; improve | | | image download validation and | | | checksumming; correct Redfish power, boot | | | and firmware workflows; fix inspection | | | rule validation and hook failures; avoid | | | stuck service/deploy states | | | | | isc-kea [38] | Fix denial of service issue [CVE-2026- | | | 3608] | | | | | isenkram [39] | Handle usr-merge migration in update-fw- | | | list; update generated firmware lists | | | | | keystone [40] | Fix behaviour of user_enabled_invert | | | [CVE-2026-40683]; prevent unauthorized | | | EC2 credential creation and deletion | | | [CVE-2026-33551] | | | | | libapache-session- | Improve entropy source [CVE-2026-8503] | | browseable-perl [41] | | | | | | libass [42] | Fix out of bounds read and write issues | | | | | libbytes-random-secure- | Fix incorrect usage of seed in PRNG | | perl [43] | [CVE-2026-11625] | | | | | libcaca [44] | Prevent undefined behaviour in overflow | | | check [CVE-2026-42046] | | | | | libcrypt-pbkdf2- | Change default hash algorithm to HMAC- | | perl [45] | SHA256 and default iterations to 600,000 | | | [CVE-2026-9641]; generate salts using | | | Crypt::URandom [CVE-2026-9638]; use a | | | constant-time comparison in `validate` to | | | avoid timing attacks [CVE-2017-20240] | | | | | libcrypt-urandom- | Fix buffer overflow issue [CVE-2026-2474] | | perl [46] | | | | | | libhtml-parser- | Fix heap-use-after-free in | | perl [47] | _decode_entities [CVE-2026-8829] | | | | | libnet-cidr-lite- | Fix IP/CIDR parser validation: reject | | perl [48] | non-ASCII digits and trailing newlines | | | [CVE-2026-55190]; reject zero-padded CIDR | | | masks [CVE-2026-45191] | | | | | libreoffice [49] | Gracefully handle failure in graphite2 | | | | | libslirp [50] | Fix memory disclosure issue [CVE-2026- | | | 9539] | | | | | libtasn1-6 [51] | Fix buffer overflow issue [CVE-2025- | | | 13151] | | | | | libvncserver [52] | Fix buffer overflow and out-of-bounds | | | write [CVE-2026-44988 CVE-2026-50538] | | | | | libxml-libxml-perl [53] | Fix out-of-bounds read [CVE-2026-8177] | | | | | libxml2 [54] | Fix RelaxNG include recursion limits | | | [CVE-2026-0989]; prevent XML and SGML | | | catalog recursion/resource exhaustion | | | [CVE-2025-8732 CVE-2026-0990 CVE-2026- | | | 0992]; fix xmllint shell memory leak | | | [CVE-2026-1757]; correct XML writer and | | | Schematron error-path leaks; avoid | | | RelaxNG validation use-after-free; update | | | regression tests | | | | | libxpm [55] | Fix out of bounds read issue [CVE-2026- | | | 4367] | | | | | linuxcnc [56] | Sanitize module names | | | | | lxml-html-clean [57] | Fix filter bypass issue [CVE-2026-28348]; | | | fix tag injection issue [CVE-2026-28350] | | | | | mesa [58] | Fix WebGPU/SPIR-V allocation handling | | | [CVE-2026-40393] | | | | | miniupnpd [59] | Fix integer underflow issue [CVE-2026- | | | 5720] | | | | | modsecurity [60] | Prevent denial of service in hexDecode | | | handling [CVE-2026-30923]; prevent denial | | | of service in SSN/CPF/SVNR verification | | | [CVE-2026-42268] | | | | | mutt [61] | Fix buffer truncation issues [CVE-2026- | | | 43859 CVE-2026-43860 CVE-2026-43861]; fix | | | mishandling of imap_auth_gss security | | | level [CVE-2026-43862]; fix denial of | | | service issue [CVE-2026-43863]; fix NULL | | | pointer dereference issue [CVE-2026- | | | 43864] | | | | | mxml [62] | Fix out-of-bounds read [CVE-2026-5037] | | | | | nbconvert [63] | Fix arbitrary file read/write issues | | | [CVE-2026-39377 CVE-2026-39378] | | | | | neutron [64] | Fix tagging policy bypass | | | | | nss [65] | Improve handling of escape sequences in | | | pk11uri_ParseAttributes [CVE-2026-12318] | | | | | ojalgo [66] | Reduce frequency of built-time test | | | failures | | | | | opencc [67] | Fix out-of-bounds read issue [CVE-2025- | | | 15536] | | | | | openslide [68] | Fix possible code execution issue | | | [CVE-2026-48977] | | | | | php-guzzlehttp- | Fix Host authority validation [CVE-2026- | | psr7 [69] | 48998]; reject control characters in URI | | | hosts [CVE-2026-49214]; harden | | | ServerRequest globals handling; normalise | | | global header values; encode literal plus | | | signs in query helpers | | | | | php-league-csv [70] | Fix build time test with PHP >=8.4.14 | | | | | php-twig [71] | Security update | | | | | pillow [72] | Followup fix for CVE-2026-42310 | | | | | poco [73] | Fix segmentation fault [CVE-2025-6375] | | | | | poetry [74] | Fix arbitrary file write issue [CVE-2026- | | | 34591] | | | | | poppler [75] | Fix invalid signature creation issue | | | | | postfix [76] | New upstream stable release; fix denial | | | of service issue [CVE-2026-43964]; keep | | | daemon running during upgrades | | | | | protobuf [77] | Fix parser recursion limits [CVE-2024- | | | 7254 CVE-2025-4565 CVE-2026-0994 | | | CVE-2026-6409] | | | | | psd-tools [78] | Fix denial of service issue [CVE-2026- | | | 27809] | | | | | pupnp [79] | Fix SSRF port confusion issue [CVE-2026- | | | 41682] | | | | | pymdown-extensions [80] | Fix regular expression-based denial of | | | service issue [CVE-2025-68142] | | | | | pyopenssl [81] | Fix handling of exceptions and connection | | | cancelling [CVE-2026-27448]; fix buffer | | | overflow in DTLS cookie callback | | | [CVE-2026-27459] | | | | | pytest-httpbin [82] | Disable unreliable build-time test | | | | | python-daphne [83] | Fix denial of service issue [CVE-2026- | | | 44545]; fix header injection issue | | | [CVE-2026-44546] | | | | | python-django [84] | Update test suite following changes in | | | python3.13 | | | | | python-dynaconf [85] | Fix Server-Side Template Injection issue | | | [CVE-2026-33154] | | | | | python-grpc-tools [86] | Fix TypeError in | | | command.build_package_protos | | | | | python-handy- | Fix end of central diretory locator for | | archives [87] | Zip64 | | | | | python-idna [88] | Fix denial of service issue [CVE-2026- | | | 45409] | | | | | python-iniparse [89] | Fix race condition in build-time tests | | | | | python-jwcrypto [90] | Fix denial of service issue [CVE-2026- | | | 39373] | | | | | python-markdown [91] | Adapt to changes in Python's html.parser | | | module | | | | | python-marshmallow [92] | Fix denial of service issue [CVE-2025- | | | 68480] | | | | | python-memray [93] | Fix cross-site scripting issue [CVE-2026- | | | 32722] | | | | | python-virtualenv [94] | Fix time-of-check / time-of-use issues | | | [CVE-2026-22702] | | | | | python-webob [95] | Fix open redirect issue [CVE-2026-44889] | | | | | python-xmltodict [96] | Fix XML injection issue [CVE-2025-9375] | | | | | python3.13 [97] | Fix a crash in SNI callback when the SSL | | | object is gone; fix reference leaks in | | | ssl.SSLContext objects; avoid garbage | | | collecting objects too early when sharing | | | __dict__; fix "CR/LF bytes were not | | | rejected by HTTP client proxy tunnel | | | headers or host" [CVE-2026-1502]; fix | | | denial of service issues [CVE-2026-3276 | | | CVE-2026-9669]; fix insufficient escaping | | | issue [CVE-2026-6019]; fix path traversal | | | issue [CVE-2026-7774]; fix server-side | | | request forgery issue [CVE-2026-8328] | | | | | qemu [98] | New upstream stable release; security | | | fixes [CVE-2024-6519 CVE-2026-2243 | | | CVE-2026-3195 CVE-2026-3196 CVE-2026-3842 | | | CVE-2026-3886 CVE-2026-3890 CVE-2026- | | | 41435 CVE-2026-41436 CVE-2026-41437 | | | CVE-2026-41438 CVE-2026-41439 CVE-2026- | | | 41440 CVE-2026-5744 CVE-2026-5761 | | | CVE-2026-5763 CVE-2026-6502 CVE-2026-8341 | | | CVE-2026-48002 CVE-2026-48003 CVE-2026- | | | 48004 CVE-2026-48914 CVE-2026-48915 | | | CVE-2026-6425 CVE-2026-8343] | | | | | qtmir [99] | Fix Lomiri rendering, scaling, focus | | | handling, and session crash issues; | | | correct stale window and dead surface | | | cleanup; ensure Xwayland applications | | | inherit DISPLAY; improve Asahi Linux | | | rendering provider selection | | | | | rauc [100] | Fix improper signing of large bundles | | | [CVE-2026-34155] | | | | | resource-agents [101] | Fix syntax error | | | | | rhino [102] | Fix denial of service issue [CVE-2025- | | | 66453] | | | | | rlottie [103] | Fix out-of-bounds read issue [CVE-2026- | | | 10305]; fix denial of service issues | | | [CVE-2026-47319 CVE-2026-47320] | | | | | rsync [104] | Reject excessively long HTTP proxy | | | response lines [CVE-2026-45232] | | | | | rtl-433 [105] | Fix buffer overflow issue [CVE-2025- | | | 34450] | | | | | ruby-css-parser [106] | Fix validation of HTTPS certificates for | | | remote CSS [CVE-2026-44312] | | | | | rust-time [107] | Fix denial of service [CVE-2026-25727] | | | | | samba [108] | New upstream stable release | | | | | shim [109] | New upstream release; build with default | | | gcc; set SBAT revocation level to | | | 2025021800 | | | | | shim-helpers-amd64- | Update to shim 16.1-2~deb13u1 | | signed [110] | | | | | | shim-helpers-arm64- | Update to shim 16.1-2~deb13u1 | | signed [111] | | | | | | shim-signed [112] | Ensure Secure Boot compatibility with | | | 2023 Microsoft UEFI CA; check for likely | | | boot issues before installation; combine | | | and verify multiple shim signatures; | | | update signed shim binaries | | | | | skanpage [113] | Fix data leakage issue [CVE-2025-55174] | | | | | smartdns [114] | Fix buffer overflow issue [CVE-2026-1425] | | | | | squirrel3 [115] | Fix sandbox escape [CVE-2021-41556] | | | | | sshfs-fuse [116] | Add contain_symlinks option to prevent | | | symlink escape attacks [CVE-2026-47187]; | | | reject hostname option injection via | | | bracketed mount source [CVE-2026-48711] | | | | | starman [117] | Fix request smuggling issue [CVE-2026- | | | 40560] | | | | | symfony [118] | Security update | | | | | tigervnc [119] | Prevent other users reading x0vncserver | | | screen [CVE-2026-34352] | | | | | user-mode-linux [120] | Rebuild with updated linux | | | | | vitrage [121] | Fix remote code execution vulnerability | | | [CVE-2026-28370] | | | | | wireless-regdb [122] | New upstream stable release; update | | | regulatory information for several | | | countries | | | | | wireshark [123] | New upstream stable release; fix denial | | | of service issue [CVE-2026-9759] | | | | | xz-utils [124] | Fix buffer overflow issue [CVE-2026- | | | 34743] | | | | +-------------------------+-------------------------------------------+ 1: https://packages.debian.org/src:apache2 2: https://packages.debian.org/src:archlinux-keyring 3: https://packages.debian.org/src:awstats 4: https://packages.debian.org/src:base-files 5: https://packages.debian.org/src:beets 6: https://packages.debian.org/src:calibre 7: https://packages.debian.org/src:cdebootstrap 8: https://packages.debian.org/src:chrony 9: https://packages.debian.org/src:ckermit 10: https://packages.debian.org/src:composer 11: https://packages.debian.org/src:courier 12: https://packages.debian.org/src:curl 13: https://packages.debian.org/src:dar 14: https://packages.debian.org/src:dcmtk 15: https://packages.debian.org/src:debian-installer 16: https://packages.debian.org/src:debian-installer-netboot-images 17: https://packages.debian.org/src:debusine 18: https://packages.debian.org/src:deepdiff 19: https://packages.debian.org/src:dhcpcd 20: https://packages.debian.org/src:distrobuilder 21: https://packages.debian.org/src:dolphin 22: https://packages.debian.org/src:errands 23: https://packages.debian.org/src:execnet 24: https://packages.debian.org/src:fldigi 25: https://packages.debian.org/src:freecad 26: https://packages.debian.org/src:fwupd 27: https://packages.debian.org/src:gambas3 28: https://packages.debian.org/src:gdown 29: https://packages.debian.org/src:geoip 30: https://packages.debian.org/src:geoip-database 31: https://packages.debian.org/src:giflib 32: https://packages.debian.org/src:gimp 33: https://packages.debian.org/src:gnupg2 34: https://packages.debian.org/src:gnustep-sqlclient 35: https://packages.debian.org/src:graphite2 36: https://packages.debian.org/src:horizon 37: https://packages.debian.org/src:ironic 38: https://packages.debian.org/src:isc-kea 39: https://packages.debian.org/src:isenkram 40: https://packages.debian.org/src:keystone 41: https://packages.debian.org/src:libapache-session-browseable-perl 42: https://packages.debian.org/src:libass 43: https://packages.debian.org/src:libbytes-random-secure-perl 44: https://packages.debian.org/src:libcaca 45: https://packages.debian.org/src:libcrypt-pbkdf2-perl 46: https://packages.debian.org/src:libcrypt-urandom-perl 47: https://packages.debian.org/src:libhtml-parser-perl 48: https://packages.debian.org/src:libnet-cidr-lite-perl 49: https://packages.debian.org/src:libreoffice 50: https://packages.debian.org/src:libslirp 51: https://packages.debian.org/src:libtasn1-6 52: https://packages.debian.org/src:libvncserver 53: https://packages.debian.org/src:libxml-libxml-perl 54: https://packages.debian.org/src:libxml2 55: https://packages.debian.org/src:libxpm 56: https://packages.debian.org/src:linuxcnc 57: https://packages.debian.org/src:lxml-html-clean 58: https://packages.debian.org/src:mesa 59: https://packages.debian.org/src:miniupnpd 60: https://packages.debian.org/src:modsecurity 61: https://packages.debian.org/src:mutt 62: https://packages.debian.org/src:mxml 63: https://packages.debian.org/src:nbconvert 64: https://packages.debian.org/src:neutron 65: https://packages.debian.org/src:nss 66: https://packages.debian.org/src:ojalgo 67: https://packages.debian.org/src:opencc 68: https://packages.debian.org/src:openslide 69: https://packages.debian.org/src:php-guzzlehttp-psr7 70: https://packages.debian.org/src:php-league-csv 71: https://packages.debian.org/src:php-twig 72: https://packages.debian.org/src:pillow 73: https://packages.debian.org/src:poco 74: https://packages.debian.org/src:poetry 75: https://packages.debian.org/src:poppler 76: https://packages.debian.org/src:postfix 77: https://packages.debian.org/src:protobuf 78: https://packages.debian.org/src:psd-tools 79: https://packages.debian.org/src:pupnp 80: https://packages.debian.org/src:pymdown-extensions 81: https://packages.debian.org/src:pyopenssl 82: https://packages.debian.org/src:pytest-httpbin 83: https://packages.debian.org/src:python-daphne 84: https://packages.debian.org/src:python-django 85: https://packages.debian.org/src:python-dynaconf 86: https://packages.debian.org/src:python-grpc-tools 87: https://packages.debian.org/src:python-handy-archives 88: https://packages.debian.org/src:python-idna 89: https://packages.debian.org/src:python-iniparse 90: https://packages.debian.org/src:python-jwcrypto 91: https://packages.debian.org/src:python-markdown 92: https://packages.debian.org/src:python-marshmallow 93: https://packages.debian.org/src:python-memray 94: https://packages.debian.org/src:python-virtualenv 95: https://packages.debian.org/src:python-webob 96: https://packages.debian.org/src:python-xmltodict 97: https://packages.debian.org/src:python3.13 98: https://packages.debian.org/src:qemu 99: https://packages.debian.org/src:qtmir 100: https://packages.debian.org/src:rauc 101: https://packages.debian.org/src:resource-agents 102: https://packages.debian.org/src:rhino 103: https://packages.debian.org/src:rlottie 104: https://packages.debian.org/src:rsync 105: https://packages.debian.org/src:rtl-433 106: https://packages.debian.org/src:ruby-css-parser 107: https://packages.debian.org/src:rust-time 108: https://packages.debian.org/src:samba 109: https://packages.debian.org/src:shim 110: https://packages.debian.org/src:shim-helpers-amd64-signed 111: https://packages.debian.org/src:shim-helpers-arm64-signed 112: https://packages.debian.org/src:shim-signed 113: https://packages.debian.org/src:skanpage 114: https://packages.debian.org/src:smartdns 115: https://packages.debian.org/src:squirrel3 116: https://packages.debian.org/src:sshfs-fuse 117: https://packages.debian.org/src:starman 118: https://packages.debian.org/src:symfony 119: https://packages.debian.org/src:tigervnc 120: https://packages.debian.org/src:user-mode-linux 121: https://packages.debian.org/src:vitrage 122: https://packages.debian.org/src:wireless-regdb 123: https://packages.debian.org/src:wireshark 124: https://packages.debian.org/src:xz-utils Security Updates ---------------- This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates: +----------------+--------------------------------+ | Advisory ID | Package | +----------------+--------------------------------+ | DSA-6250 [125] | chromium [126] | | | | | DSA-6256 [127] | php8.4 [128] | | | | | DSA-6266 [129] | nghttp2 [130] | | | | | DSA-6267 [131] | thunderbird [132] | | | | | DSA-6268 [133] | ffmpeg [134] | | | | | DSA-6270 [135] | postgresql-17 [136] | | | | | DSA-6271 [137] | gsasl [138] | | | | | DSA-6273 [139] | chromium [140] | | | | | DSA-6274 [141] | linux-signed-amd64 [142] | | | | | DSA-6274 [143] | linux-signed-arm64 [144] | | | | | DSA-6274 [145] | linux [146] | | | | | DSA-6277 [147] | openjpeg2 [148] | | | | | DSA-6278 [149] | nginx [150] | | | | | DSA-6279 [151] | redis [152] | | | | | DSA-6280 [153] | netatalk [154] | | | | | DSA-6281 [155] | gnutls28 [156] | | | | | DSA-6282 [157] | rsync [158] | | | | | DSA-6283 [159] | firefox-esr [160] | | | | | DSA-6284 [161] | pdns [162] | | | | | DSA-6285 [163] | bind9 [164] | | | | | DSA-6286 [165] | evince [166] | | | | | DSA-6287 [167] | chromium [168] | | | | | DSA-6288 [169] | thunderbird [170] | | | | | DSA-6289 [171] | openvpn [172] | | | | | DSA-6290 [173] | nss [174] | | | | | DSA-6291 [175] | haproxy [176] | | | | | DSA-6292 [177] | haveged [178] | | | | | DSA-6293 [179] | krb5 [180] | | | | | DSA-6294 [181] | libgcrypt20 [182] | | | | | DSA-6295 [183] | linux-signed-amd64 [184] | | | | | DSA-6295 [185] | linux-signed-arm64 [186] | | | | | DSA-6295 [187] | linux [188] | | | | | DSA-6296 [189] | spip [190] | | | | | DSA-6297 [191] | samba [192] | | | | | DSA-6298 [193] | imagemagick [194] | | | | | DSA-6299 [195] | kdenlive [196] | | | | | DSA-6300 [197] | node-shell-quote [198] | | | | | DSA-6301 [199] | roundcube [200] | | | | | DSA-6302 [201] | starlette [202] | | | | | DSA-6303 [203] | varnish [204] | | | | | DSA-6304 [205] | unbound [206] | | | | | DSA-6305 [207] | linux-signed-amd64 [208] | | | | | DSA-6305 [209] | linux-signed-arm64 [210] | | | | | DSA-6305 [211] | linux [212] | | | | | DSA-6307 [213] | kitty [214] | | | | | DSA-6308 [215] | nagios4 [216] | | | | | DSA-6309 [217] | exim4 [218] | | | | | DSA-6311 [219] | php-twig [220] | | | | | DSA-6312 [221] | symfony [222] | | | | | DSA-6313 [223] | dovecot [224] | | | | | DSA-6314 [225] | swift [226] | | | | | DSA-6315 [227] | cyborg [228] | | | | | DSA-6316 [229] | chromium [230] | | | | | DSA-6318 [231] | gst-plugins-good1.0 [232] | | | | | DSA-6319 [233] | yelp [234] | | | | | DSA-6321 [235] | ceph [236] | | | | | DSA-6322 [237] | frr [238] | | | | | DSA-6323 [239] | apache2 [240] | | | | | DSA-6324 [241] | request-tracker5 [242] | | | | | DSA-6325 [243] | chromium [244] | | | | | DSA-6326 [245] | nginx [246] | | | | | DSA-6328 [247] | tomcat10 [248] | | | | | DSA-6329 [249] | tomcat11 [250] | | | | | DSA-6330 [251] | strongswan [252] | | | | | DSA-6331 [253] | keystone [254] | | | | | DSA-6332 [255] | okular [256] | | | | | DSA-6333 [257] | mistral [258] | | | | | DSA-6334 [259] | poppler [260] | | | | | DSA-6335 [261] | openssl [262] | | | | | DSA-6336 [263] | jackson-core [264] | | | | | DSA-6336 [265] | jackson-databind [266] | | | | | DSA-6336 [267] | jackson-dataformat-smile [268] | | | | | DSA-6337 [269] | chromium [270] | | | | | DSA-6338 [271] | libdbi-perl [272] | | | | | DSA-6339 [273] | libinput [274] | | | | | DSA-6340 [275] | neutron [276] | | | | | DSA-6341 [277] | ironic [278] | | | | | DSA-6341 [279] | python-oslo.messaging [280] | | | | | DSA-6342 [281] | jpeg-xl [282] | | | | | DSA-6343 [283] | librabbitmq [284] | | | | | DSA-6344 [285] | chromium [286] | | | | | DSA-6345 [287] | libgd-perl [288] | | | | | DSA-6346 [289] | libreoffice [290] | | | | | DSA-6347 [291] | bird2 [292] | | | | | DSA-6348 [293] | gsasl [294] | | | | | DSA-6349 [295] | atril [296] | | | | | DSA-6350 [297] | firefox-esr [298] | | | | | DSA-6351 [299] | thunderbird [300] | | | | | DSA-6352 [301] | chromium [302] | | | | | DSA-6353 [303] | gst-libav1.0 [304] | | | | | DSA-6354 [305] | libconfig-inifiles-perl [306] | | | | | DSA-6355 [307] | linux-signed-amd64 [308] | | | | | DSA-6355 [309] | linux-signed-arm64 [310] | | | | | DSA-6355 [311] | linux [312] | | | | | DSA-6356 [313] | imagemagick [314] | | | | | DSA-6357 [315] | pillow [316] | | | | | DSA-6358 [317] | libhttp-daemon-perl [318] | | | | | DSA-6359 [319] | gst-plugins-good1.0 [320] | | | | | DSA-6360 [321] | squid [322] | | | | | DSA-6361 [323] | ffmpeg [324] | | | | | DSA-6362 [325] | gst-plugins-bad1.0 [326] | | | | | DSA-6363 [327] | python-urllib3 [328] | | | | | DSA-6364 [329] | chromium [330] | | | | | DSA-6365 [331] | libssh2 [332] | | | | | DSA-6366 [333] | sogo [334] | | | | | DSA-6367 [335] | dnsdist [336] | | | | | DSA-6368 [337] | pdns [338] | | | | | DSA-6369 [339] | pdns-recursor [340] | | | | | DSA-6370 [341] | incus [342] | | | | | DSA-6371 [343] | xorg-server [344] | | | | | DSA-6372 [345] | tor [346] | | | | | DSA-6373 [347] | lxd [348] | | | | | DSA-6374 [349] | nginx [350] | | | | | DSA-6375 [351] | fastnetmon [352] | | | | | DSA-6376 [353] | openvpn [354] | | | | | DSA-6377 [355] | php8.4 [356] | | | | | DSA-6378 [357] | chromium [358] | | | | | DSA-6379 [359] | bird3 [360] | | | | | DSA-6380 [361] | mediawiki [362] | | | | | DSA-6384 [363] | chromium [364] | | | | +----------------+--------------------------------+ 125: https://www.debian.org/security/2026/dsa-6250 126: https://packages.debian.org/src:chromium 127: https://www.debian.org/security/2026/dsa-6256 128: https://packages.debian.org/src:php8.4 129: https://www.debian.org/security/2026/dsa-6266 130: https://packages.debian.org/src:nghttp2 131: https://www.debian.org/security/2026/dsa-6267 132: https://packages.debian.org/src:thunderbird 133: https://www.debian.org/security/2026/dsa-6268 134: https://packages.debian.org/src:ffmpeg 135: https://www.debian.org/security/2026/dsa-6270 136: https://packages.debian.org/src:postgresql-17 137: https://www.debian.org/security/2026/dsa-6271 138: https://packages.debian.org/src:gsasl 139: https://www.debian.org/security/2026/dsa-6273 140: https://packages.debian.org/src:chromium 141: https://www.debian.org/security/2026/dsa-6274 142: https://packages.debian.org/src:linux-signed-amd64 143: https://www.debian.org/security/2026/dsa-6274 144: https://packages.debian.org/src:linux-signed-arm64 145: https://www.debian.org/security/2026/dsa-6274 146: https://packages.debian.org/src:linux 147: https://www.debian.org/security/2026/dsa-6277 148: https://packages.debian.org/src:openjpeg2 149: https://www.debian.org/security/2026/dsa-6278 150: https://packages.debian.org/src:nginx 151: https://www.debian.org/security/2026/dsa-6279 152: https://packages.debian.org/src:redis 153: https://www.debian.org/security/2026/dsa-6280 154: https://packages.debian.org/src:netatalk 155: https://www.debian.org/security/2026/dsa-6281 156: https://packages.debian.org/src:gnutls28 157: https://www.debian.org/security/2026/dsa-6282 158: https://packages.debian.org/src:rsync 159: https://www.debian.org/security/2026/dsa-6283 160: https://packages.debian.org/src:firefox-esr 161: https://www.debian.org/security/2026/dsa-6284 162: https://packages.debian.org/src:pdns 163: https://www.debian.org/security/2026/dsa-6285 164: https://packages.debian.org/src:bind9 165: https://www.debian.org/security/2026/dsa-6286 166: https://packages.debian.org/src:evince 167: https://www.debian.org/security/2026/dsa-6287 168: https://packages.debian.org/src:chromium 169: https://www.debian.org/security/2026/dsa-6288 170: https://packages.debian.org/src:thunderbird 171: https://www.debian.org/security/2026/dsa-6289 172: https://packages.debian.org/src:openvpn 173: https://www.debian.org/security/2026/dsa-6290 174: https://packages.debian.org/src:nss 175: https://www.debian.org/security/2026/dsa-6291 176: https://packages.debian.org/src:haproxy 177: https://www.debian.org/security/2026/dsa-6292 178: https://packages.debian.org/src:haveged 179: https://www.debian.org/security/2026/dsa-6293 180: https://packages.debian.org/src:krb5 181: https://www.debian.org/security/2026/dsa-6294 182: https://packages.debian.org/src:libgcrypt20 183: https://www.debian.org/security/2026/dsa-6295 184: https://packages.debian.org/src:linux-signed-amd64 185: https://www.debian.org/security/2026/dsa-6295 186: https://packages.debian.org/src:linux-signed-arm64 187: https://www.debian.org/security/2026/dsa-6295 188: https://packages.debian.org/src:linux 189: https://www.debian.org/security/2026/dsa-6296 190: https://packages.debian.org/src:spip 191: https://www.debian.org/security/2026/dsa-6297 192: https://packages.debian.org/src:samba 193: https://www.debian.org/security/2026/dsa-6298 194: https://packages.debian.org/src:imagemagick 195: https://www.debian.org/security/2026/dsa-6299 196: https://packages.debian.org/src:kdenlive 197: https://www.debian.org/security/2026/dsa-6300 198: https://packages.debian.org/src:node-shell-quote 199: https://www.debian.org/security/2026/dsa-6301 200: https://packages.debian.org/src:roundcube 201: https://www.debian.org/security/2026/dsa-6302 202: https://packages.debian.org/src:starlette 203: https://www.debian.org/security/2026/dsa-6303 204: https://packages.debian.org/src:varnish 205: https://www.debian.org/security/2026/dsa-6304 206: https://packages.debian.org/src:unbound 207: https://www.debian.org/security/2026/dsa-6305 208: https://packages.debian.org/src:linux-signed-amd64 209: https://www.debian.org/security/2026/dsa-6305 210: https://packages.debian.org/src:linux-signed-arm64 211: https://www.debian.org/security/2026/dsa-6305 212: https://packages.debian.org/src:linux 213: https://www.debian.org/security/2026/dsa-6307 214: https://packages.debian.org/src:kitty 215: https://www.debian.org/security/2026/dsa-6308 216: https://packages.debian.org/src:nagios4 217: https://www.debian.org/security/2026/dsa-6309 218: https://packages.debian.org/src:exim4 219: https://www.debian.org/security/2026/dsa-6311 220: https://packages.debian.org/src:php-twig 221: https://www.debian.org/security/2026/dsa-6312 222: https://packages.debian.org/src:symfony 223: https://www.debian.org/security/2026/dsa-6313 224: https://packages.debian.org/src:dovecot 225: https://www.debian.org/security/2026/dsa-6314 226: https://packages.debian.org/src:swift 227: https://www.debian.org/security/2026/dsa-6315 228: https://packages.debian.org/src:cyborg 229: https://www.debian.org/security/2026/dsa-6316 230: https://packages.debian.org/src:chromium 231: https://www.debian.org/security/2026/dsa-6318 232: https://packages.debian.org/src:gst-plugins-good1.0 233: https://www.debian.org/security/2026/dsa-6319 234: https://packages.debian.org/src:yelp 235: https://www.debian.org/security/2026/dsa-6321 236: https://packages.debian.org/src:ceph 237: https://www.debian.org/security/2026/dsa-6322 238: https://packages.debian.org/src:frr 239: https://www.debian.org/security/2026/dsa-6323 240: https://packages.debian.org/src:apache2 241: https://www.debian.org/security/2026/dsa-6324 242: https://packages.debian.org/src:request-tracker5 243: https://www.debian.org/security/2026/dsa-6325 244: https://packages.debian.org/src:chromium 245: https://www.debian.org/security/2026/dsa-6326 246: https://packages.debian.org/src:nginx 247: https://www.debian.org/security/2026/dsa-6328 248: https://packages.debian.org/src:tomcat10 249: https://www.debian.org/security/2026/dsa-6329 250: https://packages.debian.org/src:tomcat11 251: https://www.debian.org/security/2026/dsa-6330 252: https://packages.debian.org/src:strongswan 253: https://www.debian.org/security/2026/dsa-6331 254: https://packages.debian.org/src:keystone 255: https://www.debian.org/security/2026/dsa-6332 256: https://packages.debian.org/src:okular 257: https://www.debian.org/security/2026/dsa-6333 258: https://packages.debian.org/src:mistral 259: https://www.debian.org/security/2026/dsa-6334 260: https://packages.debian.org/src:poppler 261: https://www.debian.org/security/2026/dsa-6335 262: https://packages.debian.org/src:openssl 263: https://www.debian.org/security/2026/dsa-6336 264: https://packages.debian.org/src:jackson-core 265: https://www.debian.org/security/2026/dsa-6336 266: https://packages.debian.org/src:jackson-databind 267: https://www.debian.org/security/2026/dsa-6336 268: https://packages.debian.org/src:jackson-dataformat-smile 269: https://www.debian.org/security/2026/dsa-6337 270: https://packages.debian.org/src:chromium 271: https://www.debian.org/security/2026/dsa-6338 272: https://packages.debian.org/src:libdbi-perl 273: https://www.debian.org/security/2026/dsa-6339 274: https://packages.debian.org/src:libinput 275: https://www.debian.org/security/2026/dsa-6340 276: https://packages.debian.org/src:neutron 277: https://www.debian.org/security/2026/dsa-6341 278: https://packages.debian.org/src:ironic 279: https://www.debian.org/security/2026/dsa-6341 280: https://packages.debian.org/src:python-oslo.messaging 281: https://www.debian.org/security/2026/dsa-6342 282: https://packages.debian.org/src:jpeg-xl 283: https://www.debian.org/security/2026/dsa-6343 284: https://packages.debian.org/src:librabbitmq 285: https://www.debian.org/security/2026/dsa-6344 286: https://packages.debian.org/src:chromium 287: https://www.debian.org/security/2026/dsa-6345 288: https://packages.debian.org/src:libgd-perl 289: https://www.debian.org/security/2026/dsa-6346 290: https://packages.debian.org/src:libreoffice 291: https://www.debian.org/security/2026/dsa-6347 292: https://packages.debian.org/src:bird2 293: https://www.debian.org/security/2026/dsa-6348 294: https://packages.debian.org/src:gsasl 295: https://www.debian.org/security/2026/dsa-6349 296: https://packages.debian.org/src:atril 297: https://www.debian.org/security/2026/dsa-6350 298: https://packages.debian.org/src:firefox-esr 299: https://www.debian.org/security/2026/dsa-6351 300: https://packages.debian.org/src:thunderbird 301: https://www.debian.org/security/2026/dsa-6352 302: https://packages.debian.org/src:chromium 303: https://www.debian.org/security/2026/dsa-6353 304: https://packages.debian.org/src:gst-libav1.0 305: https://www.debian.org/security/2026/dsa-6354 306: https://packages.debian.org/src:libconfig-inifiles-perl 307: https://www.debian.org/security/2026/dsa-6355 308: https://packages.debian.org/src:linux-signed-amd64 309: https://www.debian.org/security/2026/dsa-6355 310: https://packages.debian.org/src:linux-signed-arm64 311: https://www.debian.org/security/2026/dsa-6355 312: https://packages.debian.org/src:linux 313: https://www.debian.org/security/2026/dsa-6356 314: https://packages.debian.org/src:imagemagick 315: https://www.debian.org/security/2026/dsa-6357 316: https://packages.debian.org/src:pillow 317: https://www.debian.org/security/2026/dsa-6358 318: https://packages.debian.org/src:libhttp-daemon-perl 319: https://www.debian.org/security/2026/dsa-6359 320: https://packages.debian.org/src:gst-plugins-good1.0 321: https://www.debian.org/security/2026/dsa-6360 322: https://packages.debian.org/src:squid 323: https://www.debian.org/security/2026/dsa-6361 324: https://packages.debian.org/src:ffmpeg 325: https://www.debian.org/security/2026/dsa-6362 326: https://packages.debian.org/src:gst-plugins-bad1.0 327: https://www.debian.org/security/2026/dsa-6363 328: https://packages.debian.org/src:python-urllib3 329: https://www.debian.org/security/2026/dsa-6364 330: https://packages.debian.org/src:chromium 331: https://www.debian.org/security/2026/dsa-6365 332: https://packages.debian.org/src:libssh2 333: https://www.debian.org/security/2026/dsa-6366 334: https://packages.debian.org/src:sogo 335: https://www.debian.org/security/2026/dsa-6367 336: https://packages.debian.org/src:dnsdist 337: https://www.debian.org/security/2026/dsa-6368 338: https://packages.debian.org/src:pdns 339: https://www.debian.org/security/2026/dsa-6369 340: https://packages.debian.org/src:pdns-recursor 341: https://www.debian.org/security/2026/dsa-6370 342: https://packages.debian.org/src:incus 343: https://www.debian.org/security/2026/dsa-6371 344: https://packages.debian.org/src:xorg-server 345: https://www.debian.org/security/2026/dsa-6372 346: https://packages.debian.org/src:tor 347: https://www.debian.org/security/2026/dsa-6373 348: https://packages.debian.org/src:lxd 349: https://www.debian.org/security/2026/dsa-6374 350: https://packages.debian.org/src:nginx 351: https://www.debian.org/security/2026/dsa-6375 352: https://packages.debian.org/src:fastnetmon 353: https://www.debian.org/security/2026/dsa-6376 354: https://packages.debian.org/src:openvpn 355: https://www.debian.org/security/2026/dsa-6377 356: https://packages.debian.org/src:php8.4 357: https://www.debian.org/security/2026/dsa-6378 358: https://packages.debian.org/src:chromium 359: https://www.debian.org/security/2026/dsa-6379 360: https://packages.debian.org/src:bird3 361: https://www.debian.org/security/2026/dsa-6380 362: https://packages.debian.org/src:mediawiki 363: https://www.debian.org/security/2026/dsa-6384 364: https://packages.debian.org/src:chromium Debian Installer ---------------- The installer has been updated to include the fixes incorporated into stable by the point release. URLs ---- The complete lists of packages that have changed with this revision: https://deb.debian.org/debian/dists/trixie/ChangeLog The current stable distribution: https://deb.debian.org/debian/dists/stable/ Proposed updates to the stable distribution: https://deb.debian.org/debian/dists/proposed-updates stable distribution information (release notes, errata etc.): https://www.debian.org/releases/stable/ Security announcements and information: https://www.debian.org/security/ About Debian ------------ The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian. Contact Information ------------------- For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.