openSUSE


openSUSE is an open, free and secure operating system for PC, laptops, servers and ARM devices. Managing your emails, browsing the web, watching online streams, playing games, serving websites or doing office work never felt this empowering. And best part? It's not only backed by one of the leaders in open source industry, but also driven by lively community.

26
 
 

Welcome to the monthly update for openSUSE Tumbleweed for May 2024. This month has seen a significant number of updates, enhancements, and crucial security fixes. Whether you are a developer, a system administrator, or a casual user, these updates are designed to enhance your experience and ensure the highest level of security and performance.

Should readers desire a more frequent amount of information about snapshot updates, readers are encouraged to subscribe to the openSUSE Factory mailing list.

Let’s go!

New Features and Enhancements

  • Linux Kernel 6.9.1: The month of May had a couple of updates for the kernel, but so far it remains at version 6.9.1, which addresses various issues and enhances overall stability. The mt76 driver for wifi saw improvements with the addition of missing chanctx operations for the mt7915 wifi card, enhancing functionality. A critical fix was made to the keys subsystem to prevent overwriting key expiration during instantiation, improving security. Support for system suspend/hibernation was enhanced for the Modem Host Interface subsystem with the addition of the mhi_power_down_keep_dev() Application Programming Interface, which is beneficial for maintaining device states during power management operations.
  • LLVM 18.1.6: Subpackages that were updated were clang-tools, clang18, libLLVM18, libclang-cpp18, libclang13, llvm18-gold. Fixed issues with generating incorrect thunks for functions with aligned parameters or incorrect return value passing when StructRet was used. -Xclang -target-feature -Xclang +unaligned-scalar-mem for enabling unaligned scalar memory accesses on CPUs without unaligned vector access support were introduced. Build failures when compiling AVX512 code with -march=native on machines without AVX512 were addressed. Crashes in the AArch64 backend related to fcmp instruction operands being true or false at the IR level were fixed and there was a fix to compiler crashes.
  • KDE Frameworks 5.116.0: Breeze Icons received new icons for audio/ogg and audio/x-vorbis+ogg file types, as well as the audio/vnd.wave MIME type, enhancing support for audio file formats. Extra CMake Modules had notable updates including the dropping of attempts to set IMPORTED on targets with installed configurations in ecm_add_qch. KFileMetaData saw a fix with the handling of attribute namespacing and improved metadata accuracy and processing. KService addressed a warning related to the "mimeType x-scheme-handler/file not found" issue.
  • udisks2 2.10.1: This update features updated Ukrainian and German translations, improvements to testing for LVM2 RAID by wiping used devices, settling down before checking properties and rescanning vdevs after tests. Offline and online filesystem grow tests were added, and documentation for the Filesystem.Size property was clarified. A fix was implemented for Python class invocation in nvme tests, and a --no-partition-scan option was added for the loop-setup command in udisksctl.
  • firewalld 2.1.2: The update to 2.1.2 includes several fixes: the policy now allows forwarding ports with the to-addr for egress-zone=HOST, the range check for large rule limits in rich rules has been corrected, and skip detection in the fw-in-container environment has been fixed during testing.
  • snapper 0.11.0: The update introduces asynchronous cleanup of stale btrfs qgroups and reverts some parts to fix the build in the Open Build Service. The cleanup service is now set to run every hour and qgroups are disabled if they do not exist to avoid failure when creating snapshots. Support for quarterly snapshots has been added, and a table-style selection is now based on codeset.
  • GTK3 3.24.42: Printing is improved by avoiding access to freed printers. Wayland fixes include correct monitor sizes, a crash related to tablet removal, inferred resizable edges for tiled windows, and ensuring commits occur soon after acknowledging a configure.
  • GTK4 4.14.4: A crash issue when there is no child was resolved and efficiency improvements were made in loading symbolic SVGs and handling color-free symbolics. Accessibility updates include making the gtk-demo sidebar search more accessible and stopping the emission of focus events. GDK introduced support for XDG_ACTIVATION_TOKEN and made defensive improvements for dmabuf. These improvements include handling unknown formats more carefully and using a narrower range for YUV formats.
  • Mozilla Firefox 126.0: The browser had a major update and fixed 16 Common Vulnerabilities and Exposures. There was arbitrary JavaScript execution in PDF.js fixed with CVE-2024-4367. A potential permissions request bypass via clickjacking was fixed for CVE-2024-4764. There were memory safety bug fixes addressing CVE-2024-4778 and CVE-2024-4777; the latter helps with those for Firefox ESR 115.11 and Thunderbird 115.11.
  • sssd 2.9.5: The update introduces a new configuration option called failover_primary_timeout. This option allows users to configure how often SSSD tries to reconnect to a primary server after successfully connecting to a backup server. Previously, this interval was hardcoded to 31 seconds, which remains the default value.
  • openldap2 2.6.7: The liblber library fixes a missing newline on long messages and libldap addresses exit handling issues with OpenSSL3, TLS usage with multiple LDAP URIs, OpenSSL cipher suite handling and handling of Diffie-Hellman parameter files with OpenSSL 3.0. The slapd service now honors the disclose option in matchedDN handling, improves regex testing in ACLs, and fixes sync replication with glued databases.
  • iproute2 6.9: The update introduces several new features and improvements: The m_mirred module now allows mirroring to block and the tc command adds NLM_F_ECHO support for actions and filters. The ip command has been enhanced with coupled_control support for bonding and a new monitor command for IOAM6.
  • xwayland 24.1.0: The feature release addresses several regressions introduced in previous release candidate versions. The eglstreams support has been dropped.
  • AppStream 1.0.3: Key features include enhanced validator checks to ensure description lists aren't translated, improved translation checks for descriptions and the ability to propagate selected custom entries to catalog output via the CLI compose command. Many other features were added.

Key Package Updates

  • tpm2-0-tss 4.1.0: This update provided a major security fix for CVE-2024-29040. Various bug fixes were implemented, including correcting the length check on FAPI auth callbacks, fixing the deviation from the CEL specification and resolving JSON syntax errors in FAPI profiles that were previously ignored by json-c. The update also adds support for new features and enables the usage of external keys for Fapi_Encrypt.
  • postgresql16 16.3: A fix was made for CVE-2024-4317, which could allow for an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users.
  • Python 3.x versions had a fix for CVE-2023-6597. A vulnerability was discovered in the CPython. It affected versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, 3.8.18, and earlier. This class would incorrectly follow symlinks during cleanup when there were permission errors. As a result, users with the ability to run privileged programs could potentially change the permissions of files pointed to by symlinks under certain conditions.

Bug Fixes

  • glib2 2.80.2:

    • CVE-2024-34397 - An issue in GNOME GLib allows spoofed D-Bus signals, affecting client behavior
  • qt6-base:

    • CVE-2024-33861 - QStringConverter's invalid pointer callback can modify the stack, risking vulnerabilities in applications using QStringDecoder.
  • libxml2 2.12.7

    • CVE-2024-34459 - Buffer over-read in xmllint --htmlout can cause vulnerabilities in libxml2 before 2.12.7.
  • libarchive 3.7.4:

  • krb5 added some patches to fix memory leaks related to:

  • ovmf

    • CVE-2022-36763 - EDK2 vulnerability in Tcg2MeasureGptTable() allows heap buffer overflow via local network
  • python-Jinja2 3.1.4:

    • CVE-2024-34064 - Jinja's xmlattr filter vulnerability allows non-attribute characters in keys, risking XSS attacks.
  • tpm2-0-tss 4.1.0:

Conclusion

The month of May 2024 had a steady flow of crucial security fixes, important updates, and notable enhancements across various packages for openSUSE Tumbleweed. The updates to the Linux Kernel, LLVM, KDE Frameworks and numerous other components ensure that Tumbleweed systems remain feature-rich and keep rolling. Developers and users alike benefit from the improvements, enhancements and new features.

For those Tumbleweed users who want to contribute or want to engage with detailed technological discussions, subscribe to the openSUSE Factory mailing list. The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.

Contributing to openSUSE Tumbleweed

Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.

More Information about openSUSE:

Official

Fediverse

27
 
 

Looks like most of the improvements have nothing to do with GNOME, so they should also probably impact Kalpa (the KDE MicroOS distro).

I'm particularly interested in these developments because I'm going to upgrade the CPU on my NAS (old Phenom II -> Ryzen 1700), and I'm considering reinstalling w/ MicroOS. It's currently running on an old SATA SSD, but NVMe drives are getting so cheap that it's probably worth an upgrade.

28
 
 

The openSUSE Project has an official space on Hugging Face, which is a popular platform offering a range of open-source Artificial Intelligence models, tools and resources.

The new namespace can be found at huggingface.co/openSUSE.

Hugging Face is known for facilitating developers and researchers in working with advanced AI applications that include natural language processing (NLP) and computer vision.

Having the openSUSE namespace provides community-driven development toward creating, sharing and improving AI models and datasets.

One dataset has already been added. The first dataset is openSUSE Cavil, which is a tool designed for license compliance, identification and legal reviews. By leveraging the rich AI models and datasets available through the Hugging Face platform, openSUSE Cavil can offer a more advanced and accurate detection of license issues and compliance.

To get involved with the openSUSE Project on Hugging Face, individuals can sign up for an account. The registration process is straightforward and requires only basic information.

Once registered, users can explore the openSUSE and view a collection of AI models and datasets created and shared by the community.

Contributors are encouraged to share their AI models and datasets. Hugging Face offers tools and tutorials to assist with uploading and managing these contributions. Community members can work together on improving existing models or developing new ones.

High-quality documentation and tutorials are vital for the success of the project. Community members can contribute by writing guides, creating video tutorials, or translating existing resources to broaden their accessibility.

Users gain access to cutting-edge AI models and a collaborative environment where they can learn and expand their skills. Contributions to the project support the advancement of AI research and development within the open-source ecosystem.

For more information and to participate, visit huggingface.co/openSUSE.

More Information about openSUSE:

Official

Fediverse

29
 
 

From the website:

OpenVINO is an open-source toolkit for optimizing and deploying deep learning models from cloud to edge. It accelerates deep learning inference across various use cases, such as generative AI, video, audio, and language with models from popular frameworks like PyTorch, TensorFlow, ONNX, and more. Convert and optimize models, and deploy across a mix of Intel® hardware and environments, on-premises and on-device, in the browser or in the cloud.

30
5
submitted 6 months ago* (last edited 6 months ago) by [email protected] to c/opensuse
 
 

Important dates:

  • expected summit date is Nov. 2 and 3 soon after Open Source Summit Japan
  • call for speakers is going to end around the end of July

There will be another announcement in a couple weeks.

31
32
19
submitted 6 months ago* (last edited 6 months ago) by [email protected] to c/opensuse
 
 

Welcome to the monthly update for openSUSE Tumbleweed for April 2024. This month began after addressing last month’s supply chain attack against the xz compression library for the rolling release. An explanation of that XZ Backdoor, how it was addressed and what was learned can be found on news.opensuse.org.

A flurry of updates, enhancements, and crucial security fixes arrived in openSUSE’s rolling release this month as the busy season for conferences begins. Should readers desire a more frequent amount of information about snapshot updates, readers are encouraged to subscribe to the openSUSE Factory mailing list.

New Features and Enhancements

  • Linux Kernel: The month of April had a few kernel updates. Notable changes with the 6.8.5 version included mitigation for Branch History Injection (BHI) vulnerabilities, improvements to Spectre mitigation, updates for Intel graphics drivers, fixes for SMB client vulnerabilities and fixes for RISC-V architecture. Version 6.8.7 included updates and fixes for AMD display drivers, Intel i915 driver, x86 speculative execution vulnerabilities, arm 64 device tree files, DRM drivers, filesystem handling, and more.
  • KDE Frameworks 6.1.0: The numpy package introduces enhanced support for structured arrays and flexible indexing, while pandas incorporates improved handling of missing data and new methods for data manipulation. Additionally, the matplotlib package offers enhanced customization options for plot aesthetics. New algorithms for machine learning tasks in scikit-learn were included in the update.
  • KDE Gear 24.02.2: The KDE Gear 24.02.2 update encompasses a wide range of fixes and enhancements, including resolving issues with tag addition functionality in Akonadi, addressing translated shortcut and icon appearance problems in Akregator, various improvements and fixes in ark such as disabling RAR4 compression method, multiple fixes in Elisa including volume slider and track playback issues and numerous enhancements in Konsole. There were fixes for calendar selection and the todo view updates in Korganizer.
  • PHP8 8.3.6: There were significant bug fixes, security patches and improvements across different components included in the update. Besides fixes with Core, DOM, GD, Opcache and Session, other fixes include:
    • FPM: Fixes have been applied to address issues with the configuration test running twice in daemonized mode and incorrect checks in fpm_shm_free().
    • Gettext: Fixes have been made to address issues with dcgettext and dcngettext calls with specific configurations.
    • MySQLnd: Various fixes have been applied, including correcting handshake response and charset length checks.
    • Random: Compatibility improvements have been introduced for PHP versions prior to 8.2, and issues with global Mt19937 reset have been resolved.
    • Standard: Validation has been added for specific characters in the mail() function, and various bug fixes have been implemented, including addressing command injection and cookie bypass vulnerabilities. (Noted in CVE-2024-1874, CVE-2024-2756 and fixing issues with mb_encode_mimeheader and password_verify with CVE-2024-3096 and CVE-2024-2757.)
  • Mozilla Firefox 125.0.2: The browser brought new features such as:
    • Support for AV1 codec in Encrypted Media Extensions (EME) for improved video playback quality.
    • Enhanced PDF viewer capabilities with text highlighting.
    • Introduction of the URL Paste Suggestion feature, improving usability by allowing quick navigation to URLs copied to the clipboard.
    • Multiple critical security fixes addressing vulnerabilities like out-of-bounds reads and use-after-free errors that enhance browser security.
  • dracut: There were improvements such as the addition of tpm2.target and systemd-tpm2-generator and several memory leak fixes.
  • ffmpeg: Versions 4 and 6 took care of some video handling issues and made fixes for memory leaks with improved EOF handling. The updates address:
  • sqlite3: An update from version 3.45.2 to 3.45.3 addresses a long-standing bug affecting the accuracy of trigger responses in certain UPSERT operations to ensure more reliable database operations.
  • Flatpak: The 1.15.8 update had some security fixes to prevent sandbox escape and various other usability improvements.
  • Python3.11: The 3.11.9 version had various security patches and bug fixes, such as addressing CVE-2023-52425, updating bundled libexpat to version 2.6.0, fixing possible crashes in collections.deque.index() and improving SSLContext behavior.
  • Cppcheck: New checks in version 2.14.0 include:
    • eraseIteratorOutOfBounds: Warns about calling erase() on an iterator that is out of bounds, enhancing the robustness of code.
    • returnByReference: Warns when a large class member is returned by value from a getter function, which can impact performance and memory usage.

Other Package Updates

  • SDL2: Version 2.30.2 introduces support for various new controllers, including the 6-button SEGA Mega Drive Control Pad and the Hori Fighting Stick EX2.
  • Cryptsetup: Version 2.7.2 addressed several issues, including fixes for OPAL device formatting and activation.
  • SpamAssassin: A package with a great name, version 4.0.1 enhances URL shortener link redirection handling and improves TxRep locking management, which bolsters email security for users.

Bug Fixes

Conclusion

The month of April 2024 had a blend of feature enhancements and crucial security fixes. From improved gaming support with SDL2 to strengthened encryption practices with Cryptsetup, users benefited from a host of updates aimed at enhancing functionality, stability and security. Other packages to update in Tumbleweed during the month were Mesa, GTK4, transactional-update and more.

For those Tumbleweed users that want to contribute, subscribe to the openSUSE Factory mailing list. The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.

Contributing to openSUSE Tumbleweed

Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.

33
3
submitted 6 months ago* (last edited 6 months ago) by [email protected] to c/opensuse
 
 

Looks like Leap 15.6 will ship with Cockpit, which looks pretty cool.

I just set up a new VPS w/ Leap 15.5, so I'm thinking about giving this a try. I'm not a fan of YaST on the CLI, and I'm not going to install a GUI on my VPS, so being able to just SSH tunnel to the admin panel sounds really nice.

Has anyone tried Cockpit (project link for the lazy)? It seems like it can manage most popular distros, so that's a pretty big value prop over YaST, which is pretty much only for SUSE. It looks like it's a RedHat project, but it's cool that openSUSE is pulling it in for 15.6.

34
35
 
 

Slowroll just bumped its Tumbleweed snapshot version a few hours ago.
This update contains everything since the previous snapshot 2024-02-13, including the Plasma and Gnome updates.

36
37
 
 

by Douglas DeMaio

38
 
 

So, I updated Tumbleweed, and the updates to KDE caused my Plasma/Wayland session to restart, breaking the updates part way through. I wasn't watching at the time so took some while to debug!

Spent some time learning how to use nm-cli, because new half-upgraded KDE wouldn't load the network widget. It looks like something else may have changed and mucked up in the half-update (and of course I rebooted like a wise-man/dummy/i-dont-know-but-at-least-it-didnt-make-it-work) but iterations of trying things in nmcli eventually worked!

Finally tried zypper dup again and saw the session restart, so finished the job from the virtual terminal! At last, I seem to have a working computer again, and I might just brave updating my main laptop. (I cancelled the update while it was still downloading packages, after seeing the breakage on the other laptop!)

39
14
KDE Plasma 6 (lemm.ee)
submitted 8 months ago by [email protected] to c/opensuse
 
 

Any idea when this will hit tumbleweed? I'm really looking forward to this release!

40
4
submitted 9 months ago* (last edited 9 months ago) by [email protected] to c/opensuse
41
4
submitted 9 months ago* (last edited 9 months ago) by [email protected] to c/opensuse
 
 

It's a bit quiet here so for now I'll start linking the latest openSUSE news here.

42
8
submitted 11 months ago* (last edited 11 months ago) by [email protected] to c/opensuse
 
 

Hey, I've gone ahead and decided to try out TW as my first foray into the Linux world, and I started by getting it set up on my laptop. Everything seems to be working pretty well for me (other than wifi passwords not saving by default, but I seem to have found a workaround that's not too inconvenient).

I later tried to get it set up on my desktop and the experience was very sluggish and I was curious if there would be an obvious reason as to why. I understand that I'm giving few details here, but the sluggishness was not felt at all on my laptop and was felt immediately on my desktop. I have since installed fedora on my desktop and it's been very solid and noticeably not sluggish.

I thought I should perhaps try to understand what potential issues occurred so I can get a better understanding of the system I'm using. Thanks in advance for any input.

43
12
submitted 11 months ago* (last edited 11 months ago) by vynaaa to c/opensuse
 
 

From what I have read, the winning logos are not guaranteed to be chosen, so we will have to wait for an official announcement. I think there is a meeting today, so I would keep an eye on the official wiki and news pages. At the meeting on Tuesday (12.12), the competition results were discussed but I don't know what was said.

Notes for the meeting on 12.12

Notes for the meeting on 14.12

44
 
 

The deadline has passed, but I'm not sure if all entries have been added to the wiki yet.

45
6
submitted 1 year ago* (last edited 1 year ago) by u_1f914 to c/opensuse
 
 

Slowroll repos have been moved to a new location.
Upcoming version bump, to catch up with Tumbleweed, announced.

46
 
 

I'm coming from a *deb/*buntu world and I would find it useful if I had a cheat sheet for Tumbleweed with the most basic commands, especially if there is something that correlates them with commands I'm already familiar with.

For example that # zypper up replaces # apt upgrade

I have already found a cheat sheet for zypper here https://en.opensuse.org/SDB:Zypper_usage#Cheat_sheet so I'm looking for something that includes more stuff than just zypper. Or is zypper the main difference? I mean (I'm completely new on opensuse) other stuff, like restarting services, or default location of config files, or how to do other basic low level actions, I'm not sure if they are different, but if yes, looking for such relation-map.

Hope it makes sense what I'm asking, thanks in advance

47
36
submitted 1 year ago* (last edited 1 year ago) by LunchEnjoyer to c/opensuse
 
 

Running Slowroll.

Just opened my laptop after having previously just closed the lid. Now it's showing the last used program I was using before I closed the lid last time. Anyone experienced this before?

I can fully interact with Obsidian, but not able to login. Had to reboot to fix this.

48
 
 

Hi, I have created a fork of the Greybeard project called “Moldavite” (meteorite induced explosion near Nürnberg caused a lot of gems falling on the ground in Bohemia, if it is not a symbol of the cooperation inside of SUSE, then I don’t know what would be ;)). The main project site is https://sr.ht/~mcepl/moldavite/ and OBS project. Whereas, as I understand it, Greybeard is at least for the moment more or less on the back burner, I hope to continue to work on this.

49
10
submitted 1 year ago* (last edited 1 year ago) by ichbinjasokreativ to c/opensuse
 
 

Because my NAS isn't used while I'm at work, I set up a systemd service that reliably suspends the OS to memory at the same time every day (excluding weekends), and uses rtcwake to then wake it up again just before I typically get home from work. I also have an alias set up on my laptop to send a magic packet to the NAS in case I get home earlier etc. The issue is that while the NAS wakes up automatically, it does not wake up if I send a magic packet. In the BIOS of my MSI motherboard, I can change who handles wake events from OS to BIOS and doing so fixes my magic packet issues, but it also causes the systemd service to no longer wake the NAS. WakeOnLAN is enabled in the network card, the network card is bridged (I use the 'real' MAC for WoL though). I got it to work while my NAS ran Ubuntu on different hardware (Biostar motherboard), but I'm a bit confused as to why I can no longer make it work.

Any ideas?

Edit: I fixed it. On my specific MSI motherboard, wake event handling needs to be set to BIOS controlled, then wake on pcie needs to be enabled and wake on rtc needs to be disabled (!). This way, I guess, the BIOS does not take control over the rtc alarm, allowing the OS to write to it instead. Wake On LAN is still handled by the BIOS though, as it should be.

I also realize that this was an MSI-related topic, not so much OpenSUSE, but I'd ask the mods to keep this post around in case anybody else ever stumbles across it.

50
5
firewalld (self.opensuse)
submitted 1 year ago* (last edited 1 year ago) by ichbinjasokreativ to c/opensuse
 
 

Hi everybody, I recently installed OpenSuse Leap, but I have trouble working with firewalld. The goal is to accept incoming ssh and vnc connections from two IPs exclusively, but it just doesn't work. I removed all interfaces from zone public, set the internal zone up so that it has only the two IPs as sources and only the ssh and vnc services, but I still get asked for password when I try to ssh into the machine from an IP that is not listed. Any hints?

firewall-cmd --get-active-zones returns this:

    docker
      interfaces: docker0
    internal
      sources: 192.168.0.3/24 192.168.0.2/24

firewall-cmd --zone=internal --list-all returns this:

    internal (active)
      target: default
      icmp-block-inversion: no
      interfaces:
      sources: 192.168.0.3/24 192.168.0.2/24
      services: ssh vnc-server
      ports: 22/tcp 5900/tcp 5901/tcp
      protocols:
      forward: no
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:

edit: Even with this configuration here, incoming ssh connections from an unlisted address still ask for password:

    firewall-cmd --get-active-zones
    docker
      interfaces: docker0
    drop
      interfaces: eth0 br0
    internal
      sources: 192.168.0.3/24 192.168.0.2/24
