Call for testing: syslog-ng 4.11 is coming
The syslog-ng 4.11 release is right around the corner. Thousands of automatic tests run before each new piece of source code is merged, but nothing can replace real-world hands-on tests. So help us test Elasticsearch / OpenSearch data streams, the Kafka source, cmake fixes and much more!
The development of syslog-ng is supported by thousands of automatic test cases. Nothing can enter the syslog-ng source code before all of these tests pass. In theory, I could ask my colleagues at any moment to make a release from the current state of the syslog-ng development branch once all tests pass. However, before my current job, I was working as a director of quality assurance, so I have a different take on testing things. Automatic test cases are indeed fantastic and help us to catch many problems during development. However, nothing can replace real-world users trying to use the latest version of your software.
Personally, I run a nightly or git snapshot build of syslog-ng on all my hosts. However, none of my machines are mission-critical, where downtime would cost $$$ with each and every passing minute. While syslog-ng snapshot builds are usually quite stable and breaking configuration changes are rare, I still do not recommend installing these builds on critical servers. On the other hand, I am a big fan of production testing on hosts where running into occasional problems is not a critical issue.
Read more at https://www.syslog-ng.com/community/b/blog/posts/call-for-testing-syslog-ng-4-11-is-coming

Open-Source Community Tackling Y2K38 Epoch
Just 12 years remain before a fundamental limit in timekeeping threatens to disrupt unprepared computer systems; Y2K38 is the new Y2K, and open-source contributors are aiming to create actionable warnings.
Known as faulty date logic, a problem that is far more common in computer systems than people may think, it is one that openSUSE is actively surfacing and fixing through early testing, toolchain improvements and community-driven coordination to ensure software remains reliable well beyond 2038.
At 03:14:07 UTC on Jan. 19, 2038, the UNIX Epoch will exceed the maximum value of a signed 32-bit integer; 2,147,483,647, or 0x7fffffff. Beyond that point, systems that still rely on 32-bit representations of time risk rolling over into invalid dates, triggering failures that range from subtle data corruption to outright crashes.
While most see this as an issue for 32-bit platforms such as i586 or armv7, there are some exposures with modern 64-bit systems as covered in an openSUSE Conference talk some years ago.
Y2K38 is close enough to force action and recent testing by openSUSE developers demonstrates that the risk is immediate and tangible. By advancing a build system’s clock into the year 2038, numerous packages failed to compile or pass their test suites. Affected software in the tests included version control tools, editors, compilers, Python libraries, desktop toolkits and system components.
In some cases, basic system behavior like uptime reporting was disrupted.
Several of these failures have been corrected, but breakages in these tests show how deeply embedded 32-bit time assumptions exist.
Each new feature or refactoring carries the risk of reintroducing the problem if developers default to using int or long instead of safer types such as time_t, int64_t or long long.
The problem extends beyond applications. Commonly used protocols, including SOAP/XML-RPC and SNMP, encode timestamps using 32-bit values. Implementations must therefore take extra care to handle dates beyond 2038 without breaking interoperability.
Testing itself remains challenging. Tooling improvements are being explored as a next step for these adjustments. Discussions are underway about adding compiler warnings when code performs unsafe conversions between 32-bit integers and time-related types.
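As an added illustration of the rollover described above (example code, not from openSUSE or the article), the following C program narrows a 64-bit second count into a signed 32-bit field the way legacy `int` storage does, and shows the range check such a conversion should be guarded by. The two sample second counts are constructed from the boundary value stated above; the calendar-year helper assumes a 64-bit `time_t`, as on x86_64 Linux.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Added example, not openSUSE's code: what the Y2K38 rollover looks like when a
   64-bit second count is narrowed into a signed 32-bit field, and the range
   check that such a narrowing should be guarded by. */

/* Constructed sample values: the last second a signed 32-bit time field can
   hold (2038-01-19 03:14:07 UTC, 0x7fffffff) and the second after it. */
#define Y2K38_LAST_SECOND 2147483647LL
#define Y2K38_FIRST_BAD   2147483648LL

/* The guard a safe conversion needs before storing a time in an int/int32_t. */
bool fits_in_int32(int64_t secs) {
    return secs >= INT32_MIN && secs <= INT32_MAX;
}

/* Reproduce the wraparound that legacy `int` storage performs, using only
   well-defined arithmetic (signed overflow itself is undefined behaviour in C). */
int32_t narrow_to_int32(int64_t secs) {
    uint32_t u = (uint32_t)(uint64_t)secs;          /* modular reduction */
    if (u <= (uint32_t)INT32_MAX)
        return (int32_t)u;
    return (int32_t)(u - (uint32_t)INT32_MAX - 1u) + INT32_MIN;
}

/* Calendar year of a second count as the platform's time_t sees it. Assumes a
   64-bit time_t (the norm on x86_64 Linux); with a 32-bit time_t the cast
   itself would already wrap. gmtime() is standard C, so no feature macro is needed. */
int utc_year(int64_t secs) {
    time_t t = (time_t)secs;
    struct tm *tm = gmtime(&t);
    return tm ? tm->tm_year + 1900 : -1;
}

int main(void) {
    const int64_t samples[] = { Y2K38_LAST_SECOND, Y2K38_FIRST_BAD };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t s = samples[i];
        int32_t n = narrow_to_int32(s);
        printf("%lld: fits_in_int32=%d year(64-bit)=%d narrowed=%ld year(narrowed)=%d\n",
               (long long)s, fits_in_int32(s), utc_year(s), (long)n, utc_year(n));
    }
    return 0;
}
```

Run on a 64-bit time_t platform, the second after the boundary still reports the year 2038 through the wide type, while the narrowed copy lands in 1901, which is exactly the kind of silent narrowing the proposed compiler warning would flag.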
Leap 16 is 2038-safe as it comes with 32-bit (ia32) support disabled by default, but the tests show that changes in future minor releases will need to be made for affected 64-bit pieces.
Developers interested in the topic can engage with the openSUSE Factory mailing list or join the Reddit discussion about the topic.
Register, Submit a Presentation for oSC
Registration for openSUSE Conference 2026 is now open and people are encouraged to submit a talk beginning today.
The conference is scheduled to take place June 25 to 27 in Nuremberg, Germany. Flock to Fedora will take place in Prague, Czech Republic, from June 14 to 16, followed by DevConf.CZ, which will take place in Brno, Czech Republic, from June 18 and 19. Calls for proposals are currently open for all of these open-source developer conferences. With multiple major events happening across Central Europe, June is shaping up to be an excellent opportunity to travel, connect with community members, and engage with open-source developers.
Until April 30, people can submit proposals for a talk or workshop to share their expertise. People are encouraged to submit talks based on the following length and topics:
Presentations can be submitted for the following length of time:
- Lightning Talk (10 mins)
- Short Talk (30 mins)
- Long Talk (45 mins)
- Workshop (1 hour)
The following tracks are listed for the conference:
- Cloud and Containers
- Community
- Embedded Systems and Edge Computing
- New Technologies
- Open Source
- openSUSE
- Open Source for Business: Beyond Code into Sustainability Track
Volunteers who would like to help with the organization of the conference are encouraged to email ddemaio@opensuse.org or attend the weekly community meetings.
Conferences need sponsors to support community driven events to keep events free and open to new contributing members. Companies can find sponsorship information or donate to the Geeko Foundation to assist with funds that will go toward the conference.
Tumbleweed – Review of the week 2026/3
Dear Tumbleweed users and hackers,
This week, Tumbleweed snapshots have hit a small bump in the road. While we managed to release three snapshots (0109, 0112, and 0113), the release pipeline is currently paused. Testing for snapshot 0114 identified a regression in the recent postfix update, which prevents the service from starting. A bug report has been filed and is currently being worked on; once resolved, Tumbleweed should resume snapshot releases.
The three published snapshots contained these changes:
- Linux kernel 6.18.4 & 6.18.5
- More GNOME 49.3-related package updates
- KDE Gear 25.12.1
- KDE Frameworks 6.22.0
- AppArmor 4.1.3
- Polkit 127
- XZ 5.8.2
- Qemu 10.2.0
- wireplumber 0.5.13: Note for GNOME users: We have seen reports about crashes with Bluetooth devices. See and follow https://bugzilla.opensuse.org/show_bug.cgi?id=1256740
Despite the current snapshots being blocked by the postfix issue, we are continuing to merge changes into Factory and let them be tested by openQA. The following updates are being tested:
- Removal of Python 3.12: in preparation for the python-* packages being enabled (soon) for Python 3.14, we will first lower the load on the packages by removing Python 3.12
- Ruby 3.4 interpreter is scheduled for removal after we moved to Ruby 4.0 earlier this month
- A bunch of changes to packages to support installation on transactional systems, i.e. no files written to directories outside of the snapshot, i.e. no /var
- Agama 19 preview
- Run0-wrappers as a replacement for sudo and pkexec, currently waiting on https://bugzilla.opensuse.org/show_bug.cgi?id=1256515
Planet News Roundup
This is a roundup of articles from the openSUSE community listed on planet.opensuse.org.
The below featured highlights listed on the community’s blog feed aggregator are from Jan. 9 to Jan. 15.
Blogs this week highlight a strong mix of KDE desktop development, openSUSE security work, gaming on Linux, and thoughtful reflections on software sustainability and AI.
Coverage includes multiple Plasma updates and previews, KDE Frameworks and Gear release planning, an openSUSE security retrospective, Tumbleweed snapshot reviews, and discussions on reducing e-waste through responsible software policies.
Here is a summary and links for each post:
KDE Express Episode 63: Year-End Special – KDE Express 25.12
The KDE Blog shares the latest episode of KDE Express, a community-driven video series that recaps KDE developments and highlights from December 2025. Episode 63 features a festive year-end review, covering major releases like Plasma 6.5 updates, early previews of Plasma 6.6, and reflections on KDE’s progress in accessibility, theming, and application maturity. The hosts also thank contributors and users alike, setting an optimistic tone for KDE’s roadmap heading into 2026.
My 12 Desktop Fridays of 2025
The KDE Blog celebrates a year of community creativity with a curated showcase of the author’s favorite “Desktop Friday” (#ViernesDeEscritorio) setups from 2025. Each entry highlights unique KDE Plasma customizations. The post serves as both a nostalgic recap and an inspiration for users looking to personalize their own Linux workspaces in 2026.
KDE Gear 26.04 Release Schedule Announced
The KDE Blog outlines the official release timeline for KDE Gear 26.04. Key milestones include the feature freeze and first beta on March 5, followed by the release candidate on March 27, the final code tagging on April 9, and the stable release on April 16.
SUSE Security Team Spotlight – Autumn 2025
The SUSE Security Team provides a detailed retrospective on their autumn 2025 activities to include covering code reviews, vulnerability disclosures, and security hardening efforts across multiple projects.
Plasma 6.6 Beta Released
The KDE Blog announces the beta release of Plasma 6.6. The version is expected to include further panel customization options, smoother animations, and deeper integration with KDE’s ecosystem of apps and frameworks.
Fifth Update for Plasma 6.5 Released
The KDE Blog announces the fifth maintenance update for Plasma 6.5. The update is strongly recommended for all Plasma 6.5 users, as it refines the desktop experience without altering core functionality.
Changes in the syslog-ng Elasticsearch Destination
Peter Czanik details recent improvements to syslog-ng’s Elasticsearch integration. The update aligns the driver’s behavior with modern Elasticsearch practices and improves compatibility with existing configurations. Documentation gaps have also been addressed by incorporating clearer configuration logic directly inspired by recent OpenSearch destination updates in syslog-ng 4.11.0.
Pixel Wheels 1.0.0 Released
Victorhck announces the stable 1.0.0 release of Pixel Wheels, which is an open-source, retro-style arcade racing game built with libGDX and fully compatible with Linux. The game features local multiplayer support, procedurally generated tracks, and a charming pixel-art aesthetic, all under a permissive Apache 2.0 license. Designed to be lightweight and accessible, Pixel Wheels is now considered feature-complete and ready for use.
3 Native Real-Time Strategy (RTS) Games for Linux
The KDE Blog showcases three native real-time strategy games that run natively on Linux. The list includes both classic and modern titles that leverage open-source engines or are fully developed for Linux. These games demonstrate that Linux continues to be a viable platform for RTS enthusiasts who value freedom and cross-platform play.
Set Up a Timer and Much More in KDE Plasma
Victorhck explores the versatility of KDE Plasma’s built-in timer and stopwatch utilities, showing how they integrate seamlessly into the desktop workflow via the Digital Clock widget or standalone apps. Beyond basic timing functions, he demonstrates advanced features like custom alarms, recurring notifications, and keyboard shortcuts that enhance productivity.
Software Policies Can Fuel Waste
The openSUSE News team examines how restrictive software policies, such as forced obsolescence, lack of long-term support, and vendor lock-in, contribute to electronic waste and environmental harm. The article advocates for a more responsible approach to software design and deployment.
FutureofGamming.com – A New Hub for Open Gaming Insights
NintyFan introduces FutureofGamming.com, a new website dedicated to exploring the future of gaming with a focus on open-source technologies, Linux compatibility, and community-driven development. The platform aims to cover game porting efforts, performance benchmarks on open systems, and interviews with indie developers embracing open ecosystems.
Update Your Windows 10—Switch to Linux
The KDE Blog encourages Windows 10 users facing the end of official support to consider migrating to Linux as a secure, modern, and user-friendly alternative. The post highlights KDE Plasma’s polished desktop experience, strong hardware compatibility, and seamless integration with everyday tools. It also provides practical tips for trying Linux without immediately abandoning Windows, such as using live USBs or dual-boot setups.
An Internet Artisan Facing the AI Prompt
Victorhck reflects on maintaining a personal blog in the age of AI, rejecting the idea of using AI to generate or suggest content for his posts. He contrasts the deliberate, skill-based craft of traditional computing with the convenience (and opacity) of large language models, expressing both admiration for AI’s power and concern over its impact on deep technical understanding.
Car of the Year Edition Arrives in Plasma This Week
The KDE Blog announces a “Car of the Year” themed edition for this week, featuring custom wallpapers, widgets, and system sounds inspired by automotive design. The limited-time release celebrates KDE’s tradition of playful seasonal and event-based desktop themes. There is also a video on how Mercedes is using Qt.
Twenty-Second Update of KDE Frameworks 6
The KDE Blog reports on the release of KDE Frameworks 6.22, the twenty-second monthly update since the major transition from Qt5/KF5 to Qt6/KF6 in February 2024. This update continues KDE’s commitment to delivering predictable, incremental improvements that underpin Plasma 6 and KDE applications. The post also introduces a new series explaining the 83 libraries that make up KDE Frameworks, which is categorized into four tiers based on dependency complexity and functionality.
OpenCV 4.13.0: Performance, Robustness, and Maturity for Production Computer Vision
Alessandro de Oliveira Faria highlights the release of OpenCV 4.13.0, emphasizing its enhanced performance, improved stability, and expanded support for production-grade computer vision applications. The article details deep optimizations across x86, ARM, RISC-V, and other platforms, and improvements to classic algorithms and DNN modules. It also notes enhanced bindings (Python, JavaScript, Java), better video and codec support, and future-oriented features like CUDA 13.0 compatibility.
openSUSE Tumbleweed Weekly Review – Week 2 of 2026
Victorhck and dimstar summarize the openSUSE Tumbleweed snapshots released during the second week of January 2026. The updates include key package upgrades such as GCC 14, systemd 257, and Mesa 25.0, alongside routine maintenance and security fixes.
View more blogs or learn to publish your own on planet.opensuse.org.
The Journey of auditing UYUNI
Table of Contents
- 1) Introduction
- 2) The methodology
- 3) Audit results
- CVE-2024-49502: spacewalk-web: Reflected XSS in Setup Wizard, HTTP Proxy credentials pane
- CVE-2024-49503: spacewalk-web: Reflected XSS in Setup Wizard, Organization Credentials
- CVE-2025-23392: spacewalk-java: reflected XSS in SystemsController.java
- CVE-2025-46809: Plain text HTTP Proxy user:password in repolog accessible from the UYUNI 5.x webUI
- CVE-2025-46811: Unprotected websocket endpoint
- CVE-2025-53883: spacewalk-java: various XSS found on search page
- CVE-2025-53880: susemanager-tftpsync-recv: arbitrary file creation and deletion due to path traversal
- Other minor findings
- 4) Conclusions
- 5) What’s next?
- 6) Links
1) Introduction
UYUNI is an open source systems management solution, forked from Spacewalk, and the upstream community project from which SUSE Multi-Linux Manager is derived.
The audit started in January 2024 with the perimeter definition. Since it is not feasible to audit everything, a list of packages was chosen and submitted to the UYUNI product owner. The criteria for including a package in the perimeter were:
- the package implementing UYUNI web UI
- the package implementing API or websocket layer
- the package implementing UYUNI backend
- the salt package (fundamental for UYUNI server and minion interaction)
- packages not included in previous UYUNI audits
In March 2024 the code scanning activities effectively started.
2) The methodology
Auditing a complex codebase like UYUNI is not just running a static analysis tool and waiting for it to complete. It is a complex and long-running journey that took one year and a half to complete.
Some numbers about the codebase
The codebase is big with a lot of sub-packages. Each sub-package was treated as a standalone audit with its own Bugzilla bug, its own list of affected vulnerabilities and its own report. The final report was produced by combining the reports of all sub-packages.
The audited codebase is more than 4.5 million lines of code, in at least 7 different programming languages.
| Language | Files | Lines of code |
|---|---|---|
| JavaScript | 2547 | 3805282 |
| Java | 4052 | 369100 |
| Go | 795 | 250684 |
| Python | 407 | 103965 |
| JSP | 641 | 36861 |
| Shell | 86 | 6744 |
| Perl | 65 | 6070 |
As you might imagine, using a single catch-all tool to analyze such a heterogeneous codebase is not possible.
Every package in the scanning perimeter was audited by looking at the source both with tools and by manual inspection. The running server was continuously inspected dynamically, looking for low-hanging fruit like cross-site scripting (XSS), SQL injection and similar issues, and for business logic flaws.
Each security issue was then triaged and, if necessary, a CVE identifier was assigned and the vulnerability put under EMBARGO. Using the openSUSE coordinated disclosure policy as a framework, we coordinated with upstream and disclosed each issue once it was solved.
The activity tracking
We use Bugzilla as tracking authority for audits and vulnerabilities found during the activity. A master bug (boo#1218619) was created with the purpose of acting as a main container for all sub-packages audit bugs.
Each audit bug contains all vulnerabilities affecting that sub-package and, of course, a vulnerability bug can be set as a blocker for more than one sub-package.
The setup
For the activity, a set of KVM-powered machines were created:
- a UYUNI server instance
- a UYUNI proxy instance
- a couple of minions, Linux workstations attached and managed centrally by the master.
The server is the main UYUNI component, orchestrating minion attestation and enabling system administrators to launch commands and interact with minions using the web interface.
A minion, in the UYUNI slang, is a Linux-powered machine (ideally it is a client in a local network), connected to the server.
A UYUNI proxy is a particular kind of server, used to fetch packages from software distribution channels and centrally store software packages for efficient distribution to minions. Distribution channels are software repositories, and a system administrator subscribes their own UYUNI instance to different repositories.
Each server was running openSUSE MicroOS as underlying operating system and minions were running either openSUSE Tumbleweed or Ubuntu Linux distributions.
The attacker’s corner
For the testing activities we used two different machines: a virtual machine running openSUSE Tumbleweed, used for source code inspection, and a virtual machine running Kali Linux, installed to help in penetration testing activities.
The tools
Burp Suite Community Edition was the main tool used to spot security issues in the running application.
To help while browsing the UYUNI application, a custom tool was developed. While browsing the web UI trying to find business logic flaws, I felt the need for something running in the background spotting low-hanging fruit in web page forms, cookies and more. The tool eventually became an OSS project named nightcrawler-mitm. It is a mitmproxy extension implementing both an active and a passive scanner, running several security controls in the background.
Open source tools were also used for auditing the source code. Some of the tools used are well-known OSS projects, like:
To help me during the activities, I also used some SAST tools previously written by myself, like:
The reporting method
As discussed before, every finding was tracked in a separate Bugzilla bug. Each bug was linked, as a blocking bug, to any sub-package audit bug affected by the associated vulnerability.
Of course, every vulnerability was confirmed by a successful exploitation, before being added to our Bugzilla tracking system. Vulnerabilities were assigned to UYUNI developers and tracked until a fix was released. A CVE was also assigned if required by the issue severity.
The CVSS version 4 standard was used as a scoring system and to assign a severity. The rationale is that if the CVSS score is lower than 5, then the severity is low; it is medium if the score is between 5 and 7, and high otherwise. The same approach was used to assign a triage score to each sub-package. The triage score will be used in the future to decide whether the sub-package must be included in future audit perimeters.
At the end of the audit, the list of issues and the triage score created a technical report sent to UYUNI developers.
3) Audit results
During the audit, seven CVEs were found and fixed, and numerous minor issues were addressed, improving the product’s reliability and overall security posture.
CVE-2024-49502: spacewalk-web: Reflected XSS in Setup Wizard, HTTP Proxy credentials pane
A reflected cross-site scripting vulnerability was found in the HTTP proxy pane of the setup wizard UI element. Tracked in boo#1231852
CVE-2024-49503: spacewalk-web: Reflected XSS in Setup Wizard, Organization Credentials
A reflected cross-site scripting vulnerability was found in the Organization Credentials pane of the setup wizard UI element. Tracked in boo#1231922
CVE-2025-23392: spacewalk-java: reflected XSS in SystemsController.java
Some URLs served by the SystemsController.java class are vulnerable to reflected XSS. Some examples of vulnerable URLs are listed in the GitHub advisory as well. The advisory was filed by an external independent researcher following our coordinated disclosure policy. Tracked in boo#1239826
CVE-2025-46809: Plain text HTTP Proxy user:password in repolog accessible from the UYUNI 5.x webUI
Credentials used for the UYUNI HTTP proxy are disclosed in the error log in case of a wrong port number or a misspelled hostname. Tracked in boo#1245005
CVE-2025-46811: Unprotected websocket endpoint
During an internal assessment, a customer found an issue with the remote-commands websocket endpoint (/rhn/websocket/minion/remote-commands).
Using websockets, anyone with the ability to connect to port 443 of SUSE Manager is able to run any command as root on any client with no authentication. The customer, using our coordinated disclosure policy as a reference, reported the issue, which was then fixed and publicly disclosed. Tracked in boo#1246119
CVE-2025-53883: spacewalk-java: various XSS found on search page
During an internal assessment, a customer found that some reflected cross-site scripting attacks were possible due to improper input validation. The issue was tracked in the private SUSE Bugzilla instance, since some customer-sensitive information was included. However, the issue is described in the public CVE-2025-53883 page.
CVE-2025-53880: susemanager-tftpsync-recv: arbitrary file creation and deletion due to path traversal
A Path Traversal vulnerability in the tftpsync/add and tftpsync/delete scripts allows a remote attacker on an adjacent network to write or delete files on the filesystem with the privileges of the unprivileged wwwrun user. Although the endpoint is unauthenticated, access is restricted to a list of allowed IP addresses. The unprivileged user has write access to a directory that controls the provisioning of other systems, leading to a full compromise of those subsequent systems. Tracked in boo#1246277
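The finding above is the classic case of a client-supplied file name being joined onto a base directory without validation. As an added example (not UYUNI's code, and not the fix that was shipped), the following C functions implement the lexical check such a file-receiving endpoint needs before building the destination path: the base directory and the candidate names are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not UYUNI code: the lexical check a file-receiving endpoint
   needs before joining a client-supplied name onto its base directory.
   Base directory and names below are constructed. */

/* True if `name` is a plain relative path: non-empty, not absolute, and made
   only of components that are neither empty, "." nor "..". Such a name cannot
   lexically escape the directory it is joined under. */
bool is_confined_relative_path(const char *name) {
    if (name == NULL || *name == '\0' || *name == '/')
        return false;
    const char *p = name;
    while (*p) {
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - start);
        if (len == 0)                                          /* "a//b" */
            return false;
        if (len == 1 && start[0] == '.')                       /* "a/./b" */
            return false;
        if (len == 2 && start[0] == '.' && start[1] == '.')    /* "../x" */
            return false;
        if (*p == '/') {
            p++;
            if (*p == '\0')                                    /* "a/" */
                return false;
        }
    }
    return true;
}

/* Join `name` under `base` into `out`; returns 0 on success, -1 if the name is
   rejected or the result does not fit in the buffer. */
int safe_join(const char *base, const char *name, char *out, size_t outlen) {
    if (!is_confined_relative_path(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", base, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Convenience wrapper returning the joined path from a static buffer, or NULL
   when the name is rejected. */
const char *join_or_null(const char *base, const char *name) {
    static char buf[4096];
    return safe_join(base, name, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void) {
    /* Constructed base directory and candidate names from a hypothetical client. */
    const char *base = "/srv/tftpboot";
    const char *names[] = { "pxelinux.cfg/default", "../../etc/passwd",
                            "/etc/shadow", "images/" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *joined = join_or_null(base, names[i]);
        printf("%-22s -> %s\n", names[i], joined ? joined : "REJECTED");
    }
    return 0;
}
```

The check is purely lexical: it stops `..` and absolute names, which is what the finding describes, but it says nothing about symbolic links already present under the base directory. A complete fix also opens the final path relative to a directory descriptor (openat() with O_NOFOLLOW) so that the checked name and the opened file cannot diverge.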
Other minor findings
Additional vulnerabilities were identified that, while valid, did not meet the criteria for CVE assignment:
- boo#1231900: VUL-0: arbitrary log messages in API can lead to a disk space exhaustion (and so to a denial of service)
- boo#1245740: VUL-0: Default venv-salt-minion environment is activated on the different user accounts
- boo#1243679: VUL-0: Insecure communication in TFTP proxy sync.
- boo#1243768: VUL-0: Potential Command Injection Pattern in check_push Function. No activity: a follow-up was requested.
- boo#1239636: VUL-0: log pollution in class TraceBackEvent
- boo#1237368: VUL-0: unhandled exception when dealing with numeric request parameters
- boo#1243087: VUL-0: spacewalk-search: unexploitable XSS in XML RPC Server.
- boo#1227577: VUL-0: spacecmd and spacewalk-backend: usage of unsafe third party library for XML.
Last but not least, during the audit also some codebase improvements were suggested to raise the security posture even further:
- boo#1228945: AUDIT-FIND: spacewalk-utils: Sensitive information disclosure in backup file
- boo#1223313: AUDIT-FIND: Possible deserialization issue in spacewalk-client-tools (affecting only SUMA 4.x)
- boo#1228116: AUDIT-FIND: spacewalk-admin: mgr-monitoring-ctl doesn’t sanitize PILLAR parameter
- boo#1231983: AUDIT-FIND: spacewalk-web: generatePassword() improve namespace entropy
- boo#1246941: AUDIT-FIND: saline: Hardening Against Insecure Deserialization
- boo#1247015: AUDIT-FIND: saline: Race Condition in Service Startup Allows for IPC Hijacking on Systems with a Permissive umask
- boo#1227579: AUDIT-FIND: spacecmd: get rid of pickle to read and parse configuration files.
4) Conclusions
The UYUNI audit was an intense and rewarding run. The good results in terms of the number of vulnerabilities found and the fast reaction in releasing the fixes confirmed UYUNI as a solid and reliable product for the community.
Like all software, it can of course be improved in terms of code quality by applying safe coding patterns, using secure and reliable third-party libraries and consolidating the usage of one or two programming languages. This is an important step, because it creates a common ground for engineers and a solid codebase for the community to entice contributions and pull requests.
A vibrant codebase, using a balanced mix between standard and cutting edge technologies can increase adoption of the product and it can attract developers and contributors.
It also helps in adopting safe coding best practices that are widely updated and developed for newer technologies rather than for ancient, no longer actively used programming languages.
The low number of vulnerabilities found, and the reaction time in fixing the serious ones, indicate that the project is well-curated and actively maintained. The security posture is good and it can be safely deployed in production.
5) What’s next?
Like every journey, the final destination is not the reward itself. The UYUNI project is actively under development with a monthly (more or less) release cycle.
The next audit will start in the first quarter of 2026 and it will be another one year and a half rollercoaster ride, with rabbit holes, false positives, suspected CVEs turning out to be not exploitable and real root dance issues.
The fun part is to audit code written in multiple languages, with different stacks and libraries.
It’s not rewarding only from a security perspective, it’s a real learning experience.
6) Links
- The master Bugzilla bug.
- The latest stable version 2025.10 of UYUNI containing all the relevant fixes.
- The nightcrawler-mitm tool, written to actively and passively scan the web application in the background.
- The dr_source tool, written as a SAST companion tool mainly for Java but improved with support for other programming languages.
- The UYUNI source code on Github
- The openSUSE coordinated disclosure policy
SUSE Security Team Spotlight Autumn 2025
Table of Contents
- 1) Introduction
- 2) Completion of systemd v258 Code Review
- 3) D-Bus Issues in Unreleased plasma-setup KDE Package
- 4) Discussion about Granting setgid Privileges to the plocate Binary
- 5) Local Root Exploit in OpenStack’s non-production virtualbmc Project
- 6) Revisit of the snapd Package Manager
- 7) Conclusion
1) Introduction
The winter season has already begun for most of the people in our team and with the Christmas holidays behind us, which granted us some well-earned rest, we want to take a look back at what happened in our team during the autumn months. During this time we already published a few dedicated review reports:
- trivial local Denial-of-Service in the OpenSMTPD mail transfer agent.
- unauthenticated D-Bus API in the scx scheduler project allowing for a major local Denial-of-Service.
- minor privilege escalation from lightdm to root in lightdm-kde-greeter leading to major improvements of its D-Bus code.
- major local vulnerabilities in the D-Bus interface of smb4k, resulting in upstream fixing a series of long-standing issues in the affected component.
In this post, as usual in the spotlight series, we will look into some topics
that did not justify dedicated reports. First we will discuss our continued
efforts to review privileged components found in the
systemd v258 release, which involved diving deep into some low-level aspects
of the Linux kernel API. Section 3 looks at D-Bus
issues we found in plasma-setup, a new component for the KDE desktop.
Section 4 covers recent discussions about granting special
setgid permissions to the plocate package. Section 5
gives insight into security issues found in the virtualbmc OpenStack
project, which turned out to be for testing purposes only. Section
6 discusses revived efforts to bring the Snap package manager
to openSUSE.
2) Completion of systemd v258 Code Review
We already discussed our systemd v258 review efforts in the previous
spotlight edition. At the time we found a
local root exploit in the systemd-machined API, which could be fixed before
the final release of v258. For the addition of this new major version of
systemd to openSUSE Tumbleweed, we still needed to look more closely into a
number of other D-Bus and Varlink services that have been added.
During autumn we completed the review of changes in
systemd-mountfsd and
systemd-nsresourced. Some of the changes
introduced with these services allow unprivileged users to perform a number of
container-related operations without requiring special privileges.
The io.systemd.MountFileSystem.MountDirectory API
call in mountfsd, for example, allows to obtain
a mount file descriptor for a directory owned by the calling user, on which a
user and group ID mapping is applied corresponding to a user namespace file
descriptor also owned by the caller. Some newer, little-known Linux system
calls like open_tree() and
mount_setattr() are used to achieve this. This niche
topic and the low-level nature of the involved APIs result in quite complex
code which needed careful reviewing. We are happy to report that we could find
no issues in this area, however.
The nsresourced service, among other features, allows unprivileged users to
obtain a dynamic range of user and group IDs for use with user namespaces. The
tools newuidmap and newgidmap already
allowed this for a long time based on static configuration files. The
nsresourced service applies dynamic limits and ID ranges to processes in
the system, however, which makes things considerably more complicated. This even
includes an EBPF program, which keeps track
of the uses of the resulting user namespace file descriptors. Despite this
complexity we could not find any issues in this component either.
What kept us busy for quite a while was the logic
invoked by mountfsd to obtain the
user and group ID mapping tied to the user namespace file descriptor passed by
the unprivileged client. To retrieve this information, the utility function
ns_enter_and_pin() forks a short-lived
child process which joins the user namespace provided by the client. The
parent process then reads the child’s uid_map and gid_map nodes from
/proc/<child-pid>.
The mountfsd daemon runs with root privileges (although some sandboxing is
applied to it as well), which will be inherited by the short-lived child
process. Once the child process joins the user namespace provided by the
unprivileged client, the security domain of this process changes, however,
because the client owning the namespace is supposed to have full control over
processes associated with it.
One consequence of this is that the owner of the user namespace can send
arbitrary signals to the short-lived systemd process, e.g. to kill it. This
would only result in a kind of Denial-of-Service against the client itself and
should not cause any security issues.
We expected another important ramification of this to be in the area of the
ptrace() system call. The following is stated in the “ptrace
access mode checking” section of the ptrace(2) man page:
(3) Deny access if neither of the following is true:
• The real, effective, and saved-set user IDs of the target
match the caller's user ID, and the real, effective, and
saved-set group IDs of the target match the caller's group
ID.
• The caller has the CAP_SYS_PTRACE capability in the user
namespace of the target.
According to the second item, the unprivileged client, which owns all
capabilities in its user namespace, should be able to trace the short-lived
systemd process which joins the client-controlled user namespace. This
ability would have allowed for an interesting privilege escalation, because
tracing capabilities also include the ability to modify the target process,
e.g. to change its code and data. While trying to reproduce this, the kernel
always denied ptrace() access to this short-lived process, however, and we
were not sure why. Uncertainty in such aspects is not a good thing when it
concerns security, so we set out to get to the bottom of this.
After diving deep into the Linux kernel’s ptrace() code, we found the
commit which is responsible for the rejection of
tracing access in this scenario. The background of this commit actually is
to prevent owners of unprivileged user namespaces from accessing the
executable of processes created in the initial namespace. ptrace() access to
the target PID is now only allowed if the target process performed an
execve() while being a member of the newly joined user namespace. In summary
this means the following:
- if a process only performs fork() and setns() to join a user namespace, then ptrace() access to this process is denied to the owner of the user namespace.
- if a process performs fork(), setns() and execve(), then ptrace() access to this process is granted to the owner of the user namespace.
This detail is not documented in the ptrace() man page and it
took us a while to fully understand what was going on. With this well
understood we could finally move on, knowing that the logic in mountfsd is
robust.
3) D-Bus Issues in Unreleased plasma-setup KDE Package
This new KDE component was first named KISS (KDE initial system setup), but
meanwhile has been renamed to plasma-setup.
Its purpose is to perform initial system configuration based on a graphical
wizard, when a Linux system has been freshly installed.
Our openSUSE KDE packagers asked for a review of this new component, expecting it to be part of a major KDE release in autumn. It turned out that this had not been planned by upstream after all (or plans changed). Still the review we performed turned out to be useful, since we identified various security problems in the existing code which could be fixed by upstream before the new component had seen production use.
The following report is based on the plasma-setup source code as of upstream
commit 08ed810e0e7. While the graphical
components of plasma-setup run with low privileges, there exists a D-Bus
helper service running as root, kde-initial-system-setup-auth-helper,
which performs a number of operations with elevated privileges on behalf of its
clients. These operations are guarded by Polkit authorization rules. The
dedicated user account kde-initial-system-setup is allowed to invoke any of
these actions without authentication. Beyond this, any locally logged-in users
are also allowed to invoke the operations without authentication. The latter is
quite problematic, as will be outlined below.
The implementation of the D-Bus callbacks for these actions is found in
src/auth/authhelper.cpp. The following
sub-sections discuss issues in a couple of these actions.
org.kde.initialsystemsetup.createnewuserautostarthook
This action receives a “username” parameter
from the unprivileged D-Bus client. The username is not verified by the
privileged helper; it only needs to be convertible to QString. The helper
then creates all the directory components of
/home/<username>/.config/autostart. After this, the file
/home/<username>/.config/autostart/remove-autologin.desktop is created and
fixed data is written into it.
This action allows local users to create arbitrary world-readable directories
owned by root. This can be achieved by passing a string like
../../my/desired/path as “username”. Furthermore, by placing a symlink at
the expected location of remove-autologin.desktop, arbitrary files in the
system can be overwritten, leading to a local Denial-of-Service.
The implementation of the action also causes the created directories and files
to be owned by root:root, and not by the user that actually owns the home
directory, which is unclean.
Suggested Fixes
Apart from restricting access to the helper to the kde-initial-system-setup
user, the implementation of this action should verify whether the
passed-in username actually exists. Furthermore, the home directory of this
account should be obtained via the getpwent() API, instead
of assuming that /home/<username> will always be the correct home directory.
When the execution of this helper is actually limited to the initial setup
context, it could be technically acceptable to operate as root in the newly
created user’s home directory. For reasons of prudence and to set a good
example, we still recommend dropping privileges to the target user account
before actually writing the .desktop file in the user’s home directory.
org.kde.initialsystemsetup.setnewuserhomedirectoryownership
The method call associated with this action also receives a “username” parameter which is not verified. The following command line is invoked based on the “username” parameter:
chown -R <username>:<username> /home/<username>
This is on the verge of a local root exploit, save for the fact that chown
expects a valid user and group account to give the ownership to, which at the
same time needs to result in the proper path to operate on. A username
containing path elements will fail, because the necessary characters like /
are by default denied in usernames.
This action still potentially allows changing the ownership of all files in
arbitrary other users’ home directories. Fortunately the recursive chown
algorithm is not subject to symlink attacks these days. If somebody were
able to place a symlink in place of their home directory in
/home/<username>, then the symlink would still be followed, however.
The username could also be interpreted as an arbitrary command line argument
to chown, thwarted only by the fact that the <username>:<username>
argument is constructed here instead of just passing <username>, which
prevents proper command line arguments from being passed.
Suggested Fixes
As for the previous action, the implementation should verify if the username
is valid and determine the proper home directory and group via getpwent().
The assumption that username and group are equivalent is also problematic
here.
Why this operation would be needed at all for a newly created home directory
is questionable. When new user accounts are created, file ownership should
already be correct. If this action is supposed to fix the ownership of files
created by other plasma-setup actions in the home directory as root (as is
seen in the createnewuserautostarthook action),
then this is only a hack which should be removed in favor of not creating
files as root in unprivileged users’ home directories in the first place.
org.kde.initialsystemsetup.setnewusertempautologin
Again this method receives a “username”
parameter which is not verified. The
implementation writes the following content to the file
/etc/sddm.conf.d/99-kde-initial-system-setup.conf:
[Autologin]
User=<username>
Session=plasma
Relogin=true
This SDDM configuration snippet is supposed to automatically login the given user account. For some reason that we did not investigate more deeply, the configuration was not effective during our tests on openSUSE Tumbleweed. We could verify that the configuration file created this way was parsed and evaluated in SDDM, however, so something else must have been amiss.
The automatic login is supposed to work, though, and if it does, then any
local user account can call this action with root as username, which should
cause an automatic login of the root user the next time SDDM runs.
By passing crafted strings for “username”, the content of the drop-in configuration file can even be fully controlled by local users. The following “username” would create a General section with a crafted “RebootCommand”, for example:
user\n[General]\nRebootCommand=/home/myuser/evil
Provided the configuration snippet is actually in effect in SDDM, this action allows for a local root exploit.
Suggested Fixes
As for the other actions, the implementation should verify whether the passed
“username” is valid and does not equal root.
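The checks that the three Suggested Fixes above call for, written out as an added example in Python (this is not plasma-setup’s own code, whose helper is C++/Qt): the username is restricted to the portable character set so that path separators and newlines can never reach a path or the SDDM drop-in, it is looked up in the passwd database and refused when it resolves to uid 0, and the home directory and primary group are taken from the passwd entry instead of assuming /home/<username> and username == group. The passwd table (`fake_lookup`, accounts `root` and `alice`) is constructed for the demonstration and stands in for pwd.getpwnam; `write_as_user` shows the recommended privilege drop before writing into the home directory and needs root to succeed.

```python
import os
import pwd
import re
from collections import namedtuple

# Constructed stand-in shaped like pwd.struct_passwd (only the fields used here).
PwEntry = namedtuple("PwEntry", "pw_name pw_uid pw_gid pw_dir")

# POSIX portable username characters; excludes '/', ':', whitespace and newlines,
# so a passing name can be neither a path fragment nor an extra INI line.
_USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


class InvalidUsername(ValueError):
    """Raised for any username the privileged helper must refuse to act on."""


def validate_username(username, lookup=pwd.getpwnam):
    """Return the passwd entry for username or raise InvalidUsername."""
    if not isinstance(username, str) or not _USERNAME_RE.fullmatch(username):
        raise InvalidUsername("username contains disallowed characters")
    try:
        entry = lookup(username)
    except KeyError:
        raise InvalidUsername("no such account") from None
    if entry.pw_uid == 0:
        raise InvalidUsername("refusing to operate on a uid 0 account")
    return entry


def autostart_path(entry):
    """Build the hook path from the passwd home directory, not /home/<name>."""
    return os.path.join(entry.pw_dir, ".config", "autostart",
                        "remove-autologin.desktop")


def sddm_autologin_snippet(entry):
    """Render the SDDM drop-in using only the validated account name."""
    return "[Autologin]\nUser=%s\nSession=plasma\nRelogin=true\n" % entry.pw_name


def chown_argv(entry):
    """argv for the ownership fix: numeric uid:gid from passwd, '--' ends options."""
    return ["chown", "-R", "%d:%d" % (entry.pw_uid, entry.pw_gid), "--", entry.pw_dir]


def drop_to(entry):
    """Permanently drop to the target account (supplementary groups first)."""
    os.setgroups([])
    os.setgid(entry.pw_gid)
    os.setuid(entry.pw_uid)


def write_as_user(entry, path, data):
    """Fork, drop privileges in the child, then create the file as that user.

    A symlink planted in the home directory can no longer redirect a root
    write; O_NOFOLLOW additionally refuses a symlink at the final component.
    Requires root in the parent; returns the child's exit code.
    """
    pid = os.fork()
    if pid == 0:
        try:
            drop_to(entry)
            os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
            flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
            with os.fdopen(os.open(path, flags, 0o644), "w") as f:
                f.write(data)
            os._exit(0)
        except BaseException:
            os._exit(1)
    _, status = os.waitpid(pid, 0)
    return os.waitstatus_to_exitcode(status)


# Constructed passwd table for the demonstration; alice's home is deliberately
# outside /home to show why the directory must come from passwd.
_FAKE_PASSWD = {
    "root": PwEntry("root", 0, 0, "/root"),
    "alice": PwEntry("alice", 1000, 100, "/srv/homes/alice"),
}


def fake_lookup(name):
    """Stand-in for pwd.getpwnam over the constructed table."""
    return _FAKE_PASSWD[name]  # raises KeyError like pwd.getpwnam


if __name__ == "__main__":
    ok = validate_username("alice", lookup=fake_lookup)
    print(autostart_path(ok))
    print(" ".join(chown_argv(ok)))
    print(sddm_autologin_snippet(ok), end="")
    for bad in ("root", "../../my/desired/path", "user\n[General]", "nosuchuser"):
        try:
            validate_username(bad, lookup=fake_lookup)
        except InvalidUsername as exc:
            print("%r rejected: %s" % (bad, exc))
```

The character-class check is what makes the three actions safe at once: a name that cannot contain `/` cannot traverse out of the home tree, and a name that cannot contain a newline cannot add a `[General]` section to the SDDM drop-in. The uid 0 refusal and the passwd lookup then close the `root` autologin case and the nonexistent-account case independently of the character set.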
Upstream Fixes
We privately approached KDE security on 2025-09-22 with a detailed report
about these findings. As a result we established contact with the
plasma-setup developer and discussed fixes for the issues. It was decided to
perform the bugfix in the open, since the component was not yet part of a
stable release of KDE. We reviewed an upstream merge
request during the course of two weeks and upstream
managed to arrive at a much improved version of the KAuth helper component.
As of commit e6eb1cd9a8d the privileged
helper carefully scrutinizes the input parameters received via D-Bus, and it
also drops privileges to the calling user before operating in the unprivileged
user’s home directory. Also the KAuth actions provided by the helper are now
restricted to the plasma-setup service user and no longer accessible to
all locally logged-in users. The latter would still be problematic, since it
would allow setting up automatic login for arbitrary other users in the
system, for example.
4) Discussion about Granting setgid Privileges to the plocate Binary
An openSUSE community member approached us about granting special setgid
privileges to the plocate binary. plocate is a modern and
fast replacement for the classic locate program. Upstream supports operation
of the plocate program with the setgid bit assigned to the plocate
group. This means that the program is granted plocate group privileges
during execution.
If updatedb, locate’s utility for indexing files, were invoked with
full root privileges, then the database in /var/lib/plocate would contain
information about all files in the file system. This way locate would grant
all users in the system read access to this information, resulting in an
information leak, because users could see paths that they would not normally be
allowed to list, like all the files stored in the /root home directory. For
this reason the plocate-updatedb system service on openSUSE Tumbleweed runs
as nobody:nobody, resulting in a system-wide plocate database which only
contains information about publicly accessible paths in the system. To be
able to locate their own private files, users need to create their own
user-specific databases instead.
The purpose of the setgid privilege is to address this locate database
access issue. plocate supports a mode in which updatedb is invoked with
full root privileges, but the ownership of the central database is changed to
root:plocate and file mode 0640. When plocate is installed as
setgid-plocate then it is still allowed to access the central database. The
program drops the special group credentials quickly again, right after opening
the database. The program then ensures that the calling user will only be able
to retrieve information about files that it is allowed to access based on its
real credentials.
There is a minor security issue in this approach. Since the plocate
database does not contain metadata about the files it indexed, the plocate
program needs to check the ownership of files in the file system at the time
the search query runs. This is a sort of TOCTOU (time-of-check time-of-use)
race condition. There can be situations when the verification in plocate
yields wrong results:
root# mkdir --mode=1777 /shared
root# mkdir --mode=0700 /shared/secret-dir
root# touch /shared/secret-dir/secret-file
root# updatedb
# root will be able to locate any files in secret-dir
root# locate /shared/se
/shared/secret-dir
/shared/secret-dir/secret-file
# non-root cannot locate the secret-file
user$ locate /shared/se
/shared/secret-dir
# now consider root deletes the secret-dir again
root# rm -rf /shared/secret-dir
# now the unprivileged user takes ownership of this path
user$ mkdir --mode=0755 /shared/secret-dir
# this only works before `updatedb` is called again, because then it will
# notice that secret-file no longer exists and delete it from the database.
#
# when the unprivileged user calls locate this time, the secret-file will show
# up, since the "secret-dir" is now controlled by the unprivileged caller.
user$ locate /shared/se
/shared/secret-dir
/shared/secret-dir/secret-file
This problem likely cannot be easily fixed in the plocate code, since it
would require changing the database format radically, increasing database size
as a result, only to fix an unlikely problem.
The information leak is minor and should rarely be exploitable. For this
reason we left it up to the openSUSE plocate package maintainer whether the
setgid-plocate approach should be used, or not.
5) Local Root Exploit in OpenStack’s non-production virtualbmc Project
By way of our efforts to monitor newly introduced systemd services in
openSUSE Tumbleweed, the python-virtualbmc
package caught our attention. The program emulates a board management
controller (BMC) interface for use with libvirt.
Part of the package is a daemon running with full root privileges, listening
for ZeroMQ API requests on localhost. A number of unauthenticated API calls
in this context raised our suspicions, which is why we scheduled a full
review of this package. A closer look showed that the
unauthenticated API calls were indeed problematic, even allowing for a full
local root exploit.
We filed a detailed private bug report on
LaunchPad for the OpenStack project, but had
difficulties getting a response. After some weeks we reached out to an
individual member of the OpenStack security team and learned from the reply
that the virtualbmc project was not intended for production use at all, but is
rather a utility intended for use in testing environments. This is also
documented in the repository’s README, which was
overlooked by us. As a result we filed a delete request for the
python-virtualbmc package in openSUSE Tumbleweed, and the package has
already been removed.
For completeness, a detailed report of the security issues in the virtualbmc daemon follows below.
Lack of Authorization and Input Validation in vbmcd
When the virtualbmc systemd service is started, then /usr/bin/vbmcd runs
with full root privileges. It offers a ZeroMQ-based network API, listening on
localhost port 50891 by default. Any local user in the system can talk to the
daemon this way.
A simple request which can be sent to the daemon (in JSON format) is the following stop command, for example:
{
"command": "stop",
"port": 1234,
"domain_names": ["../../home/myaccount/mydomain"]
}
The domain_name passed here will be used by the daemon to look up a
supposedly trusted per-domain configuration file, which is by default located
in /root/.vbmc/<domain>/config. Since the daemon does not scrutinize the
input domain_name, a local attacker can include directory components in the
name, to trick the daemon into accessing an attacker-controlled configuration
file.
In the context of the stop command used here, the daemon will try to update
the domain’s configuration file in case a change of domain state is detected.
The path for writing out the updated configuration file will be constructed
using the domain_name found in the input configuration file. Thus the local
attacker can place data like this into /home/myaccount/mydomain/config:
[VirtualBMC]
domain_name = ../../etc/sudoers.d
port = 1234
active = true
address = some
evil stuff
myaccount ALL=(ALL:ALL) NOPASSWD: ALL
The daemon will now believe that the domain’s state changed, because the input
configuration file contains active = true, while the daemon was asked to
stop the domain. This will trigger logic to write out an updated configuration
file with the new state of the domain configuration. The logic for this is
found in the _vbmc_enabled() member
function.
Since the domain_name found in the crafted configuration file is set to
../../etc/sudoers.d, the daemon will write the new configuration file into
/root/.vbmcd/../../etc/sudoers.d/config. To benefit from this, the
attacker must get the daemon to write out at least one valid sudoers
configuration line into the new configuration file.
The attacker has only a limited degree of freedom at this stage, because
the daemon will write out the new configuration file via the Python
configparser module and will only consider the [VirtualBMC] section as
well as any of the configuration keys listed in the VBMC_OPTIONS
list defined in the daemon’s code.
To help with the exploit, the
configparser
multiline syntax comes to the rescue: any lines following an assignment which
are indented will be accepted as part of the configuration value. When writing
the settings out to a new configuration file, these multiline settings will be
preserved. This is put to use in the example above, which contains a final
line myaccount ALL=.... This line will now appear along with the rest of the
configuration data in /etc/sudoers.d/config.
As a result, when the attacker now invokes sudo su -, a couple of sudoers
parsing errors will appear, but in the end, access is granted and a root shell
will be obtained by the attacker.
This approach of using a sudoers drop-in configuration file is just one of the
more obvious approaches that came to mind. There’s a lot of different ways
to exploit this, however, for example by overwriting shell scripts or script
snippets in /etc or /usr/bin and then waiting for a privileged process to
run them. This would be even easier, because shell scripts have less
strict syntax requirements compared to the sudoers configuration file. The
effect would not be immediate, however, like in the sudoers approach.
Reproducer
We offer a Python script for download, which
is a Proof-of-Concept (PoC) to reproduce the local root exploit in the context
of an arbitrary unprivileged user on the system, when vbmcd is running with
its default configuration. sudo needs to be installed, naturally, for the
exploit to work.
Further Concerns
In general, the API offered by vbmcd on localhost is missing input
sanitization and authorization. Authorization seems only to be performed
indirectly via libvirt. In this context clients can also pass crafted
libvirt_uri parameters, for example, which seem to make it possible to let
the daemon connect to arbitrary URLs via SSH. There also is no isolation
between different users’ domain configurations, e.g. the “stop” command used
above can be issued for any domain configured by another user in the system.
To make this API safe, we believe there needs to be an ownership model for each domain’s configuration, a verification of the client’s credentials in some form (a UNIX domain socket would allow this more easily) and sanitization of all input parameters to avoid any unexpected side effects.
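The input sanitization called for here, and the two specific weaknesses described above (a domain name carrying directory components, and a multiline configparser value surviving the write-back), as an added Python example that is not virtualbmc’s own code. `domain_config_path` admits exactly one path component as a domain name and checks that the resulting file stays under the configuration directory; `validate_domain_config` parses a per-domain file, rejects unknown sections or keys, rejects any value that spans more than one line, and refuses a file whose domain_name differs from the one the client named, so the write-back path can never be redirected by file content. The VBMC_OPTIONS tuple and both sample files are constructed for this example.

```python
import configparser
import os
import re

# Keys the daemon persists per domain. Constructed subset for this example;
# the real daemon's VBMC_OPTIONS list lives in its own source.
VBMC_OPTIONS = ("domain_name", "port", "active", "address")

# A domain name is a single path component: no separators, no leading dot.
_DOMAIN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


class RejectedInput(ValueError):
    """Raised for any client-supplied value the daemon must not act on."""


def domain_config_path(base_dir, domain_name):
    """Map a client-supplied domain name to <base_dir>/<domain_name>/config.

    The regex is the real guard (it admits exactly one path component); the
    containment check is defense in depth against future changes.
    """
    if not isinstance(domain_name, str) or not _DOMAIN_RE.fullmatch(domain_name):
        raise RejectedInput("domain name contains disallowed characters")
    base = os.path.normpath(base_dir)
    path = os.path.normpath(os.path.join(base, domain_name, "config"))
    if os.path.commonpath([base, path]) != base:
        raise RejectedInput("resolved path escapes the configuration directory")
    return path


def validate_domain_config(text, expected_domain):
    """Parse a per-domain config and return its options as a dict.

    Rejects unknown sections or keys, multiline values (configparser keeps
    indented continuation lines on write-back, which is how foreign syntax
    would reach the output file) and a domain_name differing from the request.
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    if parser.sections() != ["VirtualBMC"]:
        raise RejectedInput("expected exactly one [VirtualBMC] section")
    section = parser["VirtualBMC"]
    for key, value in section.items():
        if key not in VBMC_OPTIONS:
            raise RejectedInput("unknown option %r" % key)
        if "\n" in value or "\r" in value:
            raise RejectedInput("multiline value for option %r" % key)
    if section.get("domain_name") != expected_domain:
        raise RejectedInput("domain_name in file does not match the request")
    return dict(section)


# Constructed sample files (not real vbmcd data).
GOOD_CONFIG = """[VirtualBMC]
domain_name = mydomain
port = 1234
active = false
address = 127.0.0.1
"""

# The indented line is folded by configparser into the 'address' value as a
# second line; the validator must reject it before any write-back happens.
MULTILINE_CONFIG = """[VirtualBMC]
domain_name = mydomain
port = 1234
active = true
address = some
  extra line
"""


def demo():
    """Run the validator over the samples and report each outcome."""
    results = {"good": validate_domain_config(GOOD_CONFIG, "mydomain")}
    for name, cfg, dom in (("multiline", MULTILINE_CONFIG, "mydomain"),
                           ("mismatch", GOOD_CONFIG, "otherdomain")):
        try:
            validate_domain_config(cfg, dom)
            results[name] = "accepted"
        except RejectedInput as exc:
            results[name] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    print(domain_config_path("/root/.vbmc", "mydomain"))
    for bad in ("../../home/myaccount/mydomain", "a/b", ""):
        try:
            domain_config_path("/root/.vbmc", bad)
        except RejectedInput as exc:
            print("%r rejected: %s" % (bad, exc))
    for name, outcome in demo().items():
        print(name, outcome)
```

Tying the write-back path to the validated request name rather than to the `domain_name` read from the file is the change that matters most: even if a hostile file were reached by some other route, its content could no longer choose where the daemon writes as root. Credential checks on the socket (as suggested above for a UNIX domain socket) are a separate concern this example does not cover.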
Since the daemon listens on an unprivileged port on localhost, other
unprivileged users can try to bind to this port first and provide a fake
vbmcd service. Since the API requests can also contain secret credentials,
this would pose a major local information leak. For safe operation, the API
would need to bind to a privileged port on localhost instead.
6) Revisit of the snapd Package Manager
In 2019 we received a request to add the snapd package
manager to openSUSE, which involved a review of the
setuid-root program snap-confine. At the time we were
generally satisfied with the code quality and design of the program, but still
found a few low to medium severity security issues
and gave recommendations on how to improve the code in some spots. The
packagers have meanwhile been busy with other topics and we never saw
an updated openSUSE package containing the necessary changes, which is why we
closed the related bugs after a period of inactivity.
In August we received a follow-up request for addition of an
updated snapd package. We revisited the privileged components and again
provided feedback to upstream. This time
all remaining issues could be resolved and the new package has been allowed to
become part of openSUSE Tumbleweed. We are happy to see these old efforts not
going completely to waste, and welcome the possibility to use Snap packages on
openSUSE Tumbleweed in the future.
7) Conclusion
Again we hope we’ve been able to give you some additional insight into our efforts to maintain the security of SUSE distributions and open source software. We are looking forward to the next edition of the spotlight series, which will be published in about three months from now.
Changes in the syslog-ng Elasticsearch destination
While testing the latest Elasticsearch release with syslog-ng, I realized that there was already a not fully documented elasticsearch-datastream() driver. Instead of fixing the docs, I reworked the elasticsearch-http() destination to support data streams.
So, what was the problem? The driver follows a different logic in multiple places than the base elasticsearch-http() destination driver. Some of the descriptions were too general, others were missing completely. You had to read the configuration file in the syslog-ng configuration library (SCL) to configure the destination properly.
While preparing for syslog-ng 4.11.0, the OpenSearch destination received a change that allows support for data streams. I applied these changes to the elasticsearch-http() destination, and did a small compatibility change along the way, so old configurations and samples from blogs work.
Read more at https://www.syslog-ng.com/community/b/blog/posts/changes-in-the-syslog-ng-elasticsearch-destination
Software Policies Can Fuel Waste
A photo posted to Reddit and follow-up media coverage about computers being discarded in large amounts due to software policies should ignite public concern about whether taxpayer money is being used responsibly.
The image shows a large pallet of PCs that were thrown out because they were not upgraded to a newer operating system.
The post highlights a growing concern among critics of government technology policy where public hardware is being retired not because it has failed, but because it no longer aligns with policy requirements.
Seeing stacks of computers that are still capable of running Linux operating systems like openSUSE and others raises a lot of questions about how tax money is being spent, especially in a country with uncontrollable runaway debt ($38.6 trillion at the time of publication). Migrating to open-source solutions could be an easy win for cost savings and government efficiency. The Government Accountability Office (GAO) report notes the federal government spends more than $100 billion annually on IT and cybersecurity, which includes thousands of software licenses and is not limited to Windows alone.
Extended support for Windows 10 ends on Oct 13, 2026, according to endof10.org. End of 10 is an information campaign focusing on reducing unnecessary e-waste driven by software policy decisions.
The image illustrates how public policy choices can contribute to waste of taxpayer funds even when they appear in the form of discarded hardware. Serviceable computers are being retired not because they are broken, but because public institutions are locked into closed, inflexible software decisions.
Advocates for fiscal responsibility can point to Europe’s Public Money, Public Code principle, which is championed by the Free Software Foundation Europe, as an example to emulate. The Public Money, Public Code effort began as an information campaign that argued publicly funded software should remain open, adaptable and reusable, which extends the useful life of public hardware.
Supporters of the approach say open, publicly owned code can reduce costs by allowing agencies to reuse software rather than rebuilding similar systems repeatedly. They also argue that shared development spreads costs across governments, improves transparency through independent review, and extends the useful life of computer hardware.
A Federal Source Code Policy directed US agencies in 2016 to release at least some custom code as open source, but it has not mandated an “open-by-default” approach to mirror the logic of Public Money, Public Code.
This lack of policy further extends government debt and enriches shareholders through transferring wealth from the taxpaying public to private equity shareholders.
Though the Public Money, Public Code campaign originated in Europe, its goals can resonate with the taxpaying voter, and it is a more responsible approach for the environment and the use of taxes. Environmental advocates like Joanna Murzyn, who spoke at the KDE Akademy conference in 2024, warn about the increasing problem of electronic waste (e-waste). Analysts estimate that tens of millions of PCs are being scrapped as a result of software lifecycle decisions, which are equally reflected in government policies.
E-waste, which includes discarded laptops, desktops and other electronics, releases toxic substances like lead, mercury and cadmium into the environment, according to Murzyn. These substances can contaminate soil and water as well as cause long-term harm to ecosystems and human health. Murzyn urged people to resist the urge to “upgrade” to new hardware and instead explore solutions like Linux that extend the life of existing devices.
Join End of 10 to learn how extending the life of existing computers can reduce waste, lower public costs and promote more responsible technology policies.
This is part of a series on End of 10 articles where we offer reasons to transition from Windows to Linux.
FutureOfGamming.com
I started this page today! Currently there is only one article, and I would like to publish one article per month. I prefer not to describe a game before I finish it, but I know it is not possible.
So, check it out: https://futureofgamming.com.
The page will be in Polish, with maybe the occasional text in English.
I published this page today. Currently there is only one article; I will try to write one per month. I prefer not to describe a game before I finish it. I know that is not possible.
Check it out: https://futureofgamming.com.
The page will be written in Polish; occasionally I may post some text in English.