Fri, Jul 11th, 2025


Sovereign AI Platform Picks openSUSE
Europe’s first federated AI initiative has chosen openSUSE as part of its foundation for sovereign AI.
OpenNebula Systems officially announced the launch of Fact8ra, which is Europe’s first federated AI-as-a-Service platform.
This initiative marks a major milestone under a €3 billion Important Project of Common European Interest (IPCEI) on Next Generation Cloud Infrastructure and Services (IPCEI-CIS).
“Fact8ra is able to combine computing resources from eight EU Member States,” according to the press release on July 9.
Those states are France, Germany, Italy, Latvia, the Netherlands, Poland, Spain, and Sweden where Fact8ra aims to deliver sovereign, open source AI capabilities across Europe’s High Performance Computing (HPC), cloud and telco infrastructure.
The technology of openSUSE, which is a global open-source project sponsored by SUSE, was selected as a core component of Fact8ra’s sovereign AI stack.
The validation by one of Europe’s largest public-private cloud projects is a credit to the trust in openSUSE’s stability, adaptability and openness. It can be used not only for server-grade applications but also for advanced AI/ML workloads.
The stack not only incorporates openSUSE, but other European open source technologies such as OpenNebula and MariaDB, according to the release.
The platform enables deployment of private instances of open source large language models (LLMs), including Mistral and EuroLLM, while offering native integration with external catalogs like Hugging Face.
The inclusion of openSUSE with Fact8ra is more than a technical choice; it’s a strategic endorsement.
Fact8ra’s mission centers on European technological sovereignty and reducing dependence on foreign platforms for AI innovation.
The operating system’s ability to support cloud-native environments, container orchestration with Kubernetes, and hardware acceleration tools for AI inference has earned it a place in one of the EU’s most ambitious digital projects to date.
Thu, Jul 10th, 2025


Project Seeks Input on Future of 32-bit ARM
The openSUSE Project is seeking community input to determine whether it should continue supporting 32-bit ARM architectures.
Maintaining support for legacy platforms is increasingly challenging. The openSUSE team cited limited upstream support and dwindling maintenance resources as key factors behind the potential decision to retire 32-bit ARM (ARMv6 and ARMv7) support.
Devices like the Raspberry Pi 1, Pi Zero, BeagleBone, and other older embedded boards rely on 32-bit ARM. If you’re using openSUSE on any of these platforms, the team wants to hear from you.
Take the survey at survey.opensuse.org to help the team determine a path for 32-bit ARM architectures.
The survey will go until the end of July.
Get Involved
If you’re interested in helping maintain 32-bit ARM support through testing, bug reports, or documentation, join one of the following communication channels:
IRC: #opensuse-arm on Libera.Chat
Matrix: #arm:opensuse.org
Mailing List: lists.opensuse.org
Wed, Jul 9th, 2025


Celebrating 20 Years of openSUSE
Contributors and community members are encouraged to celebrate the openSUSE Project’s 20th anniversary by sharing some of their favorite moments from the past two decades.
Over the years, it has grown into a global movement, powering desktops, servers and development environments across the open source world.
To celebrate the project’s vibrant history, we are collecting photos from across the globe that capture the spirit of the project from conferences and hackathons to community meetups, swag collections and personal milestones.
Members are encouraged to submit up to 20 images drop file. Submissions will be used in presentations showcasing the 20th anniversary and shared amongst members of the community.
People are encouraged to celebrate something in their town or locally and share their photos to news and presentations.
Community members are encouraged to present the 20-year history of the project at conferences and summits. A presentation using the images will be made available on the openSUSE Wiki.
Members are also encouraged to celebrate the 20th Anniversary on August 9 in the openSUSE bar where members can reminisce with others in the global community.
During the openSUSE.Asia Summit, there will be a quiz to win 20th Anniversary t-shirts.
This is a celebration of the people who have made openSUSE what it is today. It’s an accomplishment that happened through seasoned and new contributors along with passionate users. Every photo tells a piece of our shared story.
High-resolution images are appreciated and a minimum 300 dpi resolution image is ideal.
The openSUSE Project was launched on August 9, 2005.
Anyone with group photos from openSUSE Conferences is asked to email them to ddemaio@opensuse.org
Fri, Jul 4th, 2025


Travel Support Available for openSUSE.Asia Summit
The openSUSE.Asia Summit 2025 will take place from August 29 to 31 at MRIIRS in Faridabad, India, and we’re excited to welcome community members from across Asia and around the globe.
To make the summit more accessible, the Travel Support Program (TSP) is available to assist participants who may need financial support to attend. Funded by the Geeko Foundation, the TSP helps cover some of the travel expenses presenters might incur when traveling to the summit.
If you’re attending the summit and need support, submit your TSP application no later than July 31.
Key Dates:
TSP Application Deadline: July 31, 2025
Summit Dates: August 29 – 31, 2025
Location: MRIIRS, Faridabad, India
This is a great opportunity to connect with fellow open-source enthusiasts, share knowledge, and help shape the future of openSUSE and Linux in Asia.
For details on how to apply, visit: https://en.opensuse.org/openSUSE:Travel_Support_Program and read the Geeko Foundation’s travel policy.
The foundation will work with the summit’s organizers to determine the level of support that will be able to be provided to participants.


Releasing version 16
As we dive into the European summer, Agama development goes on steady. And what is more refreshing than a new version of a Linux installer? Enjoy Agama 16, loaded with bug fixes and several features covering both unattended and interactive scenarios.
Regarding the former, we keep expanding the configuration options that are accessible using the Agama command line tools and the JSON profiles. So let's start by taking a look at those features before jumping into the more visible user interface changes.
More options to configure the software to install
In particular the software section of the configuration schema received a couple of extra features in this version, like the ability to define additional repositories and the possibility to ignore optional dependencies, installing only those packages that are strictly required.
See the documentation of the corresponding section to learn more about the new extraRepositories and onlyRequired configuration options.
Better match of storage devices
Another aspect of Agama that unleashes its full potential when using JSON profiles is the setup of the storage devices (disks, RAIDs, partitions, LVM, etc.). In that regard, this new version adds the new keyword sort that can be used when matching existing devices with the definitions at the JSON configuration.
That is used in the following example to indicate that an MD RAID must be created using the two biggest disks in the system.

    "storage": {
      "drives": [
        {
          "search": {
            "sort": { "size": "desc" },
            "max": 2
          },
          "alias": "big"
        }
      ],
      "mdRaids": [
        {
          "devices": [ "big" ],
          "level": "raid0"
        }
      ]
    }

See more examples of the syntax at the description of the corresponding pull request.
Reporting installation status via IPMI
The features discussed previously allow more flexibility for unattended and massive deployments. But in addition to configuring the installation process, it is also important to be able to monitor its progress. For that purpose, Agama 16 introduces status reporting via IPMI (Intelligent Platform Management Interface), a set of standard interfaces that, among many other things, allow system administrators to install operating systems remotely.
Now Agama can report to the BMC (Baseboard Management Controller) the status of the installation process like STARTED, FINISHED or FAILED. Of course, Agama's own monitoring mechanisms can additionally be used to get more fine-grained information that goes beyond the intentionally generic IPMI specification.
Reorganization of the Agama commands
And talking about Agama tools for monitoring and configuring the installation, we also decided it was time for a consistency check on our commands, especially agama config and agama profile.
Compared to previous versions of Agama:
- agama profile import is replaced by agama config generate | agama config load.
- agama profile evaluate and agama profile autoyast are replaced by agama config generate.
- agama profile validate is renamed to agama config validate.
- All sub-commands use stdio in a consistent way, using a new --output option when needed.
See more information at the command-line reference.
Identify conflicting patterns
Although many of the improvements at Agama 16 are targeted at automated installations and advanced scenarios, we also found time to partially polish some basic aspects of the graphical web-based interface.
For example, we added a first basic mechanism to detect and fix conflicts in the selection of the software patterns to install. You can see it in action at the following screenshot.
Initial support to use existing MD RAIDs from the web interface
As mentioned above, Agama allows creating very advanced storage setups combining LVM, MD RAID and other technologies. But currently only a limited subset of those options is available at the graphical interface. As a first step to expand the usefulness of that interface in advanced scenarios, Agama now offers the possibility to select any existing MD RAID device and use it for the same operations that are available for regular disks.
Define the scope of network connections
Another aspect of the installation that can get really complex is the network configuration. We would need a whole series of blog posts to fully explain all the associated challenges. As a simplistic summary, let's say Agama 16 introduces two new related features at the user interface.
On the one hand, the UI now allows associating a given network connection to a fixed network interface, either by interface name or by MAC address.
On the other hand, we made the concept of "persistent" network connections visible, allowing the users to decide which connections should be used only during installation and not configured in the installed system.
Moreover, if Agama detects that no network will be explicitly configured by the installer at the target system, it now alerts the user about the implications.
More friendly experience for remote installations
And talking about network, one of the main features of Agama is the possibility to install remotely using a browser to interactively control the installation process from another device. But there was a small usability problem in that scenario. At the end of the process, Agama offers the possibility to reboot into the new system. But the users received no visual feedback after clicking that "reboot" button.
That is fixed now; see the corresponding pull request if you are interested in the most intricate technical details.
Check strength of the typed passwords
But that was not the only usability issue addressed at Agama 16. We also took the opportunity to pay a historical debt - the lack of a mechanism at the user interface to discourage the usage of weak passwords.
Now Agama relies on libpwquality to perform some basic checks and alerts the user if any of the provided passwords fails to match the quality standards of that library.
But the recent improvements go beyond Agama itself.
Installer media news: Wayland and rescue mode
We often make the distinction between Agama and the Agama Live ISO. The former is the installer application itself, while the latter refers to the Live image that can be used to boot a minimal Linux system that runs Agama and a full-screen web browser to interact with it.
Although the Agama team is not in charge of the installer media of the different (open)SUSE distributions, our Live ISO serves as some kind of reference implementation of the expected environment to execute Agama. So we decided to invest a bit into it.
First of all, we introduced the option to boot the Live ISO without executing Agama or any graphical session. We did it with the intention to mitigate the pain of those users missing the classical Rescue System that is traditionally integrated into the openSUSE installation images. But the new option is far from being a full replacement for that special system, check the corresponding pull request for more information.
On the other hand, and thinking in the long term, we decided it is about time to jump into the Wayland boat. So we dropped X.Org and decided to rely on Wayland for running Firefox during installation.
The new installer image is still a bit rough around the edges. First of all, it is considerably bigger than the former X11-based image. And we lost some keyboard shortcuts in the process. We plan to put some work into it in the short term, but any help is greatly appreciated.
Get involved
We want Agama to be the official installer for the upcoming openSUSE Leap 16.0 and SUSE Linux Enterprise 16.0. And for that we need the installation media to be tested in as many scenarios as possible. Especially with that recent switch from X11 to Wayland. So do not hesitate to test the latest development version.
If you have questions or want to get involved further, please contact us at the Agama project at GitHub and our #yast channel at Libera.chat. Of course, we will also keep you updated on this blog. Stay tuned!
Thu, Jul 3rd, 2025


openSUSE turned 20
Last week, I was in Nürnberg for the openSUSE conference. The project turned 20 years old this year, and I was there right from the beginning (and even before that, if we also count the S.u.S.E. years). There were many great talks, including a syslog-ng talk from me, and even a birthday party… :-)
This year marks not just 20 years of openSUSE but also a major new SLES and openSUSE Leap release: version 16.0. There were many talks about what is coming and how things are changing. I already have a test version running on my laptop, and you should too, if you want to help to make version 16 the best release ever! :-) Slowroll also had a dedicated talk. It is a new openSUSE variant, offering a rolling Linux distribution with a bit more stability. So it is positioned somewhere between Leap and Tumbleweed, but of course it is a bit closer to the latter.
That said, I also had a couple of uncomfortable moments. I ended up working in open-source, because it’s normally a place without real-world politics. In other words, people from all walks of life can work together on open-source software, regardless of whether they are religious or atheist, LGBTQ+ allies or conservatives, or come from the east or the west. And even though I agree that we are in a geopolitical situation in which European software companies are needed to ensure our digital sovereignty, it’s not a topic I was eager to hear at an open-source event. I enjoy the technology and spirit of open-source, but I’m not keen on the politics surrounding it, especially at this time of geopolitical tensions.

As usual, I delivered a talk on log management, specifically about message parsing. While my configuration examples came from syslog-ng, I tried to make sure that anything I said could be applied to other log management applications as well. I also introduced my audience to sequence, which allows you to create parsing rules to parse free-form text messages: https://github.com/ccin2p3/sequence-RTG In the coming weeks, I plan to package it for openSUSE.
Happy birthday to openSUSE, and here’s to another successful 20 years!


Tumbleweed Monthly Update - June 2025
June brought a fresh wave of updates across openSUSE’s rolling release. There were major feature enhancements, performance improvements, and several critical security fixes.
KDE Plasma 6.4 was at the forefront of these updates alongside KDE Frameworks 6.15.0 and KDE Gear 25.04.2. The Linux kernel had a few updates and packages like GNU Compiler Collection 15, Mesa 25.1.3 and PipeWire 1.4.6 enhanced use of modern hardware, improved rendering capabilities and enhanced audio processing. Among the most crucial updates this month were those addressing security vulnerabilities.
A significant number of packages received important security patches this month. From libsoup, Mozilla Firefox, Python, libssh, Salt, ClamAV, gdm and more, multiple Common Vulnerabilities and Exposures (CVEs) were addressed to keep users and developers happy.
As always, be sure to roll back using snapper if any issues arise.
For more details on the change logs for the month, visit the openSUSE Factory mailing list.
New Features and Enhancements
KDE Plasma 6.4: This version brings a smoother and more customizable desktop experience. Key updates include flexible tiling layouts for each virtual desktop, enhanced window management, and a redesigned Spectacle for better screenshots and annotations. Accessibility sees keyboard navigation and Wayland enhancements. UI changes boost contrast and readability, especially in dark mode. Notifications now support direct update installs, full-screen “Do Not Disturb” mode, and mic-mute alerts. Widgets highlight new apps, media playback controls, and disk repair tools. Digital artists benefit from improved stylus configuration and relative mode support. The system also does a better job managing screen colors and performance with modern hardware. KRunner now visualizes color codes, while System Monitor adds GPU tracking and sensor data. Other tweaks improve file dragging, browser integration and Wayland protocol support.
KDE Frameworks 6.15.0: A major improvement in this version is the switch to QDoc, a modern documentation tool that is clearer and easier for developers working with components like KArchive, Baloo, and Bluez Qt. Bug fixes across modules such as KArchive and KTextEditor improve stability and performance. User-interface frameworks like KWidgetsAddons and Kirigami received visual and functionality improvements. Accessibility features have also been enhanced. If you use KDE text editors like Kate and KWrite, you’ll see better support for different programming languages like Cap’n Proto and FreeFem.
KDE Gear 25.04.2: Kdenlive benefits from this update with fixes for several crashes, including fixing issues for gradients, histograms, and rendering. The update enhances NeoChat mobile support with better space switching and room management. Calligra improves formula handling to prevent crashes, and Akonadi now correctly handles tag editing and deletion. KDE Connect gains better compatibility with Qt 6.9, and the Konsole terminal app also got fixes.
ceph 18.2.7: This major update includes numerous architectural changes, performance improvements, and new features. One of the most notable changes is the deprecation of FileStore, which signals a full transition to BlueStore for all new deployments. There were enhancements for RADOS, including the introduction of a read balancer and the deprecation of cache tiering in favor of more modern storage strategies. The perf dump and perf schema commands have also been replaced with counter dump and counter schema for improved counter management. Additional updates include IPv6 fixes, orchestrator stability improvements, and updated Python binding patches for mgr modules. This release also disables ceph-mgr-cephadm and includes various build and compatibility patches to ensure smooth integration with modern toolchains and Python versions.
python-psutil 7.0.0: This major update has some significant changes. Support for Python 2.7 has been officially dropped, which aligns with broader ecosystem shifts. A crash related to extremely high memory usage in Process.memory_maps() has been resolved, which improves stability for processes handling hundreds of gigabytes.
python-rich 14.0.0: This major version update introduces new features and behavioral changes that impact terminal output and error handling. A notable addition is the TTY_COMPATIBLE environment variable, which allows users to manually control TTY support detection. This is especially useful in headless or unusual terminal environments where automatic detection may fail. Other notable changes include how Rich interprets color control variables, and it now displays exception notes added via Exception.add_note(), which enhances debugging clarity.
Key Package Updates
webkit2gtk3 2.48.3: This update brings stability and performance enhancements for GTK-based web applications and browsers like Epiphany. A major crash fix addresses issues introduced by the new threaded rendering system using the Skia graphics Application Programming Interface; users who experienced instability with recent rendering updates will see improvements. Rendering performance has also been refined by optimizing how dirty regions are processed across worker threads, which leads to smoother visuals and lower CPU usage. Dirty regions are parts of the screen or user interface that have changed and need to be redrawn during rendering. This update enhances both the usability and reliability in WebKit-based applications on GNOME and other GTK environments.
python313 3.13.5: This update provides security fixes and stability improvements. Notable changes include patching CVEs related to tarfile extraction vulnerabilities, fixing a use-after-free in the unicode-escape decoder, and restoring correct behavior for random.getrandbits() with integer-like objects. Library updates improve the handling of IPv6 addresses, email parsing, and zipfile operations. Some generator-related changes from 3.13.4 were rolled back to maintain backward compatibility. Upgrading is recommended for all users to ensure security and stability.
iproute2 6.15: An addition in this release is the support for 64-bit hardware packet counters in tc_util, which enables more precise monitoring of high-throughput interfaces that exceed 32-bit limits. The iprule utility now allows users to specify ports in hexadecimal notation, which improves compatibility and readability when working with low-level network protocols or masks. All backported patches from previous versions have been dropped in favor of upstream-clean code.
kernel-source 6.15.0 and 6.15.3: The 6.15.3 addresses a PCIe hotplug issue where late-arriving device detection signals (Presence Detect Changed) caused unnecessary errors. It also improves how background tasks are handled in I/O scheduling and resolves regressions in WiFi driver compatibility. The update fixes target power management, cryptographic operations, and file system handling (including btrfs and gfs2) for better data integrity and performance. The 6.15.0 Kernel reverts the “x86/smp: Eliminate mwait_play_dead_cpuid_hint()” commit to address stability issues and enables support for the Haoyu Microelectronics HYM8563 RTC module that is widely used on ARM64 platforms like Rockchip SoCs. Several patches were integrated to improve ACPI build handling and a number of critical bug fixes from the 6.14.8 update were carried forward, particularly in memory management, DMA engine handling, and I/O subsystems, improving reliability under complex workloads and reducing memory leaks in error paths.
gcc 15: This update introduces new language support and adds packages for Modula-2 and Cobol, which expands its already broad range of supported programming languages. The main toolchain now defaults to GCC 15, while the -build flavor remains at version 13 to ensure compatibility and stability for environments requiring a proven compiler backend. The release also includes performance gains, better diagnostics and expanded offloading support, which makes it a recommended upgrade for developers.
fwupd 2.0.12: This update adds support for HP Portable USB-C hubs, more Foxconn 5G modems, and Intel Arc Battlemage GPUs. Some new features include Thunderbolt host controller emulation, enforcement of immutable device enumeration and improved handling of UEFI secure boot variables.
Mesa 25.1.3: Notable changes in this version include fixes for rendering issues in games like DOOM: The Dark Ages and improved driver behavior across Vulkan and OpenGL implementations. Support for osmesa has been dropped as it’s now considered redundant with EGL surfaceless contexts. Several patches were updated or removed, including adjustments to build fixes, SPIR-V translation, and Clover OpenCL handling.
gpg2 2.5.8: This release has a key improvement in the ability to show revocation reasons directly in standard key listings (-k), making it easier to track why a key was revoked without needing additional queries. The update also ensures better interoperability with external tools by emitting revocation reasons as comments in “pub” records and improving compatibility with systems that parse GnuPG key outputs. Two critical regressions were addressed; one affecting decryption and the other impacting the export of SSH keys from smart cards. Additionally, gpg --fetch-key no longer requires a keyserver to be configured, allowing direct key retrieval from URLs or local files, which simplifies key management workflows.
cryptsetup 2.8.0: This release has a key addition that enables better performance by using hardware sectors with additional metadata space. It makes all keyslot types self-contained and improves re-encryption workflows with options like --key-description, --new-key-description, and support for resuming re-encryption using tokens or volume keys. The update also enhances memory handling for Argon2 KDF (used in LUKS2), and improves error reporting for low-memory scenarios. It also optimizes metadata writes in LUKS2 and expands veritysetup capabilities with options like --error-as-corruption.
pipewire 1.4.6: This update fixes crasher bugs in the filter-chain and Advanced Linux Sound Architecture plugin. Latency reporting has been improved in module-combine-stream, and the module-filter-chain now better handles activation and deactivation to avoid crashes. A new option allows users to disable RAOP (Remote Audio Output Protocol) via a context property, offering more control over audio routing.
Bug Fixes and Security Updates
Several key security vulnerabilities were addressed this month. Common Vulnerabilities and Exposures this month are:
Security Updates
- CVE-2025-32911: Fixed a buffer over-read in libsoup’s chunked transfer parser.
- CVE-2025-32910: Resolved out‑of‑bounds access in libsoup’s header parsing.
- CVE-2025-32906: Patched insufficient validation in libsoup’s cookie handling.
- CVE-2025-32912: Fixed HTTP/2 session hijacking vulnerability in libsoup.
- CVE-2025-32909: Addressed memory leak in libsoup’s multipart parser.
- CVE-2025-4948: Fixed wolfSSL QUIC SSL peer verification bypass in libcurl.
- CVE-2025-4969: Patched buffer overflow in libcurl’s dynbuf API.
- CVE-2025-4945: Fixed an out-of-bounds read in the Linux kernel’s USB subsystem leading to potential information disclosure.
Mozilla Firefox 139:
- CVE-2025-5263: Prevented cross-origin script execution leakage in Firefox.
- CVE-2025-5264: Fixed newline-escaping flaw in “Copy as cURL” feature that allowed code execution.
- CVE-2025-5265: Patched similar “Copy as cURL” code-execution bug in Firefox.
- CVE-2025-5266: Fixed event leak from script elements across origins.
- CVE-2025-5267: Fixed clickjacking flaw that exposed saved payment card details.
- CVE-2025-5268: Addressed multiple memory safety bugs in Firefox/Thunderbird.
- CVE-2025-5270: [Reserved: details pending public disclosure.]
- CVE-2025-5271: [Reserved: details pending public disclosure.]
- CVE-2025-5272: [Reserved: details pending public disclosure.]
- CVE-2025-49709: Patched memory corruption in canvas surfaces.
- CVE-2025-49710: Fixed unspecified memory safety issue in Firefox 139.0.4.
python313 3.13.5:
- CVE-2024-12718: Patched Python 3.12+ tarfile filter bug allowing metadata or permission changes outside the extraction directory.
- CVE-2025-4138: Fixed a buffer overflow in libarchive’s ZIP filter handling that could lead to memory corruption.
- CVE-2025-4330: Patched out-of-bounds read in SQLite’s JSON extension when parsing invalid JSON input.
- CVE-2025-4517: Resolved a race condition in OpenSSL’s session cache causing potential use-after-free scenarios.
- CVE-2025-4516: Fixed a use-after-free in CPython’s bytes.decode("unicode_escape", errors="ignore|replace"), preventing memory corruption.
- CVE-2025-4516: Fixed a use-after-free in CPython’s bytes.decode("unicode_escape", errors="ignore|replace") that could lead to memory corruption.
- CVE-2025-4877: Write beyond bounds in binary to base64 conversion functions.
- CVE-2025-4878: Use of uninitialized variable in privatekey_from_file().
- CVE-2025-5318: Likely read beyond bounds in sftp server handle management.
- CVE-2025-5351: Double free in functions exporting keys.
- CVE-2025-5372: ssh_kdf() returns a success code on certain failures.
- CVE-2025-5449: Likely read beyond bounds in sftp server message decoding.
- CVE-2025-5987: Invalid return code for chacha20 poly1305 with OpenSSL backend.
Salt:
- CVE-2024-38822: Fixed improper access control in Salt file client functionality.
- CVE-2024-38823: Addressed command injection risk from untrusted pillar data.
- CVE-2024-38824: Patched insecure deserialization in Salt event system.
- CVE-2024-38825: Resolved directory traversal via improperly sanitized paths.
- CVE-2025-22240: Fixed remote command execution through crafted Salt minion returns.
- CVE-2025-22236: Salt minions could overwrite unintended files under specific conditions.
- CVE-2025-22241: Addressed denial-of-service caused by malformed Salt return payloads.
- CVE-2025-22237: Resolved issue where Salt master logs sensitive return data.
- CVE-2025-22238: Patched exposure of minion keys in debug logs.
- CVE-2025-22239: Addressed misconfigured ACLs leading to privilege escalation.
- CVE-2025-22242: Fixed input validation issue in Salt’s ssh module.
- CVE-2025-49176: Fixed an integer overflow vulnerability bypassing the size check.
libtpms 0.10.1:
- CVE-2025-49133: Fixed an out-of-bounds read vulnerability in the CryptHmacSign function of libtpms, which could be triggered by malicious commands to a TPM 2.0/vTPM, causing service disruption.
- CVE-2025-20260: PDF parser buffer overflow allowing DoS or remote code execution with large scan limits.
- CVE-2025-20234: UDF parser buffer overflow that may leak data or cause denial-of-service.
gdm:
- CVE-2025-6018: Security risk from use of pam_env in authentication stack.
- CVE-2025-6018: Same issue as in gdm — use of pam_env in auth stack.
jq 1.8.0:
- CVE-2024-23337: Signed integer overflow in jvp_array_write and jvp_object_rehash.
- CVE-2024-53427: Reject NaN with payload while parsing JSON.
- CVE-2025-48060: Heap buffer overflow in jv_string_vfmt.
pam 1.7.1:
- CVE-2024-10963: pam_access improperly resolves display tokens as hostnames.
- CVE-2025-6020: Privilege escalation in pam_namespace.
xwayland 24.1.7:
- CVE-2025-49175: Fixed an out-of-bounds access issue in the X Rendering extension related to animated cursors.
- CVE-2025-49176: Prevented integer overflow in the Big Requests Extension.
- CVE-2025-49177: Prevented data leaks in the XFIXES extension.
- CVE-2025-49178: Ensured proper handling of input buffer bytes to ignore.
- CVE-2025-49179: Addressed integer overflows in the X Record extension.
- CVE-2025-49180: Fixed integer overflows in the RandR extension, preventing potential crashes or memory corruption.
yelp 42.3:
- CVE-2025-3155: Patched a JavaScript execution flaw in the Yelp help viewer that allowed arbitrary file reads via crafted help documents.
perl-CryptX 0.87.0:
- CVE-2025-40914: Fixed CryptX that embeds a version of the libtommath library that is susceptible to integer overflow.
glib2 2.84.3:
- CVE-2025-6052: Patched integer overflow in GLib’s GString expansion (g_string_maybe_expand), preventing potential buffer overflows.
Users are advised to update to the latest versions to mitigate these vulnerabilities.
Conclusion
June had multiple vulnerability fixes, and multiple firmware packages were updated to version 20250613. This includes improvements for Qualcomm, Mediatek, Realtek, and Cirrus sound chips, along with a Bluetooth firmware upgrade and better symlink handling. There were also multiple Xfce panel plugin updates (mailwatch, mount, mpc, netload, notes, places, and sensors) to new versions. These package updates transitioned builds to Meson, replaced deprecated dependencies like Exo with libxfce4ui 4.21.0, automated copyright management, improved code structure, fixed build warnings and updated translations. Security was a major theme this month, with critical vulnerabilities patched across Firefox, Python, Salt, ClamAV, libssh, and more. Happy updating!
Slowroll Arrivals
Please note that these updates also apply to Slowroll and arrive on average 5 to 10 days after being released in a Tumbleweed snapshot. This monthly approach has been consistent for many months, ensuring stability and timely enhancements for users. Updated packages for Slowroll are regularly published in emails on the openSUSE Factory mailing list.
Contributing to openSUSE Tumbleweed
Stay updated with the latest snapshots by subscribing to the openSUSE Factory mailing list. Tumbleweed users who want to contribute or engage in detailed technical discussions can subscribe to the same list. The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.
Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.
Wed, Jun 25th, 2025


User Friendly Canned Responses UI and More Details of a Report
Tue, Jun 24th, 2025


SUSE Refines, Releases Open-Source LLM to Fuel Community Collaboration
Today, SUSE has released a new fine-tuned version of the language model, Cavil-Qwen3-4B, as open source on openSUSE’s Hugging Face in order to make legal compliance automation more accessible to developers across the open-source ecosystem.
The release is built on the excellent Qwen3-4B base model and uses a LoRA adapter (Low-Rank Adaptation) to detect legally relevant text like license declarations in code and documentation. The model stems from openSUSE’s compliance tool Cavil, which provides transparent and collaborative open-source legal tooling.
The 4B parameter model size offers a great balance between performance and deployability, since it provides strong language understanding and is compatible with consumer-grade GPUs. All Qwen3 variants are using the OSI-approved Apache 2.0 license, which allows commercial use and redistribution as long as licensing requirements are met.
“This model brings enterprise-grade legal classification to the broader developer community,” said Sebastian Riedel, a contributor to the project. “It’s a practical tool for any project that wants to stay ahead of compliance risks without heavyweight infrastructure.”
The project’s approach uses a 150,000-sample dataset and the Alpaca instruction format to train the model on identifying license headers and similar legal text. Evaluated against several open models, Cavil-Qwen3-4B demonstrated high accuracy with quantization options for efficient use on smaller devices.
The dataset and validation tools used to create the model will also be available via Hugging Face to allow researchers and developers to reproduce and extend the work.
The team welcomes ongoing feedback and contributions. Developers are encouraged to use the model and Hugging Face (huggingface.co/openSUSE) to share insights, suggest improvements or get involved. Developers can also be found on the openSUSE Factory mailing list.
Fri, Jun 20th, 2025


Tumbleweed – Review of the week 2025/25
Dear Tumbleweed users and hackers,
Week 25 of 2025 brought us five snapshots — 0612, 0613, 0614, 0616, and 0617 — packed with updates and fixes from all corners of the project. It’s awesome to see everyone’s work coming together to keep things fresh and smooth. Let’s take a quick look at what landed this week and get ready to keep pushing openSUSE forward!
The most relevant changes were:
- qemu 10.0.2
- audit 4.0.2
- Linux kernel 6.15.2
- rdma-core 57.0
- Nano 8.5
- Mozilla Firefox 139.0.4
- GCC 15 is now the default compiler. Package maintainers: please check the status of your packages in the devel projects. We are not planning to rebuild the entire Factory project this time around.
- FreeRDP 3.16.0
Things that are currently brewing in the staging areas or are being tested by QA are:
- KDE Plasma 6.4.0
- KDE Frameworks 6.15.0
- Graphviz 12.2.1
- xwayland 24.1.7
- PAM 1.7.1
- Using grub2-bls as the default bootloader on UEFI systems
- CMake 4.0
- Ceph 18.2.7