
Welcome to English Planet openSUSE

This is a feed aggregator that collects what the contributors to the openSUSE Project are writing on their respective blogs.
To have your blog added to this aggregator, please read the instructions.


From the SUSE Community Blog

Declarative RPM: Cleaning Up Your Spec Files

This article was written by Marcus Rueckert, Build Service Engineer at SUSE. This article originally appeared on the ‘Nordisch by Nature’ blog under the same title and has been slightly updated for the suse.com blog. The End of Spec File Sprawl? Enter Declarative RPM For decades, the RPM spec file has been the “Swiss Army […]

The post Declarative RPM: Cleaning Up Your Spec Files appeared first on SUSE Communities.


Tumbleweed – Review of the week 2026/4

Dear Tumbleweed users and hackers,

Just in time for the weekend, we have managed to get a snapshot out. You likely noticed the gap between Jan 13 and Jan 21; this was due to some tricky conflicts between Postfix and SELinux. While the pause dragged on longer than we would have liked, the resolution was successful.

Crucially, nothing broke on existing systems, and new submissions to Factory continued to be processed in the background. This resulted in a massive accumulation of changes rolling into snapshot 20260121.

The accumulated changes include:

  • 389-ds 3.2.0
  • ImageMagick 7.1.2.13
  • Mozilla Firefox 147.0
  • alsa 1.2.15.3
  • Amarok 3.3.2
  • KDE Plasma 6.5.5
  • FreeRDP 3.20.2
  • Linux kernel 6.18.6
  • libvirt 12.0.0
  • PHP 8.4.17
  • Postfix 3.10.7
  • Ruby 4.0.1
  • Shadow 4.19.2
  • util-linux 2.41.3

From an end-user perspective, the result is essentially the same as receiving five smaller snapshots, though major updates like KDE Plasma 6.5.5 had to simmer a bit longer than usual before reaching you.

With the blockage cleared, we look forward to returning to our regular pace. Here is what is coming your way soon:

  • Mozilla Firefox 147.0.1
  • Pipewire 1.5.85
  • PackageKit 1.3.3
  • Cockpit 354
  • Linux kernel 6.18.7
  • Pam 1.7.2
  • libzypp (adding support for UAPI style configuration)

From openSUSE News

Planet News Roundup

This is a roundup of articles from the openSUSE community listed on planet.opensuse.org.

The community blog feed aggregator lists the featured highlights below from Jan. 16 to Jan. 22.

Blogs this week highlight mentoring with the Season of KDE 2026, efforts to tackle the Y2K38 problem, an announcement about the call for proposals for the openSUSE Conference, news about a high-end executive laptop by Slimbook and several other topics, including discussions about KDE, Myrlyn 1.0, testing of syslog-ng’s 4.11 release, adding Firefox’s Nightly repository and much more.

Here is a summary and links for each post:

Season of KDE 2026 Projects Announced

The KDE Blog reveals the selected projects for Season of KDE 2026, which is a mentorship program that pairs contributors with experienced developers to create impactful open-source features over several months. This year’s cohort includes diverse initiatives such as improving accessibility in KWin, enhancing KDE Connect’s file transfer reliability, developing a new vector-based icon theme, and integrating AI-assisted coding tools into Kate and KDevelop.

Myrlyn 1.0 Released: A New Package Manager for openSUSE

Victorhck reports that Myrlyn, the modern Qt6-based graphical package manager for openSUSE, has reached its 1.0.0 milestone. The new version brings community repository support on Leap 16.0, improved package search (including RPM Recommends), and a more organized transaction history view. Myrlyn continues to evolve with usability enhancements that simplify installing, updating, and removing software.

A New Era for Calligra Plan and Key Productivity Improvements This Week in KDE Apps

The KDE Blog reports progress with the release of Calligra Plan 4.0.0, which is the first version of the project planning tool built on Qt 6. Recent updates include improved Gantt chart rendering, better resource allocation tools, and enhanced file compatibility with other project management formats. The roundup also covers updates across the ecosystem, including improvements in NeoChat, Kaidan, Drawy, Kdenlive, Kate, and more.

Call for Testing: syslog-ng 4.11 is Coming

Peter Czanik invites the community to help test the upcoming syslog-ng 4.11 release. Key features under test include support for Elasticsearch/OpenSearch data streams, a new Kafka source, and various CMake build fixes.

Add the Firefox Nightly Repository in openSUSE

Victorhck explains how to install Firefox Nightly on openSUSE using Mozilla’s official RPM repository. The Nightly version offers early access to new features and performance improvements, and can coexist alongside the stable Firefox release without conflict. Instructions include adding the repository via zypper, refreshing package metadata, installing the browser, and optionally adding language packs for localization.

Accessibility with Free Technologies – Episode 11: EU, Fediverse, Open Data, Apps, Joomla, and Inclusive Talent

The KDE Blog highlights the long-awaited return of a Spanish-language podcast focused on digital inclusion through open-source tools. Episode 11 covers a wide range of topics including EU accessibility initiatives, Fediverse client recommendations and more.

Open-Source Community Tackling Y2K38 Epoch

The openSUSE Project reports on the growing community efforts to address the Y2K38 problem, which is a timekeeping crisis set to occur on January 19, 2038. Testing by openSUSE developers has already revealed failures in compilers, version control systems, desktop toolkits, and core utilities when simulating post-2038 dates, even on modern 64-bit systems. The blog highlights actions related to toolchain improvements, build system hardening, and advocacy for safer time types like int64_t.

Amarok 3.3.2 Released with Improved Usability and Stability

Victorhck and the KDE Blog cover the release of Amarok 3.3.2, which is KDE’s beloved music player. This version includes refined playlist handling, better metadata synchronization, and fixes for crashes related to large libraries and online service integrations. The update also bumps the dependency to KDE Frameworks 6.5.

Register and Submit a Presentation for openSUSE Conference 2026

The openSUSE Project has opened registration and the call for proposals for the openSUSE Conference 2026, which is scheduled to be held in Nuremberg, Germany, from June 25–27. Attendees can submit talks or workshops in categories such as Lightning Talks (10 min), Short Talks (30 min), Long Talks (45 min), and Workshops (1 hour), across tracks including Cloud, Community, Embedded Systems, Open Source for Business, and more. The event coincides with other major open-source conferences in Central Europe. Submissions are accepted until April 30.

KDE Express Episode 64 – Happy New Year 2026 with Love from Phoronix

The KDE Blog presents the latest episode of KDE Express, hosted by David Marzal, and summarizes key developments in KDE and the wider free software ecosystem at the start of 2026. Highlights include KDE dominating Phoronix’s most-read stories of 2025 and KDE’s fundraising efforts.

Open Source in Data Centers with Eduardo Collado – Compilando Podcast

The KDE Blog features a new episode of Compilando Podcast where host Paco Estrada interviews Eduardo Collado, a respected expert in telecommunications and open source infrastructure. They discuss the strategic role of open source software in modern data centers, and cover topics like digital sovereignty, Linux’s dominance in production environments, and real-world applications in networking, automation, and cloud services.

Dark Mode Toggle and Global Push-to-Talk in Plasma

The KDE Blog highlights new features being merged ahead of Plasma 6.7, including a system-wide dark mode switch that lets users instantly flip between light and dark themes. A global push-to-talk option is also coming that allows all microphones to remain muted until a chosen key is held down.

Slimbook Executive Range Renewed

The KDE Blog reports that Slimbook has refreshed its high-end Executive laptop lineup with updated hardware and improved connectivity for professional Linux users. The renewed models emphasize powerful performance, a high-resolution display, and premium build while maintaining strong Linux compatibility.

openSUSE Tumbleweed Weekly Review – Week 3 of 2026

Victorhck and dimstar provide an overview of openSUSE Tumbleweed snapshots released during the third week of January 2026. They highlight key updates such as Linux kernel 6.18, GNOME 49.3 components, and AppArmor 4.1.3. The review points out reports by GNOME users who have experienced some crashes with Bluetooth devices.

The Journey of Auditing UYUNI

The SUSE Security Team blog details the comprehensive security audit of Uyuni. The audit identified several vulnerabilities, including XSS flaws and unprotected endpoints. It also identified numerous minor issues and led to code hardening suggestions.

View more blogs or learn to publish your own on planet.opensuse.org.


Call for testing: syslog-ng 4.11 is coming

The syslog-ng 4.11 release is right around the corner. Thousands of automatic tests run before each new piece of source code is merged, but nothing can replace real-world hands-on tests. So help us test Elasticsearch / OpenSearch data streams, the Kafka source, cmake fixes and much more!

The development of syslog-ng is supported by thousands of automatic test cases. Nothing can enter the syslog-ng source code before all of these tests pass. In theory, I could ask my colleagues at any moment to make a release from the current state of the syslog-ng development branch once all tests pass. However, before my current job, I was working as a director of quality assurance, so I have a different take on testing things. Automatic test cases are indeed fantastic and help us to catch many problems during development. However, nothing can replace real-world users trying to use the latest version of your software.

Personally, I run a nightly or git snapshot build of syslog-ng on all my hosts. However, none of my machines are mission-critical, where downtime would cost $$$ with each and every passing minute. While syslog-ng snapshot builds are usually quite stable and breaking configuration changes are rare, I still do not recommend installing these builds on critical servers. On the other hand, I am a big fan of production testing on hosts where running into occasional problems is not a critical issue.

Read more at https://www.syslog-ng.com/community/b/blog/posts/call-for-testing-syslog-ng-4-11-is-coming


From openSUSE News

Open-Source Community Tackling Y2K38 Epoch

Just 12 years remain before a fundamental limit in timekeeping threatens to disrupt unprepared computer systems; Y2K38 is the new Y2K, and open-source contributors are aiming to create actionable warnings.

Faulty date logic is far more common in computer systems than people may think. openSUSE is actively surfacing and fixing these issues through early testing, toolchain improvements and community-driven coordination to ensure software remains reliable well beyond 2038.

At 03:14:07 UTC on Jan. 19, 2038, the UNIX Epoch will exceed the maximum value of a signed 32-bit integer: 2,147,483,647, or 0x7fffffff. Beyond that point, systems that still rely on 32-bit representations of time risk rolling over into invalid dates, triggering failures that range from subtle data corruption to outright crashes.

While most see this as an issue for 32-bit platforms such as i586 or armv7, there are some exposures with modern 64-bit systems as covered in an openSUSE Conference talk some years ago.

Y2K38 is close enough to force action, and recent testing by openSUSE developers demonstrates that the risk is immediate and tangible. By advancing a build system’s clock into the year 2038, numerous packages failed to compile or pass their test suites. Affected software in the tests included version control tools, editors, compilers, Python libraries, desktop toolkits and system components.

In some cases, basic system behavior like uptime reporting was disrupted.

Several of these failures have been corrected, but the breakages seen in these tests show how deeply embedded 32-bit time assumptions are.

Each new feature or refactoring carries the risk of reintroducing the problem if developers default to using int or long instead of safer types such as time_t, int64_t or long long.

The problem extends beyond applications. Commonly used protocols, including SOAP/XML-RPC and SNMP, encode timestamps using 32-bit values. Implementations must therefore take extra care to handle dates beyond 2038 without breaking interoperability.
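The following Python snippet is an added illustration of the two paragraphs above; it is not code from the openSUSE article or from any of the affected projects. Python's struct module stands in for a C int and int64_t field, and the timestamps are constructed from the 2038-01-19 03:14:07 UTC limit quoted earlier: the block shows the value a legacy 32-bit field ends up holding one second past the limit, the 1901 date a system then reports, and the range check or 64-bit field that avoids the silent wrap, which is also what a protocol encoder that carries 32-bit timestamps has to do.

```python
"""Added example, not from the openSUSE article: a post-2038 UNIX
timestamp squeezed into a signed 32-bit field, modelled with struct."""
import struct
from datetime import datetime, timezone

INT32_MAX = 2**31 - 1  # 2,147,483,647 == 0x7fffffff, the value quoted in the article
INT32_MIN = -2**31

# The last second representable in a signed 32-bit time_t.
Y2K38_LIMIT = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)


def fits_in_int32(ts: int) -> bool:
    """The range check a time_t -> int conversion should perform (or that a
    compiler warning, as discussed in the article, would flag as missing)."""
    return INT32_MIN <= ts <= INT32_MAX


def wrap_to_int32(ts: int) -> int:
    """Reinterpret ts as a two's-complement 32-bit int, i.e. what a legacy
    'int' field holds after the overflow: the high bits are simply dropped."""
    return struct.unpack("<i", struct.pack("<I", ts & 0xFFFFFFFF))[0]


def utc_year(ts: int) -> int:
    """Calendar year a system would report for the given timestamp."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).year


def encode_timestamp(ts: int, width_bits: int = 32) -> bytes:
    """Encode ts as a big-endian signed field of 32 or 64 bits, the way a
    wire protocol would. Refuses to wrap silently and raises OverflowError
    instead, which is the behaviour an implementation should prefer."""
    fmt = {32: ">i", 64: ">q"}[width_bits]
    try:
        return struct.pack(fmt, ts)
    except struct.error as exc:
        raise OverflowError(f"timestamp {ts} does not fit in {width_bits} bits") from exc


if __name__ == "__main__":
    limit = int(Y2K38_LIMIT.timestamp())        # 2147483647
    one_second_later = limit + 1
    print(limit, utc_year(limit))               # 2147483647 2038
    wrapped = wrap_to_int32(one_second_later)
    print(wrapped, utc_year(wrapped))           # -2147483648 1901 (Dec 13, 1901)
    print(fits_in_int32(one_second_later))      # False
    try:
        encode_timestamp(one_second_later)      # 32-bit field: refused
    except OverflowError as err:
        print(err)
    print(encode_timestamp(one_second_later, width_bits=64).hex())  # 0000000080000000
```

The wrap is modelled explicitly rather than relying on Python integers, which never overflow; the point is that the failure in C is silent, so the only defences are the wider type or a check before the narrowing conversion.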

Testing itself remains challenging. Tooling improvements are being explored as a next step for these adjustments. Discussions are underway about adding compiler warnings when code performs unsafe conversions between 32-bit integers and time-related types.

Leap 16 is 2038-safe as it ships with 32-bit (ia32) support disabled by default, but the tests show that changes will need to be made in future minor releases for the affected 64-bit pieces.

Developers interested in the topic can engage on the openSUSE Factory mailing list or join the Reddit discussion about the topic.

From openSUSE News

Register, Submit a Presentation for oSC

Registration for openSUSE Conference 2026 is now open and people are encouraged to submit a talk beginning today.

The conference is scheduled to take place June 25 to 27 in Nuremberg, Germany. Flock to Fedora will take place in Prague, Czech Republic, from June 14 to 16, followed by DevConf.CZ, which will take place in Brno, Czech Republic, from June 18 to 19. Calls for proposals are currently open for all of these open-source developer conferences. With multiple major events happening across Central Europe, June is shaping up to be an excellent opportunity to travel, connect with community members, and engage with open-source developers.

Until April 30, people can submit proposals for a talk or workshop to share their expertise. People are encouraged to submit talks based on the following lengths and topics:

Presentations can be submitted for the following lengths of time:

  • Lightning Talk (10 mins)
  • Short Talk (30 mins)
  • Long Talk (45 mins)
  • Workshop (1 hour)

The following tracks are listed for the conference:

  • Cloud and Containers
  • Community
  • Embedded Systems and Edge Computing
  • New Technologies
  • Open Source
  • openSUSE
  • Open Source for Business: Beyond Code into Sustainability Track

Volunteers who would like to help with the organization of the conference are encouraged to email ddemaio@opensuse.org or attend the weekly community meetings.

Conferences need sponsors to support community-driven events and keep them free and open to new contributing members. Companies can find sponsorship information or donate to the Geeko Foundation to assist with funds that will go toward the conference.


Tumbleweed – Review of the week 2026/3

Dear Tumbleweed users and hackers,

This week, Tumbleweed snapshots have hit a small bump in the road. While we managed to release three snapshots (0109, 0112, and 0113), the release pipeline is currently paused. Testing for snapshot 0114 identified a regression in the recent postfix update, which prevents the service from starting. A bug report has been filed and is currently being worked on; once resolved, Tumbleweed should resume snapshot releases.

The three published snapshots contained these changes:

  • Linux kernel 6.18.4 & 6.18.5
  • More GNOME 49.3-related package updates
  • KDE Gear 25.12.1
  • KDE Frameworks 6.22.0
  • AppArmor 4.1.3
  • Polkit 127
  • XZ 5.8.2
  • Qemu 10.2.0
  • wireplumber 0.5.13: Note for GNOME users: We have seen reports about crashes with Bluetooth devices. See and follow https://bugzilla.opensuse.org/show_bug.cgi?id=1256740

Despite the current snapshots being blocked by the postfix issue, we are continuing to merge changes into Factory and let them be tested by openQA. The following updates are being tested:

  • Removal of Python 3.12: in preparation of the python-* packages being enabled (soon) for python 3.14, we will lower the load on the packages first by removing Python 3.12
  • Ruby 3.4 interpreter is scheduled for removal after we moved to Ruby 4.0 earlier this month
  • A bunch of changes on packages to support installation on transactional systems, i.e. no files written to directories outside of the snapshot, i.e. no /var
  • Agama 19 preview
  • Run0-wrappers as a replacement for sudo and pkexec, currently waiting on https://bugzilla.opensuse.org/show_bug.cgi?id=1256515

From openSUSE News

Planet News Roundup

This is a roundup of articles from the openSUSE community listed on planet.opensuse.org.

The below featured highlights listed on the community’s blog feed aggregator are from Jan. 9 to Jan. 15.

Blogs this week highlight a strong mix of KDE desktop development, openSUSE security work, gaming on Linux, and thoughtful reflections on software sustainability and AI.

Coverage includes multiple Plasma updates and previews, KDE Frameworks and Gear release planning, an openSUSE security retrospective, Tumbleweed snapshot reviews, and discussions on reducing e-waste through responsible software policies.

Here is a summary and links for each post:

KDE Express Episode 63: Year-End Special – KDE Express 25.12

The KDE Blog shares the latest episode of KDE Express, a community-driven video series that recaps KDE developments and highlights from December 2025. Episode 63 features a festive year-end review, covering major releases like Plasma 6.5 updates, early previews of Plasma 6.6, and reflections on KDE’s progress in accessibility, theming, and application maturity. The hosts also thank contributors and users alike, setting an optimistic tone for KDE’s roadmap heading into 2026.

My 12 Desktop Fridays of 2025

The KDE Blog celebrates a year of community creativity with a curated showcase of the author’s favorite “Desktop Friday” (#ViernesDeEscritorio) setups from 2025. Each entry highlights unique KDE Plasma customizations. The post serves as both a nostalgic recap and an inspiration for users looking to personalize their own Linux workspaces in 2026.

KDE Gear 26.04 Release Schedule Announced

The KDE Blog outlines the official release timeline for KDE Gear 26.04. Key milestones include the feature freeze and first beta on March 5, followed by the release candidate on March 27. Final code tagging follows on April 9, with the stable release on April 16.

SUSE Security Team Spotlight – Autumn 2025

The SUSE Security Team provides a detailed retrospective on their autumn 2025 activities, including code reviews, vulnerability disclosures, and security hardening efforts across multiple projects.

Plasma 6.6 Beta Released

The KDE Blog announces the beta release of Plasma 6.6. The version is expected to include further panel customization options, smoother animations, and deeper integration with KDE’s ecosystem of apps and frameworks.

Fifth Update for Plasma 6.5 Released

The KDE Blog announces the fifth maintenance update for Plasma 6.5. The update is strongly recommended for all Plasma 6.5 users, as it refines the desktop experience without altering core functionality.

Changes in the syslog-ng Elasticsearch Destination

Peter Czanik details recent improvements to syslog-ng’s Elasticsearch integration. The update aligns the driver’s behavior with modern Elasticsearch practices and improves compatibility with existing configurations. Documentation gaps have also been addressed by incorporating clearer configuration logic directly inspired by recent OpenSearch destination updates in syslog-ng 4.11.0.

Pixel Wheels 1.0.0 Released

Victorhck announces the stable 1.0.0 release of Pixel Wheels, which is an open-source, retro-style arcade racing game built with libGDX and fully compatible with Linux. The game features local multiplayer support, procedurally generated tracks, and a charming pixel-art aesthetic, all under a permissive Apache 2.0 license. Designed to be lightweight and accessible, Pixel Wheels is now considered feature-complete and ready for use.

3 Native Real-Time Strategy (RTS) Games for Linux

The KDE Blog showcases three native real-time strategy games that run natively on Linux. The list includes both classic and modern titles that leverage open-source engines or are fully developed for Linux. These games demonstrate that Linux continues to be a viable platform for RTS enthusiasts who value freedom and cross-platform play.

Set Up a Timer and Much More in KDE Plasma

Victorhck explores the versatility of KDE Plasma’s built-in timer and stopwatch utilities, showing how they integrate seamlessly into the desktop workflow via the Digital Clock widget or standalone apps. Beyond basic timing functions, he demonstrates advanced features like custom alarms, recurring notifications, and keyboard shortcuts that enhance productivity.

Software Policies Can Fuel Waste

The openSUSE News team examines how restrictive software policies, such as forced obsolescence, lack of long-term support, and vendor lock-in, contribute to electronic waste and environmental harm. The article advocates for a more responsible approach to software design and deployment.

FutureofGamming.com – A New Hub for Open Gaming Insights

NintyFan introduces FutureofGamming.com, a new website dedicated to exploring the future of gaming with a focus on open-source technologies, Linux compatibility, and community-driven development. The platform aims to cover game porting efforts, performance benchmarks on open systems, and interviews with indie developers embracing open ecosystems.

Update Your Windows 10—Switch to Linux

The KDE Blog encourages Windows 10 users facing the end of official support to consider migrating to Linux as a secure, modern, and user-friendly alternative. The post highlights KDE Plasma’s polished desktop experience, strong hardware compatibility, and seamless integration with everyday tools. It also provides practical tips for trying Linux without immediately abandoning Windows, such as using live USBs or dual-boot setups.

An Internet Artisan Facing the AI Prompt

Victorhck reflects on maintaining a personal blog in the age of AI, rejecting the idea of using AI to generate or suggest content for his posts. He contrasts the deliberate, skill-based craft of traditional computing with the convenience (and opacity) of large language models, expressing both admiration for AI’s power and concern over its impact on deep technical understanding.

Car of the Year Edition Arrives in Plasma This Week

The KDE Blog announces a “Car of the Year” themed edition for this week, featuring custom wallpapers, widgets, and system sounds inspired by automotive design. The limited-time release celebrates KDE’s tradition of playful seasonal and event-based desktop themes. There is also a video on how Mercedes is using Qt.

Twenty-Second Update of KDE Frameworks 6

The KDE Blog reports on the release of KDE Frameworks 6.22, the twenty-second monthly update since the major transition from Qt5/KF5 to Qt6/KF6 in February 2024. This update continues KDE’s commitment to delivering predictable, incremental improvements that underpin Plasma 6 and KDE applications. The post also introduces a new series explaining the 83 libraries that make up KDE Frameworks, which are categorized into four tiers based on dependency complexity and functionality.

OpenCV 4.13.0: Performance, Robustness, and Maturity for Production Computer Vision

Alessandro de Oliveira Faria highlights the release of OpenCV 4.13.0, emphasizing its enhanced performance, improved stability, and expanded support for production-grade computer vision applications. The article details deep optimizations across x86, ARM, RISC-V, and other platforms, and improvements to classic algorithms and DNN modules. It also notes enhanced bindings (Python, JavaScript, Java), better video and codec support, and future-oriented features like CUDA 13.0 compatibility.

openSUSE Tumbleweed Weekly Review – Week 2 of 2026

Victorhck and dimstar summarize the openSUSE Tumbleweed snapshots released during the second week of January 2026. The updates include key package upgrades such as GCC 14, systemd 257, and Mesa 25.0, alongside routine maintenance and security fixes.

View more blogs or learn to publish your own on planet.opensuse.org.


The Journey of auditing UYUNI


1) Introduction

UYUNI is an open source system management solution, forked from Spacewalk, and the upstream community project from which SUSE Multi-Linux Manager is derived.

The audit started in January 2024 with the perimeter definition. Since it’s not feasible to audit everything, a list of packages was chosen and submitted to the UYUNI product owner. The criteria for including a package in the perimeter were:

  • the package implementing UYUNI web UI
  • the package implementing API or websocket layer
  • the package implementing UYUNI backend
  • the salt package (fundamental for UYUNI server and minions interaction)
  • packages not included in previous UYUNI audits

In March 2024 the code scanning activities effectively started.

2) The methodology

Auditing a complex codebase like UYUNI is not just running a static analysis tool and waiting for it to complete. It is a complex and long-running journey that took one year and a half to complete.

Some numbers about the codebase

The codebase is big with a lot of sub-packages. Each sub-package was treated as a standalone audit with its own Bugzilla bug, its own list of affected vulnerabilities and its own report. The final report was produced by combining the reports of all sub-packages.

The audited codebase is more than 4.5 million lines of code, written in at least 7 different programming languages.

Language     Files   Lines of code
JavaScript    2547         3805282
Java          4052          369100
Go             795          250684
Python         407          103965
JSP            641           36861
Shell           86            6744
Perl            65            6070

As you might expect, using a single catch-all tool to analyze such a heterogeneous codebase is not possible.

Every package in the scanning perimeter was audited by looking at the source both with tools and by manual inspection. The running server was continuously inspected dynamically, looking for low-hanging fruit like cross-site scripting (XSS), SQL injection and similar, and for business logic flaws.

Each security issue was then triaged and, if necessary, a CVE identifier was assigned and the vulnerability put under EMBARGO. Using the openSUSE coordinated disclosure policy as a framework, we coordinated with upstream and disclosed each issue once it was fixed.

The activity tracking

We use Bugzilla as tracking authority for audits and vulnerabilities found during the activity. A master bug (boo#1218619) was created with the purpose of acting as a main container for all sub-packages audit bugs.

Each audit bug contains all affecting vulnerabilities and, of course, a vulnerability bug can be set as blocker to more sub-packages.

The setup

For the activity, a set of KVM-powered machines was created:

  • a UYUNI server instance
  • a UYUNI proxy instance
  • a couple of minions, Linux workstations attached and managed centrally by the master.

The server is the main UYUNI component orchestrating minions attestation and enabling system administrators to launch commands and interact with minions using the web interface.

A minion, in the UYUNI slang, is a Linux-powered machine (ideally it is a client in a local network), connected to the server.

A UYUNI proxy is a particular kind of server, used to fetch packages from software distribution channels and centrally store software packages for efficient distribution to minions. Distribution channels are software repositories, and a system administrator subscribes their own UYUNI instance to different repositories.

Each server was running openSUSE MicroOS as underlying operating system and minions were running either openSUSE Tumbleweed or Ubuntu Linux distributions.

The attacker’s corner

For the testing activities we used two different machines: a virtual machine running openSUSE Tumbleweed, used for source code inspection, and a virtual machine running Kali Linux, installed to help with penetration testing activities.

The tools

Burp Suite community was the main tool used trying to spot security issues in the running application.

To help during the UYUNI application browsing, a custom tool was developed. While browsing the web UI trying to find business logic flaws, I felt the need for something running in the background spotting low-hanging fruit in web page forms, cookies and more. The tool eventually became an OSS project named nightcrawler-mitm. It’s a mitmproxy extension implementing both an active and a passive scanner, running several security controls in the background.

Open-source tools were also used to audit the source code. Some of them are well-known OSS projects, like:

To help me during the activities, I also used some SAST tools previously written by myself, like:

The reporting method

As discussed before, every finding was tracked in a separate Bugzilla bug. Each bug was linked, marked as a blocking bug, to any sub-package audit bug affected by the associated vulnerability.

Of course, every vulnerability was confirmed by a successful exploitation, before being added to our Bugzilla tracking system. Vulnerabilities were assigned to UYUNI developers and tracked until a fix was released. A CVE was also assigned if required by the issue severity.

The standard CVSS version 4 was used as the scoring system and to assign a severity: a CVSS score lower than 5 is rated low, a score between 5 and 7 is rated medium, and anything higher is rated high. The same approach was used to assign a triage score to each sub-package. The triage score will be used in the future to decide whether the sub-package must be part of a future audit perimeter or not.

At the end of the audit, the list of issues and the triage scores were compiled into a technical report sent to UYUNI developers.

3) Audit results

During the audit, seven CVEs were found and fixed, and numerous minor issues were addressed, improving the product’s reliability and overall security posture.

CVE-2024-49502: spacewalk-web: Reflected XSS in Setup Wizard, HTTP Proxy credentials pane

A reflected cross-site scripting vulnerability was found in the HTTP proxy pane of the setup wizard UI element. Tracked in boo#1231852

CVE-2024-49503: spacewalk-web: Reflected XSS in Setup Wizard, Organization Credentials

A reflected cross-site scripting vulnerability was found in the Organization Credentials pane of the setup wizard UI element. Tracked in boo#1231922

CVE-2025-23392: spacewalk-java: reflected XSS in SystemsController.java

Some URLs served by the SystemsController.java class are vulnerable to reflected XSS. Some examples of vulnerable URLs are listed in the GitHub advisory as well. The advisory was filed by an external independent researcher following our coordinated disclosure policy. Tracked in boo#1239826

CVE-2025-46809: Plain text HTTP Proxy user:password in repolog accessible from the UYUNI 5.x webUI

The credentials configured for the UYUNI HTTP proxy are disclosed in the error log when the proxy port number is wrong or the hostname is misspelled. Tracked in boo#1245005
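A defensive pattern for this class of bug, as an added example that is not UYUNI's code: a logging filter that strips the user:password part from any proxy URL before an error message is written, so a misconfigured port or hostname produces a log line without the secret. The logger name, proxy URL and error text are constructed for the demonstration.

```python
# Added example, not UYUNI code: models the CVE-2025-46809 failure mode (a
# proxy URL with user:password logged verbatim when the connection fails) and
# scrubs the userinfo part before any handler writes it. All values constructed.
import logging
import re
from urllib.parse import urlsplit, urlunsplit

# scheme://user:pass@host -- greedy up to the last "@" before a "/" or
# whitespace, so a password that itself contains "@" is fully removed.
_USERINFO_RE = re.compile(r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*://)[^/\s]+@")

def redact_url(url: str) -> str:
    """Return a proxy URL with its userinfo (user:password@) removed."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    hostport = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, hostport, parts.path, parts.query,
                       parts.fragment))

def redact_text(text: str) -> str:
    """Scrub every embedded user:password@ in free-form text (e.g. an error)."""
    return _USERINFO_RE.sub(r"\g<scheme>***@", text)

class CredentialRedactingFilter(logging.Filter):
    """Rewrite the formatted message so no handler ever sees credentials."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()  # already interpolated; drop the raw arguments too
        return True

class _ListHandler(logging.Handler):
    def __init__(self, sink: list) -> None:
        super().__init__()
        self.sink = sink  # collects formatted lines so they can be inspected
    def emit(self, record: logging.LogRecord) -> None:
        self.sink.append(record.getMessage())

def log_proxy_failure(proxy_url: str, reason: str) -> str:
    """Log a failed proxy connection through the filter; return the line."""
    sink: list = []
    logger = logging.getLogger("repolog-example")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.addHandler(_ListHandler(sink))
    logger.addFilter(CredentialRedactingFilter())
    logger.error("Cannot reach proxy %s: %s", proxy_url, reason)
    return sink[0]
```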

CVE-2025-46811: Unprotected websocket endpoint

During an internal assessment, a customer found an issue with the remote-commands websocket endpoint (/rhn/websocket/minion/remote-commands). Using websockets, anyone able to connect to port 443 of SUSE Manager could run any command as root on any client, with no authentication. The customer, using our coordinated disclosure policy as a reference, reported the issue, which was then fixed and publicly disclosed. Tracked in boo#1246119

CVE-2025-53883: spacewalk-java: various XSS found on search page

During an internal assessment, a customer found that some reflected cross-site scripting attacks were possible due to improper input validation. The issue was tracked in the private SUSE Bugzilla instance, since some customer-sensitive information was included. However, the issue is described on the public CVE-2025-53883 page.

CVE-2025-53880: susemanager-tftpsync-recv: arbitrary file creation and deletion due to path traversal

A path traversal vulnerability in the tftpsync/add and tftpsync/delete scripts allows a remote attacker on an adjacent network to write or delete files on the filesystem with the privileges of the unprivileged wwwrun user. Although the endpoint is unauthenticated, access is restricted to a list of allowed IP addresses. The unprivileged user has write access to a directory that controls the provisioning of other systems, so the issue leads to a full compromise of those systems. Tracked in boo#1246277
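The containment check this finding calls for, as an added example rather than the project's own tftpsync code: a client-supplied name is canonicalised with realpath and rejected unless it lands strictly inside the base directory, before any file is created or removed. The base directory and the client names are constructed; the layout of the real scripts is assumed, not known.

```python
# Added example, not susemanager-tftpsync-recv code: the path containment
# check the CVE-2025-53880 finding calls for, applied to add and delete.
# Base directory and client-supplied names are constructed for the demo.
import os
import tempfile

class PathTraversalError(ValueError):
    """Raised when a client-supplied name would land outside the base dir."""

def resolve_inside(base_dir: str, client_name: str) -> str:
    """Join client_name onto base_dir and refuse anything that escapes it."""
    if not client_name or "\x00" in client_name or os.path.isabs(client_name):
        raise PathTraversalError(client_name)
    # realpath() collapses "..", "." and symlinks, so the comparison runs on
    # the canonical path, not on the raw string the client sent.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, client_name))
    # Same prefix *and* not the base itself: a path strictly below base_dir.
    if target == base or os.path.commonpath([base, target]) != base:
        raise PathTraversalError(client_name)
    return target

def is_confined(base_dir: str, client_name: str) -> bool:
    try:
        resolve_inside(base_dir, client_name)
        return True
    except PathTraversalError:
        return False

def tftp_add(base_dir: str, client_name: str, data: bytes) -> str:
    target = resolve_inside(base_dir, client_name)  # check before any write
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target

def tftp_delete(base_dir: str, client_name: str) -> str:
    target = resolve_inside(base_dir, client_name)  # check before removal
    os.remove(target)
    return target

def demo() -> tuple:
    """Accept a sane name, reject traversal attempts, delete what was added."""
    with tempfile.TemporaryDirectory() as base:
        path = tftp_add(base, "pxelinux.cfg/01-aa-bb-cc-dd-ee-ff", b"default linux\n")
        added = os.path.isfile(path)
        blocked = [not is_confined(base, n)
                   for n in ("../../etc/passwd", "/etc/passwd", "cfg/../../x", "")]
        tftp_delete(base, "pxelinux.cfg/01-aa-bb-cc-dd-ee-ff")
        deleted = not os.path.exists(path)
    return added, all(blocked), deleted
```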

Other minor findings

Additional vulnerabilities were identified that, while valid, did not meet the criteria for CVE assignment:

  • boo#1231900: VUL-0: arbitrary log messages in API can lead to a disk space exhaustion (and so to a denial of service)
  • boo#1245740: VUL-0: Default venv-salt-minion environment is activated on the different user accounts
  • boo#1243679: VUL-0: Insecure communication in TFTP proxy sync.
  • boo#1243768: VUL-0: Potential Command Injection Pattern in check_push Function. No activity: a follow-up was requested.
  • boo#1239636: VUL-0: log pollution in class TraceBackEvent
  • boo#1237368: VUL-0: unhandled exception when dealing with numeric request parameters
  • boo#1243087: VUL-0: spacewalk-search: unexploitable XSS in XML RPC Server.
  • boo#1227577: VUL-0: spacecmd and spacewalk-backend: usage of unsafe third party library for XML.

Last but not least, during the audit some codebase improvements were also suggested to raise the security posture even further:

  • boo#1228945: AUDIT-FIND: spacewalk-utils: Sensitive information disclosure in backup file
  • boo#1223313: AUDIT-FIND: Possible deserialization issue in spacewalk-client-tools (affecting only SUMA 4.x)
  • boo#1228116: AUDIT-FIND: spacewalk-admin: mgr-monitoring-ctl doesn’t sanitize PILLAR parameter
  • boo#1231983: AUDIT-FIND: spacewalk-web: generatePassword() improve namespace entropy
  • boo#1246941: AUDIT-FIND: saline: Hardening Against Insecure Deserialization
  • boo#1247015: AUDIT-FIND: saline: Race Condition in Service Startup Allows for IPC Hijacking on Systems with a Permissive umask
  • boo#1227579: AUDIT-FIND: spacecmd: get rid of pickle to read and parse configuration files.

4) Conclusions

The UYUNI audit was an intense and rewarding run. The good results, in terms of the number of vulnerabilities found and the fast reaction in releasing fixes, confirmed UYUNI as a solid and reliable product for the community.

Like all software, it can of course be improved in terms of code quality: applying safe coding patterns, using secure and reliable third-party libraries, and consolidating on one or two programming languages. This is an important step, because it creates common ground for engineers and a solid codebase that entices contributions and pull requests from the community.

A vibrant codebase, using a balanced mix of standard and cutting-edge technologies, can increase adoption of the product and attract developers and contributors.

It also helps in adopting safe coding best practices, which are widely updated and developed for newer technologies rather than for ancient, no longer actively used programming languages.

The low number of vulnerabilities found, and the reaction time in fixing the serious ones, indicate that the project is well-curated and actively maintained. The security posture is good, and it can be safely deployed in production.

5) What’s next?

As on every journey, the final destination is not the reward itself. The UYUNI project is under active development, with a (more or less) monthly release cycle.

The next audit will start in the first quarter of 2026, and it will be another year-and-a-half rollercoaster ride, with rabbit holes, false positives, suspected CVEs turning out not to be exploitable, and real root-dance issues.

The fun part is to audit code written in multiple languages, with different stacks and libraries.

It’s not rewarding only from a security perspective; it’s a real learning experience.

6) Links