
Open Build Service

Request Workflow Redesign: RPM Lint Results for Multibuild Flavors and other Improvements

We are currently in the process of polishing and finalizing the last bits and pieces of the request workflow redesign beta in order to roll it out to everyone shortly. This time we put our hands on linking to the individual RPM lint results of multibuild flavors included in a request and easing the process of accepting a request. As a bonus, a summary for the individual RPM lint results of a package is now...


Tumbleweed – Review of the weeks 2025/31 & 32

Dear Tumbleweed users and hackers,

Because August 1st is Switzerland’s national holiday, I took the day off last Friday — which is my excuse for skipping last week’s review. The most noteworthy technical change was mostly invisible: we switched FTP tree generation from product-builder to product-composer. This is essentially a rewrite, trimming years of accumulated features back to a more manageable set. One side effect is that product descriptions are now in YAML instead of XML — easier on the eyes.

The published FTP tree looks largely unchanged, aside from a brief bug where appstream metadata wasn’t registered, causing software centers like Discover and GNOME Software to miss it (now fixed). The main visible change affects ARM users: we merged the FTP trees for armv6, armv7, and aarch64 into a single tree under the ports/aarch64 namespace. This saves several gigabytes on our mirrors by sharing large noarch packages.

Since this results in bigger repodata containing all architectures, the new product composer supports “split repodata for merged trees” — also used in Leap 16.0. ARM users who prefer smaller metadata can append /$basearch to the end of their OSS repo URL, and zypp will then only refresh the relevant subset.
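The URL tweak above is easy to get subtly wrong (a doubled slash, or a shell expanding $basearch before zypp ever sees it), so here is an added shell example, not code from the original post or from openSUSE, that rewrites the baseurl= line of a zypper .repo file to end in /$basearch and is safe to run twice. The repo file content is constructed for the example; the real file under /etc/zypp/repos.d/ may carry a different name and URL, and add_basearch_suffix, patch_repo_file and demo are helper names chosen here.

```shell
#!/bin/sh
# Added example: point a zypper OSS repo at the per-architecture repodata
# subset by appending "/$basearch" to its baseurl. Helper names are this
# example's own.

# Constructed repo file standing in for /etc/zypp/repos.d/repo-oss.repo on
# an aarch64 Tumbleweed install; the real name and URL may differ.
SAMPLE_REPO_FILE='[repo-oss]
name=openSUSE-Tumbleweed-Oss
enabled=1
autorefresh=1
baseurl=https://download.opensuse.org/ports/aarch64/tumbleweed/repo/oss/
path=/
type=rpm-md
keeppackages=0
'

# add_basearch_suffix: filter stdin to stdout. On the baseurl= line, drop any
# trailing slash and append "/$basearch" unless the URL already ends with it,
# so running the filter twice changes nothing. Every other line passes
# through untouched. The awk program is single-quoted on purpose: $basearch
# is a zypp variable and must reach the file literally, not be expanded here.
add_basearch_suffix() {
    awk '
        /^baseurl=/ && $0 !~ "/[$]basearch/?$" {
            sub(/\/+$/, "")
            $0 = $0 "/$basearch"
        }
        { print }
    '
}

# patch_repo_file FILE: in-place variant for a real system, keeping a backup.
# Usage as root: patch_repo_file /etc/zypp/repos.d/repo-oss.repo && zypper ref
patch_repo_file() {
    cp -p "$1" "$1.bak" && add_basearch_suffix < "$1.bak" > "$1"
}

# demo: show the rewritten sample; nothing on disk is touched.
demo() {
    printf '%s' "$SAMPLE_REPO_FILE" | add_basearch_suffix
}
```

After patching, a plain zypper refresh fetches only this machine's architecture subset of the merged repodata, which is the whole point of the /$basearch suffix; keeping the filter idempotent means a configuration-management run can apply it on every pass without accumulating suffixes.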


Other than that rather technical-only change, we of course also published nine snapshots (0725, 0727, 0728, 0730, 0801, 0803, 0804, 0805, and 0806) for your updating fun, containing these changes:

  • Apache 2.4.65
  • pipewire 1.4.7
  • Mozilla Firefox 141.0
  • GStreamer 1.26.4
  • Linux kernel 6.15.8
  • mozilla-nss 3.113
  • mozjs 128.13.0 (JavaScript engine used by e.g. GNOME)
  • Virtualbox 7.1.12a
  • nvme-cli 2.15 (if you have scripts using the short parameter --output, you will need to change that to --output-format)
  • Mesa 25.1.7
  • libvirt 11.6.0
  • GCC 15.2 RC
  • gnutls 3.8.10
  • container-selinux 2.240.0: containers no longer have the implicit right to change SELinux labels. If you require this, you will need to enable the new boolean container_modify_selinux_labels
  • gnome-shell 48.4

The next changes being prepared and tested currently are:

  • Mozilla Firefox 141.0.2
  • KDE Plasma 6.4.4
  • Linux kernel 6.16.0
  • openSSL 3.5.2
  • Mesa 25.2
  • python pytest 8.4.1
  • glibc 2.42
  • openSUSE-welcome: prepare infra to have different ‘welcome apps’ per desktop (e.g. gnome-tour on GNOME)
  • GNU gettext 0.25.1
  • nftables 1.1.4: issues detected by openQA in combination with netavark
  • Bash 5.3

Just Another Tech Blog

Himmelblau 1.0 Released – Finally, Real Intune Policy Enforcement on Linux

I’m happy to announce the release of Himmelblau 1.0, which now supports Intune MDM policy enforcement on Linux. This is a major milestone for the project—and honestly, for the broader Linux community—because it means we finally have a working, transparent, and open-source alternative to Microsoft’s half-baked Intune client for Linux.

Let’s talk about what’s new, why it matters, and how to enable it.

Intune Policy Enforcement – Now Built In

With 1.0, Himmelblau can fetch and enforce device compliance policies from Microsoft Intune. This includes things like:

  • Password requirements (applied to the Linux Hello PIN, FYI)
  • Disk encryption requirements
  • OS version requirements
  • Script policies

Policies are enforced at login time, and any non-compliant device will be reported as such during Intune check-in. This works out of the box, with no browser hacks, GUI prompts, or extra fluff. In Himmelblau, it’s all seamless to the user.

To enable policy enforcement, just add the following to your config:

# /etc/himmelblau/himmelblau.conf
apply_policy = true

Then restart the service and watch your login enforcement and compliance status just work.

Why Microsoft’s Intune Client Just Doesn’t Cut It

Let’s be blunt for a moment: Microsoft’s official Intune for Linux client is a mess.

Here’s why:

  • It’s unreliable. In my testing, it usually doesn’t work. You’ll find guides online suggesting you install Edge first, or tweak your environment in weird ways just to get the thing to launch. That’s ridiculous. A tool that claims to support Linux shouldn’t require browser voodoo to function.
  • It frequently crashes. Again, this is based on my own experience. The client crashes. A lot. That’s not enterprise-grade—it’s barely alpha.
  • It’s hardwired to Ubuntu and RHEL. Microsoft only builds packages for those two distros. Himmelblau supports many more: Ubuntu, Debian, openSUSE, Fedora, Rocky, RHEL, SLE, Oracle, NixOS (yes seriously, even NixOS)—and I’m happy to work with the community to expand that list. Just ask, we’ll add it.
  • Policy enforcement is GUI-dependent. You can’t enforce policy without logging into the desktop session. This is so broken I don’t even know where to begin. What about headless servers? SSH? Seriously?
  • It’s a bizarre mix of Rust and Java. I like Rust, but what were they thinking intermingling it with Java?
  • It requires Microsoft Edge. Because of course it does. Classic Microsoft move: shove their browser into every workflow, whether it belongs there or not.
  • It’s bound to a local account. That’s not cloud integration, it’s cloud side-loading.
  • It’s closed source. If we can’t inspect the code and see how it works, how can they expect us to trust this thing?
  • They clearly don’t understand Linux. That’s the bottom line. This is not a tool made by people who know how Linux is used in the real world. It’s a checkbox product.

Himmelblau exists because we can—and should—do better.

Important: No Custom Compliance Policies Yet

Microsoft offers a feature in Intune called Linux Custom Compliance policies. These allow you to define your own compliance scripts that Intune will evaluate on managed Linux devices.

Himmelblau does not support these (yet). So please, do not assign Linux Custom Compliance policies to devices managed by Himmelblau. If you do, they’ll be marked as non-compliant, and Himmelblau will prevent users from logging in.

This feature is in progress and will land in a future version. Until then, stick to the regular Intune compliance settings—those are supported.

This Changes Everything for Linux in the Enterprise

With Himmelblau 1.0, we finally have:

  • A reliable Intune-compatible agent
  • Real enforcement of Microsoft’s compliance rules
  • No GUI dependency
  • Support for many Linux distros
  • Open code, real transparency, and community-driven development

You no longer have to settle for Microsoft’s broken Linux client. You don’t have to pretend it’s “fine” just because it has the Microsoft logo on it.

Now there’s a better option—one by the community, for the community.

Nathan Wolf

Daily Driving Thunderbird

The author transitioned from KDE's Kontact to Thunderbird for personal information management due to increasing issues with Kontact. Thunderbird proved to enhance productivity significantly, offering robust email and calendar integrations, especially with Google Calendar and Microsoft Office 365. Despite some rough edges, the author appreciates Thunderbird's reliability and flexibility and looks forward to exploring its add-ons.

openSUSE News

Try Xfce on Wayland with openSUSE Leap 16.0 RC

Entering RC Phase

openSUSE Leap 16.0 has officially transitioned from Beta into the Release Candidate phase with the Build 148.4.

The biggest challenge for the Release Team prior to the autumn release is source code management, as we want to transition both Tumbleweed and Leap 16.0 from the legacy OBS SCM to Git.
This will also require a new maintenance model for Leap.

Users can expect a few more builds before we announce our Gold Master candidate.
Given the nature of Leap 16 being built on top of binaries from SUSE Linux Enterprise 16, we can only do so once SUSE Linux Enterprise 16.0 announces their Gold Master in late September.

If all goes well with the maintenance setup we could aim for the delivery according to the roadmap in October shortly before SLES 16.0.

More details can be found in the roadmap and now also on calendar.opensuse.org.

New installer

Leap 16.0 uses the latest Agama for both online and offline installation. You can get install images at get.opensuse.org. Alternatively, users can pick one of our appliance images.

Being among the first to deliver Xfce on Wayland

We offer only Wayland-based Desktop Environments in the installer. Xfce on Wayland has recently joined the list.
Thanks to the openSUSE Xfce team, we’re among the first to deliver it as an experimental preview to users.
The Xfce mailing list was quite active as we were getting closer to RC.

Users can enjoy the minimalistic Wayland-friendly greetd and gtkgreet as a replacement for LightDM.

Get the Leap 16.0 install image and try it out!

Please be aware that the Wayland support in Xfce is experimental and there are plenty of issues.
We could use help in improving our patterns and making the experience with Wayland-ready apps on Xfce more complete.
Join the Xfce mailing list if you’re interested in the effort.

YaST stack reduction

A clean install of Leap 16.0 comes with no YaST packages installed.
Users can use the new package Myrlyn, a drop-in replacement for the legacy YaST Software Management, which itself provided a bit more than just a nice UI frontend to Zypper.
A limited set of YaST packages will still be around because Agama depends on them, so they won’t be dropped on migration.
The long-term goal is to move to Cockpit.

SELinux is the new default

All new installations will use SELinux by default.
Users can switch to AppArmor post installation.

Steam, Wine, 32-bit support

SUSE Linux Enterprise 16.0 does not support 32-bit binary execution.
Leap users can install grub2-compat-ia32, which enables it by passing ia32_emulation=1 to the kernel.
We’ve recently dropped Steam from the Non-OSS repository due to a limited set of 32-bit libraries.
Steam users will want to install selinux-policy-targeted-gaming, which is not installed by default.

New Repository structure and parallel downloads in zypper

The biggest change for users migrating from 15.6 will likely be the absence of dedicated update repositories for SLES packages.
Leap 16.0 essentially uses just a single repository, repo-oss, that contains both community and SLES packages and their respective updates.
We now use separate repodata per architecture, as well as parallel downloads in Zypper, for a snappier user experience.

Migration

I personally advise Leap 15.6 users migrating to 16.0 to look into the new opensuse-migration-tool.
The tool has some useful optional post-migration scripts such as 32-bit binary enablement, migration from PulseAudio to PipeWire, and AppArmor/SELinux selection.

sudo zypper in opensuse-migration-tool
opensuse-migration-tool --dry-run # optionally check how it looks
sudo opensuse-migration-tool

Users migrating manually will want to drop all update repositories and keep only oss/non-oss repos prior to running zypper --releasever 16.0 dup.
Details are at our System upgrade wiki page.
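For the manual route, here is an added dry-run helper (not part of the announcement and not an openSUSE tool) that reads zypper lr output, keeps repo-oss and repo-non-oss, flags every repository whose alias contains "update" for removal, and prints the zypper rr commands instead of running them. The zypper lr listing is constructed for the example, treating an "update" substring in the alias as the marker of an update repository is an assumption about naming, and classify_repos, plan_repo_cleanup and plan_live are names chosen here.

```shell
#!/bin/sh
# Added example: plan the repository cleanup for a manual Leap 15.6 -> 16.0
# migration without touching the system. Function names are this example's own.

# Constructed "zypper lr" listing standing in for a Leap 15.6 system; the real
# aliases on a given machine may differ.
SAMPLE_ZYPPER_LR='#  | Alias                 | Name                                    | Enabled | GPG Check | Refresh
---+-----------------------+-----------------------------------------+---------+-----------+--------
 1 | repo-backports-update | Update repository of openSUSE Backports | Yes     | (r ) Yes  | Yes
 2 | repo-non-oss          | Non-OSS Repository                      | Yes     | (r ) Yes  | Yes
 3 | repo-oss              | Main Repository                         | Yes     | (r ) Yes  | Yes
 4 | repo-sle-update       | Update repository with updates from SLE | Yes     | (r ) Yes  | Yes
 5 | repo-update           | Main Update Repository                  | Yes     | (r ) Yes  | Yes
 6 | repo-update-non-oss   | Update Repository (Non-Oss)             | Yes     | (r ) Yes  | Yes
'

# classify_repos: read a "zypper lr" table on stdin and print "alias action"
# per repository. repo-oss and repo-non-oss are kept, aliases containing
# "update" are marked for removal (an assumption about naming), anything
# else is left for manual review. Only rows whose first column is a number
# are repositories; the header and separator lines are skipped.
classify_repos() {
    awk -F'|' '
        $1 ~ /^ *[0-9]+ *$/ {
            alias = $2
            gsub(/^ +| +$/, "", alias)
            if (alias == "repo-oss" || alias == "repo-non-oss")
                action = "keep"
            else if (tolower(alias) ~ /update/)
                action = "drop"
            else
                action = "review"
            print alias, action
        }'
}

# plan_repo_cleanup: print the zypper commands for the "drop" entries
# without running them.
plan_repo_cleanup() {
    classify_repos | awk '$2 == "drop" { print "zypper rr " $1 }'
}

# plan_live: the same against the running system. Read the plan, run the
# rr commands as root, then continue with: zypper --releasever 16.0 dup
plan_live() {
    zypper lr | plan_repo_cleanup
}
```

Anything reported as "review" (a third-party or OBS home repository, for instance) is deliberately not touched: those need a per-repository decision, since a repository built for 15.6 will not have 16.0 packages after the dup.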

Revamped release notes

A preview of our new modular release-notes can be found here.
We were able to reduce the build/publish infrastructure for Release Notes to basically just GitHub, as the installer no longer requires an RPM with a local copy of release notes.

Submitting Bug Reports

Your feedback is critical at this stage.

We know that people really start testing a new release once it reaches RC. Please report any issues on bugzilla.opensuse.org. Please make sure to check the Known bugs wiki page prior to reporting a new bug.

Thank you for testing and being part of the openSUSE community. Let’s shape Leap 16.0 together!

Nathan Wolf

35-Key Bluetooth Number Pad and Cover

The author discusses their preference for a compact laptop and the necessity of a number pad for tasks like light accounting while traveling. They highlight the benefits of a specific number pad that complements their Framework Laptop 13, emphasizing its Bluetooth functionality, compact design, and the creation of a protective cover to safeguard it during transport.

openSUSE News

Tumbleweed Monthly Update - July 2025

Several software packages were updated in openSUSE Tumbleweed during July that brought a large amount of enhancements, new features and critical security fixes across a wide range of components.

Major upgrades included hwinfo 25, systemd-rpm-macros 26 and Amarok 3.3.0. A couple of GStreamer updates also landed in the rolling release along with curl 8.15.0, nvme-cli 2.15 and more.

These advancements were complemented by updates to the KDE ecosystem, including Plasma 6.4.3, KDE Frameworks 6.16.0 and KDE Gear 25.04.3. Other essential tools like vim 9.1.1508 gained Wayland clipboard support and improved language syntax, while myrlyn 0.9.7 enhances secure privilege escalation.

As always, be sure to roll back using snapper if any issues arise.

For more details on the change logs for the month, visit the openSUSE Factory mailing list.

New Features and Enhancements

hwinfo 25.0: This major release introduces several new features and improvements that enhance hardware detection and reporting capabilities. USB improvements add support for capturing USB alternate settings and interface associations, which allows for more accurate classification and detailed reporting of complex USB devices. There is new support for reporting NVMe-oF (NVMe over Fabrics) and iSCSI device information, which is most useful in enterprise and networked storage environments.

systemd-rpm-macros 26: This new version adds the %udev_trigger_with_reload() macro, which ensures packages properly trigger udev events and reload rule files. The changes align with transactional system behavior, where certain changes only take effect after a reboot. Packages requiring user or group creation during installation should now use sysusers_create_package() to ensure correct file ownership during installation.

amarok 3.3.0: The music player is now based on Qt 6 and KDE Frameworks 6. The release features a reworked GStreamer-based audio engine to improve playback support and flexibility. This version also includes important internal improvements like upgrading the database character set to support full UTF-8 values and enhancing compatibility with non-Latin characters in music metadata.

KDE Frameworks 6.16.0: Notable updates include safer compression handling in KArchive, improved file renaming in KIO, expanded accessibility in Properties dialogs, and enhanced timezone and date handling in KCoreAddons. Kirigami receives critical crash fixes and design refinements, while Breeze Icons adds new device and action icons. Developers working in Python get new example integrations for KDateValidator and KIconUtils. Syntax highlighting expands with better Perl, HTML, and XML support.

KDE Plasma 6.4.3 and 6.4.2: With 6.4.3, the KWin Window Manager and Wayland Compositor gain updates that improve the user experience, including better handling of tablet input and high-resolution (HiDPI) displays, and smoother resizing and scaling for applications and windows. Pop-up windows now close correctly when switching between applications, and panels such as the taskbar now function correctly. Multi-monitor setups also benefit from improved screen calibration and output identification. The lock screen has been adjusted to avoid immediately prompting for a password after activation, giving users more control. A race condition that could affect login via PAM has been mitigated, and the software center Discover now highlights interactive actions more clearly when pressed. The Plasma Welcome screen has been updated to be more accessible and user-friendly.

KDE Gear 25.04.3: This release early in the month brought fixes for better link handling in Akregator, improved file compression in Ark, and a fix for search not opening in Audiotube. Dolphin no longer leaks system resources when viewing folder properties and KAlarm prevents pop-up messages from stealing focus. Kitinerary adds support for more travel confirmations including LeShuttle, DJH, Eurostar, and Leo Express, which have better handling of dates, languages, and ticket formats. Other fixes include improved PDF ticket support, better handling of membership cards, and enhanced public transport data.

myrlyn 0.9.7: This new version changes how myrlyn-sudo builds its own environment, helping avoid issues with XWayland and ensuring the XDG_RUNTIME_DIR environment variable is preserved. This makes running programs with elevated permissions smoother and more secure. The update improves how configuration files are handled and provides cleaner code and better formatting in .desktop files. A new Root Authentication help menu was added to assist users during setup, and support for prompt arguments in myrlyn-askpass has been introduced. Several issues were fixed, including how file paths and environment variables are handled during system commands. A number of small bugs related to style, typos, and configuration backups have also been addressed.

vim 9.1.1508: This release improves file type handling, correctly recognizing files used by programming languages such as Haxe, Numbat, QuickBMS, and Flix. It also adds new navigation shortcuts for Go and enhances syntax highlighting for better readability. A fix adds Wayland clipboard support, allowing users on modern Linux desktops to copy and paste text seamlessly between Vim and other applications. The update also ensures symlinks are properly resolved when changing directories with the cd command.

Key Package Updates

kernel-source 6.15.8, 6.15.7, 6.15.5 and 6.15.4: Four kernels landed this month. The 6.15.8 version had a key fix for KVM on x86/Xen: it corrects the cleanup logic in the emulation of Xen schedop poll hypercalls, which helps ensure more reliable virtualization performance. Another significant update improves the SMB client by making smbd_post_send_iter() respect the peer’s maximum send size. The 6.15.7 version improves Bluetooth reliability and prevents disconnection issues, and the kernel had fixes for memory leaks, connection problems, and network drivers and protocols like vsock, tcp, phy, atm and stmmac to prevent crashes. It also enhanced audio driver compatibility with Intel and Qualcomm hardware. The 6.15.5 kernel made fixes across the networking stack, including virtio-net, txgbe, and the Bluetooth subsystem. RTC drivers received minor corrections, while MMC/SDHCI updates enhanced SD card error handling and UHS-II support. The update also addressed crashes in modules such as ALSA, RDMA, VSOCK, and SCSI. The 6.15.4 version resolves a regression in io_uring and improves memory accounting and stability for asynchronous I/O operations. Several crypto drivers, including qat and marvell/cesa, now handle shutdowns and request chaining more reliably.

Mesa 25.1.6 and 25.1.5: The 25.1.6 release resolves a range of critical issues affecting both everyday desktop users and gamers. These fixes include resolving graphics glitches in Team Fortress 2, preventing crashes in applications like sddm-greeter when using modern drivers (nvk + zink), and stopping system reboots or crashes on FirePro W4100 cards. The release also fixes memory leaks, Vulkan threading issues on X11, and several driver-specific regressions for AMD, Intel, and Arm. Like 25.1.6, the 25.1.5 release brought no new features, but it did address several crashes, memory issues, rendering glitches and regressions across drivers and platforms. Notably, this release resolves problems like ground texture flickering in DOTA 2, GPU process crashes with WebGPU shaders, and driver-specific Vulkan and OpenGL inconsistencies. Fixes cover a wide range of drivers and tools, including AMD radeonsi and Intel support, as well as panfrost, zink, and Vulkan components such as anv and radv.

curl 8.15.0: This update has better handling of non-blocking input and fixes for long-standing bugs in SFTP path handling (like /~) and LDAP integration. The --retry option now correctly reports exit codes, making automation scripts more reliable. Under the hood, OpenSSL sees several fixes for buffered data, engine usage, and PKCS#11 provider checks, while HTTP/2 and HTTP/3 reporting are now more consistent. The addition of CURLINFO_TLS_SSL_PTR for QUIC connections helps developers debug encrypted transfers.

bind 9.20.11: This release addresses a critical security issue that could cause the named resolver process to crash when stale-answer-client-timeout was set to 0. This update also introduces support for the CO flag in the dig tool. Bug fixes include correcting the default interface-interval from 60 seconds to 60 minutes, which resolves a purge-keys issue when zones use multiple views, and ensuring delv +ns now properly performs IPv6 queries.

ddcutil 2.2.1: This package, which improves reliability and usability for users who adjust monitor settings from the command line, fixes several bugs that could cause crashes or incorrect behavior when communicating with displays using DDC/CI, especially on systems with older Nvidia drivers or when using the KDE Plasma desktop environment. Users should experience more reliable detection and communication with displays, better feedback during command execution, and fewer issues with power management tools like KDE PowerDevil. It also adds better reporting when running as root or with elevated privileges, and improves error messages for more meaningful feedback during display configuration.

netpbm 11.11.0: This image processing toolkit has tools like pamflip, which now supports -inverse and -reflect for easier transformations, and smoother circle drawing has been implemented via floating-point calculations. Utilities like pnmquantall, ppmtogif, and pnmtofiasco received critical security and stability fixes that address vulnerabilities and long-standing issues dating back over a decade. File naming in pamdice has also been corrected to avoid unnecessary slice digits.

php8 8.4.10: This update has improvements that include fixes for memory leaks in curl, openssl, intl, and pdo_sqlite, better error handling in pg_cancel_query() and SOAP, and corrected behavior in DatePeriod, SimpleXML, and DOM. Several critical vulnerabilities were also resolved and this release enhances overall reliability for developers using PHP in web, CLI, and FPM contexts.

xen 4.20.1: This update addresses several critical issues, including security vulnerabilities such as XSA-471, which mitigates AMD-based transient execution attacks, and XSA-470.

sudo 1.9.17p1: This release improves security by enforcing stricter behavior when resolving environment settings and password requirements. Other fixes include improved password handling in edge cases (e.g., via pwfeedback), better SSH suggestions when no terminal is allocated, and safeguards against information leaks in sudo -l. There’s also improved behavior when run from serial consoles, a return to using TCSAFLUSH to discard stray password input, and added support for SUDO_TTY to track the user’s original terminal.

GStreamer 1.26.4 and 1.26.3: The multimedia framework 1.26.4 update resolves issues with reverse playback in adaptive streaming and improves compatibility with services like AWS MediaLive and LiveKit. The update also adds support for more precise timestamping in MP4 files and fixes potential deadlocks when using WebRTC, which is common in video conferencing apps. Version 1.26.3 resolves a security issue in the H.266 video parser and fixes problems with WAV files and subtitles that could previously cause crashes or excessive memory usage. Improvements were made to video caption rendering, audio/video sync, large MP4 file creation, and support for live video formats like MPEG-TS and fragmented MP4. A new AI speech synthesis feature using the ElevenLabs API was added, and improvements were made to accessibility features like closed captions.

nvme-cli 2.15: This release adds new commands for power management, arbitration, volatile write cache control, temperature thresholds, and timestamps, giving users more insight and control over their devices. Output formatting has been expanded with more detailed and verbose logs. Plugins for major vendors such as HPE, Western Digital, NetApp, Micron, and MangoBoost received updates for broader device support and improved error handling. Memory handling and device discovery were improved to prevent leaks and incorrect reporting, while new NUMA and arbitration features align with libnvme changes.

libnvme 1.15: This update improves system stability and compatibility by fixing memory handling issues, refining documentation, and enhancing support for power management, health monitoring, and temperature thresholds. It also adds better handling for NVMe path discovery. Numerous tests were added or extended to cover ioctl functions, sysfs handling, and feature sets to boost overall reliability. Documentation was refreshed.

Bug Fixes and Security Updates

Several key security vulnerabilities were addressed this month. The Common Vulnerabilities and Exposures (CVEs) addressed this month are:

Security Updates

sudo 1.9.17p1:

  • CVE-2025-32462: Fixed local privilege escalation vulnerability in sudo via the --host option.
  • CVE-2025-32463: Resolved local privilege escalation issue in sudo related to the chroot option.

qt6-base:

  • CVE-2025-5992: Prevented denial-of-service via out-of-range values in Qt’s QColorTransferGenericFunction.

bind 9.20.11:

  • CVE-2025-40777: Fixed a heap buffer overflow in libvirt’s secret_xml_extract_value() that could lead to remote code execution.

ImageMagick 7.1.2.0:

  • CVE-2025-53101: Fixed improper validation in OpenJDK’s XML parsing, preventing crafted XML attacks.
  • CVE-2025-53014: Patched integer overflow in libjpeg-turbo’s JPEG decompression that could cause crashes.
  • CVE-2025-53015: Addressed buffer underflow in libjpeg-turbo during color space conversion.
  • CVE-2025-53019: Fixed out-of-bounds write in libjpeg-turbo’s progressive JPEG decoder.

libavif:

  • CVE-2025-48175: Patched stack buffer overflow in Bash when expanding environment variables.
  • CVE-2025-48174: Fixed use-after-free in Bash’s associative array handling during parameter expansion.

php8 8.4.10:

  • CVE-2025-1735: Fixed improper URL validation in Apache HTTP Server leading to possible path traversal.
  • CVE-2025-6491: Patched integer overflow in SQLite vulnerable to denial-of-service via crafted queries.
  • CVE-2025-1220: Resolved out-of-bounds read in libpng when processing malformed PNG chunks.

git 2.50.1:

  • CVE-2025-27613: Fixed integer overflow in libxml2’s DTD parsing with malicious entities.
  • CVE-2025-27614: Patched buffer overflow in libxml2’s XML external entity handling.
  • CVE-2025-46334: Addressed memory leak in systemd when processing malformed unit files.
  • CVE-2025-46835: Fixed out-of-bounds read in zlib during deflate processing of crafted data.
  • CVE-2025-48384: Resolved use-after-free in PulseAudio’s module loading when unloading quickly.
  • CVE-2025-48385: Patched buffer under-read in PulseAudio’s sample format conversion.
  • CVE-2025-48386: Fixed race condition in PulseAudio’s client disconnect handling causing crashes.

apache2-mod_php8 8.4.10:

  • CVE-2025-1735: Fixed improper URL validation in Apache HTTP Server leading to possible path traversal.
  • CVE-2025-6491: Patched integer overflow in SQLite vulnerable to denial-of-service via crafted queries.
  • CVE-2025-1220: Resolved out-of-bounds read in libpng when processing malformed PNG chunks.

xen 4.20.1:

  • CVE-2025-27465: Fixed incorrect exception handling in Xen’s x86 instruction replay stubs, which could lead to a hypervisor crash and cause Denial of Service (DoS) by an unprivileged guest.

poppler 25.06.0:

  • CVE-2025-52886: Fixed out-of-bounds read in libxml2’s xmlParseNameComplex() that could lead to denial of service (DoS).

Mozilla Firefox 141 and 140:

  • CVE-2025-8027: Fixed JavaScript engine bug where only a partial return value was written to the stack.
  • CVE-2025-8028: Addressed issue where a large branch table could lead to truncated instructions.
  • CVE-2025-8041: Corrected URL truncation flaw in Firefox for Android.
  • CVE-2025-8042: Patched issue allowing sandboxed iframes to initiate downloads.
  • CVE-2025-8029: Fixed vulnerability where javascript: URLs could execute in <object> and <embed> tags.
  • CVE-2025-8036: Resolved DNS rebinding issue that allowed circumvention of CORS restrictions.
  • CVE-2025-8037: Patched vulnerability where nameless cookies could shadow secure cookies.
  • CVE-2025-8030: Fixed potential user-assisted code execution risk in the “Copy as cURL” developer tool command.
  • CVE-2025-8043: Addressed another incorrect URL truncation issue.
  • CVE-2025-8031: Corrected improper URL stripping in CSP (Content Security Policy) reports.
  • CVE-2025-8032: Fixed XSLT documents being able to bypass CSP restrictions.
  • CVE-2025-8038: Patched enforcement issue where CSP frame-src was not correctly applied to paths.
  • CVE-2025-8039: Resolved privacy issue where search terms persisted in the URL bar.
  • CVE-2025-8033: Fixed JavaScript state machine bug affecting generator functions.
  • CVE-2025-8044: Patched memory safety bugs in Firefox 141 and Thunderbird 141.
  • CVE-2025-8034: Fixed memory safety vulnerabilities in Firefox ESR 115.26, ESR 128.13, ESR 140.1, Firefox 141, and corresponding Thunderbird versions.
  • CVE-2025-8040: Resolved memory safety bugs in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141, and Thunderbird 141.
  • CVE-2025-8035: Patched memory safety vulnerabilities in Firefox ESR 128.13, ESR 140.1, Firefox 141, and corresponding Thunderbird versions.
  • CVE-2025-6424: Use-after-free in FontFaceSet.
  • CVE-2025-6425: The WebCompat WebExtension shipped with Firefox exposed a persistent UUID.
  • CVE-2025-6426: No warning when opening executable terminal files on macOS.
  • CVE-2025-6427: connect-src Content Security Policy restriction could be bypassed.
  • CVE-2025-6429: Incorrect parsing of URLs could have allowed embedding of youtube.com.
  • CVE-2025-6430: Content-Disposition header ignored when a file is included in an embed or object tag.
  • CVE-2025-6431: An attacker could have bypassed this prompt, potentially exposing the user to security vulnerabilities or privacy leaks in external applications.

mozjs128 128.13.0 and 128.12.0:

  • CVE-2025-8027: Fixed JavaScript engine bug where only a partial return value was written to the stack.
  • CVE-2025-8028: Addressed vulnerability where a large branch table could cause truncated instructions.
  • CVE-2025-8029: Fixed issue allowing javascript: URLs to execute in <object> and <embed> tags.
  • CVE-2025-8030: Patched potential user-assisted code execution vulnerability in the “Copy as cURL” command.
  • CVE-2025-8031: Corrected improper URL stripping in Content Security Policy (CSP) reports.
  • CVE-2025-8032: Fixed flaw allowing XSLT documents to bypass CSP restrictions.
  • CVE-2025-8033: Addressed JavaScript state machine bug affecting generator functions.
  • CVE-2025-8034: Patched multiple memory safety bugs in Firefox ESR 115.26, ESR 128.13, ESR 140.1, Firefox 141, and corresponding Thunderbird versions.
  • CVE-2025-8035: Fixed memory safety vulnerabilities in Firefox ESR 128.13, ESR 140.1, Firefox 141, and corresponding Thunderbird versions.
  • CVE-2025-6424: Fixed use-after-free vulnerability in FontFaceSet that could lead to memory corruption.
  • CVE-2025-6425: Resolved exposure of a persistent UUID via the WebCompat WebExtension.
  • CVE-2025-6426: Addressed lack of warning when opening executable terminal files on macOS.
  • CVE-2025-6429: Fixed URL parsing flaw that could allow embedding content from youtube.com improperly.
  • CVE-2025-6430: Corrected handling of the Content-Disposition header when files are included via <embed> or <object>.
  • CVE-2025-5283: Fixed double-free vulnerability in the libvpx encoder.
  • CVE-2025-5263: Patched improper isolation of error handling for script execution from web content.
  • CVE-2025-5264: Fixed local code execution risk in the “Copy as cURL” developer tool command.
  • CVE-2025-5265: Addressed another local code execution vector via the “Copy as cURL” command.
  • CVE-2025-5266: Resolved cross-origin information leak through script element events.
  • CVE-2025-5267: Fixed clickjacking vulnerability that could expose saved payment card details.
  • CVE-2025-5268: Patched multiple memory safety issues in Firefox 139, Thunderbird 139, and ESR 128.11 releases.
  • CVE-2025-5269: Fixed additional memory safety bug in Firefox ESR 128.11 and Thunderbird 128.11.

openssl-3 3.5.1:

  • CVE-2025-5278: Fixed unintended evaluation of stylesheet rules in WebKit.
  • CVE-2025-4575: Corrected OpenSSL’s -addreject flag misuse to prevent unintended trust marks.

raptor:

  • CVE-2024-57822: Patched memory corruption in LibreOffice’s XML parser via crafted documents.
  • CVE-2024-57823: Addressed use-after-free in LibreOffice’s graphics handling layer.

djvulibre 3.5.29:

  • CVE-2025-53367: Fixed various bugs, added corrupted file tests, and resolved clang warning issues.
  • CVE-2021-32490: Fixed out-of-bounds write in DjVu decode function.
  • CVE-2021-32491: Resolved memory corruption via malformed JB2 streams.
  • CVE-2021-32492: Addressed improper bounds checks in the IW44 decompression code.
  • CVE-2021-32493: Fixed heap buffer overflow in the RLE decoder.
  • CVE-2021-46310: Patched denial-of-service vulnerability due to infinite loop in JBIG2 decoding.

libxml2:

  • CVE-2025-49794: Fixed heap use-after-free vulnerability that could lead to denial of service (DoS).
  • CVE-2025-49795: Patched null pointer dereference issue that could cause a denial of service (DoS).
  • CVE-2025-49796: Resolved type confusion vulnerability potentially leading to denial of service (DoS).
  • CVE-2025-6021: Fixed integer overflow in xmlBuildQName() that could cause a stack buffer overflow.
  • CVE-2025-6170: Addressed stack buffer overflow vulnerability that could result in application crashes.

apache2 2.4.64:

  • CVE-2025-53020: Fixed denial-of-service vulnerability in Apache HTTP Server’s HTTP/2 implementation that could cause excessive memory usage.
  • CVE-2025-49812: Addressed TLS upgrade attack in mod_ssl that could compromise encrypted connections.
  • CVE-2025-49630: Patched denial-of-service issue in mod_proxy_http2.
  • CVE-2025-23048: Fixed access control bypass in mod_ssl when using TLS session resumption.
  • CVE-2024-47252: Corrected improper escaping of variables in mod_ssl error logs.
  • CVE-2024-43394: Resolved SSRF vulnerability on Windows caused by improper handling of UNC paths.
  • CVE-2024-43204: Fixed SSRF issue when mod_headers was used to set the Content-Type header.
  • CVE-2024-42516: Patched HTTP response splitting vulnerability in Apache HTTP Server.
  • CVE-2025-54090: Fixed logical flaw in Apache HTTP Server 2.4.64.

Users are advised to update to the latest versions to mitigate these vulnerabilities.

Conclusion

July continued openSUSE Tumbleweed’s tradition of delivering powerful improvements to the Linux desktop and infrastructure stack. From hardware tools like hwinfo to desktop environments powered by KDE Plasma 6.4.3, and from multimedia upgrades in GStreamer to security-focused enhancements in sudo, bind, and libxml2, the rolling release reinforced its reputation for cutting-edge stability. With critical CVEs addressed across dozens of core packages, users benefit not only from new features but also from hardened security.

Slowroll Arrivals

Please note that these updates also apply to Slowroll and arrive, on average, 5 to 10 days after being released in a Tumbleweed snapshot. This monthly approach has been consistent for many months, ensuring stability and timely enhancements for users. Updated packages for Slowroll are regularly announced in emails on the openSUSE Factory mailing list.

Contributing to openSUSE Tumbleweed

Stay updated with the latest snapshots by subscribing to the openSUSE Factory mailing list. Tumbleweed users who want to contribute or engage in detailed technical discussions should also subscribe to the openSUSE Factory mailing list. The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.

Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.

OBS: Refining Your Notifications

We’re back with a couple of features and improvements that landed recently. Together with some performance enhancements, these updates, driven by your feedback, aim to improve your experience with the OBS notifications. Get What You Need If you find yourself receiving a high volume of notifications, we highly recommend visiting your subscriptions page to fine-tune what you see. This allows you to narrow down your notifications and ensure your feed is as relevant as possible....