Requests For Groups And More Filters to the Request Index
The Anti-Social Century
If you read only one long article this month, it should be The Anti-Social Century by The Atlantic.
I planned to write about tribalism for a long time, as it bothers me a lot and often puts me in trouble. Unfortunately, most people think in tribes, such as “I’m a Democrat”, “I’m a Republican”, or “You’re either with us, or against us”. Something similar also exists here in Hungary. When I agree with something that others also support, those people think that I belong to their tribe. However, as soon as I disagree with them about something, those same people immediately think that I belong to another tribe. But nothing could be further from the truth–I do not belong to any tribe. If I agree on something with the Democrats, it does not mean that I reject everything that the Republicans say. And the same is true the other way round.

And this applies not just to politics, but to all aspects of life, including IT. Just think about my operating system affiliations. I consider myself a FreeBSD guy at heart. Still, I use openSUSE as my main OS on my laptop, as it provides the best installation and hardware support (often better than Windows) and has most of the software I need. My colleagues have a lot more trouble using the same company laptop with other operating systems. That said, I also use Windows, even if my title is “open-source evangelist”: Teams and PowerPoint for work, and Capture One and Ableton for my hobbies. And even if I use FreeBSD, openSUSE and Windows as my daily drivers, most of my friends are from the Fedora / RHEL (& compatibles) community, as most syslog-ng users use CentOS and friends, which means that I spend most of my time with those people. Would it help in any way if I embraced a tribal mindset for the various Linux distros or operating systems? Certainly not.
Long story short: Forget tribalism and be social! The article in The Atlantic describes many changes that led to this situation. If we are aware of these, we can hopefully reverse the trends.
Working with parsed Active Roles logs in syslog-ng
In my previous OneIdentity Active Roles blog, you learned how to forward Active Roles logs to a central syslog-ng server to parse and store the logs. In this blog, I’ll show you how to:
- Work with parsed Active Roles logs.
- Store logs to various document stores.
- Prepare long-term storage.
- Send alerts for some critical events.
Even if this blog is about commercial software, the name-value pairs concept I describe in depth in this blog is the same in the open source syslog-ng.
https://www.syslog-ng.com/community/b/blog/posts/working-with-parsed-active-roles-logs-in-syslog-ng

Music of the week: Rhapsody in Blue
This week, I reorganized the speakers in my room and wanted to test the change by listening to a wide variety of music. The first piece that came to my mind was “Rhapsody in Blue” by Gershwin https://en.wikipedia.org/wiki/Rhapsody_in_Blue, as I have a fantastic recording of it made by the Pittsburgh Symphony Orchestra. That said, I know that I’m not enough of a music maniac, as I do not have it on vinyl, but rather as a digital download from HDTracks: https://www.hdtracks.com/#/album/5de7b4c75935a842dd765e23. Rhapsody in Blue already sounded great with the original setup, but placing the speakers farther away from each other and turning up the volume worked wonders. Even in a middle-sized room, it suddenly sounded as if I was in a huge concert hall.
TIDAL: https://listen.tidal.com/album/79240363
Once the album was over, I wanted to experiment further. That’s when I realized that I have a few more recordings of Rhapsody in Blue. Well, not the original, but various adaptations. The next one I listened to had a completely different style: progressive metal. It is on the third album of Liquid Tension Experiment. This was the only time when the new setup did not improve the sound. I mean, it wasn’t bad at all, but a bit more bass would have helped :-) I listened to this music from a Blu-ray disk.
TIDAL: https://listen.tidal.com/album/168567035
The third song featuring the melodies of Rhapsody in Blue was recorded by Hiromi, a jazz pianist from Japan. I have this album as a CD from Japan, but I also have it in high resolution FLAC files from HDTracks: https://www.hdtracks.com/#/album/5dfb7dc30a58de3182f046f0. I know the sound of the piano pretty well, as there was at least one piano in my home most of my life. Turning up the volume a bit and listening to a good recording worked wonders: it was a lot more lifelike than usual.
TIDAL: https://listen.tidal.com/album/119047940/
The new speaker arrangement gives a nicer, more realistic sound. However, it also needs to be louder, as I’m farther away from the speakers. So, for now, I just note the position of the speakers and move back everything as it was previously…
I am looking for even more Rhapsody in Blue recordings. Do you have any recommendations, either for the original or for other arrangements?
Tumbleweed – Review of the week 2025/09
Dear Tumbleweed users and hackers,
This has been a very productive week with 7 published snapshots (0220…0226). Naturally, some snapshots were a bit smaller than others. It does not matter if you update to all intermediate snapshots or skip a few. Tumbleweed is built to be resilient against this and should not care much. We frequently hear that people fire up a VM that was last used one year ago, run zypper dup, and are positively surprised that this all works. But you should be allowed to expect that.
The 7 snapshots from this week brought you these changes:
- KDE Plasma 6.3.1
- GPG 2.5.4
- MariaDB 11.7.2
- Poppler 25.02.0
- LibXML 2.13.6
- PostgreSQL 17.4
- Mesa 25.0.0
- Linux kernel 6.13.4
- Boost 1.87.0
- ZStd 1.5.7
- move to openmpi5
Staging projects are well occupied – testing these changes/updates:
- KDE Plasma 6.3.2
- Linux kernel 6.13.5
- GCC 15: We will run the well-tested 2-phase approach from previous years: first, switch the used libraries to the ones generated by gcc15 (the phase we are currently working on), then later switch to GCC 15 being the compiler.
- glibc 2.41: please help work out the errors in https://build.opensuse.org/project/show/openSUSE:Factory:Staging:O
- Python 3.13 as the default Python interpreter: Pending issues can be seen at https://build.opensuse.org/project/show/openSUSE:Factory:Staging:A. Just 1 more package to go: CEPH!
AI hands out Windows keys, but Linux never had a lock
AI’s latest escapade into software piracy has left Microsoft scrambling, but let’s be honest; why even go through the hassle? If people are looking at not paying for an operating system, they don’t need to look far when alternatives like openSUSE exist.
With Linux distributions like openSUSE, there are no activation codes, no shady workarounds, no costs; just a fully functional, open and freely available operating system so users don’t have to break the law to break free from Windows’ licensing fees.
The Financial Benefits of Moving to Linux
Millions of computer users face a financial decision as they prepare for the end of support for Windows 10 in October 2025; upgrade their operating systems at a cost depending on the user’s location, purchase new hardware with an OS installed or explore alternatives. Or, as Copilot seems to suggest, they could just ask an AI how to pirate Windows; because nothing says “secure computing” like taking legal advice from a chatbot.
For those feeling the pinch of rising costs due to stagflation, Linux distributions, particularly openSUSE’s Leap and Tumbleweed, offer a compelling, cost-effective alternative.
With no licensing fees, extended hardware compatibility and an abundance of software applications, Linux operating systems provide a compelling solution to reduce expenses while maintaining productivity, security and extending hardware lifespans to reduce electronic waste.
As part of our Upgrade to Freedom! campaign, this write-up focuses on the financial benefits of switching to openSUSE or another Linux operating system.
No Licensing Fees
One of the most immediate savings people notice when switching to Linux is the elimination of licensing fees. Licensing fees for some commercial operating systems can cost more than $100 USD per device. Enterprise solutions often incur additional costs for maintenance and upgrades.
Instead, people can save that money by going to get.opensuse.org and downloading an operating system without needing any codes or paying any money.
This zero-cost licensing model translates to significant savings to individual users, small businesses and large enterprises.
Investing in Linux is investing in one’s knowledge; it’s an investment into freedom. People get a professional-grade operating system without recurring costs using openSUSE.
Extend the Life of Your Hardware
Newer versions of Windows may require specific hardware features like TPM 2.0 and Secure Boot. For many older devices, this could render these devices incompatible and force users to purchase new machines.
The cost of a new laptop can run $350 USD or more, which is a substantial expense in a struggling economy. For a business, multiple devices could come at a hefty cost.
By contrast, openSUSE is optimized to run efficiently on a wide range of hardware, which includes older machines. Leap provides long-term stability, while Tumbleweed offers the newest software updates to ensure devices remain relevant and functional for years to come. Members of the openSUSE community can also recommend using distributions like Slowroll, Aeon and Kalpa.
By switching to Linux, users may extend the life of their existing hardware and avoid contributing to any unnecessary e-waste; a cost that is much more precious than financial savings.
Apps and Open-Source Software
The financial benefits of Linux extend well beyond the operating system itself. The distributions provide access to a vast library of free, open-source applications that can replace costly proprietary software.
- Office Suites: LibreOffice is a powerful alternative to office suites that charge a premium.
- Creative Tools: GIMP and Inkscape provide robust alternatives to graphic design and image editing software, which can cost upwards of $600 per year for subscriptions.
- Development Tools: Developers can access free Integrated Development Environments like Visual Studio Code, JetBrains’ IntelliJ IDEA Community Edition and Eclipse.
For users who require specific Windows applications, tools like Wine, Bottles and Proton can help run those programs on Linux, which eliminates the need for additional software purchases. Linux systems are renowned for stability and security along with the reduction of time and money spent on IT support and maintenance.
Setup tools like YaST and advances with Agama provide intuitive ways to manage systems, updates, configurations and software installations, which can make things easy for non-technical users.
For businesses, the cost savings of switching to Linux can be immense. Companies running Windows often incur costs for server licenses and client access licenses (CALs). By moving to open-source solutions like openSUSE and its enterprise-focused sibling, SUSE Linux Enterprise, businesses can significantly reduce their IT expenses.
Small and medium-sized businesses can save thousands of dollars annually by adopting Linux. It’s not just about the initial savings but an ongoing reduction to operational costs.
As Windows 10 nears its expiration date, users and businesses have a choice: switch to openSUSE for a free, reliable solution; or start asking AI for sketchy workarounds and hope for the best.
Here is a step-by-step guide to start installing openSUSE.
This is part of a series on Upgrade to Freedom where we offer reasons to transition from Windows to Linux.
Releasing version 12 and a roadmap
Agama development goes on at a good pace and, approximately one month after our latest blog post, we have more news for you. Not only a new version of Agama with a completely refreshed user interface and other significant changes, but also some information about the future.
New visual appearance
Let's start with the most obvious change introduced at Agama 12. You may know that the Agama web interface relies on the Patternfly framework, the same design system used by Cockpit. In this version of Agama, we migrated to the latest major version of Patternfly (v6), which brings several improvements and quite noticeable visual changes. Moreover, we took the opportunity to align with the SUSE branding guidelines regarding aspects like typography, colors, etc.
More than ever, in this case a picture is worth a thousand words.

But the changes on the user interface go far beyond cosmetic aspects and general usability improvements. On top of that, some sections went through an overhaul.
Revamped Storage section
In previous Agama releases, the section of the user interface used to configure the storage devices (partitions, LVM, etc.) was very powerful. It allowed users to create complex setups over single or multiple disks based on partitions and/or LVM volume groups, to use hard disks directly formatted (without partitions), to reuse existing partitions or volume groups (optionally re-formatting them) and much more. But it had some problems.
On the one hand, most users failed to discover how to access all those features. The interface was not self-explanatory enough. On the other hand, we were struggling to find a way to add more functionality (especially software RAIDs) in a consistent way. To make things a bit more problematic, the configuration generated by that user interface was not fully aligned with the usual mindset of our users currently relying on profile-based configuration (i.e. unattended installation).
Thus, a couple of months ago, we decided to change the approach of that user interface. But it took us some time to reach a point in which the new interface is functional enough for basic configurations.

The new section is still far from its final form and also from providing all the possibilities of the previous interface. So expect significant updates on future releases, like bringing back the support to define LVM volume groups. Meanwhile, you can read about its existing and future capabilities at the corresponding section of the Agama user documentation.
Changes in authentication management
Security is a topic that demands constant re-evaluation. When it comes to a Linux system, one of the first aspects of security is the way to organize users, privileges and authentication. SUSE and openSUSE have been reconsidering lately how to approach that and it seems clear that the traditional role of the root user and the default configuration of sudo are going to change in future releases of SLE and openSUSE Leap.
Agama 12 already takes the first steps to adapt to the new situation, removing the mandatory step to set a password for the root user and introducing a new Authentication section instead of the former Users one.

This is just the first iteration for a part of Agama that will receive several improvements regarding usability and wording in upcoming releases.
Post-partitioning script
Not all changes at Agama 12 affect the user interface. Unattended installation also received a bunch of improvements, including the ability to execute scripts right after setting up the storage layout.
As you may know, both AutoYaST and Agama offer the possibility to specify custom scripts that can be executed at several points of the installation workflow. In previous versions Agama already offered the so-called pre-installation scripts, post-installation scripts and init scripts. But now Agama 12 offers also post-partitioning scripts that can be used, among many other things, to deploy configuration files before the packages are installed, modifying with that the behavior of the scripts included at RPM packages.
Information about AutoYaST compatibility
And talking about unattended installation, we cannot forget one of the main features of Agama - its backwards compatibility with AutoYaST. Such compatibility is not perfect and never will be, due to the difference in scope between Agama (focused on installation) and AutoYaST (a more general configuration tool).
Now when Agama reads an AutoYaST profile it informs the user about the sections that will be ignored, making a difference between those sections that will be supported soon by Agama and those that are considered to be out of its scope even for the future.

The report can be disabled by specifying agama.ay_check=0 as a boot parameter.
We also took the opportunity to update the corresponding information at the AutoYaST compatibility reference document. What is even better, we introduced some mechanisms to generate such a document based on the same information used by Agama to generate the compatibility report during execution, so we can make sure the documentation is in sync with the actual implementation.
Improvements at the Live ISO
Most users will execute Agama using the default installation media for SUSE or openSUSE distributions, which we unsurprisingly call Agama-live (since it is just a live Linux system running Agama).
Although the installation media is relatively independent from Agama itself, we take every Agama release as an opportunity to announce some of the latest improvements. On this occasion that includes some tweaks to the underlying window manager (IceWM), less aggressive settings for both power saving and the screensaver and the ability to open a terminal emulator by pressing ctrl+alt+t.

Find the latest version of the openSUSE Agama Live ISO image, including Agama 12, at its usual location.
A glance into the future
This time we will use the release of Agama 12 as an opportunity to announce something else. We decided to add a Roadmap section to the Agama home page.
They say "plans are useless, but planning is indispensable". That may be the case of the Agama roadmap. We have a clear goal in the mid term, but we are constantly re-evaluating our priorities and the next steps to be taken. As such, you can expect that document to be updated often. Do not carve it into stone!
See you soon!
As you can see in the mentioned roadmap, we plan to release Agama 13 by the end of March. And of course that will mean another blog post for you to enjoy the YaST Team adventures.
Meanwhile, you can also find us at SUSECON 2025, which will take place in Orlando (USA). Part of the team will be there to meet our beloved users and conduct a couple of sessions about Agama.
If you cannot be there in person, you can of course meet us at our usual online channels, like the Agama project at GitHub and the #yast channel at Libera.chat.
Have a lot of fun!
Idea from FOSDEM: Power 11 AI workstation
During CES Nvidia announced a new AI desktop supercomputer: Project DIGITS. Starting at $3000 it puts AI processing capabilities on the desktop that just recently needed multiple servers and a few more zeroes at the end of the price tag.
As an IBM Champion for POWER my first thought was that Project DIGITS is nice, but I’d love to see something based on POWER. Of course it’s just a game of thoughts, as IBM left the workstation business many years ago, both for x86 and POWER. So, even if I had some ideas, I did not care much about them. However, at FOSDEM someone described almost the same dream AI system. It means that I’m not alone, and it’s worth sharing this idea :-) And, of course, even if it is never implemented as a workstation, the technologies are interesting to learn about.
POWER 10 already has some extra instructions related to AI, making it efficient at AI tasks even without using a GPU. You can read more about it in the IBM blog at https://developer.ibm.com/blogs/run-ai-inferencing-on-power10-leveraging-mma/. Power 11 is coming this year, and will include these instructions while being both faster and more energy efficient.
At IBM it’s not just Power CPUs when it comes to AI. They are also working on a dedicated AI accelerator card, called Spyre. I’m an environmental engineer by degree, so I very much appreciate IBM’s approach here. They focus on energy efficiency. If a single card does not provide you with enough processing capabilities, you can use multiple easy to cool cards, which also helps to reduce hardware failure rates.
After all this introduction I guess you could figure out our idea: a Power 11 + Spyre AI accelerator workstation. Just the smallest Power 11 CPU coupled with a single Spyre AI accelerator card and an entry level graphics card, all nicely packed in a well sealed silent case. The GPU here is just to drive the screen, not for AI. It could lower the entry barrier to AI on Power, and make developers more passionate about their jobs.
Why a workstation, and why do I mention passion? Having a workstation is not a requirement to develop for an architecture. However, I know from talking to people at FOSDEM, many other conferences or on-line, that most developers have more passion working on things on a machine on / under their desk. In the open source world, many important developments are born due to passion, in spare time, even by paid developers. Having a Power workstation with AI also could help in keeping POWER relevant in the open source world.

Tumbleweed Monthly Update - February 2025
This month delivered multiple snapshots and a wide range of updates plus a major default change highlighted in mid-February and a major version update of the Mesa 3D Graphic Library. GIMP 3.0.0~RC3 appears close to being final with GTK 3.24.48 integration. KDE Plasma 6.3 enhances fractional scaling, introduces a refined zoom effect, and overhauls drawing tablet settings. Meanwhile, KDE Gear 24.12.2 refines usability, gdb 15.2 improves debugging efficiency and fwupd enhances firmware update handling. Other notable updates include postgresql 17.3, Ruby 3.4.2, and critical security fixes in OpenSSL 3.4.1.
As always, be sure to roll back using snapper if any issues arise.
Happy updating and tumble on!
For more details on the change logs for the month, visit the openSUSE Factory mailing list.
New Features and Enhancements
Mesa 25.0: This release introduces Vulkan 1.4 support on radv/gfx8+, along with multiple new Vulkan extensions for panvk, including VK_KHR_dedicated_allocation, VK_KHR_global_priority, VK_KHR_multiview, VK_KHR_shader_float16_int8, VK_EXT_image_robustness, and more. Initial GFX12 (RDNA4) support is also added for radv. Performance optimizations were made for radv, anv, and panvk, improving stability across different applications. Additional fixes improve Wayland and X11 compatibility, correct video decoding issues, and resolve memory leaks affecting various games and workloads.
GIMP 3.0.0~RC3: The latest RC finalizes GTK 3.24.48 integration, resolves crashes in Wayland and improves Right-To-Left text rendering. Image graph enhancements prevent unnecessary bit-depth conversions, which preserves detail in non-destructive edits. Thread-safe projection fixes eliminate crashes from multi-threading conflicts. The Script-Fu Application Programming Interface introduces a new named-argument syntax to make scripts more flexible and readable. Official AppImage distribution ensures a clean, upstream-supported package for Linux users. GEGL optimizations refine filters and floating-point operations. With only a few remaining bug fixes, GIMP 3.0 is nearly ready for release.
KDE Plasma 6.3: KDE Plasma 6.3 refines fractional scaling in Window Manager and Wayland Compositor KWin to provide sharper visuals and align elements to the pixel grid. The zoom effect provides a pixel-perfect magnification with a grid overlay that can be useful for designers. The Drawing Tablet settings receive a major overhaul with stylus pressure curve adjustments and better calibration. The system monitor improves CPU tracking while using fewer resources; its Info Center now displays GPU details and battery cycle counts. App store Discover enhances security by highlighting permission changes in sandboxed apps, and the Weather widget adds Deutscher Wetterdienst as a data source. Usability tweaks include touchpad auto-disable for mouse users, a reorganized launcher menu, and a refined kickoff behavior that switches categories only on click. Customization options expand with panel cloning, scriptable opacity adjustments, and flexible launcher icons.
gdb 15.2: This major version update improves startup performance with background DWARF reading and refines debugging features, including new commands for missing debug handlers and thread management. GDB now generates sparse core files, provides better error messaging, and supports configurable timeouts for inferior function calls. Changes in GDBserver simplify debugging options, and new Python API functions enhance scripting capabilities. The update also deprecates MPX-related commands and refines existing commands for clarity and consistency.
fwupd: This update introduces new features such as fwupdtool efiboot-hive for setting the nmbl cmdline, improved inhibition reason handling in fwupdmgr, and USB-provided hidraw support for DS-20 descriptors. Bug fixes include proper dbx deployment on MSI hardware, Lenovo version parsing corrections, improved Logitech HID++ detection, and performance optimizations. Additionally, support has been added for HPE Gen10/Gen10+ devices using Redfish, along with better handling of future Huddly devices and more reliable Logitech Rallybar updates.
KDE Frameworks 6.11.0: KDE Frameworks 6.11.0 improves Baloo’s database handling by propagating failure reasons and reducing manual management of m_env. Breeze Icons introduces a 12x12 version of the open-link icon and updates close icons to black X symbols. KConfig now reads defaults from the Windows registry and improves nested group value handling. Kirigami refines SwipeListItem’s keyboard navigation and fixes deep nesting in ActionsMenu. KIO addresses symlink path resolution in file properties and enhances file dialog undo behavior. KTextEditor improves bookmark cycling and refines theme config margins. KSVG enhances render cache thread safety, and KWallet removes unused functions for a leaner codebase.
KDE Gear 24.12.2: KDE’s Dolphin improves icon scaling and overlay handling, while Kdenlive fixes crashes, enhances effect stacking and improves rendering progress visibility. KMail and Kontact streamline account management, preventing duplicate entries when deleting accounts. KTrip and KWeather clean up unused strings for a smoother mobile experience. Kate ensures proper selection handling and fixes search match exports. Okular prevents hangs in forms with numerous choice fields and correctly responds to palette changes.
postgresql 17.3: This update addresses various security fixes and performance improvements. A key security fix strengthens encoding validation in PQescapeString and related functions to prevent potential SQL injection risks. Connection privilege checks and limits are now properly enforced for parallel workers. Several bug fixes improve database stability, including preventing catalog corruption during vacuum operations, fixing race conditions in parallel queries, and resolving unexpected transaction errors. Other enhancements include improved handling of SQL/JSON deparsing, better collation consistency in UNION queries, and optimizations for VACUUM and indexing.
Ruby 3.4.2: Key fixes for this package address segmentation faults in ripper, stack consistency errors in -ne, and unexpected behavior in Array#sum and Numeric subclasses. Parsing issues in prism and parse.y have been resolved, including recursion depth inconsistencies and handling of unnamed forwarding variables. Other fixes include improved compatibility with GNU Compiler Collection 15, corrections for Module#autoload? performance, TCPSocket error handling, and ensuring encoding consistency in ENV.inspect. Additionally, a TLS fix for ARM64 has been backported, and various syntax inconsistencies have been addressed.
wireplumber 0.5.8: This update introduces support for handling UCM SplitPCM nodes in the Advanced Linux Sound Architecture monitor and improves PipeWire channel remapping via loopbacks. New functions enable marking WpSpaDevice child objects as pending, which enhances the handling of asynchronously created loopback nodes. ALSA node name deduplication has been improved, which prevents unnecessary .2, .3 suffixes. Fixes include resolving duplicate Bluetooth SCO (HSP/HFP) sources in UIs, correcting stream-restore behavior for device loopback nodes, and addressing issues in wp_lua_log_topic_copy(). Additionally, test scripts have been updated for improved object identification consistency.
python-cryptography 44.0.0: This major pypi update drops support for LibreSSL < 3.9 and deprecates Python 3.7, which will be removed in a future release. Linux wheels are now compiled with OpenSSL 3.4.0. The update enforces RFC 5280 rules preventing empty extended key usage extensions, allows timestamp extraction for MultiFernet, and relaxes Authority Key Identifier requirements on root CA certificates. Support for Argon2id KDF is added when using OpenSSL 3.2.0+, along with support for the Admissions certificate extension. Additionally, PKCS7 decryption, including S/MIME 3.2, is now supported via new decryption functions.
python-pyOpenSSL 25.0.0: This major pypi update removes deprecated APIs, including CRL, Revoked, dump_crl, and load_crl, and transitions users to cryptography.x509 for CRL functionality. The sign and verify functions have been removed in favor of cryptography.hazmat.primitives.asymmetric signature APIs. Deprecated features include OpenSSL.rand (use os.urandom() instead), X509Extension, and elliptic curve functions. Future deprecations are planned for X509 and PKey objects, with users encouraged to migrate to cryptography.x509.Certificate and cryptography private keys. The update also introduces an as_cryptography argument for get_certificate and related functions, allowing cryptography.x509.Certificate objects to be returned.
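For code that still calls the removed pyOpenSSL sign, verify and CRL helpers, the sketch below shows equivalents built only on the cryptography package, as the two entries above describe. It is an added example, not code from either project; the function names, the ECDSA P-256 key type and the "Example Test CA" issuer are assumptions made for illustration.

```python
"""Added example: cryptography-based stand-ins for APIs removed in pyOpenSSL 25.0.0."""
import datetime
import os

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed issuer name for the demo; not a real CA.
ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])


def random_serial() -> int:
    """os.urandom() in place of the deprecated OpenSSL.rand; always positive."""
    return int.from_bytes(os.urandom(16), "big") | 1


def sign_blob(private_key, data: bytes) -> bytes:
    """Stand-in for the removed OpenSSL.crypto.sign()."""
    return private_key.sign(data, ec.ECDSA(hashes.SHA256()))


def verify_blob(public_key, signature: bytes, data: bytes) -> bool:
    """Stand-in for the removed OpenSSL.crypto.verify(); returns a bool."""
    try:
        public_key.verify(signature, data, ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False


def build_crl_pem(issuer_key, issuer_name, revoked_serials) -> bytes:
    """Stand-in for the removed CRL/Revoked/dump_crl trio: build and sign a CRL."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer_name)
        .last_update(now)
        .next_update(now + datetime.timedelta(days=7))
    )
    for serial in revoked_serials:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(now)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    crl = builder.sign(private_key=issuer_key, algorithm=hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.PEM)


def is_revoked(crl_pem: bytes, issuer_public_key, serial: int) -> bool:
    """Stand-in for load_crl(): parse, check the CRL signature, then look up."""
    crl = x509.load_pem_x509_crl(crl_pem)
    # A CRL that does not verify against the expected issuer must not be
    # trusted to answer "not revoked".
    if not crl.is_signature_valid(issuer_public_key):
        raise ValueError("CRL signature does not verify against issuer key")
    return crl.get_revoked_certificate_by_serial_number(serial) is not None


def demo() -> dict:
    """Run every helper on constructed keys and data and collect the results."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    other_key = ec.generate_private_key(ec.SECP256R1())
    message = b"constructed sample payload"
    signature = sign_blob(ca_key, message)

    revoked_serial = random_serial()
    good_serial = revoked_serial + 2  # guaranteed to differ from the revoked one
    crl_pem = build_crl_pem(ca_key, ISSUER, [revoked_serial])

    try:
        is_revoked(crl_pem, other_key.public_key(), revoked_serial)
        wrong_issuer_rejected = False
    except ValueError:
        wrong_issuer_rejected = True

    return {
        "valid_sig": verify_blob(ca_key.public_key(), signature, message),
        "tampered_sig": verify_blob(ca_key.public_key(), signature, message + b"!"),
        "revoked": is_revoked(crl_pem, ca_key.public_key(), revoked_serial),
        "good": is_revoked(crl_pem, ca_key.public_key(), good_serial),
        "wrong_issuer_rejected": wrong_issuer_rejected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The CRL signature check in is_revoked() is the step most easily lost in a migration, since a lookup on a parsed but unverified CRL still returns an answer.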
Key Package Updates
Kernel Source 6.13.4, 6.13.3, 6.13.2: These updates include various fixes and improvements across multiple subsystems. They address issues in Btrfs, including a lockdep splat fix and better handling of transaction aborts. Security improvements address x86 SRSO mitigation for missing IBPB on VM-Exit, HID device handling fixes for winwing and thrustmaster, and multiple pinctrl bug fixes. The updates also refined DRM and AMD display components, improving HDMI, DSC passthrough, and backlight quirks. Additional fixes improve schedulers, IRQ handling, logging, and filesystem stability. Various DRM bridge, panel, and connector updates enhance ELD handling and synchronization. Other enhancements improve safesetid policy checks, WiFi drivers, and device-specific optimizations.
curl 8.12.1: This update includes various security fixes, such as resolving password leaks between hosts, HSTS cache entry overwrites and an eventfd double-close vulnerability. Enhancements include support for PKCS#11 keys, QUIC 0RTT with GnuTLS, improved HTTP authentication tracking, and extended error handling for connection reuse. Notable bug fixes address TLS upgrade issues, DNS resolution improvements, HTTP retry handling, and performance optimizations across multiple protocols.
selinux-policy 20250211: This update sets SELinux as the default Linux Security Module (LSM) for all new installations. While AppArmor remains available, SELinux will be in enforcing mode by default on fresh installs, including the minimalVM variant. SELinux updates will continue refining the implementation in the coming weeks.
sdbootutil: This update introduces improvements to PCR 15 measurements, including a validator service and predictive capabilities for crypttab changes. The update also refines cryptographic device ordering when using FIDO2 keys and removes the .conf suffix from grubenv. Additional fixes ensure proper generator behavior when /etc/crypttab is missing and improve logging output for PCR validation.
GStreamer 1.24.12: This update resolves shader compilation failures in d3d12 and corrects framerate handling in decklinkvideosink. The gst-libav module now avoids crashes in audio encoders with insufficiently aligned input data and restores compatibility with FFmpeg 4.2. Other fixes include improved seeking and duration handling in oggdemux, PTS wraparound detection in tsdemux, and race condition fixes in vtdec on macOS. Enhancements were made to qtdemux for better matrix transformation and flipping support, while webrtc now prevents duplicate payload types when using RTX and multiple video codecs. Additional refinements were applied to wpe, x264enc, and win32-pluginloader, along with various memory leak and stability fixes.
XFSProgs 6.13.0: This update introduces significant improvements, including enhanced support for realtime volumes, quota handling, and metadata directories. The mkfs tool now allows recursive subvolume deletion and improved protofile parsing. xfs_repair adds support for quota inodes in metadata directories, while xfs_scrub accelerates phase 8 processing using histograms. Additional fixes address error reporting, device encoding, and concurrency improvements for realtime allocation groups. Various build, documentation, and tooling enhancements further refine the XFS ecosystem.
kdump 2.0.16: This update improves reliability with a fix for KDUMP_AUTO_RESIZE, addressing issues in crash dump resizing. The update also resolves a critical bonding configuration bug in dracut, which previously caused network failures in kdump initrd. The issue stemmed from improper parsing of bond device parameters, where MAC address colons led to errors. The fix ensures kdump correctly filters out problematic bond keys, preventing parsing failures.
Bug Fixes and Security Updates
Several key security vulnerabilities were addressed this month. Common Vulnerabilities and Exposures this month are:
qemu:
- CVE-2023-2861: Fixed a flaw in the 9p passthrough filesystem (9pfs) implementation that could allow a malicious client to escape the exported 9p tree by creating and opening a device file in the shared folder.
curl:
- CVE-2024-11053: Fixed a credential leak when using .netrc files in combination with HTTP redirects.
- CVE-2024-9681: Resolved an issue where HSTS subdomain entries could overwrite parent domain cache entries, potentially leading to incorrect HTTPS enforcement.
- CVE-2025-0665: Addressed a double close vulnerability with eventfd, which could lead to undefined behavior or application crashes.
- CVE-2025-1244: Details about this CVE are currently unavailable. For the latest information, please refer to the official Emacs news page.
OpenSSL 3.4.1:
- CVE-2024-12797: Fixed an issue where clients using RFC7250 Raw Public Keys (RPKs) might not detect server authentication failures, potentially exposing TLS/DTLS connections to man-in-the-middle attacks.
- CVE-2024-13176: A timing side-channel vulnerability in ECDSA signature computations could allow attackers to recover private keys. This primarily affects the NIST P-521 curve and requires local access or a high-speed, low-latency network connection to exploit.
- CVE-2024-9143: Fixed an out-of-bounds memory access issue in low-level GF(2^m) elliptic curve APIs, which could lead to memory corruption or crashes.
postgresql 17.3:
- CVE-2025-1094: Fixed an SQL injection vulnerability in the psql interactive tool caused by improper neutralization of quoting syntax in certain functions.
- CVE-2025-22921: Addressed a segmentation violation in jpeg2000dec.c, preventing potential crashes.
- CVE-2025-22919: Fixed a reachable assertion in handling crafted AAC files, mitigating denial-of-service risks.
- CVE-2025-0518: Resolved a stack-based buffer overflow allowing remote authenticated attackers to execute arbitrary code.
- CVE-2025-25473: Fixed multiple vulnerabilities enabling authenticated remote attackers to execute arbitrary commands.
- CVE-2024-12361: Addressed a flaw in certificate data handling that could lead to denial-of-service conditions.
- CVE-2024-45781: Fixed a strcpy overflow in the UFS filesystem.
- CVE-2024-56737: Resolved a heap-based buffer overflow in the HFS filesystem.
- CVE-2024-45782: Addressed a strcpy overflow in the HFS filesystem.
- CVE-2024-45780: Fixed an overflow issue in TAR/CPIO handling.
- CVE-2024-45783: Corrected a reference count overflow in the HFS+ filesystem.
- CVE-2025-0624: Fixed an out-of-bounds write during the network boot process.
- CVE-2024-45774: Resolved a heap overflow in the JPEG parser.
- CVE-2024-45775: Addressed a missing NULL check in the extcmd parser.
- CVE-2025-0622: Fixed a use-after-free issue when handling hooks during module unload in command/gpg.
- CVE-2024-45776: Corrected an overflow in .MO file handling.
- CVE-2024-45777: Fixed an integer overflow in the gettext function.
- CVE-2025-0690: Resolved an integer overflow that could lead to an out-of-bounds write via the read command.
- CVE-2025-1118: Ensured the dump command is blocked when GRUB is in lockdown mode.
- CVE-2024-45778: Removed the BFS filesystem from lockdown-capable modules.
- CVE-2024-45779: Fixed a heap overflow in the BFS filesystem.
- CVE-2025-0677: Addressed an integer overflow leading to an out-of-bounds write when handling symlinks in UFS.
- CVE-2025-0684: Resolved an integer overflow leading to an out-of-bounds write when handling symlinks in ReiserFS.
- CVE-2025-0685: Fixed an integer overflow leading to an out-of-bounds write when handling symlinks in JFS.
- CVE-2025-0686: Corrected an integer overflow leading to an out-of-bounds write when handling symlinks in ROMFS.
- CVE-2025-0689: Fixed a heap-based buffer overflow in UDF that could lead to arbitrary code execution.
- CVE-2025-1125: Addressed an integer overflow leading to an out-of-bounds write in the HFS filesystem.
- CVE-2025-0678: Resolved an integer overflow leading to an out-of-bounds write in SquashFS.
libtasn1 4.20.0:
- CVE-2024-12133: Fixed inefficient handling of specific certificate data, which could allow an attacker to send a specially crafted certificate, causing a denial of service attack.
libxml2 2.13.6:
- CVE-2025-24928: Fixed a stack-based buffer overflow in the xmlSnprintfElements function, which could be exploited during DTD validation of untrusted documents, leading to denial of service or code execution.
- CVE-2024-56171: Resolved a use-after-free vulnerability in the xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables functions, potentially leading to arbitrary code execution when processing crafted XML documents or schemas.
- CVE-2025-27113: Addressed a NULL pointer dereference in the xmlPatMatch function, which could cause application crashes when processing certain inputs.
gnutls 3.8.9:
- CVE-2024-12243: Addressed a flaw where decoding certain DER-encoded certificates could cause excessive resource consumption, leading to denial-of-service conditions.
mozjs128 128.7.0:
- CVE-2025-1009: Fixed a use-after-free vulnerability in XSLT that could lead to an exploitable crash.
- CVE-2025-1010: Resolved a use-after-free issue in the Custom Highlight API, potentially leading to a crash.
- CVE-2025-1011: Addressed a bug in WebAssembly code generation that could result in a crash and possible code execution.
- CVE-2025-1012: Fixed a use-after-free during concurrent delazification, which could lead to a crash.
- CVE-2024-11704: Corrected a potential double-free vulnerability in PKCS#7 decryption handling.
- CVE-2025-1013: Resolved an issue where private browsing tabs could be opened in normal browsing windows, leading to a potential privacy leak.
- CVE-2025-1014: Fixed improper certificate length checking when added to a certificate store.
- CVE-2025-1016: Addressed multiple memory safety bugs that could potentially be exploited to run arbitrary code.
- CVE-2025-1017: Resolved additional memory safety bugs present in the browser engine.
- CVE-2025-24143: Fixed a vulnerability that could lead to arbitrary code execution when processing maliciously crafted web content.
- CVE-2025-24150: Resolved an issue where visiting a malicious website may lead to address bar spoofing.
- CVE-2025-24158: Addressed a memory corruption issue that could allow an attacker to execute arbitrary code.
- CVE-2024-24162: Fixed a vulnerability where processing maliciously crafted web content could lead to arbitrary code execution.
- CVE-2025-0938: Fixed improper URL parsing in urllib.parse functions, which accepted invalid domain names with square brackets, potentially leading to security issues.
PAM-PKCS 0.6.13:
- CVE-2025-24032: Fixed an issue where an attacker could create a token with a user’s public certificate and a known PIN, allowing unauthorized login without requiring the private key.
- CVE-2025-24531: Addressed a potential authentication bypass in error situations when using smart cards for login.
krb5:
- CVE-2025-24528: Resolved a flaw where an authenticated attacker could cause kadmind to write beyond the end of the mapped region, leading to potential security risks.
Users are advised to update to the latest versions to mitigate these vulnerabilities.
Conclusion
KDE users will notice a more polished and efficient experience with the latest KDE Gear, Frameworks and Plasma updates. Beyond the visible improvements, Tumbleweed continues to strengthen its foundation with essential security patches for curl, mozjs128, grub2 and PostgreSQL, along with optimizations in XML processing through libxml2. These ongoing enhancements ensure Tumbleweed remains a dependable, high-performance open-source platform for developers and users alike.
Slowroll Arrivals
Please note that these updates also apply to Slowroll and arrive on average 5 to 10 days after being released in a Tumbleweed snapshot. This monthly approach has been consistent for many months, ensuring stability and timely enhancements for users.
Contributing to openSUSE Tumbleweed
Stay updated with the latest snapshots by subscribing to the openSUSE Factory mailing list. Tumbleweed users who want to contribute or engage in detailed technological discussions can subscribe to the same list. The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.
Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.
Collecting Active Roles logs centrally using the syslog-ng Windows Agent
One Identity Active Roles allows you to easily and securely manage Active Directory (AD), Entra ID and M365 Identity objects. While Active Roles stores its log messages into Windows Event Log, most log management and log analytics applications expect to receive log messages over the syslog protocol. This is where syslog-ng Premium Edition (PE) can help you. The syslog-ng Windows Agent can collect and forward Active Roles log messages from Windows Event Log, while the syslog-ng server can collect, process, store and forward Active Roles log messages to multiple destinations.
Installing syslog-ng PE together with Active Roles has many advantages, one of which is central log collection. This means that you do not have to log in to individual hosts to check logs, but instead can view logs from every host in a single location. This also enhances security, as logs are available even when they disappear from the original location due to a hardware failure or security incident.
From this blog, you can learn how to configure the syslog-ng Windows Agent to collect and forward Active Roles log messages from Windows Event Log, and how to parse and store the incoming log messages on the syslog-ng server side.
Read the rest at https://www.syslog-ng.com/community/b/blog/posts/collecting-active-roles-logs-centrally-using-the-syslog-ng-windows-agent
