Over the years, I have noticed that the biggest challenges during upgrades usually involve 3rd-party repositories, mostly due to their unavailability for the new release or delays in catching up.

Another challenge has been constant changes to distribution repositories. For example, in Leap 15.3 we removed the ports repositories as part of the Closing the Leap Gap initiative and also introduced SLE Update repositories.

Now, with Leap 16.0, update repositories are being removed entirely. Leap Micro 6.X also no longer has dedicated update repositories.

In the past, users had to manually modify distribution repositories. Fortunately, openSUSE-repos automates this process and puts distribution repositories under RPM management. This is now the default behavior for both Leap Micro 6 and Leap 16. This dramatically simplified the whole upgrade and distribution migration process.

Why use opensuse-migration-tool

Upgrading your system doesn’t have to be scary or complicated. The opensuse-migration-tool is designed to make the process simple, safe, and predictable. I got inspired by our jeos-firstboot, which uses dialog for smooth interactions. The tool also greets you with a nice green dialog, thanks to a customized dialogrc—giving it that familiar openSUSE look and feel right from the start.

Here’s what it can do for you:

1. Install updated distribution repository definitions automatically
2. Disable non-distribution repositories to avoid conflicts
3. Run zypper dup for a smooth, safe upgrade
4. Offer post-upgrade scripts to adopt new defaults—or keep your preferred settings, for example AppArmor vs SELinux
5. Perform pre-migration checks to make sure your system is ready, including verifying x86_64-v2 support
6. Reboot
7. Optional snapper-rollback or simply boot to older snapshot from grub

The tool isn’t limited to just Leap n → Leap n+1. You can also upgrade to SUSE Linux Enterprise, Slowroll, or Tumbleweed. Slowroll → Tumbleweed upgrades work too, and recent requests include Leap Micro → Slowroll Micro. As long as it’s an upgrade, it will simply work.

Want to see it in action? Check out LowTechLinux’s opensuse-migration-tool review on YouTube for a hands-on demo and external validation.

Getting started

In case the tool is not yet installed on your system do sudo zypper in opensuse-migration-tool

If you are using the tool for the first time or just want to check it out, run it in test mode: /usr/sbin/opensuse-migration-tool --dry-run # no need to use sudo in dry-run mode

This will not show exactly what will be upgraded, but it will give you a good idea of what the tool can do and it will not make any changes to your system.

Once you feel confident, run: sudo opensuse-migration-tool

The tool will offer to disable non-distribution repositories, which is strongly recommended. It will then trigger zypper dup --r and automatically rerun zypper if any issues occur.

The tool also performs pre-migration system checks. If you are affected by any issues, you might want to run the latest version directly from git. Contributions are welcome.

git clone https://github.com/openSUSE/opensuse-migration-tool.git
cd opensuse-migration-tool
./opensuse-migration-tool --dry-run

Further documentation

More information can be found at openSUSE System Upgrade. This document also suggests how to perform a manual upgrade to 16.0, although I would not recommend it, especially given the positive feedback we have received for the tool.

Make sure to read Leap 16.0 release notes as well as Known bugs wiki prior to upgrading.

Future plans

I plan to provide an optional GTK4 interface that preserves the shared migration logic and power of Bash. This will use custom GTK4 dialogs to keep the openSUSE look and feel, but it will be invoked similarly to zenity. Here’s a sneak peek from the first two dialogs:

People can leave feedback on survey.opensuse.org after the general availability of the release today at 12:00 UTC when the survey becomes published regarding the release of Leap 16.

…the one that emulates your real workload. And for me (and probably many of you reading this), that would be “build a kernel as fast as possible.” And for that, I recommend the simple kcbench.

I kcbench mentioned it a few years ago, when writing about a new workstation that Level One Techs set up for me, and I’ve been using that as my primary workstation ever since (just over 5 years!).

Table of Contents

• 1) Introduction
• 2) systemd v258: Local Root Exploit in new systemd-machined API found in Release Candidates
  • The Bugfix
  • Increase in Complexity in systemd
• 3) logrotate: Issues in drop-in Configuration Files
  • Missing su <user> <group> Directives
  • Problems with Scripts Embedded in Configuration
  • Possible Improvements in logrotate
• 4) GNOME 49: D-Bus and Polkit Changes in new Major Version Release
• 5) Kea DHCP: Follow-Up Review of Network Attack Surface
• 6) chrony: Issues in chronyc Socket Creation
• 7) pwaccessd: New Varlink Service for Reading User Account Information
• 8) sysextmgr: New Varlink Service for Managing systemd-sysext Images
• 9) bash-git-prompt: Predictable Temporary File Name Offers Local Attack Surface (CVE-2025-61659)
• 10) steam-powerbuttond: Insecure Operation in Home Directories
• 11) Conclusion
• Change History

1) Introduction

Autumn is already palpable for many of us these days and this means it is time to take a look back at what happened in our team during the summer months. We have not published any dedicated security reports during that time; instead we have all the more to cover in this edition of the spotlight series which discusses code review efforts that did not lead to major findings or otherwise did not qualify for a dedicated report.

This is also the first anniversary of the spotlight series, which we started in August 2024 with the first summer spotlight edition. We are happy to provide our readers with interesting content about the daily work in our team and are looking forward to more anniversaries to come.

In this issue we will cover a local root exploit we discovered in systemd v258-rc4 before it became part of a stable release, problems found in logrotate drop-in configuration files, changes in D-Bus configuration files related to the GNOME version 49 release, and a follow-up code review of the Kea DHCP server suite. Furthermore we found a symlink attack issue in chronyc, proactively reviewed new Varlink services developed by fellow SUSE engineers and discovered a local privilege escalation issue in bash-git-prompt. Finally we will talk about a problematic script used on Steam Deck devices.

2) systemd v258: Local Root Exploit in new systemd-machined API found in Release Candidates

At the beginning of August one of our systemd maintainers asked us to review D-Bus and Polkit API changes in a release candidate of systemd 258. This major version update of systemd contains many API additions e.g. in systemd-resolved, systemd-homed, systemd-machined and systemd-nsresourced.

While looking into these changes we found an issue in systemd-machined. This daemon can be used to manage virtual machines and containers alike. In upstream commit adaff8eb35d a new Polkit action “org.freedesktop.machine1.register-machine” has been added, which was accessible to locally logged in users without authentication (Polkit yes setting). The purpose of this new API is to allow users to register existing containers with systemd-machined, that have been created by other means.

There exist two D-Bus methods which employ this Polkit action: “RegisterMachine” and “RegisterMachineWithNetwork”. Both accept a rather long list of parameters to describe the container which is supposed to be registered with the daemon. The following command line performs an example registration of a fake container:

$ gdbus call -y -d org.freedesktop.machine1 -o /org/freedesktop/machine1 \
    -m org.freedesktop.machine1.Manager.RegisterMachineWithNetwork \
    mymachine '[1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16]' myservice container \
    $$ $PWD '[1, 2, 3]'

Among these parameters is the process ID (PID) of the leader process of the container. In this example $$, i.e. the shell’s own PID, is passed as leader PID. The release candidate implementation of systemd-machined failed to verify whether this process is owned by the caller and an actual member of an unprivileged user namespace belonging to a container.

The first problematic aspect we noticed about this was that systemd-machined can send SIGTERM to the process group the given leader PID belongs to (e.g. when registering a new container using the same name), allowing a trivial local Denial-of-Service against arbitrary other processes. Far more problematic was something else that we noticed: the unprivileged user was able to enter a shell in such a crafted container, like this:

user$ machinectl shell mymachine
# full root privileges, this happens in the actual host's file system
container-root# touch /evil

Since the leader PID in this case is a process belonging to the host’s initial namespaces, the root shell for the “container” is actually a root shell in the host itself, giving full root privileges over the system.

This problem is found in all release candidates of systemd v258. We reported the problem privately to systemd security, and upstream developed bugfixes right away while still in the RC phase. The local root exploit was never present in any stable release version and thus end users are not affected by the problem, which is also why no CVE was assigned.

The Bugfix

To address the issue, systemd-machined now verifies that the leader PID specified by the client is actually owned by the caller. Furthermore the authentication requirements for Polkit action “register-machine” have been raised to auth_admin_keep even for local users.

While writing this very summary we noticed that one aspect of the issue had been overlooked and was not fixed for the stable release: the verification of the user namespace membership of the target process. Thus it is still possible to gain a root shell this way, but only after authenticating as admin, which means the caller already needs admin privileges to trigger the exploit. This aspect has now been addressed for future releases by upstream, which is important, because upstream intends to relax the authentication requirements for this action to yes again at a later time.

Increase in Complexity in systemd

With this version of systemd we are seeing a noticeable increase in complexity in the implementation of a number of systemd components. In the area of container management the complexity is pretty much by design, given the intricacy of the different namespace mechanisms playing together, partly under the control of unprivileged users. There is also the addition of Varlink for Inter-Process-Communication, however, which means that two different interfaces for D-Bus and Varlink now exist in parallel for some services. This is also the case for systemd-machined.

While the D-Bus and Varlink interfaces usually call into shared functions for most of the business logic and share the same Polkit actions, there is necessarily a certain amount of redundancy in parsing and evaluation of input parameters. As a result this also increases the burden on code reviewers which now need to keep track of two different entry paths to the same logic.

We are not yet completely finished with reviewing all notable changes in systemd v258 but intend to complete the effort within the next couple of weeks. We are happy that our review efforts already prevented a local root exploit in software as widespread as systemd from ending up in production environments.

3) logrotate: Issues in drop-in Configuration Files

Missing su <user> <group> Directives

Recently we noticed that there exist a number of packages in openSUSE Tumbleweed which trigger a “logrotate-user-writable-log-dir” rpmlint diagnostic. This diagnostic is emitted when a package contains a logrotate drop-in configuration file (e.g. in /etc/logrotate.d) which points the logrotate daemon to a log directory which is controlled by non-root accounts, where it will operate with full root privileges.

Operating as root in locations controlled by other users is generally very difficult to get right and can easily lead to privilege escalation from a service user to root e.g. via symlink attacks. logrotate offers a su <user> <group> syntax to instruct the daemon to perform a privilege drop to the user owning the directory to avoid any security implications.

To start with, we had a look at the implementation of the logrotate daemon, to judge what the impact would be, when a rogue service user account tries to perform an attack against logrotate when it starts rotating logs in a directory controlled by the compromised user. The results are as follows:

• the daemon performs a sanity check on the directory to operate on and rejects any log directories which are writable by world or a non-root group. This does not include the case where the log directory is owned by a non-root user, however.
• the system calls used by logrotate always include safe flags for opening log files which will prevent trivial symlink attacks by service users from succeeding. There could still be more intricate attacks when a parent directory of the log directory is also owned by a non-root user account. This is not a common setup, however, and we could not find any package where this is the case.

In summary we believe that there are no overly dangerous situations that can result from a missing su <user> <group> directive in affected logrotate configuration files. Still we decided that it will be better to fix existing packages and enforce that packages emitting this rpmlint diagnostic are not allowed into openSUSE in the future. To this end we fixed a couple of openSUSE-specific logrotate drop-in configuration files as well as an upstream configuration file in Munge.

Problems with Scripts Embedded in Configuration

While looking into the credentials mismatch issue we noticed that logrotate can end up in even more complex usage scenarios. The configuration file format allows shell scripts to be embedded that will be executed after rotating logfiles, for example. These scripts always run with full root privileges, independently of an existing su <user> <group> directive. The likeliness of security issues is higher in this case and issues are harder to detect, since this is package-specific code possibly running as root in untrusted directories.

While exploring all embedded scripts found in logrotate drop-in configuration files in openSUSE Tumbleweed we found out that in most cases such scripts are only used to restart a systemd service or to send a signal to a daemon running in the background. In a few cases the scripts have been problematic, as is described in the following sub-sections.

python-mailman (CVE-2025-53882)

In the python-mailman package we found two problems in the embedded shell script, which consisted of these two lines:

/bin/kill -HUP $(</run/mailman/master.pid) 2>/dev/null || true
@BINDIR@/mailman reopen >/dev/null 2>&1 || true

For one, SIGHUP was sent to a PID obtained from /run/mailman/master.pid, which is under the control of the mailman service user. This would allow a compromised mailman user to direct SIGHUP to arbitrary processes in the system.

Furthermore the command line /usr/bin/mailman reopen was executed with full root privileges, which results in output like this:

Usage: mailman [OPTIONS] COMMAND [ARGS]...
Try 'mailman -h' for help.

Error: If you are sure you want to run as root, specify --run-as-root.

This shows that the intended reopen of logfiles doesn’t work as expected. Otherwise one might think that nothing harmful happens. This is not true, however. This invocation of mailman still leads to the full initialization of the logging system and all the logfiles in
/var/log/mailman are created, if not already existing, with full root privileges. Symbolic links are followed, if necessary.

This means a compromised mailman user can e.g. create a symlink /var/log/mailman/bounce.log → /etc/evil-file. After the logrotate script runs /etc/evil-file will be created. The files will be created with root-ownership, so the only impact of this should be the creation of new empty files owned by root in the system. This can still have security impact when such empty state files control sensitive settings of other programs in the system.

To fix this issue the sending of SIGHUP was completely dropped and the reopen command is invoked via sudo as the dedicated mailman service user and group. The logrotate drop-in configuration file containing the problematic script is specific to openSUSE, thus we assigned a CVE for this issue to make our users aware.

sssd

The sssd package has a very similar issue in its example logrotate configuration, where a SIGHUP signal is sent to a PID controlled by the sssd service user:

/bin/kill -HUP `cat @pidpath@/sssd.pid 2>/dev/null` 2> /dev/null || true

We created a public upstream GitHub issue to make the developers aware of the problem. There is no fix available yet for the issue.

Icinga2 (CVE-2025-61909)

In our icinga2 package there is yet another instance of sending a signal (SIGUSR1) to a PID controlled by the unprivileged icinga service user:

/bin/kill -USR1 $(cat /run/icinga2/icinga2.pid 2> /dev/null) 2>/dev/null || true

We wanted to change that into a systemctl reload icinga2.service instead, only to find out that upstream’s reload script is affected by the same issue. We reported the problem to upstream and they fixed it and assigned a CVE by now.

exim (CVE-2025-53881)

Our exim package contained a problematic prerotate shell script in its logrotate configuration which allows escalation from the mail user/group to root, when it runs. The shell script is rather complex and tries to generate a statistics report creating temporary files as root in the log directory owned by the unprivileged mail user.

To fix this, the script has been adjusted to use a private temporary directory for the report, instead. An update containing the fix will soon be available for openSUSE Tumbleweed.

This again is an openSUSE specific logrotate configuration file, thus we assigned a CVE to mark the problem.

Possible Improvements in logrotate

The issues we uncovered show also room for improvement in logrotate itself to prevent such situations in the first place. For one, the daemon could refuse to work on directories owned by non-root users, like it does for world-writable directories. Furthermore scripts could be executed using the same su <user> <group> credentials that are used for rotating the logs.

We did not reach out to upstream about these suggestions yet, but will keep you informed about any developments in this area.

4) GNOME 49: D-Bus and Polkit Changes in new Major Version Release

GNOME 49 was recently released and our GNOME maintainers asked us to look into a number of D-Bus and Polkit changes that appeared in related packages. We encountered nothing too exciting this time:

• GDM: Two changes appeared in GNOME’s display manager:
  • Some polkit actions are now tied to the gdm group instead of to the gdm user. This is related to the display manager now using dynamic user accounts.
  • The gdm group is now allowed to access smart cards managed by pcscd. This is supposed to fix a bug report where smart cards could not be accessed by GDM. Why this bug never occurred before is not completely clear, the Polkit settings are acceptable in any case.
• gnome-initial-setup: This package received the same change as GDM, Polkit actions are now tied to the gdm group, not the user.
• gnome-remote-desktop: This is the same as in gnome-initial-setup, Polkit actions are now tied to the gdm group instead of the user.
• mutter: This part of GNOME (a Wayland compositor and X11 window manager) now contains a backlight-helper. Locally logged in regular users are allowed to execute this program with root privileges to control the backlight of mobile devices. We have seen this helper program before in the gnome-settings-daemon package. It is a minimal C program consisting of 200 lines of code and we could not find any issues in it.

5) Kea DHCP: Follow-Up Review of Network Attack Surface

Earlier this year we reported a number of local security issues pertaining to the REST API in Kea DHCP. In a follow-up review we focused on the network attack surface, which usually is the more interesting part when dealing with a DHCP server suite. Alas, while looking at the network logic we stumbled over another minor local security issue regarding a temporary change to the process’s umask. Upstream addressed the problem in the meantime.

Following the actual network processing logic in Kea’s code base is no easy task. The C++ coding style uses a high level of abstraction which leads to many indirections. Untrusted data received from network peers travels far in the code without clear logical boundaries where data is verified before further processing takes place. The code base contains a lot of comments, which usually is a good thing, but in this instance it felt nearly too verbose to us, making it hard to find the relevant bits.

On the positive side of things Kea is already a matured project and there were no easy pickings to be found. Upstream also integrated AFL fuzzing into their testing infrastructure, which should allow them to find network security issues proactively. Consequently we have been unable to find any security issues in the network processing in Kea.

Kea offers advanced features like configuring custom behaviour depending on specific DHCP header fields. This naturally comes with quite some additional complexity. In this light we believe Kea is well suited for large organizations, but we would recommend a simpler DHCP server implementation for small environments where such features are not needed, to reduce attack surface.

6) chrony: Issues in chronyc Socket Creation

This finding resulted from our logrotate configuration file investigation discussed above. chrony is the default NTP time synchronization program used in openSUSE and a number of other Linux distributions. It ships a logrotate drop-in configuration file that contains this postrotate shell code:

postrotate
    /usr/bin/chronyc cyclelogs > /dev/null 2>&1 || true
endscript

chronyc is the client utility used to talk to the chronyd daemon component. The communication mechanism used for this is a UNIX domain socket placed in /run/chrony/chronyd.sock. chronyc is invoked as root in the logrotate context above. At first we believed this should not be a problem, since any privileged process should be allowed to talk to chronyd. While looking at the strace output of the command line above the following system call caught our attention, however:

chmod("/run/chrony/chronyc.6588.sock", 0666) = 0

The /run/chrony directory is owned by the chrony service user:

drwxr-x--- 3 chrony chrony 100 Sep 25 09:45 .

These are the same credentials used by the chronyd daemon. When root performs the chmod call above, then a compromised chrony service user has an opportunity to perform a symlink attack, directing the chmod() operation to arbitrary files on the system, making them world-writable, thus making possible a chrony to root privilege escalation. A couple of years ago we found a somewhat similar symlink attack in the area of the pidfile creation performed by the daemon.

We approached upstream about the issue on July 15 by creating a private issue in their GitLab project. The bugfix turned out rather complex. The problem here is that the UNIX domain socket used by chrony is datagram-oriented (SOCK_DGRAM). This means there is no connection established between client and server. For the server being able to send back data to the client, the client needs to bind its socket into the file system as well and grant the server-side access to it. On Linux an autobind feature exists for Unix domain sockets, which will automatically assign an abstract address to the client socket, which is not visible in the file system. This feature is not available on other UNIX systems, however, that chrony also intends to support.

For these reasons the upstream approach to fix this involves the creation of an unpredictably named sub-directory in /run/chrony to place the client-end socket into. The directory is only writable for the client and the unpredictable directory name is not known in advance, thus no symlinks can be placed into the path anymore.

7) pwaccessd: New Varlink Service for Reading User Account Information

A fellow SUSE engineer recently finished development on pwaccessd, a daemon providing user account information via Varlink. This novel approach to providing account information allows, for example, to grant regular users access to their own shadow entry, which would otherwise only be accessible to root.

At the end of June we have been asked to review the new daemon for its security. We had a couple of hardening recommendations and found an instance of possible log spoofing, but have otherwise been satisfied with the implementation. Bugfixes and improvements have been incorporated and the new service is now ready to be used in production.

8) sysextmgr: New Varlink Service for Managing systemd-sysext Images

sysextmgr is another new Varlink service developed by SUSE, which this time helps with the management of systemd-sysext images on openSUSE MicroOS. We noticed the addition of this service to openSUSE via our monitoring of newly added systemd services in the distribution. While looking into the Varlink API we discovered a number of issues in the service like Denial-of-Service attack surface and some minor symlink issues. The issues could be resolved quickly and we are now happy with the state of the service.

9) bash-git-prompt: Predictable Temporary File Name Offers Local Attack Surface (CVE-2025-61659)

Our team is currently undertaking an effort to have a look at all kinds of shell related drop-in code like command-specific shell completion support and files installed into /etc/profile.d to manipulate the shell environment. Any packages can install such files and they can easily lead to security problems when things are not done right.

The amount of such files in a complete Linux distribution is huge, naturally, thus this is a long-term task that will require time to produce a complete list of findings. A first finding in the bash-git-prompt package already resulted from this, however. This package installs shell code into /etc/profile.d/bash-git-prompt.sh which enables an interactive Git prompt which will be displayed as soon as the Bash shell enters a Git repository. This prompt contains information about the current repository, the number of modified files and other things that can be configured by users. The prompt feature using default settings becomes active as soon as the package is installed.

While looking into the shell code that implements all this we noticed the use of a predictable temporary file in /tmp/git-index-private$$. bash-git-prompt copies the Git index file found in the current Git repository to this location. It turns out that this copy operation happens every time the interactive shell user enters a new command while being located in a Git repository. The temporary file is soon deleted again when the Git bash prompt has been fully rendered by the program.

Since an interactive bash shell session is a long-lived process it is rather simple for other users in the system to pre-create the temporary file in question and cause all kinds of issues:

• Denial-of-Service: by blocking the path, the Git prompt setup will fail to complete and the prompt will be broken. By placing a FIFO named pipe in this location the victim’s shell will even lock up completely.
• information leak: the copy of the Git index is made using the umask of the shell. When the default umask 022 is used, then the copy of the Git index becomes world-readable in /tmp. If the victim’s Git repository contains non-public data then part of that data (e.g. file names of pending change sets) leaks to other users in the system.
• integrity violation: when a local attacker places crafted data in the location of the temporary file and denies write access, then bash-git-prompt fails to write the desired Git index data to this location, but will not stop execution despite this error. The crafted Git index data will be fed to various invocations of the git command line utility, possibly leading to a crafted bash prompt or even leading to some forms of code execution. To determine the full extent of this, a low level analysis of the handling of the binary Git index format would be necessary.

The problem was discovered independently a while ago already, which is why there exists a public GitHub issue for it. An upstream author attempted to fix the issue, but rolled back the changes due to a regression and nothing happened since. The issue was introduced via commit 38f7dbc0bb8 in bash-git-prompt version 2.6.1. We added a simple patch to our packaging of bash-git-prompt which should address all issues for users of openSUSE.

At the end of September we requested a CVE from Mitre to track this issue and they assigned CVE-2025-61659.

10) steam-powerbuttond: Insecure Operation in Home Directories

Our team’s monitoring of newly added systemd services in openSUSE led us to steam-powerbuttond. It derives from a script found on the SteamOS Linux distribution for use on Steam Deck gaming devices.

The main component of this package is a Python script which runs as a systemd service with full root privileges. This script contains various security issues. During startup the script attempts to determine who “the first user” in the system is, by parsing the output of who | head -1. This user’s home directory is then used for operations later on, when a power button press event is detected. After processing the event, the file
/home/{user}/.steam/steam.pid is read and used for accessing /proc/{pid}/cmdline.

This logic leads to various possible issues, ranging from the the wrong user being selected initially, to denial-of-service when unexpected file content is placed in the unprivileged user’s home directory. We contacted one of the original upstream authors about this and offered coordinated disclosure. It turned out that the project is not supposed to be used anymore, however, and as a result the GitHub repository has been archived by the maintainer.

The openSUSE steam-powerbuttond package is now waiting to be replaced by a new script that is supposed to be found in SteamOS.

11) Conclusion

This edition of the SUSE security team spotlight was quite packed with topics. We hope this can give you an insight into all the different kind of activities we end up in on our mission to improve the security of open source software, in the Linux ecosystem in general and openSUSE in particular. We’re looking forward to the next issue of the spotlight series in about three months from now.

Change History

Version 4.10 of syslog-ng introduced file size-based log rotation. Thanks to this, storage space is no longer filled with logs with the risk that you might not see older logs if the message rate is higher than expected.

Read more at https://www.syslog-ng.com/community/b/blog/posts/file-size-based-log-rotation-in-syslog-ng

Software packages updating on openSUSE Tumbleweed hit a steady rhythm in September as snapshots were released almost daily. These updates delivered new features, performance improvements, and important security fixes for rolling release users.

GnuPG 2.5.12, file archiver 7-Zip 25.01, text editor Vim 9.1.1706 and Kernel Source 6.16.5 were just a few of the packages updated in the month’s snapshots.

The desktop experience was significantly enhanced with the arrival of GNOME 49 and Plasma 6.4.5. KDE Gear 25.08.1 brought widespread fixes to core applications. Other packages to update this month were QEMU 10.1.0, libvirt 11.6.0, tuned 2.26.0, GStreamer 1.26.6, Mesa 25.2.2 and more.

As always, be sure to roll back using snapper if any issues arise.

For more details on the change logs for the month, visit the openSUSE Factory mailing list.

New Features and Enhancements

GNOME 49: Several GNOME 49 packages were updated in Tumbleweed. Some of the changes include replacing Totem with Showtime as the new default video player and Evince with Papers for modern, feature-rich document viewing. The Calendar app is now fully keyboard-accessible and lets users export events. Web gains better ad blocking, OpenSearch integration, and site-specific menus. Remote desktop now supports multitouch and virtual monitors. New HDR wallpapers enhance visual fidelity, while lock screen media controls, Do Not Disturb in Quick Settings, and reboot/shutdown options improve usability. Two new apps join GNOME Circle; Mahjongg and Wordbook, a dictionary powered by WordNet.

KDE Gear 25.08.1: Dolphin now scrolls faster and avoids crashes when switching selection modes or creating folders, while also playing the trash-empty sound only when successful. KMail, Akregator, KAddressBook, KOrganizer, and PIM tools no longer show outdated “What’s New” screens on startup. Ark and KTorrent have been fixed to stop unnecessary notifications and excessive file writing, respectively. Text editor Kate has multiple crash fixes, especially in session handling and external tool integration, and now works better in Flatpak environments. Kdenlive sees significant stability improvements, which include fixes for crashes when deleting clips, applying effects, or opening projects. Itinerary improves flight and reservation handling, Konqueror works better on Wayland with corrected sidebar menus, and Okular now uses the correct default filename when signing PDFs. Other apps like Neochat, Tokodon, and KRDc fix link handling, image copying, and connection URL preservation.

Plasma 6.4.5: The Discover software center now correctly re-enables the Delete Settings button when reopening messages. Panel customization is smoother with better handling of the Esc key during editing, and folder views on the desktop no longer misplace icons when rearranging. System settings (KCMs) see various fixes, including proper font change notifications, improved notification configuration pages, and better focus behavior in the time zone selector. The KWin window manager improves display handling with better output identification using UUIDs with more reliable color management on Wayland.

KDE Frameworks 6.18.0: This KDE update ensures smoother performance across KDE applications like Dolphin, KMail, and Ark. The Breeze Icons theme has been cleaned up, removing outdated and non-standard icon sizes and third-party app icons to improve consistency. Core libraries such as KIO and KArchive see better handling of file operations, improve thumbnail loading in background threads, and enhanced security when processing malformed archive files. Kirigami, the framework for adaptive user interfaces used in apps like Itinerary and Plasma Mobile, fixes layout issues in navigation components and improves accessibility with better focus handling. Other updates include improved code quality checks across multiple frameworks, and bug fixes in KTextEditor.

OVMF edk2-stable202508: This update upgrades dependencies to OpenSSL 3.5.1 and Oniguruma 6.9.10, introduces Standalone MM support, and adds FF-A memory management with UUID-GUID conversion. Hardware and architecture support expands with ARM GICv5, RISC-V PEI booting, and improved exception handling. Legacy UGA support has been removed, and QEMU TLS and TPM2 handling are enhanced for stability. The release also brings numerous USB, SMM, and CPU hotplug fixes, better build system integration (including mingw-w64), and enables iSCSI boot by default for x64 OVMF.

tuned 2.26.0: This update adds support for MMC devices, improves hotplug handling, and enhances core calculation, variable inheritance, and logging for unsupported plugins. Power management profiles for this Daemon for monitoring and adaptive tuning now use med_power_with_dipm instead of min_power to prevent potential data loss while retaining energy savings. Additional refinements cover network latency tuning, scheduler performance detection, and sysfs monitoring.

7-Zip 25.01: This file archiver update improves security by changing how symbolic links are handled when extracting archives. Performance has been boosted as bzip2 compression speeds up by 15–40 percent and deflate (zip/gz) compression is slightly faster by 1–3 percent. Archive compatibility is enhanced with better support for ZIP, CPIO, and FAT formats. Security issues have been addressed, including fixes for incorrect handling of malformed RAR archives and crashes with certain malformed Compound File archives.

libvirt 11.6.0: This release introduces several new features, including a flag to compute baseline CPUs independent of the host, finer control over QEMU TLS priority strings, default disabling of deprecated CPU features for s390 domains and RBD namespace support for QEMU. Defaults for arm and RISC-V now use virtio-scsi instead of lsilogic. Other improvements include discard granularity settings, better NSS debugging, and relaxed TLS certificate requirements.

udisks2 2.10.91: This release improves storage management, including LUKS header backup, the ability to set labels when creating encrypted devices, and support for extra PBKDF options. Users can now use key files with BitLocker volumes, specify metadata versions for MD RAID, and take advantage of new Btrfs methods to get and set default subvolume IDs. Mount options have been expanded with new flags for ISO9660, f2fs, and ext3/ext4 filesystems.

polkit 126: With this release, actions can now be read from /etc/, /run/, and /usr/local/share, and a new LogControl1 protocol allows dynamic log level changes. Duktape simplifies dependencies and replaces mozjs. Translations were expanded to Slovenian and Hindi.

Key Package Updates

GnuPG 2.5.12: This update adds new flexibility and fixes across GnuPG. Keys sent to LDAP servers are now refreshed beforehand unless disabled with a new option, and a new --[no-]auto-key-upload setting controls automatic uploads. Compression handling has been improved by disabling default compression for 7z input. Support for Kyber variants in --edit-key:addkey has been added, and regressions with composite PQC and ECC algorithms have been fixed.

Vim 9.1.1706: This update resolves issues with buffer overruns, null dereferences, and incorrect popup window behavior. The tutor has been expanded with new sections on text objects and special registers, while outdated translations and docs were refreshed for clarity. Completion logic, command handling, and test coverage have also been refined.

Mesa 25.2.2: This release brings key updates and cleanup across the graphics stack. Legacy components were dropped, along with related packages such as Mesa-gallium, Mesa-libd3d, Mesa-libOpenCL, and libxatracker, reflecting a shift toward modern APIs and drivers. The update includes refreshed Rust crates for NVK, improved build requirements, and fixes for crate checksum mismatches.

sudo 1.9.17p2: This update fixes a rare issue that could cause sudo to send SIGHUP to all system processes when running commands in pseudo-terminals. Another fix addresses crashes when using the intercept and intercept_verify options with very large arguments or environment variables on Linux systems supporting ptrace_readv_string(). The configure script now properly supports mdoc man pages on systems without mandoc. Additionally, permission defaults for /usr/etc/sudoers have been corrected.

Postfix 3.10.4: This release fixes long-standing issues in postscreen, including socket errors after process restarts and cache lock problems that could block new processes. TLS handling is more robust with corrected legacy parameter support and prevention of null pointer crashes in tlsproxy. The update reduces unnecessary process restarts when database files change, removes obsolete OpenSSL engine dependencies, and cleans up TLS reporting by ignoring messages explicitly marked as not requiring encryption.

GStreamer 1.26.6: This update provides a more robust closed caption processing, decodebin3 tag handling, HLS directive parsing, and fallbacksrc shutdown behavior. Hardware and format support expands with V4L2 support for WVC1/WMV3, Vulkan decoder fixes, and updated Spotify integration via [librespot[(https://docs.rs/crate/librespot/latest) 0.7. New threadshare elements improve synchronization and performance, while videorate gains efficiency in drop-only mode.

fwupd 2.0.14, 2.0.15 and 2.0.16: The 2.0.15 update now supports Foxconn SDX61 modems, Jabra Evolve2 child devices, and NVIDIA ConnectX-6/7/8 NICs. Child devices can also inherit parent naming prefixes for clearer identification. Several bugs were fixed, including firmware reporting without --force, Firehose modem erasure, Goodix device enumeration, and handling versioning for BnR MTD hardware. The 2.0.14 update introduces greater flexibility by allowing firmware updates to ignore network connectivity requirements, UEFI capsule devices to opt out of Capsule-on-Disk, and plugins to access firmware versions during updates. Numerous fixes improve reliability, including better handling of modem devices, Lexar NVMe versioning, Synaptics RMI initialization, UF2 parsing, and ThunderBolt retimer detection. Newer hardware support expands fwupd’s reach across modern systems and peripherals.

Kernel Source 6.16.5, 6.16.6, 6.16.7, 6.16.8: The 6.16.8 update delivers broad stability and security fixes across filesystems, networking, and drivers. Btrfs resolves quota statistic leaks and subvolume deletion races, while NFS and NFSv4.2 improve serialization of O_DIRECT operations and capability handling. The 6.16.7 update adds mitigation for the newly documented vulnerability (CVE-2025-40300), extending protection to older Intel CPUs, enabling conditional IBPB, and warning when STIBP is disabled with SMT. The tar-up utility has been modernized by switching to the standard tar command, ensuring consistent ownership, sorting, and compatibility with Tumbleweed. The 6.16.6 update sees multiple race condition fixes for Btrfs to improve inode logging reliability, while audio and USB support is refined with codec fixes and better handling for Focusrite devices. Networking and wireless drivers receive extensive patches for cfg80211, iwlwifi, brcmfmac, and mt76 chipsets, addressing use-after-free bugs, race conditions, and scan stability. The 6.16.5 update addresses memory leaks, race conditions, and use-after-free bugs in device trees, networking, tracing, and I/O handling. Enhancements include better SMB client reliability under concurrent access, improved audio codec controls, fixes for HID and Intel quicki2c drivers, and refined io_uring worker management. Graphics drivers for MSM and Mediatek gain stability updates, while Bluetooth handling of disconnections and packet tracking is made more robust.

SELinux Policy 20250909: This update refines SELinux rules to improve compatibility with common services and system components. GDM can now create password lock files and bind sockets in the systemd userdbd directory, while nsswitch domains are permitted to connect to XDM over Unix sockets. Additional updates enable gnome-remote-desktop communication with tabrmd, nm-dispatcher plugins to read pidfs attributes, and chronyc to use setgid/setuid.

SETools 4.6.0: The seinfo tool can now display roles allowed for a given type, and a new sechecker module ensures kernel modules remain read-only. Support for the nlmsg extended permission has also been introduced. Behind the scenes, the codebase has been modernized with improved quality checks, expanded unit testing, and removal of deprecated methods. Packaging has been updated to use pyproject.toml with refined dependency handling and automated test execution during builds.

QEMU 10.1.0: VFIO now supports passthrough for SEV-SNP and TDX guests, while migration gains multifd post-copy acceleration, optimized pre-copy, and IPv6 RDMA support. The QEMU guest agent can query Windows VM load with a new command. Architecture updates include new ARM CPU features and boards, nested virtualization and CXL on the ARM virt board, LoongArch in-kernel irqchip, RISC-V ISA extensions and Kunminghu CPU support, and endian selection for Microblaze. Numerous fixes and deprecations are included.

CUPS 2.4.14: This update for printing patches two vulnerabilities: an authentication bypass with AuthType Negotiate (CVE-2025-58060) and a null dereference leading to remote DoS (CVE-2025-58364). It also introduced a new print-as-raster attribute, allowing jobs to be forced into raster format to work around printer firmware PDF issues. Additional improvements address job cleanup after restarts, subscription handling, IPP/PPD option parsing, memory leaks, and scheduler event reporting. Version 2.4.14 follows with a hotfix ensuring proper installation of localized templates and CUPS web UI pages, improving overall reliability.

Security Updates

Kernel Source 6.16.7:

CVE-2025-40300: A vulnerability in the Linux kernel’s virtualization layer could allow data from restricted memory to leak into user processes, potentially exposing sensitive information.

Python:

CVE-2025-8194: A HIGH-severity DoS in Python’s tarfile module where crafted tar archives with negative offsets can cause infinite loops or deadlocks.

Mesa 25.2.2:

CVE-2023-45913: A flaw with graphics drivers could cause crashes when the display system sends unexpected signals while handling windows and lead to application instability or denial of service.

CUPS 2.4.14:

CVE-2025-58060: In CUPS (the printing system), when authentication is configured to something other than “Basic”, the system may ignore a “Basic” auth header and skip password validation entirely — allowing anyone to bypass authentication.

CVE-2025-58364: In CUPS,unsafe handling and validation of printer configuration data can lead to a null pointer error, crashing the printing service across the local network (denial of service).

Xen 4.20.1_04:

CVE-2025-27466: A NULL pointer dereference fllaw may occur when updating a timer reference area, potentially crashing the hypervisor or guest environment.

CVE-2025-58142: A variant of the above issue assuming a synthetic timer page is always mapped can lead to a NULL pointer dereference when delivering a timer message, causing instability.

CVE-2025-58143: A race condition could let a guest trigger freeing of memory still in use, leading to information leaks or memory corruption.

ImageMagick:

CVE-2025-57807: A flaw with the package on 64-bit systems could cause the program to write data outside safe memory areas, leading to crashes or possible code execution by attackers.

libssh 0.11.3:

CVE-2025-8114: A NULL pointer dereference allowing an attacker to crash the client or server.

CVE-2025-8277: A memory flaw not freed properly allowing gradual memory exhaustion and potential crashes.

7zip 25.01:

CVE-2025-53816: Heap buffer overflow in 7-Zip’s RAR5 handler caused by writing zeroes outside the allocated heap buffer, leading to memory corruption and DoS.

CVE-2025-53817: A related security issue in 7-Zip (same package as CVE-2025-53816), also addressed in SUSE’s 7zip update.

libqt5-qtwebengine 5.15.19:

CVE-2024-10229: Security issue in **libQt5Pdf addressed in SUSE’s updates.

CVE-2024-10827: Another vulnerability in **libQt5Pdf fixed in SUSE’s maintenance release.

CVE-2024-12694: Yet another libQt5Pdf vulnerability included in the same SUSE security update.

CVE-2025-0436: Also listed among libQt5Pdf issues in SUSE’s security advisory.

CVE-2024-11477: Included in SUSE’s security fix for libQt5Pdf.

CVE-2025-0996: A spoofing vulnerability in Chrome’s Browser UI (Omnibox) on Android allowed a crafted HTML page to manipulate the URL bar.

CVE-2025-1426: A heap buffer overflow in GPU (as per your summary) included in SUSE’s libQt5Pdf security advisory.

tiff:

CVE-2025-8961: A flaw in the tool could let a local user corrupt memory, potentially causing crashes or instability.

Expat 2.7.2:

CVE-2025-59375: A vulnerability where a small, specially crafted document can force the parser to allocate very large amounts of memory—potentially causing a crash or denial of service.

Mozilla Firefox 143.0:

CVE-2025-10527: A use-after-free bug in Firefox’s Canvas2D graphics component that could allow code inside the sandbox to break out and run malicious actions.

CVE-2025-10528: An invalid pointer/undefined behavior issue in the same graphics area (Canvas2D) that could similarly lead to sandbox escape.

CVE-2025-10529: A weakness in browser layout code letting a page violate same-origin restrictions (i.e. read or affect data from another origin) under certain conditions.

CVE-2025-10530: A spoofing issue in the WebAuthn (web authentication) component of Firefox for Android; attacker can trick UI or credentials behavior.

CVE-2025-10531: A bypass of mitigation controls in the Web Compatibility / tooling side, potentially letting some protections be skipped.

CVE-2025-10532: An error in JavaScript’s garbage collection boundaries that may lead to out-of-bounds memory access or corruption.

CVE-2025-10533: An integer overflow bug in the SVG component that under specific inputs could lead to memory corruption.

CVE-2025-10534: A spoofing issue in the site permissions UI where it might trick the UI into showing misleading permission status.

CVE-2025-10535: Information disclosure / mitigation bypass in Firefox for Android’s privacy component, possibly leaking data.

CVE-2025-10536: A flaw in caching / networking logic allowing unintended data exposure.

CVE-2025-10537: A set of memory-safety bugs (across various components) that could lead to memory corruption or arbitrary code execution.

Users are advised to update to the latest versions to mitigate these vulnerabilities.

Conclusion

September 2025 was a robust month for openSUSE Tumbleweed. From major desktop improvements in GNOME 49 and KDE Gear 25.08.1 to critical under-the-hood upgrades in the Linux kernel, QEMU and others. This month’s updates underscore Tumbleweed’s commitment to delivering a reliable, well tested rolling-release. Users are encouraged to update promptly to take full advantage of these improvements.

Slowroll Arrivals

Please note that these updates also apply to Slowroll and arrive between an average of 5 to 10 days after being released in Tumbleweed snapshot. This monthly approach has been consistent for many months, ensuring stability and timely enhancements for users. Updated packages for Slowroll are regularly published in emails on openSUSE Factory mailing list.

Contributing to openSUSE Tumbleweed

Stay updated with the latest snapshots by subscribing to the openSUSE Factory mailing list. For those Tumbleweed users who want to contribute or want to engage with detailed technological discussions, subscribe to the openSUSE Factory mailing list . The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.

Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.

The Hungarian band Asztropapucs has a special place in my heart. I have known these musicians for a long time, some of them even before they formed the band. Like almost everyone else, they started out playing cover songs years ago. Recently, however, they started writing their own songs. I have seen them perform at various concerts. They practiced regularly, and their hard work has led to continuous improvement. This weekend, they published their first song on several streaming services: “Maja” I’ve listened to it many times, and I recommend you do the same. :-)

TIDAL: https://tidal.com/album/460285061

Dear Tumbleweed users and hackers,

The week of the desktop is extending from last week into this one. GNOME 49 has been checked in to Factory and is nearing completion. It still requires a bit of patience from your side to get there. While you are waiting for GNOME 49, we have delivered five snapshots (0918, 0919, 0920, 0922, and 0923) to bridge the time until then.

The most relevant changes in those snapshots were:

• cups 2.4.14
• openSSL 3.5.3
• Mozilla Firefox 143.0 & 143.0.1
• gdbm 1.26
• texinfo 7.2
• expat 2.7.2
• Linux kernel 6.16.8

Looking into the crystal ball – or rather staging, which gives slightly better results – we can foresee these changes reaching you anytime soon:

• GNOME 49: Upgraders might run into an issue with dynamic user generation. The issue does not originate from GNOME, but rather /etc/nsswitch.conf not having nss-systemd registered for passwd/group and shadow. See https://bugzilla.opensuse.org/show_bug.cgi?id=1250513 if you are affected, and a workaround. We are looking into ways to fix this automatically
• coreutils 9.8
• Meson 1.9.1
• Poppler 25.09.1
• openexr 3.4.0
• Boost 1.89
• cURL 8.16.0
• Linux kernel 6.16.9

Members of the openSUSE Project have advanced automated testing with the integration of Model Context Protocol (MCP) into the project’s openQA framework.

This marks a pivotal step toward embedding Artificial Intelligence into its open-source software development workflows.

“The initial release will begin with three MCP tools, and the feature will grow over time based on user feedback,” wrote Sebastian Riedel on a blog announcing the MCP support. “This will be primarily used by SUSE QE engineers and members of the openSUSE community, who spend a lot of time reviewing test results and tracking down reasons for why automated tests have failed.”

MCP standardizes how AI models access external tools and data through Application Programming Interfaces (APIs), which enables large language models to interact with web services like openQA and others.

The update means that AI assistants can query openQA directly to review test results and generate summaries of job runs. For example, a request to summarize job 5324207 returned details about a failed ARM-based Tumbleweed test, while job 5265754 showed a passed x86_64 networking suite with only minor skips.

MCP support in openQA is currently limited to read-only access, letting AI tools collect information without making changes. Future updates may enable write operations, though those would require additional security settings and control methods. Most MCP clients today support bearer token authentication, so that is what openQA relies on as well.

Project maintainers say MCP support is still considered experimental and must be manually enabled in openqa.ini. Still, the integration highlights a step forward for blending AI with automated testing.

For openSUSE, it signals new opportunities for contributors, testers and developers to harness AI in monitoring and improving the distribution’s quality.

The integration of MCP into openQA positions open-source projects like openSUSE to lead in the emerging AI ecosystem. This approach helps maintain open standards while enabling interoperability in complex technology environments. Proprietary approaches risk vendor lock-in and lack transparency and standardization. Open-source solutions instead provide secure, context-aware interactions between AI and existing tools and give organizations access to a growing collaborative network.

The integration of MCP support into openQA is a key milestone for the Project as it enables open, intelligent and automated testing workflows that directly query test results. This should further enhance DevOps efficiency and reduce manual effort. Improved automation across infrastructure like openSUSE Build Service and openSUSE’s Bugzilla, which are expected to integrate MCP into future workflows, should increase productivity, contribution efforts and efficiency.

This MCP feature is now live for all users at openqa.opensuse.org and openSUSE demonstrates how open collaboration drives progress in open-source software.

Version 4.10.0 of syslog-ng is now available. Among others it adds:

• support for file size based logrotation
• a filter that test if a value is blank
• updated MongoDB driver support

For more details check the syslog-ng release notes at https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.10.0

This release fixes several bugs introduced in syslog-ng version 4.9.0, which is the syslog-ng version available in openSUSE Leap 16.0 and Fedora 43. It’s feature freeze (and thus package version freeze) for both distros, but do not worry: bug fixes are back ported.