the avatar of openSUSE News

KDE Gear, FreeRDP update in Tumbleweed

This week’s openSUSE Tumbleweed snapshots varied from large to small and there was also an updated arm Tumbleweed snapshot released.

Packages to arrive so far this month have touched several portions of the rolling release.

Snapshot 20230904 had security fixes for two packages. The XML parsing package libxml2 addresses CVE-2023-39615, which pertains to a crafted XML that could potentially lead to a global buffer overflow, and libxml2-python mitigates this vulnerability with a patch.

An update of FreeRDP arrived in snapshot 20230902. The update to freerdp 2.11.0 has various input validation fixes and addresses potential vulnerabilities to enhance security. The package introduces various CMake options to provide more flexibility in building the package. There are fixes related to LibreSSL and the inclusion of support for big endian systems. The package also changes its handling of the H.264 codec by adopting a new FFmpeg Application Programming Interface. An update of php8 8.2.10 fixes a command-line interface (CLI) server crash and addresses issues in the MySQLnd extension to ensure proper authentication with password accounts and prevent segfaults. SDL2 2.28.3 introduces a gamepad mapping for the G-Shark GS-GP702 and fixes touchpad events for the Razer Wolverine V2 Pro controller in PS5 mode. An update of xdg-utils merges an upstream patch and has changes to support KDE Plasma 6 when it is released. Several other packages were updated in the snapshot, including suse-module-tools 16.0.34, virtiofsd 1.7.2 and more.

More than 30 software packages were updated in the first snapshot of September. Updates for KDE Gear arrived in snapshot 20230901. File manager Dolphin can now hide temporary and backup files, which unclutters the user’s file view. Dolphin also introduces features like showing the progress of size calculations. Document viewer Okular enhances digital signing by allowing additional metadata like reason and location to be added to signatures. KDE’s travel assistant package Itinerary now supports importing online railway tickets and improves the extraction of data from various companies’ documents like Air Asia, B&B Hotels, Deutsche Bahn, Eventbrite, FlixBus and more. An update of Mozilla Firefox 117.0 has changes to take care of memory corruption in various components and fixes issues related to an integer overflow and unencrypted push notifications. The web browser update addresses 13 Common Vulnerabilities and Exposures. An update of git 2.42.0 has some notable changes that include the ability to tweak the reference hierarchy using patterns with git pack-refs and the use of a new hook program in git pack-objects to enumerate extra objects for anchoring. There are also improvements in handling GPG signature verification, and the package enhances compatibility with the sparse index feature. An update of Linux Kernel 6.4.12 fixes error handling in crypto and Common Internet File System. It also has some Advanced Linux Sound Architecture (ALSA) System on Chip (ASoC) changes and stability improvements. Several other packages were updated in the snapshot, including PipeWire 0.3.79, python-pip 23.2.1, LibreOffice 7.6.1.1, Mesa 23.1.6, AppStream 0.16.3, samba 4.18.6 and more.

A new arm Tumbleweed snapshot 20230904 included all the package updates from the software highlighted above.

the avatar of Nathan Wolf

Persistent Pipewire Problems Pause Productivity

I was having some issues in openSUSE Tumbleweed where my audio devices would continue to be listed after being disconnected. My audio applet in KDE Plasma was looking like an incredible mess and it was making conducting remote meetings problematic. Microsoft Teams is already an audio mess on any operating system, the Linux desktop shouldn’t […]
the avatar of openSUSE News

New Leap Micro Alpha Enhances SELinux

The openSUSE Project is pleased to announce its modern lightweight host operating system Leap Micro 5.5 just entered Alpha.

This release brings a host of enhancements and additions that promise to make it an even more versatile and efficient choice for users.

The most visible change is the addition of the setroubleshoot server and its integration with the cockpit-selinux module.

Packages fwupdate and fwupdate-efi for an easy integration of UEFI firmware updates are being added.

Also being added are git, skopeo for image manipulation, and podman-docker for emulation of Docker CLI using podman. The QEMU Copy On Write (QCOW) version of the RAW image for both x86_64 and aarch64 is newly available.

Leap Micro does not offer a graphical user interface or desktop version. Users can use Cockpit to manage their host OS through a web browser.

The Alpha is based on SUSE Linux Enterprise (SLE) Micro 5.5 Beta and is built on top of a SLE 15 Service Pack 5 update. Users can expect Leap Micro 5.5 Beta shortly after the SLE Micro 5.5 RC is released in the second half of September 2023. The global availability is planned for the middle of October 2023 together with SLE Micro 5.5 global availability. The schedule is entirely driven by the SLE Micro readiness.

See the roadmap for more details.

Users should know that zypper is not used with Leap Micro, but transactional-update is used instead.

Leap Micro can be used for several compute environments like edge, embedded, and IoT deployments. Developers and professionals can build and scale systems for use in aerospace, telecommunications, automotive, defense, healthcare, hospitality, manufacturing, database, web server, robotics, blockchain, and more.

Users are recommended to view the Release Notes.

Users can submit bug reports here.

Large development teams can add value to their operations by trying Leap Micro and transitioning to SUSE’s SLE Micro for extended maintenance and certification.

To download the ISO image, visit get.opensuse.org.

Find the latest documentation about the release.

Sending logs to OpenObserve using syslog-ng

OpenObserve has an Elasticsearch compatible API for log ingestion, but syslog-ng is not mentioned in the documentation. My plan was to document how to modify the syslog-ng elasticsearch-http() destination, based on API documentation. However, as it turned out, OpenObserve has a ready to use syslog-ng configuration example in the web UI.

https://www.syslog-ng.com/community/b/blog/posts/sending-logs-to-openobserve-using-syslog-ng

the avatar of openSUSE News

Survey Reveals Community Preferences for openSUSE's Future Direction

The openSUSE contributor community completed a comprehensive survey last week aimed at determining the project’s future direction. The results were obtained from 327 respondents, and they shed some light on various aspects of openSUSE’s development, deployment and upgrade plans.

A pdf of the survey can be found on the openSUSE Wiki.

The questions and results are as follows:

Identity and Involvement

Question: Which group would you identify yourself with the most?

Interested: 3.98%
User of openSUSE distributions: 41.90%
Contributor to openSUSE distributions: 22.02%
Contributor to the openSUSE Project-wide: 8.87%
No answer: 1.53%
Not completed or Not displayed: 21.71%

Experience in openSUSE

How long have you been involved in openSUSE?

< 6 months: 7.03%
< 2 years: 12.84%
< 5 years: 10.40%
5 years and more: 46.18%
No answer: 1.83%
Not completed or Not displayed: 21.71%

This data demonstrates a significant portion of long-term users and contributors, which is indicative of a dedicated and stable community.

Deployment of openSUSE Leap

Where are you currently deploying openSUSE Leap?

My private server: 32.42%
My private laptop / desktop: 50.15%
My work machine (desktop/laptop): 33.33%
My cloud machines: 14.68%
Not applicable: 13.15%
Not completed or Not displayed: 21.71%

These findings show that openSUSE Leap has a diverse range of use cases, from personal computers to server environments.

Upgrade Preferences for Laptops/Desktops

How often would you like to upgrade to a new version of the openSUSE Leap successor distribution on a laptop or desktop machine?

Weekly: 10.40%
Every 3-6 months: 14.07%
Every 6-12 months: 20.49%
Every 12-18 months: 20.49%
No answer: 12.84%
Not completed or Not displayed: 21.71%

Upgrade Preferences for Servers/Cloud Servers

How often would you like to upgrade to a new version of the openSUSE Leap successor on a Server/Cloud Server?

Weekly: 2.75%
Every 3-6 months: 6.73%
Every 6-12 months: 11.01%
Every 12-18 months: 33.64%
No answer: 24.16%
Not completed or Not displayed: 21.71%

Contributor Preferences

What of the following options do you prefer to contribute your efforts toward?

Linarite: 19.88%
Slowroll: 19.88%
I'd prefer not to contribute to any Leap replacement and just focus on Tumbleweed: 20.80%
No answer: 17.74%
Not completed or Not displayed: 21.71%

Community’s Vision for openSUSE

What of the following overall options would you prefer most for the direction of openSUSE ?

Linarite: 23.85%
Slowroll: 27.83%
I'd prefer no Leap replacement and just focus on Tumbleweed: 17.43%
No answer: 9.17%
Not completed or Not displayed: 21.71%

Laptop/Desktop and Server/Cloud Server Preferences

For laptop/desktop machines:

Which of the following would you prefer for use on a laptop or desktop machine?

Linarite: 18.65%
Slowroll: 23.24%
I'd prefer no Leap replacement and just use Tumbleweed: 33.94%
No answer: 2.45%
Not completed or Not displayed: 21.71%

For server/cloud server machines:

Which of the following would you prefer for use on server or cloud server machine?

Linarite: 28.75%
Slowroll: 31.80%
I'd prefer no Leap replacement and just use Tumbleweed: 15.29%
No answer: 2.45%
Not completed or Not displayed: 21.71%

The results of this comprehensive survey offer a clear snapshot of the openSUSE community’s preferences and priorities, which will undoubtedly influence the project’s future direction.

the avatar of Innovators for openSUSE

OWASP ModSecurity (CRS) for everyone on openSUSE.

As an active member of the openSUSE Linux developer community and Chapter Leader for OWASP SP, I am now responsible for maintaining and updating the ModSecurity CRS packages on the openSUSE platform, as well as managing other important packages such as the official ZAP Core. For more information and supporting documentation, please refer to the link: https://build.opensuse.org/package/view_file/openSUSE:Factory/owasp-modsecurity-crs/owasp-modsecurity-crs.spec

First motivation

The motivation comes from the fact that OWASP ModSecurity Core Rule Set (CRS) v3.3.4 does not detect the presence of several “Content-Type” HTTP header fields. As a result, on some platforms it is possible to cause a CRS installation to process an HTTP request body differently (due to the different content type) than how it would be processed by a backend web application. More information at https://nvd.nist.gov/vuln/detail/CVE-2023-38199.

Version 3.3.5 of CRS was released to address this vulnerability. And so I decided to update the package in the SUSE and openSUSE distribution.
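
The mismatch described above, where the inspecting layer and the backend read different Content-Type fields, can be shown and checked for as follows. This Python is an added example, not code from CRS or from the original post; the sample requests and host name are constructed, and rejecting every repeated Content-Type field is this example's own policy.

```python
from dataclasses import dataclass

# Constructed sample request heads (not captured traffic).
SAMPLE_AMBIGUOUS = (
    b"POST /api/items HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: application/json\r\n"
    b"content-type: application/x-www-form-urlencoded; charset=utf-8\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
)
SAMPLE_CLEAN = (
    b"POST /api/items HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: application/json; charset=utf-8\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
)


def parse_header_fields(head: bytes) -> list[tuple[str, str]]:
    """Return (lower-cased name, value) pairs in wire order, skipping the request line."""
    lines = head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]
    fields = []
    for line in lines:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        fields.append((name.decode("latin-1").strip().lower(),
                       value.decode("latin-1").strip()))
    return fields


def media_type(value: str) -> str:
    """Strip parameters such as charset and normalise case."""
    return value.split(";", 1)[0].strip().lower()


@dataclass
class Finding:
    count: int        # number of Content-Type fields on the wire
    first_wins: str   # media type seen by a parser that keeps the first field
    last_wins: str    # media type seen by a parser that keeps the last field
    verdict: str      # "ok", "missing" or "reject"

    @property
    def parsers_disagree(self) -> bool:
        return self.first_wins != self.last_wins


def audit_content_type(head: bytes) -> Finding:
    values = [v for n, v in parse_header_fields(head) if n == "content-type"]
    if not values:
        return Finding(0, "", "", "missing")
    # Example policy (assumption): any repeat is rejected, even when the values
    # match, because the inspecting layer cannot know which field the backend honours.
    verdict = "reject" if len(values) > 1 else "ok"
    return Finding(len(values), media_type(values[0]), media_type(values[-1]), verdict)
```
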

Second motivation

Implementing an effective Web Application Firewall (WAF) is not the sole responsibility of the information security department; it’s a shared duty that we all must take seriously.

Below is a simplified guide for installing ModSecurity for Apache with CRS, stripping away any unnecessary complexity or “black magic.”

After the entire installation, Ricardo Martins (r00t1ng) performed the pentest to ensure the CRS protection features. Thank you!

First install the necessary packages:

Now with the packages properly installed, add the apache modules:

Verify that the /etc/apache2/conf.d/owasp-modsecurity-crs.conf file has the following content:

In your domain’s configuration file, insert the SecRuleEngine line according to the example below:

Now restart apache and READY!

or

Criticisms and suggestions at Cabelo@opensuse.org or alessandro.faria@owasp.org

the avatar of SUSE Community Blog

What is Linux?

Join us in this review of ‘What is Linux‘, tracing its evolution, the significance of open source, and SUSE’s role in this journey. From humble origins to future aspirations, we spotlight the challenges and milestones that define Linux’s legacy, rooted firmly in the ethos of open-source collaboration. Table of contents: Introduction to Linux Understanding Open […]

The post What is Linux? appeared first on SUSE Communities.

openSUSE Tumbleweed – Review of the week 2023/35

Dear Tumbleweed users and hackers,

The move of OBS to the new data center has been completed and issues we had seen as a consequence of this are mostly fixed (all in working order, some performance not exactly where it used to be, but in a workable state). Yet, we only managed to release a single, small snapshot during this week: 20230828. Two more made it to QA but had to be discarded for bugs identified which slipped Staging.

Snapshot 0828 was, as mentioned, small, and only brought you these changes over 0823:

  • clamav 0.109.9
  • Java OpenJDK 11.0.20.1
  • xfce4-terminal 1.1.0

The next snapshot (0901, should it pass openQA) will bring these changes:

  • Mesa 23.1.6
  • Mozilla Firefox 117.0
  • KDE Gear 23.08.0
  • glibc fix for malloc: Enable merging of remainders in memalign, remove bin scanning from memalign
  • grub 2.12~rc1
  • Linux kernel 6.4.12
  • XWayland 23.2.0
  • Keylime 7.5.0

Staging projects have been mostly cleared up: These few things are currently being tested:

  • Systemd 254.1: We are waiting for 254.2 due to identified performance regressions
  • libproxy 0.5.3 (changing from 0.4.18): This is the rewrite maintained by Volkswagen Group
  • FMT 10: breaks mariadb boo#1213219 and ceph boo#1213217; help welcome
  • libxml2 2.11.x
  • Linux kernel 6.5
  • Python Sphinx 7.2.4

the avatar of openSUSE News

Tumbleweed Slows for Open Build Service Move

The rolling release for openSUSE temporarily slowed the frequency of its snapshot release cycle to support the migration efforts and data center move of the Open Build Service from last week.

The release engineer team reported in its weekly meeting that the check-in of Tumbleweed builds was intentionally paused so as not to put additional stress on the OBS migration that was needed.

The first check-in build happened on Monday, passed openQA and snapshot 20230828 was released to update a half-dozen packages. An update of ImageMagick 7.1.1.15 removed a Common Vulnerability and Exposure patch after it was merged upstream. Some settings for RGBA images were corrected and some image compatibility issues were resolved. An update of clamav 0.103.9 addressed a possible denial of service vulnerability fixing CVE-2023-20197. The update also includes fixes for compiler warnings that may become errors in the Clang 16 compiler. The package for hardware identification and configuration data, hwdata, updated to version 0.373 and brings updates to Peripheral Component Interconnect, USB, and vendor IDs. An update of java-11-openjdk 11.0.20.1 brought an emergency release in response to a regression in the July 2023 update and addresses an issue of an invalid Central Directory Entry header. The wtmpdb package, which is meant to help solve the Y2038 problem, updated to 0.9.1 and includes a fix to a manual page reference and had a correction of the printf format specifier on 32-bit systems. Xfce users will be happy to see an update of xfce4-terminal 1.1.0 that introduces various changes, including allowing passing arguments to custom commands, translating strings in the unsafe paste dialog and improving window synchronization for showing tabs. The package also adds support for kinetic scrolling in VteTerminal and enhances the preferences dialog.

The 20230823 build from last week resulted in a snapshot; this happened before the weekly blog came out, but after the Review of the Week was posted. This snapshot also resulted in a half-dozen packages being updated. A key package to update in the snapshot was php8 8.2.9, which addresses CVE-2023-3824, in which insufficient length checking may lead to a stack buffer overflow, and CVE-2023-3823, which could have led to a situation where an external XML is parsed with external entities loaded; this could have led to disclosure of any local files accessible to PHP. The update of gpgme 1.22.0 prevents wrong plaintext during signature verification and prevents a bad data error from being returned instead of a general error. The package also added a couple of patches, had a few new interface changes, various enhancements and fixes. The secure communications library gnutls 3.8.1 added a patch to fix a missing compatibility extension and added support for the RFC 9258 external PSK importer. Other packages to update in the snapshot were apache2-mod_php8 8.2.9, gpgmeqt 1.22.0 and libupnp 1.14.18, which included a fix for a busy loop on a socket error in a miniserver.

A few things are expected to come as new snapshots begin to arrive after slowing down builds due to the migration. According to the release engineer meeting, systemd 254.1 is in the queue, but is currently being blocked due to a performance regression, the glibc performance regression fix might be released in the next snapshot and Linux Kernel 6.5 was submitted and will make its way through passing openQA testing.