
Version 4.10.1 of syslog-ng now available

Version 4.10.1 is a bugfix release, not needed by most users. It fixes the syslog-ng container and platform support in some less common situations.

Before you begin

I assume that most people are lazy and/or overbooked, just like me. So, if you already have syslog-ng 4.10.0 up and running, and packaged for your platform, just skip this bugfix release.

What is fixed?

  • You can now compile syslog-ng on FreeBSD 15 again.
  • The syslog-ng container has Python support working again.
  • Stackdump support compiles only on glibc Linux systems, but it also used to be enabled on others when libunwind was present. This problem affected embedded Linux systems using alternative libc implementations like OpenWRT and Gentoo in some cases. It is now turned off by default, therefore it needs to be explicitly enabled.

What is next?

If you are switching to 4.10.X now, using 4.10.1 might spare you some extra debugging. Especially if you are developing for an embedded system.


openSUSE Leap 16.0 now available to install

The final version of openSUSE Leap 16.0 is now available. The new major version of this GNU/Linux distribution comes with extended support and many changes.

The dates have been met, no setbacks have arisen and everything has gone as planned. So it is now official: openSUSE Leap 16.0 is available to download, install or upgrade, on your personal computer, your server and so on.

As planned and on the announced date, openSUSE Leap 16.0 has been released, the first version of the 16 series, which offers support and updates for many months, like no other GNU/Linux distribution.

What openSUSE Leap is

openSUSE Leap is the openSUSE community's GNU/Linux distribution with periodic releases. That is, every year a new minor version (or service pack) is published that provides support, security patches and fixes.

In this new stage, Leap 16.0 comes with an extended support period of 2 years. That is, there is official support for 2 releases. Leap 16 will move on to 16.6 in autumn 2031 and will keep receiving updates until Leap 17.1 arrives two years later. No other GNU/Linux distribution provides that much support.

openSUSE Leap takes its code from SUSE Linux Enterprise (SLE), the enterprise GNU/Linux distribution developed by SUSE. On that code base a community version is built, which is what Leap offers.

Leap is ideal for people who want a stable and robust system and do not prioritize having the latest software versions. (That does not mean that options such as Tumbleweed or Slowroll are not stable and robust.)

What you will find in Leap 16.0

This new version brings many new features:

  • Kernel: 6.12 (from SLES 16.0)
  • GNOME: 48.1
  • KDE Plasma: 6.4
  • Xfce 4.20
  • AppArmor: 4.1
  • GIMP: 3.0
  • RPM: 4.20
  • Cockpit 334.1
  • GNU Health 5.5

Wayland desktops are supported, although Xorg and desktops that use that display server can be installed from the repositories. It also ships with 32-bit support disabled, although it can be enabled, since many 32-bit libraries are used for gaming on Steam.

One of the most significant changes is undoubtedly that this version is the first in openSUSE to officially use the new Agama installer, "retiring" the veteran YaST as the installer.

When installing new software we can use the new Myrlyn, which offers a familiar graphical interface but whose code is entirely new and up to date.

Zypper will now be configured to allow parallel downloads, which really makes downloading and installing new packages or updates from the command line fly. I am using it on Tumbleweed and it really makes everything much faster.

AppArmor is replaced by SELinux, although AppArmor will be available from the repositories after installation so that anyone who needs it has it at hand.

Migrating from Leap 15.6 to Leap 16.0

In this new version, migrating from a previous release will be even simpler thanks to the new system migration tool available in the repositories since Leap 15.6, so you can make the transition easily and keep enjoying your stable Leap system as if nothing had happened. That said, always make a backup of the data and important configuration you do not want to lose. But you were already doing that, right?

In addition, that migration tool also lets you migrate your system to Tumbleweed, Slowroll and even to SUSE Linux Enterprise, and enjoy professional support for your small business.

In short, Leap 16.0 brings new features and once again offers a great operating system that can be a good replacement for people who want to leave Windows (now that Windows 10 will stop receiving official support) and get started in the GNU/Linux world.

Enjoy a stable GNU/Linux distribution with plenty of software available from the repositories, one click away. An operating system you own, that needs no activation key, has no restrictions, whose behaviour you know at every moment, needs no activation e-mail, does not spy on you and gives you the freedom to enjoy your computer and use it with complete freedom.

openSUSE is a global community that contributes from all over the world to create a free operating system. Thousands of people worldwide contribute their knowledge for the benefit of the community: there are software packagers, people who report or fix bugs, translators, and so on.

You too can be an active part of that community, taking on any of the tasks you can handle depending on your time and knowledge. But if you cannot or do not want to collaborate in any way, simply use and enjoy openSUSE.

Download the ISO and you can install it on your computer, or upgrade your current openSUSE Leap to the new version 16.0, and have a lot of fun!


Next Chapter Opens with Leap 16 Release


Members of openSUSE Project are thrilled to announce the release of openSUSE Leap 16.

This major version update of our fixed-release community-Linux distribution has a fresh software stack and introduces an unmatched maintenance- and security-support cycle, a new installer and simplified migration options.

“Vendors and developers should give Leap and Leap Micro a serious look and consider it as the target platform for their solutions,” said release manager Lubos Kocman. “You get 24 months of free maintenance and security updates. No other community distro offers that at no cost.”

Leap 16 as a community-supported platform will shape open-source development breakthroughs and real-world solutions in the years ahead. The release is 2038 safe and comes with 32-bit (ia32) support disabled by default. It gives users the option to enable it manually and enjoy gaming with Steam, which still relies on 32-bit libraries. The hardware requirements have changed. Leap 16 now requires x86-64-v2 as a minimum CPU architecture level, which generally means CPUs bought in 2008 or later. Users with older hardware can migrate to Slowroll or Tumbleweed.

Leap 16 channels community and enterprise distribution code by building on the foundation of SUSE Linux Enterprise Server (SLES), bringing source and binary identicality with it. Users have the option to seamlessly migrate from openSUSE Leap 16 to SLES 16. Developers can use openSUSE Leap to create, test and run workloads for later deployment on SLES.

Leap 16 ships with the new Agama installer, which offers a more modern setup experience over the deprecated YaST-based installer. Leap 16 further supports parallel downloads in the package manager Zypper to speed up software installations and updates.

Migration also gets easier with this major version update. The new openSUSE Migration tool allows users to seamlessly upgrade from Leap 15 to Leap 16 as well as to migrate to Slowroll, Tumbleweed or SLES.

Leap 16 marks the start of a new life-cycle plan. Unless the project makes strategic changes, annual minor releases are expected to continue until 2031 with the release of Leap 16.6. A successor to Leap 16 is expected in 2032. Leap Micro, the project’s immutable server distribution, is adopting the same schedule.

The release comes with SELinux as the Linux Security Module (LSM). AppArmor remains an option that can be selected post installation. Changes in Leap related to AppArmor and 32-bit support offer a transition period for users.

More advancements will come as Leap 16 evolves toward its final release next decade as automation, containerization, system tooling and hardware encryption mature.

Those who wish to develop for Leap 16 are encouraged to participate in the weekly feature review meeting on Mondays.

Known bugs for Leap 16 can be found on the project’s wiki.

People can leave feedback about the release of Leap 16 at survey.opensuse.org.


Migrating to openSUSE Leap 16.0 with opensuse-migration-tool

Over the years, I have noticed that the biggest challenges during upgrades usually involve 3rd-party repositories, mostly due to their unavailability for the new release or delays in catching up.

Another challenge has been constant changes to distribution repositories. For example, in Leap 15.3 we removed the ports repositories as part of the Closing the Leap Gap initiative and also introduced SLE Update repositories.

Now, with Leap 16.0, update repositories are being removed entirely. Leap Micro 6.X also no longer has dedicated update repositories.

In the past, users had to manually modify distribution repositories. Fortunately, openSUSE-repos automates this process and puts distribution repositories under RPM management. This is now the default behavior for both Leap Micro 6 and Leap 16. This dramatically simplified the whole upgrade and distribution migration process.

Why use opensuse-migration-tool

Upgrading your system doesn’t have to be scary or complicated. The opensuse-migration-tool is designed to make the process simple, safe, and predictable. I got inspired by our jeos-firstboot, which uses dialog for smooth interactions. The tool also greets you with a nice green dialog, thanks to a customized dialogrc—giving it that familiar openSUSE look and feel right from the start.

Here’s what it can do for you:

  1. Install updated distribution repository definitions automatically
  2. Disable non-distribution repositories to avoid conflicts
  3. Run zypper dup for a smooth, safe upgrade
  4. Offer post-upgrade scripts to adopt new defaults—or keep your preferred settings, for example AppArmor vs SELinux
  5. Perform pre-migration checks to make sure your system is ready, including verifying x86_64-v2 support
  6. Reboot
  7. Optional snapper-rollback or simply boot to older snapshot from grub

The tool isn’t limited to just Leap n → Leap n+1. You can also upgrade to SUSE Linux Enterprise, Slowroll, or Tumbleweed. Slowroll → Tumbleweed upgrades work too, and recent requests include Leap Micro → Slowroll Micro. As long as it’s an upgrade, it will simply work.

Want to see it in action? Check out LowTechLinux’s opensuse-migration-tool review on YouTube for a hands-on demo and external validation.

Getting started

In case the tool is not yet installed on your system, install it with:

sudo zypper in opensuse-migration-tool

If you are using the tool for the first time or just want to check it out, run it in test mode (no need to use sudo in dry-run mode):

/usr/sbin/opensuse-migration-tool --dry-run

This will not show exactly what will be upgraded, but it will give you a good idea of what the tool can do and it will not make any changes to your system.

Once you feel confident, run:

sudo opensuse-migration-tool

The tool will offer to disable non-distribution repositories, which is strongly recommended. It will then trigger zypper dup --r and automatically rerun zypper if any issues occur.

The tool also performs pre-migration system checks. If you are affected by any issues, you might want to run the latest version directly from git. Contributions are welcome.

git clone https://github.com/openSUSE/opensuse-migration-tool.git
cd opensuse-migration-tool
./opensuse-migration-tool --dry-run

Further documentation

More information can be found at openSUSE System Upgrade. This document also suggests how to perform a manual upgrade to 16.0, although I would not recommend it, especially given the positive feedback we have received for the tool.

Make sure to read Leap 16.0 release notes as well as Known bugs wiki prior to upgrading.

Future plans

I plan to provide an optional GTK4 interface that preserves the shared migration logic and power of Bash. This will use custom GTK4 dialogs to keep the openSUSE look and feel, but it will be invoked similarly to zenity. Here’s a sneak peek from the first two dialogs:


People can leave feedback about the Leap 16 release on survey.opensuse.org once the survey is published, after the release becomes generally available today at 12:00 UTC.


The only benchmark that matters is...

…the one that emulates your real workload. And for me (and probably many of you reading this), that would be “build a kernel as fast as possible.” And for that, I recommend the simple kcbench.

I mentioned kcbench a few years ago, when writing about a new workstation that Level One Techs set up for me, and I’ve been using that as my primary workstation ever since (just over 5 years!).


SUSE Security Team Spotlight Summer 2025


1) Introduction

Autumn is already palpable for many of us these days and this means it is time to take a look back at what happened in our team during the summer months. We have not published any dedicated security reports during that time; instead we have all the more to cover in this edition of the spotlight series which discusses code review efforts that did not lead to major findings or otherwise did not qualify for a dedicated report.

This is also the first anniversary of the spotlight series, which we started in August 2024 with the first summer spotlight edition. We are happy to provide our readers with interesting content about the daily work in our team and are looking forward to more anniversaries to come.

In this issue we will cover a local root exploit we discovered in systemd v258-rc4 before it became part of a stable release, problems found in logrotate drop-in configuration files, changes in D-Bus configuration files related to the GNOME version 49 release, and a follow-up code review of the Kea DHCP server suite. Furthermore we found a symlink attack issue in chronyc, proactively reviewed new Varlink services developed by fellow SUSE engineers and discovered a local privilege escalation issue in bash-git-prompt. Finally we will talk about a problematic script used on Steam Deck devices.

2) systemd v258: Local Root Exploit in new systemd-machined API found in Release Candidates

At the beginning of August one of our systemd maintainers asked us to review D-Bus and Polkit API changes in a release candidate of systemd 258. This major version update of systemd contains many API additions e.g. in systemd-resolved, systemd-homed, systemd-machined and systemd-nsresourced.

While looking into these changes we found an issue in systemd-machined. This daemon can be used to manage virtual machines and containers alike. In upstream commit adaff8eb35d a new Polkit action “org.freedesktop.machine1.register-machine” has been added, which was accessible to locally logged in users without authentication (Polkit setting “yes”). The purpose of this new API is to allow users to register existing containers with systemd-machined that have been created by other means.

There exist two D-Bus methods which employ this Polkit action: “RegisterMachine” and “RegisterMachineWithNetwork”. Both accept a rather long list of parameters to describe the container which is supposed to be registered with the daemon. The following command line performs an example registration of a fake container:

$ gdbus call -y -d org.freedesktop.machine1 -o /org/freedesktop/machine1 \
    -m org.freedesktop.machine1.Manager.RegisterMachineWithNetwork \
    mymachine '[1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16]' myservice container \
    $$ $PWD '[1, 2, 3]'

Among these parameters is the process ID (PID) of the leader process of the container. In this example $$, i.e. the shell’s own PID, is passed as leader PID. The release candidate implementation of systemd-machined failed to verify whether this process is owned by the caller and an actual member of an unprivileged user namespace belonging to a container.

The first problematic aspect we noticed about this was that systemd-machined can send SIGTERM to the process group the given leader PID belongs to (e.g. when registering a new container using the same name), allowing a trivial local Denial-of-Service against arbitrary other processes. Far more problematic was something else that we noticed: the unprivileged user was able to enter a shell in such a crafted container, like this:

user$ machinectl shell mymachine
# full root privileges, this happens in the actual host's file system
container-root# touch /evil

Since the leader PID in this case is a process belonging to the host’s initial namespaces, the root shell for the “container” is actually a root shell in the host itself, giving full root privileges over the system.

This problem is found in all release candidates of systemd v258. We reported the problem privately to systemd security, and upstream developed bugfixes right away while still in the RC phase. The local root exploit was never present in any stable release version and thus end users are not affected by the problem, which is also why no CVE was assigned.

The Bugfix

To address the issue, systemd-machined now verifies that the leader PID specified by the client is actually owned by the caller. Furthermore the authentication requirements for Polkit action “register-machine” have been raised to auth_admin_keep even for local users.

While writing this very summary we noticed that one aspect of the issue had been overlooked and was not fixed for the stable release: the verification of the user namespace membership of the target process. Thus it is still possible to gain a root shell this way, but only after authenticating as admin, which means the caller already needs admin privileges to trigger the exploit. This aspect has now been addressed for future releases by upstream, which is important, because upstream intends to relax the authentication requirements for this action to yes again at a later time.
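As an added illustration of the two checks described above (this is example code written for this summary, not systemd's implementation), the following Python function accepts a client-supplied leader PID only if the process is owned by the calling user and sits in a user namespace different from PID 1's. The `proc` parameter and the `LeaderCheck` type are assumptions of the example so the logic can be exercised against a constructed /proc-style tree; on a live system the default "/proc" is read.

```python
# Added example, not systemd's code: the two checks a daemon such as
# systemd-machined must apply to a client-supplied "leader PID" before
# treating it as a container. It reads a /proc-style tree (the `proc`
# parameter exists so the logic can be exercised against a constructed
# tree; on a live system the default "/proc" is used).
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class LeaderCheck:
    accepted: bool
    reason: str


def _user_ns(proc: str, pid: int) -> Optional[str]:
    """Identity of pid's user namespace, e.g. 'user:[4026531837]'.
    None when it cannot be read (process gone, or no ptrace access:
    readlink on /proc/<pid>/ns/* is subject to a ptrace access check)."""
    try:
        return os.readlink(os.path.join(proc, str(pid), "ns", "user"))
    except OSError:
        return None


def check_leader_pid(pid: int, caller_uid: int, proc: str = "/proc") -> LeaderCheck:
    """Accept pid as a container leader only if it is owned by the caller
    and lives in a user namespace other than PID 1's. Anything that cannot
    be verified is rejected, because the daemon would otherwise act as
    root (e.g. spawn a root shell via machinectl) against that process."""
    try:
        # /proc/<pid> is owned by the process's user for dumpable processes
        owner = os.stat(os.path.join(proc, str(pid))).st_uid
    except OSError:
        return LeaderCheck(False, f"pid {pid} does not exist")
    if owner != caller_uid:
        return LeaderCheck(False, f"pid {pid} is owned by uid {owner}, not by caller uid {caller_uid}")
    host_ns, leader_ns = _user_ns(proc, 1), _user_ns(proc, pid)
    if host_ns is None or leader_ns is None:
        return LeaderCheck(False, "user namespace membership could not be verified")
    if leader_ns == host_ns:
        return LeaderCheck(False, f"pid {pid} is in the host's initial user namespace")
    return LeaderCheck(True, f"pid {pid} is owned by uid {caller_uid} and lives in {leader_ns}")


if __name__ == "__main__":
    # A shell's own PID ($$ in the gdbus call quoted above) is owned by the
    # caller but sits in the initial user namespace, so it is rejected.
    print(check_leader_pid(os.getpid(), os.getuid()))
```

The ownership check alone is what the stable release shipped; the namespace comparison is the part the summary says was initially overlooked, and it is what stops a host process from being registered as a "container" once the Polkit action is relaxed to “yes” again. Raising the action to auth_admin_keep is an independent layer and does not replace either check.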

Increase in Complexity in systemd

With this version of systemd we are seeing a noticeable increase in complexity in the implementation of a number of systemd components. In the area of container management the complexity is pretty much by design, given the intricacy of the different namespace mechanisms playing together, partly under the control of unprivileged users. There is also the addition of Varlink for Inter-Process-Communication, however, which means that two different interfaces for D-Bus and Varlink now exist in parallel for some services. This is also the case for systemd-machined.

While the D-Bus and Varlink interfaces usually call into shared functions for most of the business logic and share the same Polkit actions, there is necessarily a certain amount of redundancy in parsing and evaluation of input parameters. As a result this also increases the burden on code reviewers, who now need to keep track of two different entry paths to the same logic.

We are not yet completely finished with reviewing all notable changes in systemd v258 but intend to complete the effort within the next couple of weeks. We are happy that our review efforts already prevented a local root exploit in software as widespread as systemd from ending up in production environments.

3) logrotate: Issues in drop-in Configuration Files

Missing su <user> <group> Directives

Recently we noticed that there exist a number of packages in openSUSE Tumbleweed which trigger a “logrotate-user-writable-log-dir” rpmlint diagnostic. This diagnostic is emitted when a package contains a logrotate drop-in configuration file (e.g. in /etc/logrotate.d) which points the logrotate daemon to a log directory which is controlled by non-root accounts, where it will operate with full root privileges.

Operating as root in locations controlled by other users is generally very difficult to get right and can easily lead to privilege escalation from a service user to root e.g. via symlink attacks. logrotate offers a su <user> <group> syntax to instruct the daemon to perform a privilege drop to the user owning the directory to avoid any security implications.

To start with, we had a look at the implementation of the logrotate daemon, to judge what the impact would be, when a rogue service user account tries to perform an attack against logrotate when it starts rotating logs in a directory controlled by the compromised user. The results are as follows:

  • the daemon performs a sanity check on the directory to operate on and rejects any log directories which are writable by world or a non-root group. This does not include the case where the log directory is owned by a non-root user, however.
  • the system calls used by logrotate always include safe flags for opening log files which will prevent trivial symlink attacks by service users from succeeding. There could still be more intricate attacks when a parent directory of the log directory is also owned by a non-root user account. This is not a common setup, however, and we could not find any package where this is the case.

In summary we believe that there are no overly dangerous situations that can result from a missing su <user> <group> directive in affected logrotate configuration files. Still we decided that it will be better to fix existing packages and enforce that packages emitting this rpmlint diagnostic are not allowed into openSUSE in the future. To this end we fixed a couple of openSUSE-specific logrotate drop-in configuration files as well as an upstream configuration file in Munge.

Problems with Scripts Embedded in Configuration

While looking into the credentials mismatch issue we noticed that logrotate can end up in even more complex usage scenarios. The configuration file format allows shell scripts to be embedded that will be executed after rotating logfiles, for example. These scripts always run with full root privileges, independently of an existing su <user> <group> directive. The likelihood of security issues is higher in this case and issues are harder to detect, since this is package-specific code possibly running as root in untrusted directories.

While exploring all embedded scripts found in logrotate drop-in configuration files in openSUSE Tumbleweed we found out that in most cases such scripts are only used to restart a systemd service or to send a signal to a daemon running in the background. In a few cases the scripts have been problematic, as is described in the following sub-sections.
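To make both of the preceding points concrete, the missing su <user> <group> directive and embedded scripts that run as root regardless of it, here is an added audit script (written for this article, not rpmlint's or logrotate's code). It parses logrotate drop-in text, flags blocks whose log directory is owned by a non-root user and lacks an su directive, and lists the embedded scripts in such blocks. The sample configuration, the directory-ownership table, the "exampled" service and its uid 72 are constructed for the example; on a real system the ownership callable would be os.stat(d).st_uid.

```python
# Added example, not rpmlint's or logrotate's code: a small audit of
# logrotate drop-in configuration text. It flags blocks that rotate logs in
# a directory owned by a non-root user without a 'su <user> <group>'
# directive (the rpmlint "logrotate-user-writable-log-dir" situation) and
# reports embedded scripts in such blocks, which run as root regardless of
# 'su'. Directory ownership is supplied by a callable so the check can run
# against the constructed sample below.
import os
import shlex
from typing import Callable, Dict, List, Tuple

SCRIPT_KEYWORDS = {"prerotate", "postrotate", "firstaction", "lastaction", "preremove"}

# Constructed sample: three drop-ins of the kind found in /etc/logrotate.d.
SAMPLE_CONFIG = """
/var/log/exampled/*.log {
    missingok
    postrotate
        /usr/bin/exampled reopen-logs >/dev/null 2>&1 || true
    endscript
}

/var/log/fixed/*.log {
    su fixed fixed
    compress
}

/var/log/rootsvc/*.log {
    compress
}
"""
# Constructed ownership table standing in for os.stat(dir).st_uid.
SAMPLE_OWNERS = {"/var/log/exampled": 72, "/var/log/fixed": 1001, "/var/log/rootsvc": 0}


def parse_logrotate(text: str) -> List[Dict]:
    """Minimal parser: one dict per '{ ... }' block with its log paths, its
    'su' directive as (user, group) or None, and any embedded scripts."""
    blocks: List[Dict] = []
    pending: List[str] = []
    block = None
    script = None
    for raw in text.splitlines():
        line = raw.strip()
        if script is not None:                 # collecting a script body
            if line == "endscript":
                block["scripts"].append(script)
                script = None
            else:
                script["body"].append(raw)
            continue
        if not line or line.startswith("#"):
            continue
        if block is None:                      # outside a block: log paths
            if line.endswith("{"):
                pending += shlex.split(line[:-1])
                block = {"paths": pending, "su": None, "scripts": []}
                pending = []
            else:
                pending += shlex.split(line)
            continue
        if line == "}":
            blocks.append(block)
            block = None
            continue
        words = line.split()
        if words[0] in SCRIPT_KEYWORDS:
            script = {"kind": words[0], "body": []}
        elif words[0] == "su" and len(words) >= 3:
            block["su"] = (words[1], words[2])
    return blocks


def audit_logrotate(text: str, owner_of: Callable[[str], int]) -> List[Tuple[str, str]]:
    """Return (directory, problem) pairs for every block whose log
    directory is not owned by root."""
    findings = []
    for b in parse_logrotate(text):
        for d in sorted({os.path.dirname(p) for p in b["paths"]}):
            if owner_of(d) == 0:
                continue
            if b["su"] is None:
                findings.append((d, "logrotate-user-writable-log-dir: no 'su' directive, rotation runs as root"))
            for s in b["scripts"]:
                findings.append((d, f"{s['kind']} script runs as root inside a non-root-owned directory"))
    return findings


if __name__ == "__main__":
    for d, problem in audit_logrotate(SAMPLE_CONFIG, lambda d: SAMPLE_OWNERS.get(d, 0)):
        print(f"{d}: {problem}")
    # Against a live system, something like:
    #   audit_logrotate(open("/etc/logrotate.d/exampled").read(), lambda d: os.stat(d).st_uid)
```

The second kind of finding is the important one for this section: adding su to the first block would silence the rpmlint diagnostic but would not change the credentials of its postrotate script, which still runs as root in /var/log/exampled.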

python-mailman (CVE-2025-53882)

In the python-mailman package we found two problems in the embedded shell script, which consisted of these two lines:

/bin/kill -HUP $(</run/mailman/master.pid) 2>/dev/null || true
@BINDIR@/mailman reopen >/dev/null 2>&1 || true

For one, SIGHUP was sent to a PID obtained from /run/mailman/master.pid, which is under the control of the mailman service user. This would allow a compromised mailman user to direct SIGHUP to arbitrary processes in the system.

Furthermore the command line /usr/bin/mailman reopen was executed with full root privileges, which results in output like this:

Usage: mailman [OPTIONS] COMMAND [ARGS]...
Try 'mailman -h' for help.

Error: If you are sure you want to run as root, specify --run-as-root.

This shows that the intended reopen of logfiles doesn’t work as expected. Otherwise one might think that nothing harmful happens. This is not true, however. This invocation of mailman still leads to the full initialization of the logging system and all the logfiles in /var/log/mailman are created, if not already existing, with full root privileges. Symbolic links are followed, if necessary.

This means a compromised mailman user can e.g. create a symlink /var/log/mailman/bounce.log -> /etc/evil-file. After the logrotate script runs, /etc/evil-file will be created. The files will be created with root-ownership, so the only impact of this should be the creation of new empty files owned by root in the system. This can still have security impact when such empty state files control sensitive settings of other programs in the system.

To fix this issue the sending of SIGHUP was completely dropped and the reopen command is invoked via sudo as the dedicated mailman service user and group. The logrotate drop-in configuration file containing the problematic script is specific to openSUSE, thus we assigned a CVE for this issue to make our users aware.

sssd

The sssd package has a very similar issue in its example logrotate configuration, where a SIGHUP signal is sent to a PID controlled by the sssd service user:

/bin/kill -HUP `cat @pidpath@/sssd.pid 2>/dev/null` 2> /dev/null || true

We created a public upstream GitHub issue to make the developers aware of the problem. There is no fix available yet for the issue.

Icinga2 (CVE-2025-61909)

In our icinga2 package there is yet another instance of sending a signal (SIGUSR1) to a PID controlled by the unprivileged icinga service user:

/bin/kill -USR1 $(cat /run/icinga2/icinga2.pid 2> /dev/null) 2>/dev/null || true

We wanted to change that into a systemctl reload icinga2.service instead, only to find out that upstream’s reload script is affected by the same issue. We reported the problem to upstream and they fixed it and assigned a CVE by now.
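The mailman, sssd and icinga2 scripts above share one pattern: root sends a signal to whatever PID a service-writable file contains. The fixes chosen on this page (dropping the signal, running the command as the service user via sudo, or systemctl reload) are preferable because the kernel then enforces who may be signalled. Where a root script must keep the kill, the following added example (written for this article, not code from any of these packages) shows the minimum validation: the PID must name a live process with the expected real uid and command name. The `proc` parameter, the "exampled" service and uid 72 are constructed for the example.

```python
# Added example, not code from any of the packages discussed: a root-run
# helper that validates the PID found in a service-writable pidfile before
# signalling it. The `proc` parameter selects the /proc tree so the logic
# can be tested against a constructed one; the service uid and command
# name are whatever the packager knows the daemon runs as.
import os
import signal
from typing import Optional, Tuple


def _status_field(proc: str, pid: int, key: str) -> Optional[str]:
    """Value of a 'Key:<tab>value' line from /proc/<pid>/status, or None."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as f:
            for line in f:
                if line.startswith(key + ":"):
                    return line.split(":", 1)[1].strip()
    except OSError:
        return None
    return None


def validate_pidfile_target(pidfile: str, expected_uid: int, expected_comm: str,
                            proc: str = "/proc") -> Tuple[Optional[int], str]:
    """(pid, 'ok') if the pidfile names a live process whose real uid is
    expected_uid and whose command name is expected_comm; (None, why) otherwise."""
    try:
        with open(pidfile) as f:
            raw = f.read().strip()
    except OSError as e:
        return None, f"cannot read {pidfile}: {e}"
    if not raw.isdigit() or int(raw) <= 1:
        return None, f"pidfile content {raw!r} is not a usable PID"
    pid = int(raw)
    uid_field = _status_field(proc, pid, "Uid")   # "real effective saved fs"
    if uid_field is None:
        return None, f"pid {pid} is not running"
    real_uid = int(uid_field.split()[0])
    if real_uid != expected_uid:
        return None, f"pid {pid} runs as uid {real_uid}, expected {expected_uid}"
    try:
        with open(os.path.join(proc, str(pid), "comm")) as f:
            comm = f.read().strip()
    except OSError:
        return None, f"pid {pid} vanished"
    if comm != expected_comm:
        return None, f"pid {pid} is {comm!r}, expected {expected_comm!r}"
    return pid, "ok"


def signal_service(pidfile: str, expected_uid: int, expected_comm: str,
                   sig: signal.Signals = signal.SIGHUP, proc: str = "/proc") -> str:
    """Send sig only to a validated target, never to whatever the file says."""
    pid, reason = validate_pidfile_target(pidfile, expected_uid, expected_comm, proc)
    if pid is None:
        return f"refused: {reason}"
    os.kill(pid, sig)   # PID reuse between check and kill remains possible; see note
    return f"sent {sig.name} to pid {pid}"


if __name__ == "__main__":
    # Constructed call as a postrotate script would make it; the uid 72 and
    # the daemon name "exampled" are placeholders, not real package values.
    print(signal_service("/run/exampled/exampled.pid", 72, "exampled"))
```

A check-then-kill sequence still leaves a small window in which the validated PID can be recycled by another process. On Linux 5.3 and later with Python 3.9 and later this can be closed by obtaining a pidfd with os.pidfd_open() before validating and delivering the signal with signal.pidfd_send_signal(), since the descriptor pins the process identity. Running the whole command as the service user instead, as the mailman fix above does, avoids the question entirely.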

exim (CVE-2025-53881)

Our exim package contained a problematic prerotate shell script in its logrotate configuration which allows escalation from the mail user/group to root, when it runs. The shell script is rather complex and tries to generate a statistics report creating temporary files as root in the log directory owned by the unprivileged mail user.

To fix this, the script has been adjusted to use a private temporary directory for the report, instead. An update containing the fix will soon be available for openSUSE Tumbleweed.

This again is an openSUSE specific logrotate configuration file, thus we assigned a CVE to mark the problem.

Possible Improvements in logrotate

The issues we uncovered also show room for improvement in logrotate itself to prevent such situations in the first place. For one, the daemon could refuse to work on directories owned by non-root users, like it does for world-writable directories. Furthermore, scripts could be executed using the same su <user> <group> credentials that are used for rotating the logs.

We did not reach out to upstream about these suggestions yet, but will keep you informed about any developments in this area.

4) GNOME 49: D-Bus and Polkit Changes in new Major Version Release

GNOME 49 was recently released and our GNOME maintainers asked us to look into a number of D-Bus and Polkit changes that appeared in related packages. We encountered nothing too exciting this time:

  • GDM: Two changes appeared in GNOME’s display manager:
    • Some polkit actions are now tied to the gdm group instead of to the gdm user. This is related to the display manager now using dynamic user accounts.
    • The gdm group is now allowed to access smart cards managed by pcscd. This is supposed to fix a bug report where smart cards could not be accessed by GDM. Why this bug never occurred before is not completely clear; the Polkit settings are acceptable in any case.
  • gnome-initial-setup: This package received the same change as GDM, Polkit actions are now tied to the gdm group, not the user.
  • gnome-remote-desktop: This is the same as in gnome-initial-setup, Polkit actions are now tied to the gdm group instead of the user.
  • mutter: This part of GNOME (a Wayland compositor and X11 window manager) now contains a backlight-helper. Locally logged in regular users are allowed to execute this program with root privileges to control the backlight of mobile devices. We have seen this helper program before in the gnome-settings-daemon package. It is a minimal C program consisting of 200 lines of code and we could not find any issues in it.

5) Kea DHCP: Follow-Up Review of Network Attack Surface

Earlier this year we reported a number of local security issues pertaining to the REST API in Kea DHCP. In a follow-up review we focused on the network attack surface, which usually is the more interesting part when dealing with a DHCP server suite. Alas, while looking at the network logic we stumbled over another minor local security issue regarding a temporary change to the process’s umask. Upstream addressed the problem in the meantime.

Following the actual network processing logic in Kea’s code base is no easy task. The C++ coding style uses a high level of abstraction which leads to many indirections. Untrusted data received from network peers travels far in the code without clear logical boundaries where data is verified before further processing takes place. The code base contains a lot of comments, which usually is a good thing, but in this instance it felt nearly too verbose to us, making it hard to find the relevant bits.

On the positive side of things Kea is already a matured project and there were no easy pickings to be found. Upstream also integrated AFL fuzzing into their testing infrastructure, which should allow them to find network security issues proactively. Consequently we have been unable to find any security issues in the network processing in Kea.

Kea offers advanced features like configuring custom behaviour depending on specific DHCP header fields. This naturally comes with quite some additional complexity. In this light we believe Kea is well suited for large organizations, but we would recommend a simpler DHCP server implementation for small environments where such features are not needed, to reduce attack surface.

6) chrony: Issues in chronyc Socket Creation

This finding resulted from our logrotate configuration file investigation discussed above. chrony is the default NTP time synchronization program used in openSUSE and a number of other Linux distributions. It ships a logrotate drop-in configuration file that contains this postrotate shell code:

postrotate
    /usr/bin/chronyc cyclelogs > /dev/null 2>&1 || true
endscript

chronyc is the client utility used to talk to the chronyd daemon component. The communication mechanism used for this is a UNIX domain socket placed in /run/chrony/chronyd.sock. chronyc is invoked as root in the logrotate context above. At first we believed this should not be a problem, since any privileged process should be allowed to talk to chronyd. While looking at the strace output of the command line above the following system call caught our attention, however:

chmod("/run/chrony/chronyc.6588.sock", 0666) = 0

The /run/chrony directory is owned by the chrony service user:

drwxr-x--- 3 chrony chrony 100 Sep 25 09:45 .

These are the same credentials used by the chronyd daemon. When root performs the chmod call above, then a compromised chrony service user has an opportunity to perform a symlink attack, directing the chmod() operation to arbitrary files on the system, making them world-writable, thus making possible a chrony to root privilege escalation. A couple of years ago we found a somewhat similar symlink attack in the area of the pidfile creation performed by the daemon.

We approached upstream about the issue on July 15 by creating a private issue in their GitLab project. The bugfix turned out to be rather complex. The problem is that the UNIX domain socket used by chrony is datagram-oriented (SOCK_DGRAM), so no connection is established between client and server. For the server to be able to send data back, the client needs to bind its own socket into the file system as well and grant the server side access to it. On Linux, an autobind feature exists for UNIX domain sockets which automatically assigns an abstract address to the client socket that is not visible in the file system. This feature is not available on the other UNIX systems that chrony also intends to support, however.

For these reasons the upstream fix involves creating an unpredictably named sub-directory in /run/chrony into which the client-end socket is placed. The directory is writable only by the client, and since its name is not known in advance, no symlinks can be placed into the path anymore.
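The client-side pattern behind that fix, as an added example that is not chrony’s code: a datagram client socket bound inside a freshly created private directory, with no chmod() on a path name at all, plus a round trip showing why the client must bind in the first place. base_dir stands in for /run/chrony and the request bytes are made up.

```python
import os
import socket
import stat
import tempfile

# Added example, not chrony's code. It shows the client-side pattern behind the
# upstream fix described above: the SOCK_DGRAM client socket is bound inside a
# freshly created, unpredictably named directory, so an attacker who controls
# the parent directory (/run/chrony is owned by the chrony user) cannot place
# a symlink on the socket path in advance. It also avoids chmod() on a path
# name entirely: the directory mode is set via fchmod() on an O_NOFOLLOW
# directory fd, and the socket node takes its mode from the umask in effect at
# bind() time (Linux creates it as 0777 & ~umask). base_dir is a placeholder
# for /run/chrony; the stand-alone run below uses the system temp directory.


def bind_private_client_socket(base_dir):
    """Create base_dir/client.XXXXXX/sock as a datagram UNIX socket.

    Returns (socket, path). The directory ends up 0711 (only the client can
    write to it; the server merely needs search permission) and the socket
    node 0666, without any chmod() on a predictable path.
    """
    # mkdtemp() performs an atomic mkdir(mode=0700) under a random name.
    priv_dir = tempfile.mkdtemp(prefix="client.", dir=base_dir)
    sock = None
    try:
        flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC
        dfd = os.open(priv_dir, flags)
        try:
            if os.fstat(dfd).st_uid != os.geteuid():
                raise OSError("private socket directory is not ours")
            os.fchmod(dfd, 0o711)  # operates on the fd, never on the path
        finally:
            os.close(dfd)

        sock_path = os.path.join(priv_dir, "sock")
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        old_umask = os.umask(0o111)  # 0777 & ~0o111 == 0o666 for the node
        try:
            sock.bind(sock_path)
        finally:
            os.umask(old_umask)
        return sock, sock_path
    except BaseException:
        if sock is not None:
            sock.close()
        os.rmdir(priv_dir)
        raise


def cleanup_private_client_socket(sock, sock_path):
    """Close the socket and remove both the node and its private directory."""
    sock.close()
    os.unlink(sock_path)
    os.rmdir(os.path.dirname(sock_path))


def describe_socket_node(sock_path):
    """Return (is_socket, node_mode, dir_mode) for a bound client socket."""
    node = os.lstat(sock_path)
    parent = os.stat(os.path.dirname(sock_path))
    return (stat.S_ISSOCK(node.st_mode), stat.S_IMODE(node.st_mode),
            stat.S_IMODE(parent.st_mode))


def datagram_roundtrip(base_dir):
    """Why the client must bind at all: with SOCK_DGRAM there is no connection,
    so the server can only answer by sending to the client's own bound address.
    A stand-in 'server' socket is created here; the request bytes are made up."""
    server_dir = tempfile.mkdtemp(prefix="server.", dir=base_dir)
    server_path = os.path.join(server_dir, "chronyd.sock")
    server = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    server.bind(server_path)
    client, client_path = bind_private_client_socket(base_dir)
    try:
        client.settimeout(2.0)
        server.settimeout(2.0)
        client.sendto(b"cyclelogs", server_path)
        request, reply_to = server.recvfrom(64)
        if reply_to != client_path:
            raise RuntimeError("reply address is not the client's bound path")
        server.sendto(b"ok:" + request, reply_to)
        return client.recv(64)
    finally:
        cleanup_private_client_socket(client, client_path)
        server.close()
        os.unlink(server_path)
        os.rmdir(server_dir)


if __name__ == "__main__":
    print(datagram_roundtrip(tempfile.gettempdir()))
```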

7) pwaccessd: New Varlink Service for Reading User Account Information

A fellow SUSE engineer recently finished development of pwaccessd, a daemon providing user account information via Varlink. This novel approach to providing account information makes it possible, for example, to grant regular users access to their own shadow entry, which would otherwise be accessible only to root.

At the end of June we were asked to review the new daemon’s security. We had a couple of hardening recommendations and found an instance of possible log spoofing, but were otherwise satisfied with the implementation. Bugfixes and improvements have been incorporated and the new service is now ready for production use.

8) sysextmgr: New Varlink Service for Managing systemd-sysext Images

sysextmgr is another new Varlink service developed by SUSE, this time helping with the management of systemd-sysext images on openSUSE MicroOS. We noticed the addition of this service to openSUSE via our monitoring of newly added systemd services in the distribution. While looking into the Varlink API we discovered a number of issues in the service, such as Denial-of-Service attack surface and some minor symlink issues. The issues could be resolved quickly and we are now happy with the state of the service.

9) bash-git-prompt: Predictable Temporary File Name Offers Local Attack Surface (CVE-2025-61659)

Our team is currently undertaking an effort to look at all kinds of shell-related drop-in code, like command-specific shell completion support and files installed into /etc/profile.d to manipulate the shell environment. Any package can install such files, and they can easily lead to security problems when things are not done right.

The number of such files in a complete Linux distribution is naturally huge, so this is a long-term task that will take time to produce a complete list of findings. A first finding already resulted from it, however, in the bash-git-prompt package. This package installs shell code into /etc/profile.d/bash-git-prompt.sh which enables an interactive Git prompt that is displayed as soon as the Bash shell enters a Git repository. This prompt contains information about the current repository, the number of modified files and other things that users can configure. With default settings, the prompt feature becomes active as soon as the package is installed.

While looking into the shell code that implements all this we noticed the use of a predictable temporary file, /tmp/git-index-private$$. bash-git-prompt copies the Git index file found in the current Git repository to this location. It turns out that this copy operation happens every time the interactive shell user enters a new command while located in a Git repository. The temporary file is deleted again soon after, once the Git bash prompt has been fully rendered.

Since an interactive bash shell session is a long-lived process, it is rather simple for other users on the system to pre-create the temporary file in question and cause all kinds of issues:

  • Denial-of-Service: by blocking the path, the Git prompt setup will fail to complete and the prompt will be broken. By placing a FIFO named pipe in this location the victim’s shell will even lock up completely.
  • information leak: the copy of the Git index is made using the umask of the shell. When the default umask 022 is used, then the copy of the Git index becomes world-readable in /tmp. If the victim’s Git repository contains non-public data then part of that data (e.g. file names of pending change sets) leaks to other users in the system.
  • integrity violation: when a local attacker places crafted data in the location of the temporary file and denies write access, then bash-git-prompt fails to write the desired Git index data to this location, but will not stop execution despite this error. The crafted Git index data will be fed to various invocations of the git command line utility, possibly leading to a crafted bash prompt or even leading to some forms of code execution. To determine the full extent of this, a low level analysis of the handling of the binary Git index format would be necessary.

The problem had already been discovered independently a while ago, which is why a public GitHub issue exists for it. An upstream author attempted to fix the issue, but rolled back the changes due to a regression, and nothing has happened since. The issue was introduced via commit 38f7dbc0bb8 in bash-git-prompt version 2.6.1. We added a simple patch to our packaging of bash-git-prompt which should address all issues for users of openSUSE.

At the end of September we requested a CVE from Mitre to track this issue and they assigned CVE-2025-61659.

10) steam-powerbuttond: Insecure Operation in Home Directories

Our team’s monitoring of newly added systemd services in openSUSE led us to steam-powerbuttond. It derives from a script found on the SteamOS Linux distribution for use on Steam Deck gaming devices.

The main component of this package is a Python script which runs as a systemd service with full root privileges. This script contains various security issues. During startup the script attempts to determine who “the first user” in the system is by parsing the output of who | head -1. This user’s home directory is then used for operations later on, when a power button press event is detected. After processing the event, the file /home/{user}/.steam/steam.pid is read and used for accessing /proc/{pid}/cmdline.

This logic leads to various possible issues, ranging from the wrong user being selected initially to denial-of-service when unexpected file content is placed in the unprivileged user’s home directory. We contacted one of the original upstream authors about this and offered coordinated disclosure. It turned out that the project is no longer supposed to be used, however, and as a result the GitHub repository has been archived by the maintainer.

The openSUSE steam-powerbuttond package is now waiting to be replaced by a new script that is supposed to be found in SteamOS.
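Defensive handling for the two file-related failure modes in sections 9 and 10, as an added example that is neither bash-git-prompt’s nor steam-powerbuttond’s code: a private, unpredictable temporary copy of a file that fails loudly on error, and a root-safe read of a pid file from an unprivileged user’s home. The helper names, the 32-byte size cap and the sample inputs are assumptions made here.

```python
import os
import stat
import tempfile

# Added example; this is neither bash-git-prompt's nor steam-powerbuttond's
# code. It shows defensive handling for the two file-related failure modes
# described in sections 9 and 10:
#   * private_copy() writes a copy of a file (e.g. a Git index) to an
#     unpredictable, mode-0600 temporary file and fails loudly on error, as
#     opposed to a predictable /tmp/git-index-private$$ path created with
#     the shell's umask and errors that are ignored.
#   * read_untrusted_pid_file() reads a pid file from an unprivileged user's
#     home directory (the steam.pid case) without following symlinks, blocking
#     on a FIFO, reading unbounded data or trusting non-numeric content.

MAX_PID_FILE_BYTES = 32  # assumed cap: a pid never needs more than this


def private_copy(src_path, tmp_dir=None):
    """Copy src_path into a fresh private temp file and return its path.

    mkstemp() creates the file with O_EXCL and mode 0600 under a random name,
    so another local user can neither pre-create it (denial of service,
    integrity violation) nor read it (information leak). Any failure raises
    and removes the temp file instead of leaving stale data for later use.
    """
    fd, tmp_path = tempfile.mkstemp(prefix="git-index-private.", dir=tmp_dir)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
            raise OSError(f"unexpected file at {tmp_path}")
        with open(src_path, "rb") as src, os.fdopen(fd, "wb") as dst:
            fd = -1  # ownership passed to the file object
            dst.write(src.read())
    except BaseException:
        if fd != -1:
            os.close(fd)
        os.unlink(tmp_path)
        raise
    return tmp_path


def read_untrusted_pid_file(path, owner_uid):
    """Return the pid stored in path, or None if the file is not trustworthy.

    O_NOFOLLOW refuses a symlink planted by the user, O_NONBLOCK keeps a FIFO
    from hanging the (root) daemon, fstat() rejects anything that is not a
    regular file owned by the expected user, the read is size-capped, and the
    content must be a plain decimal pid of a process that currently exists.
    """
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC
    try:
        fd = os.open(path, flags)
    except OSError:  # missing, ELOOP for a symlink, permission problems
        return None
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != owner_uid:
            return None
        if st.st_size > MAX_PID_FILE_BYTES:
            return None
        data = os.read(fd, MAX_PID_FILE_BYTES + 1)
    finally:
        os.close(fd)
    text = data.decode("ascii", "replace").strip()
    if not (text.isascii() and text.isdigit()):
        return None
    pid = int(text)
    if pid <= 1:
        return None
    try:
        os.kill(pid, 0)  # signal 0: existence check only, nothing is sent
    except ProcessLookupError:
        return None
    except PermissionError:
        pass  # exists, but belongs to another user: still a valid pid
    return pid


if __name__ == "__main__":
    # Constructed sample: a pid file for the current process in a temp "home".
    home = tempfile.mkdtemp()
    os.mkdir(os.path.join(home, ".steam"))
    pid_file = os.path.join(home, ".steam", "steam.pid")
    with open(pid_file, "w") as f:
        f.write(f"{os.getpid()}\n")
    print(read_untrusted_pid_file(pid_file, os.getuid()))
```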

11) Conclusion

This edition of the SUSE security team spotlight was quite packed with topics. We hope this gives you an insight into all the different kinds of activities we end up in on our mission to improve the security of open source software, in the Linux ecosystem in general and openSUSE in particular. We’re looking forward to the next issue of the spotlight series in about three months from now.

Change History

2025-10-23 Updated the logrotate Icinga2 sub-section to include the upstream CVE and a link to the upstream security advisory.


Quick screen lock button, Kaffeine – Plasmoids for Plasma 6 (22)

After a pause due to the jump from Qt5/KF5 to Qt6/KF6 that the KDE Community made more than a year ago, I decided to pick this section up again, though renaming it, since it will only cover plasmoids for Plasma 6. So let me introduce Kaffeine, a quick, effective screen lock button very much in keeping with what so often takes us away from our computer: a good coffee. With this one there are now 22 widgets for Plasma 6 presented on the blog.


As I have mentioned on other occasions, there are plasmoids of all kinds: functional ones, configuration ones, behaviour ones, decorative ones or, as could not be otherwise, ones giving information about our system such as hard disk or RAM usage, temperature or the load on our CPUs.

So I hope you will welcome Kaffeine, a simple quick screen lock button which by default shows a coffee icon and lets us leave our computer safe from prying eyes or hands while we drink that liquid which programmers turn into code.


And as I always say, if you like the plasmoid you can «pay» for it in many ways on the KDE Store page, which I am sure the developer will appreciate: rate it positively, leave a comment on the page or make a donation. Helping Free Software development is also done simply by saying thanks; it helps much more than you can imagine. Remember the I love Free Software Day campaign of the Free Software Foundation, which reminded us of this very simple way of contributing to the great Free Software project and to which we dedicated an article on the blog.

More information: KDE Store

What are plasmoids?

For those new to the blog, the word plasmoid may sound a little odd, but it is nothing more than the name given to widgets for KDE’s Plasma desktop.

In other words, plasmoids are simply small applications which, placed on the desktop or on one of its task bars, extend its functionality or simply decorate it.

The post Quick screen lock button, Kaffeine – Plasmoids for Plasma 6 (22) was first published on KDE Blog.


Tumbleweed Monthly Update - September 2025

Software packages updating on openSUSE Tumbleweed hit a steady rhythm in September as snapshots were released almost daily. These updates delivered new features, performance improvements, and important security fixes for rolling release users.

GnuPG 2.5.12, file archiver 7-Zip 25.01, text editor Vim 9.1.1706 and Kernel Source 6.16.5 were just a few of the packages updated in the month’s snapshots.

The desktop experience was significantly enhanced with the arrival of GNOME 49 and Plasma 6.4.5. KDE Gear 25.08.1 brought widespread fixes to core applications. Other packages to update this month were QEMU 10.1.0, libvirt 11.6.0, tuned 2.26.0, GStreamer 1.26.6, Mesa 25.2.2 and more.

As always, be sure to roll back using snapper if any issues arise.

For more details on the change logs for the month, visit the openSUSE Factory mailing list.

New Features and Enhancements

GNOME 49: Several GNOME 49 packages were updated in Tumbleweed. Some of the changes include replacing Totem with Showtime as the new default video player and Evince with Papers for modern, feature-rich document viewing. The Calendar app is now fully keyboard-accessible and lets users export events. Web gains better ad blocking, OpenSearch integration, and site-specific menus. Remote desktop now supports multitouch and virtual monitors. New HDR wallpapers enhance visual fidelity, while lock screen media controls, Do Not Disturb in Quick Settings, and reboot/shutdown options improve usability. Two new apps join GNOME Circle: Mahjongg and Wordbook, a dictionary powered by WordNet.

KDE Gear 25.08.1: Dolphin now scrolls faster and avoids crashes when switching selection modes or creating folders, while also playing the trash-empty sound only when successful. KMail, Akregator, KAddressBook, KOrganizer, and PIM tools no longer show outdated “What’s New” screens on startup. Ark and KTorrent have been fixed to stop unnecessary notifications and excessive file writing, respectively. Text editor Kate has multiple crash fixes, especially in session handling and external tool integration, and now works better in Flatpak environments. Kdenlive sees significant stability improvements, which include fixes for crashes when deleting clips, applying effects, or opening projects. Itinerary improves flight and reservation handling, Konqueror works better on Wayland with corrected sidebar menus, and Okular now uses the correct default filename when signing PDFs. Other apps like NeoChat, Tokodon, and KRDC fix link handling, image copying, and connection URL preservation.

Plasma 6.4.5: The Discover software center now correctly re-enables the Delete Settings button when reopening messages. Panel customization is smoother with better handling of the Esc key during editing, and folder views on the desktop no longer misplace icons when rearranging. System settings (KCMs) see various fixes, including proper font change notifications, improved notification configuration pages, and better focus behavior in the time zone selector. The KWin window manager improves display handling with better output identification using UUIDs with more reliable color management on Wayland.

KDE Frameworks 6.18.0: This KDE update ensures smoother performance across KDE applications like Dolphin, KMail, and Ark. The Breeze Icons theme has been cleaned up, removing outdated and non-standard icon sizes and third-party app icons to improve consistency. Core libraries such as KIO and KArchive see better handling of file operations, improved thumbnail loading in background threads, and enhanced security when processing malformed archive files. Kirigami, the framework for adaptive user interfaces used in apps like Itinerary and Plasma Mobile, fixes layout issues in navigation components and improves accessibility with better focus handling. Other updates include improved code quality checks across multiple frameworks, and bug fixes in KTextEditor.

OVMF edk2-stable202508: This update upgrades dependencies to OpenSSL 3.5.1 and Oniguruma 6.9.10, introduces Standalone MM support, and adds FF-A memory management with UUID-GUID conversion. Hardware and architecture support expands with ARM GICv5, RISC-V PEI booting, and improved exception handling. Legacy UGA support has been removed, and QEMU TLS and TPM2 handling are enhanced for stability. The release also brings numerous USB, SMM, and CPU hotplug fixes, better build system integration (including mingw-w64), and enables iSCSI boot by default for x64 OVMF.

tuned 2.26.0: This update adds support for MMC devices, improves hotplug handling, and enhances core calculation, variable inheritance, and logging for unsupported plugins. Power management profiles for this daemon for monitoring and adaptive tuning now use med_power_with_dipm instead of min_power to prevent potential data loss while retaining energy savings. Additional refinements cover network latency tuning, scheduler performance detection, and sysfs monitoring.

7-Zip 25.01: This file archiver update improves security by changing how symbolic links are handled when extracting archives. Performance has been boosted as bzip2 compression speeds up by 15–40 percent and deflate (zip/gz) compression is slightly faster by 1–3 percent. Archive compatibility is enhanced with better support for ZIP, CPIO, and FAT formats. Security issues have been addressed, including fixes for incorrect handling of malformed RAR archives and crashes with certain malformed Compound File archives.

libvirt 11.6.0: This release introduces several new features, including a flag to compute baseline CPUs independent of the host, finer control over QEMU TLS priority strings, default disabling of deprecated CPU features for s390 domains and RBD namespace support for QEMU. Defaults for arm and RISC-V now use virtio-scsi instead of lsilogic. Other improvements include discard granularity settings, better NSS debugging, and relaxed TLS certificate requirements.

udisks2 2.10.91: This release improves storage management, including LUKS header backup, the ability to set labels when creating encrypted devices, and support for extra PBKDF options. Users can now use key files with BitLocker volumes, specify metadata versions for MD RAID, and take advantage of new Btrfs methods to get and set default subvolume IDs. Mount options have been expanded with new flags for ISO9660, f2fs, and ext3/ext4 filesystems.

polkit 126: With this release, actions can now be read from /etc/, /run/, and /usr/local/share, and a new LogControl1 protocol allows dynamic log level changes. Duktape simplifies dependencies and replaces mozjs. Translations were expanded to Slovenian and Hindi.

Key Package Updates

GnuPG 2.5.12: This update adds new flexibility and fixes across GnuPG. Keys sent to LDAP servers are now refreshed beforehand unless disabled with a new option, and a new --[no-]auto-key-upload setting controls automatic uploads. Compression handling has been improved by disabling default compression for 7z input. Support for Kyber variants in --edit-key:addkey has been added, and regressions with composite PQC and ECC algorithms have been fixed.

Vim 9.1.1706: This update resolves issues with buffer overruns, null dereferences, and incorrect popup window behavior. The tutor has been expanded with new sections on text objects and special registers, while outdated translations and docs were refreshed for clarity. Completion logic, command handling, and test coverage have also been refined.

Mesa 25.2.2: This release brings key updates and cleanup across the graphics stack. Legacy components were dropped, along with related packages such as Mesa-gallium, Mesa-libd3d, Mesa-libOpenCL, and libxatracker, reflecting a shift toward modern APIs and drivers. The update includes refreshed Rust crates for NVK, improved build requirements, and fixes for crate checksum mismatches.

sudo 1.9.17p2: This update fixes a rare issue that could cause sudo to send SIGHUP to all system processes when running commands in pseudo-terminals. Another fix addresses crashes when using the intercept and intercept_verify options with very large arguments or environment variables on Linux systems supporting ptrace_readv_string(). The configure script now properly supports mdoc man pages on systems without mandoc. Additionally, permission defaults for /usr/etc/sudoers have been corrected.

Postfix 3.10.4: This release fixes long-standing issues in postscreen, including socket errors after process restarts and cache lock problems that could block new processes. TLS handling is more robust with corrected legacy parameter support and prevention of null pointer crashes in tlsproxy. The update reduces unnecessary process restarts when database files change, removes obsolete OpenSSL engine dependencies, and cleans up TLS reporting by ignoring messages explicitly marked as not requiring encryption.

GStreamer 1.26.6: This update provides more robust closed caption processing, decodebin3 tag handling, HLS directive parsing, and fallbacksrc shutdown behavior. Hardware and format support expands with V4L2 support for WVC1/WMV3, Vulkan decoder fixes, and updated Spotify integration via librespot (https://docs.rs/crate/librespot/latest) 0.7. New threadshare elements improve synchronization and performance, while videorate gains efficiency in drop-only mode.

fwupd 2.0.14, 2.0.15 and 2.0.16: The 2.0.15 update now supports Foxconn SDX61 modems, Jabra Evolve2 child devices, and NVIDIA ConnectX-6/7/8 NICs. Child devices can also inherit parent naming prefixes for clearer identification. Several bugs were fixed, including firmware reporting without --force, Firehose modem erasure, Goodix device enumeration, and handling versioning for BnR MTD hardware. The 2.0.14 update introduces greater flexibility by allowing firmware updates to ignore network connectivity requirements, UEFI capsule devices to opt out of Capsule-on-Disk, and plugins to access firmware versions during updates. Numerous fixes improve reliability, including better handling of modem devices, Lexar NVMe versioning, Synaptics RMI initialization, UF2 parsing, and ThunderBolt retimer detection. Newer hardware support expands fwupd’s reach across modern systems and peripherals.

Kernel Source 6.16.5, 6.16.6, 6.16.7, 6.16.8: The 6.16.8 update delivers broad stability and security fixes across filesystems, networking, and drivers. Btrfs resolves quota statistic leaks and subvolume deletion races, while NFS and NFSv4.2 improve serialization of O_DIRECT operations and capability handling. The 6.16.7 update adds mitigation for the newly documented vulnerability (CVE-2025-40300), extending protection to older Intel CPUs, enabling conditional IBPB, and warning when STIBP is disabled with SMT. The tar-up utility has been modernized by switching to the standard tar command, ensuring consistent ownership, sorting, and compatibility with Tumbleweed. The 6.16.6 update sees multiple race condition fixes for Btrfs to improve inode logging reliability, while audio and USB support is refined with codec fixes and better handling for Focusrite devices. Networking and wireless drivers receive extensive patches for cfg80211, iwlwifi, brcmfmac, and mt76 chipsets, addressing use-after-free bugs, race conditions, and scan stability. The 6.16.5 update addresses memory leaks, race conditions, and use-after-free bugs in device trees, networking, tracing, and I/O handling. Enhancements include better SMB client reliability under concurrent access, improved audio codec controls, fixes for HID and Intel quicki2c drivers, and refined io_uring worker management. Graphics drivers for MSM and Mediatek gain stability updates, while Bluetooth handling of disconnections and packet tracking is made more robust.

SELinux Policy 20250909: This update refines SELinux rules to improve compatibility with common services and system components. GDM can now create password lock files and bind sockets in the systemd userdbd directory, while nsswitch domains are permitted to connect to XDM over Unix sockets. Additional updates enable gnome-remote-desktop communication with tabrmd, nm-dispatcher plugins to read pidfs attributes, and chronyc to use setgid/setuid.

SETools 4.6.0: The seinfo tool can now display roles allowed for a given type, and a new sechecker module ensures kernel modules remain read-only. Support for the nlmsg extended permission has also been introduced. Behind the scenes, the codebase has been modernized with improved quality checks, expanded unit testing, and removal of deprecated methods. Packaging has been updated to use pyproject.toml with refined dependency handling and automated test execution during builds.

QEMU 10.1.0: VFIO now supports passthrough for SEV-SNP and TDX guests, while migration gains multifd post-copy acceleration, optimized pre-copy, and IPv6 RDMA support. The QEMU guest agent can query Windows VM load with a new command. Architecture updates include new ARM CPU features and boards, nested virtualization and CXL on the ARM virt board, LoongArch in-kernel irqchip, RISC-V ISA extensions and Kunminghu CPU support, and endian selection for Microblaze. Numerous fixes and deprecations are included.

CUPS 2.4.14: This printing-system update patches two vulnerabilities: an authentication bypass with AuthType Negotiate (CVE-2025-58060) and a null dereference leading to remote DoS (CVE-2025-58364). It also introduces a new print-as-raster attribute, allowing jobs to be forced into raster format to work around printer firmware PDF issues. Additional improvements address job cleanup after restarts, subscription handling, IPP/PPD option parsing, memory leaks, and scheduler event reporting. Version 2.4.14 follows with a hotfix ensuring proper installation of localized templates and CUPS web UI pages, improving overall reliability.

Security Updates

Kernel Source 6.16.7:

CVE-2025-40300: A vulnerability in the Linux kernel’s virtualization layer could allow data from restricted memory to leak into user processes, potentially exposing sensitive information.

Python:

CVE-2025-8194: A HIGH-severity DoS in Python’s tarfile module where crafted tar archives with negative offsets can cause infinite loops or deadlocks.

Mesa 25.2.2:

CVE-2023-45913: A flaw with graphics drivers could cause crashes when the display system sends unexpected signals while handling windows and lead to application instability or denial of service.

CUPS 2.4.14:

CVE-2025-58060: In CUPS (the printing system), when authentication is configured to something other than “Basic”, the system may ignore a “Basic” auth header and skip password validation entirely — allowing anyone to bypass authentication.

CVE-2025-58364: In CUPS, unsafe handling and validation of printer configuration data can lead to a null pointer error, crashing the printing service across the local network (denial of service).

Xen 4.20.1_04:

CVE-2025-27466: A NULL pointer dereference flaw may occur when updating a timer reference area, potentially crashing the hypervisor or guest environment.

CVE-2025-58142: A variant of the above issue assuming a synthetic timer page is always mapped can lead to a NULL pointer dereference when delivering a timer message, causing instability.

CVE-2025-58143: A race condition could let a guest trigger freeing of memory still in use, leading to information leaks or memory corruption.

ImageMagick:

CVE-2025-57807: A flaw with the package on 64-bit systems could cause the program to write data outside safe memory areas, leading to crashes or possible code execution by attackers.

libssh 0.11.3:

CVE-2025-8114: A NULL pointer dereference allowing an attacker to crash the client or server.

CVE-2025-8277: A memory flaw not freed properly allowing gradual memory exhaustion and potential crashes.

7zip 25.01:

CVE-2025-53816: Heap buffer overflow in 7-Zip’s RAR5 handler caused by writing zeroes outside the allocated heap buffer, leading to memory corruption and DoS.

CVE-2025-53817: A related security issue in 7-Zip (same package as CVE-2025-53816), also addressed in SUSE’s 7zip update.

libqt5-qtwebengine 5.15.19:

CVE-2024-10229: Security issue in libQt5Pdf addressed in SUSE’s updates.

CVE-2024-10827: Another vulnerability in libQt5Pdf fixed in SUSE’s maintenance release.

CVE-2024-12694: Yet another libQt5Pdf vulnerability included in the same SUSE security update.

CVE-2025-0436: Also listed among libQt5Pdf issues in SUSE’s security advisory.

CVE-2024-11477: Included in SUSE’s security fix for libQt5Pdf.

CVE-2025-0996: A spoofing vulnerability in Chrome’s Browser UI (Omnibox) on Android allowed a crafted HTML page to manipulate the URL bar.

CVE-2025-1426: A heap buffer overflow in the GPU component, included in SUSE’s libQt5Pdf security advisory.

tiff:

CVE-2025-8961: A flaw in the tool could let a local user corrupt memory, potentially causing crashes or instability.

Expat 2.7.2:

CVE-2025-59375: A vulnerability where a small, specially crafted document can force the parser to allocate very large amounts of memory—potentially causing a crash or denial of service.

Mozilla Firefox 143.0:

CVE-2025-10527: A use-after-free bug in Firefox’s Canvas2D graphics component that could allow code inside the sandbox to break out and run malicious actions.

CVE-2025-10528: An invalid pointer/undefined behavior issue in the same graphics area (Canvas2D) that could similarly lead to sandbox escape.

CVE-2025-10529: A weakness in browser layout code letting a page violate same-origin restrictions (i.e. read or affect data from another origin) under certain conditions.

CVE-2025-10530: A spoofing issue in the WebAuthn (web authentication) component of Firefox for Android; attacker can trick UI or credentials behavior.

CVE-2025-10531: A bypass of mitigation controls in the Web Compatibility / tooling side, potentially letting some protections be skipped.

CVE-2025-10532: An error in JavaScript’s garbage collection boundaries that may lead to out-of-bounds memory access or corruption.

CVE-2025-10533: An integer overflow bug in the SVG component that under specific inputs could lead to memory corruption.

CVE-2025-10534: A spoofing issue in the site permissions UI where it might trick the UI into showing misleading permission status.

CVE-2025-10535: Information disclosure / mitigation bypass in Firefox for Android’s privacy component, possibly leaking data.

CVE-2025-10536: A flaw in caching / networking logic allowing unintended data exposure.

CVE-2025-10537: A set of memory-safety bugs (across various components) that could lead to memory corruption or arbitrary code execution.

Users are advised to update to the latest versions to mitigate these vulnerabilities.

Conclusion

September 2025 was a robust month for openSUSE Tumbleweed, from major desktop improvements in GNOME 49 and KDE Gear 25.08.1 to critical under-the-hood upgrades in the Linux kernel, QEMU and others. This month’s updates underscore Tumbleweed’s commitment to delivering a reliable, well-tested rolling release. Users are encouraged to update promptly to take full advantage of these improvements.

Slowroll Arrivals

Please note that these updates also apply to Slowroll and arrive on average 5 to 10 days after being released in a Tumbleweed snapshot. This monthly approach has been consistent for many months, ensuring stability and timely enhancements for users. Updated packages for Slowroll are regularly published in emails on the openSUSE Factory mailing list.

Contributing to openSUSE Tumbleweed

Stay updated with the latest snapshots by subscribing to the openSUSE Factory mailing list. For those Tumbleweed users who want to contribute or want to engage with detailed technological discussions, subscribe to the openSUSE Factory mailing list. The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.

Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.


KDE Linux warms up its engines and lots of updates in KDE Express 55

I am pleased to present a new episode of KDE Express, this time dedicated to «KDE Linux warms up its engines and lots of updates», in which David Marzal brings us an avalanche of news. The KDE Community and the other Free Software communities never stop.


I mentioned quite some time ago that KDE Express had been born, an audio programme with news and current affairs from the KDE Community and Free Software in a short format (under 30 minutes) that complements the ones KDE España already produced (although we are now taking a breather for various reasons) with its veteran video podcasts, which you can still find on Archive.org, YouTube, Ivoox, Spotify and Apple Podcasts.


In this way, over these more than 50 episodes, driven mainly by David Marzal, they have told us a bit of everything: news, projects, events, etc., becoming (at least for me) one of the most important podcasts for the Spanish-speaking KDE Community.

In David's words, the new episode of KDE Express is introduced as follows:

We are back with the pure-audio news episodes. Lots of updates to applications and tools, distros, and some FLOSS news in general.

Original article with the links at https://kdeexpress.gitlab.io/55/

See you at Cañas y Podcast in Madrid on September 27, at JPOD, or around Cartagena!

KDE Gear 25.08.1

KDE Frameworks 6.18.0

  • You can now use the Copilot key on keyboards for something more sustainable.
  • We say goodbye to third-party application icons.
  • Applications can register to inhibit the screensaver or hibernation.

KDE Linux is ready to try. Meanwhile, Neon stays in maintenance for now, but I would not do new installations with this distro, since I see an uncertain future for it.

KDE Plasma 6 Wayland works well on FreeBSD, tutorial.

Plasma 6.5, which has already released its first beta, will bring a change to the Flatpak permissions page, which becomes application permissions and brings several new features and improvements.

Nate gives us his view of the latest Akademy; everything looks very good. And here you have a thorough official summary, worth reading.

openSUSE is going to retire its Qt5 welcome screen in favour of a more modern one that coordinates with the one we have in KDE and with GNOME's.

For Nix lovers, here is a manager for Home Manager; I don't know more than that.

LibreOffice 25.8.1 is now available:

  • Multiple interface options with a wizard.
  • Performance improvements (30% in some cases).
  • Compatibility improvements, as always, with the demon.
  • Ability to export to PDF 2.0 (which brings many accessibility improvements).

Firefox 142 allows exceptions in its ETP protection mode

  • It introduces CRLite, a new local certificate revocation system that improves privacy.
  • Ability to remove extensions directly from the toolbar.
  • Improved search within history.

And 143 comes with:

  • In private mode you can configure downloaded files to be deleted when the browser closes.
  • On Android it now supports xHE-AAC audio and DoH.

Thunderbird 143 is entirely a bug-fix release.

Also, as always, I leave you the list of episodes here. Enjoy!

By the way, you can also find them on Telegram: https://t.me/KDEexpress

The post KDE Linux revs its engines, plus many updates, in KDE Express 55 was first published on KDE Blog.