PostgreSQL, Xen, glibc Update in Tumbleweed

This week’s openSUSE Tumbleweed snapshots were steady and there were no large updates.

While updating openSUSE rolling release once a week could result in a larger update, daily updates throughout this week would have meant smaller updates each day.

The latest snapshot is 20230816. This snapshot fixes compiler-warnings with the ncurses 6.4.20230812 update. This package had some patches added and improved manpages for wgetnstr() and wget_wnstr(). There was also an update for a tool to read manpages with the man 2.11.2 update. This manual tool package introduces security enhancements by replacing $ characters in page names with ? when constructing less prompts, along with other improvements like handling database entries for links better and reorganizing databases for reproducibility. The visual file manager mc 4.8.30 update now supports using Perl Compatible Regular Expressions 2 library as a search engine, and it improves the extfs helpers and patchfs. The yast2-installation 4.6.7 update had a change that addresses a specific issue requiring the presence of the awk utility for use in startup scripts.

Snapshot 20230815 fixes a crash with the 389-ds update. The 2.4.0~git74.4297d88 version for the device memory project brings ongoing efforts to test and improve the multiple listening thread feature. The update gtk4 4.12.0 has some new features for list widgets and an always-ask property in the GtkFileLauncher. The inspector tool provides more information in the accessibility tab. The ndctl 78 update brings improvements in CXL (Compute Express Link) support and some patches were removed. Security vulnerabilities were addressed with the postgresql15 15.4 update, including CVE-2023-39417, which prevents the substitution of certain characters into extension scripts that could lead to security issues, and CVE-2023-39418, which ensures proper enforcement of row security policies. The package also adjusted the International Components for Unicode handling to prepare for PostgreSQL 16. The yast2-trans updated the POT files for Georgian, Slovak, Japanese, Czech and Dutch. Several Python Package Index packages were also updated.

Snapshot 20230814 had just one package update. The python-Pygments 2.16.1 update improved some documentation and provides guides on creating terminal code highlighting commands and loading TrueType fonts to the ImageFormatter for formatting highlighted code as images. The Python library also has a new syntax highlighter for various programming languages and formats.

Similarly, snapshot 20230813 also featured an update for a single package. Binding package python-pyzmq 25.1.1 had some compatibility changes with Cython 0.29.35 for building Python 3.12 wheels, which no longer requires Cython 3. The package also improved error messages, added Cython as a build-time dependency and cleaned up the Socket.poll() method used to check the status of ZeroMQ sockets in a non-blocking manner.

Snapshot 20230812 provided a major update of a web browser. Mozilla Firefox 116.0.2 was primarily targeted at enhancing performance and functionality. The major version release provided several Common Vulnerability and Exposure fixes to include those including a memory bugs, a stack buffer overflow vulnerability and a potential for permissions requests to be bypass via clickjacking has been eliminated. One new feature is the sidebar switcher, which allows users to access Bookmarks, History and Synced Tabs panels easily. The NetworkManager 1.44.0 update brings a significant enhancement by introducing a new link setting that is designed to hold properties related to the kernel link, including parameters, and it now supports sending a DHCPv6 prefix delegation hint through the ipv6.dhcp-pd-hint connection property. Catfish 4.18.0, the Xfce file searching tool, brings performance improvements that enhance user experience, making it smoother and more responsive. The package also allows for more refined and specific searches based on different categories of files. An update of glibc 2.38 introduces the strlcpy and strlcat functions and addressed a vulnerability that pertains to the use of the printf family of functions with a format specifier and a minimum width specifier. An update of systemd 253.8 enhanced security and added a minimal bounds check to the bus component of systemd. Some improvements and core components were cleaned up. Several other packages updated in the snapshot

With snapshot 20230811, nodejs20 20.5.1 was updated. The new version took care of the CVEs; CVE-2023-32002, CVE-2023-32558 and CVE-2023-32004. The update of xen 4.17.2_02 addressed a vulnerability that pertains to a speculative return stack overflow on x86 AMD systems. An update of yast2-country 4.6.3 allows users to change the date to a year later than 2032. The re2c 3.1 package introduces new options such as --leftmost-captures for capturing groups and syntax for non-capturing groups. Command line tool and utilities package xz 5.4.4 updated documentation and translation and the latest openSUSE-repos-Tumbleweed package disabled the NVIDIA package building on LeapMicro since deployments are expected to have all drivers and tools inside the containers.