Tumbleweed Slows for Open Build Service Move

The rolling release for openSUSE temporarily slowed the frequency of its snapshot release cycle to support the migration efforts and data center move of the Open Build Service from last week.

The release engineer team reported in its weekly meeting that the check in of Tumbleweed builds were intentionally paused so as not put additional stress on the OBS migration that was needed.

The first check-in build happened on Monday, passed openQA and snapshot 20230828 was released to update a half-dozen packages. An update of ImageMagick 7.1.1.15 removed a Common Vulnerability and Exposure patch after it was merged upstream. Some settings for RGBA images were corrected and some image compatibility issues were resolved. An update of clamav 0.103.9 addressed a possible denial of service vulnerability fixing CVE-2023-20197. The update also includes fixes for compiler warnings that may become errors in the Clang 16 compiler. The package for hardware identification and configuration data, hwdata, updated to version 0.373 and brings updates to Peripheral Component Interconnect, USB, and vendor IDs. An update of java-11-openjdk 11.0.20.1 brought an emergency release in response to a regression in the July 2023 update and addresses an issue of an invalid Central Directory Entry header. The wtmpdb package, which is meant to help solve the Y2038 problem, updated to 0.9.1 and includes a fix to a manual page reference and had a correction of the printf format specifier on 32-bit systems. Xfce users will be happy to see an update of xfce4-terminal 1.1.0 that introduces various changes, including allowing passing arguments to custom commands, translating strings in the unsafe paste dialog and improving window synchronization for showing tabs. The package also adds support for kinetic scrolling in VteTerminal and enhances the preferences dialog.

The 20230823 build from last week resulted in a snapshot; this happened before the weekly blog came out, but after the Review of the Week was posted. This snapshot also resulted in a half-dozen packages being updated. A key package to update in the snapshot was php8 8.2.9 that addresses CVE-2023-3824, which the insufficient length checking may lead to a stack buffer overflow, and CVE-2023-3823, which could have lead to the situation where a external XML is parsed with external entities loaded; this could have lead to disclosure of any local files accessible to PHP. The update of gpgme 1.22.0 prevents the wrong plaintext during signature verification and from returning a bad data error instead of a general error. The package also added a couple of patches, had a few new interface changes, various enhancements and fixes. The secure communications library gnutls 3.8.1 added a patch to fix a missing compatibility extension and added support for the RFC 9258 external PSK importer. Other packages to update in the snapshot were apache2-mod_php8 8.2.9, gpgmeqt 1.22.0 and libupnp 1.14.18, which included a fix for a busy loop on a socket error in a miniserver.

A few things are expected to come as new snapshots begin to arrive after slowing down builds due to the migration. According to the release engineer meeting, systemd 254.1 is in the queue, but is currently being blocked due to a performance regression, the glibc performance regression fix might be released in the next snapshot and Linux Kernel 6.5 was submitted and will make its way through passing openQA testing.