openSUSE News

Tumbleweed Monthly Update - March 2026

admin@opensuse.org (Douglas DeMaio) — Thu, 02 Apr 2026 08:00:00 +0000

There were several software package updates for openSUSE Tumbleweed during March.

Tumbleweed saw three Plasma 6.6 updates bringing progressive bugfixes to KWin, the system tray, Spectacle, and the Kicker launcher. KDE Frameworks advanced to 6.24.0 with nanosecond-precision timestamps in KIO and a new Kirigami StyleHints API. The Linux kernel moved from 6.19.5 to 6.19.9 with broad fixes across audio, display, and filesystem drivers. Both the Linux Kernel and FreeRDP fixed several Common Vulnerabilities and Exposures, and Mesa 26.0.2 resolved visual corruption on RDNA 4 hardware and a Counter-Strike 2 regression on Intel Arc.

As always, be sure to roll back using snapper if any issues arise.

For more details on the change logs for the month, visit the openSUSE Factory mailing list.

New Features and Enhancements

Plasma 6.6.1, 6.6.2 & Plasma 6.6.3: Version 6.6.3 finished the month with the third update. Application launcher Kicker receives several fixes for the sidebar, icon display, and expanded root list width calculations. The Task Manager now keeps thumbnails properly aligned in horizontal group tooltips. Spectacle resolves a crash on quick region selection and fixes a pixel-off error in the magnifier tool. The system tray sees improved popup placement on Wayland. PowerDevil restores the battery badge for 100 percent charge and syncs the manual inhibition switch with external changes. Plasma 6.6.2 has KWin resolve crashes in DRM output handling, improves mouse tracking with caret-based zoom, and fixes input region gaps in window decorations. The Kicker applet sees refinements in visual search, scrollbar behavior, and hover logic. Spectacle fixes a crash when exporting via KDE Connect, and System Settings now correctly navigates to subcategories from search results. In version 6.6.1, KWin sees the most changes with fixes for corner rounding applying to both decorations and window surfaces, zoom now works correctly on rotated outputs, and software brightness dimming on external screens on screens were enhanced. The tile editor no longer triggers on key repeat, and interactive move-resize no longer unconditionally raises windows. Clipboard and drag-and-drop teardown under XWayland is improved, and*Wine/Proton color management gains better compatibility. The Kicker application launcher for the Plasma Desktop receives multiple fixes for the icon display, layout margins, and search field behavior. The Task Manager corrects tooltip sizing. The digital clock now properly localizes digits, and the media controller fixes premature label truncation. Plasma Network Manager improves icon accuracy for Wi-Fi disabled states and now responds to external configuration changes. Discover improves Flatpak app resolution and exposes proper star count ratings. Powerdevil adds a power level check before executing critical actions that prevent premature shutdowns.

GNOME Control Center 49.5: The Display and Power panels now handle a missing UPower service instead of failing. An infinite loop when switching battery charge modes on systems with multiple batteries was fixed. Sound and Bluetooth device switching regressions are resolved through an updated libgnome-volume-control.

libxml2 2.15.2: A significant version jump that removes the built-in HTTP client and LZMA compression support, and the parser option XML_PARSE_UNZIP is now required to read compressed data. HTML serialization and character encoding handling are brought more in line with the HTML5 specification, and additional accessors for xmlParserCtxt were added for developers. Several previously patched CVEs are now resolved upstream, including fixes for attribute normalization and standalone checks. Python bindings are no longer built as they are scheduled for removal in 2.16, and Schematron support has similarly been dropped.

Xfce 4.20.2: This update covers the screensaver, session manager, and display settings. xfce4-screensaver fixes a wrong conditional in the lock plug, improves theme preview rendering, and switches from pidof to pgrep for more reliable process detection. The overlay window handling is reworked to use a single permanent window, improving device reliability. xfce4-session fixes an idle function and prevents multiple logout dialogs from being created. It also adds gnome-keyring as a Secret portal provider and improves keyboard layout detection on Wayland. xfce4-settings improves display management by checking EDID to detect output list changes, adds a missing condition for new Wayland outputs, and falls back to output name when EDID data is duplicated.

KDE Frameworks 6.24.0: This updates see KIO gain nanosecond-precision timestamps across file operations, improved paste dialogs with proper titles, and refined trash handling. KCodecs overhauls encoding with safer memory management (using unique_ptr) and Kirigami introduces a new StyleHints API to unify theme behavior. Baloo fixes database access mode issues and KTextEditor adds search history clearing and safer clipboard handling.

7-Zip 26.00: The file manager now uses the file name as a secondary sorting key for more intuitive file list ordering, and the benchmark tool supports systems with more than 64 CPU threads. A bug preventing correct extraction of TAR archives containing sparse files is fixed.

KDE Gear 25.12.3: Kdenlive addresses numerous stability and usability issues, including crashes in the curve editor, audio scrubbing with “Pause on Seek” disabled, and provides better handling of multi-stream clips and improved effect management. Itinerary and Kitinerary expand travel support with new extractors for ferry tickets. NeoChat refines room list navigation, fixes emoticon editor layout issues, prevents timeline scrolling during reactions, and resolves a crash. KMail restores proper rendering of plain-text emails and Tokodon fixes alt-text editing and account switching after login failures.

ImageMagick 7.1.2.16 - 7.1.2.18: The image editor update for version 7.1.2.18 improves the reliability of animated image handling by fixing frame delay parsing and resolves a visual artifact where the -dissolve composite operation introduced random noise. Version 7.1.2.17 focused on addressing multiple vulnerabilities and security advisories are resolved along with out-of-band data handling improvements. Version 7.1.2.16 hardens security and adds overflow checks to several image write paths including JXL, PS3, sixel, SGI, and BMP/DIB. It fixes a heap over-read in BilateralBlurImage with even-dimension kernels, a NULL pointer dereference in HEIC NCLX color profile allocation, and a double-free in SVG gradientTransform parsing.

Ruby 4.0.2: This update fixes a YJIT bug. A segfault with argument forwarding combined with splat and positional arguments is resolved, along with a GC crash in String#% and a crash on signal raise. A 20 percent performance regression in Rails related to global allocatable slots and empty pages is addressed. Several Prism parser issues were corrected including misparsing of standalone in pattern matching and the and? predicate being confused with the and keyword.

FreeRDP 3.24.1: This update sees the API comprehensively marked with [[nodiscard]] to surface unchecked function return values. Smartcard support is improved including ECC key handling in PKCS#11 enumeration, proxy support is extended to RFX and NSC graphics modes, and SDL3 multi-monitor scaling is introduced. Numerous memory leaks across connection setup, settings copying, and smartcard paths were resolved.

libavif 1.4.0: This update adds support for Sample Transform schemes from the AVIF 1.2 specification, which enables 16-bit AVIF file handling and grid-based derived image items. Data behind a document for the software handles picture files was made with avifenc, which can now read PNG or JPEG files through stdin via --stdin-format and supports converting JPEG files with Apple-style gain maps. PNG decoding now respects cICP chunks for color information as per the PNG Third Edition specification. Encoding defaults have been refined; AOM_TUNE_IQ is now used for still color samples with libaom v3.13.0+, while AOM_TUNE_PSNR is used for alpha to avoid ringing artifacts from SSIM tuning. Support for libaom versions 2.0.0 and earlier is removed.

Key Package Updates

Linux kernel 6.19.5 - 6.19.9:: The 6.19.9 update improved audio with a speaker pop fix for Star Labs StarFighter hardware and the Btrfs filesystem resolves a space info lock issue during periodic reclaim. NFS3 now correctly returns EISDIR when a create operation encounters a directory alias. The 6.19.8 kernel was dominated by a major batch of AppArmor fixes and multiple CVE-tracked fixes that were backported. The 6.19.7 release receives multiple corrections for CFS/EEVDF scheduler including fixes for zero_vruntime tracking, lag clamping, and slice protection timing. The AMD XDNA accelerator driver resolves several issues including a crash when destroying suspended hardware contexts. The 6.19.6 kernel had fixes led by extensive perf tooling corrections including reference count leaks, srcline printing with inlines, and Zen 5 vendor event definitions for AMD. Btrfs replaces a BUG() call with proper error handling for unexpected delayed ref types, adds fallback to buffered IO for data profiles with duplication, and improves user interrupt handling in btrfs_trim_fs(). The 6.19.5 releases sees Btrfs correct a block_group_tree dirty list corruption and a chunk allocation abort caused by non-consecutive gaps. GFS2 resolves quota handling and an inline data write path. The SMB client fixes a potential use-after-free and double free in smb2_open_file(). A netfilter nf_tables fix adds an abort skip removal flag for set types to address tracked security-relevant issues.

GStreamer 1.28.1: This update includes a new whisper-based speech-to-text transcription element and the speechmatics element now supports detecting audio events like applause, laughter, and music. Reverse playback and gap handling are improved across multiple components. The V4L2 subsystem gains support for AV1 stateful decoding, and CUDA/GL interop copy paths in cudaupload and cudadownload are fixed. WebRTC components gain the ability to specify custom headers for signalling servers and negotiate H.264 profile and level for encoded input. Various memory leaks, build issues, and race conditions were resolved.

curl 8.19.0: This release addresses four security vulnerabilities and provides new features like initial support for MQTTS and fractional values for --limit-rate and --max-filesize. Support for OpenSSL-QUIC was dropped. A potential NULL dereference in Curl_h1_req_parse_read() was fixed along with a potential out-of-bounds read in OpenSSL debug logging. The build now enables NTLM authentication for compatibility with certain Exchange Server endpoints.

systemd 259.3 & 259.5: The 259.5 update had a notable fix and corrected systemd-update-helper from incorrectly skipping systemctl disable during package removal. A new clean-state command is introduced and triggered automatically at the end of any transaction installing unit files. The systemd-container subpackage now requires libarchive instead of tar for archive handling. Additional systemd-update-helper fixes address do_install_units() incorrectly returning an error when no units need preset, and the clean-state command itself is corrected to remove the full state directory rather than just a subdirectory. The 259.3 was a major version upgrade. The libcap dependency was removed entirely, with its system call wrappers reimplemented directly in systemd.

GnuPG 2.5.18: This update adds support for deleting composite secret keys in gpg-agent and fixes armor parsing when no CRC is found. A recent regression in pkdecrypt with TPM RSA keys is resolved, and scdaemon adds support for D-Trust Card 6.1/6.4. The dirmngr key server search now prints all UID records for a key, which fixes a regression dating back to 2015.

Mesa 26.0.2: The release fixes visual corruption on RDNA 4 in DX11/DXVK titles like Mafia III, a GPU hang with PS epilogs and secondary command buffers, and missing L2 cache invalidation with streamout on GFX12. A Counter-Strike 2 visual glitch regression on Intel A770 is resolved. The Panfrost Bifrost compiler fixes a failure from incorrect vectorization and spill placement issues. An OpenGL VRAM memory leak when setting uniform variables is corrected. X11 shared memory attachment checks are added across drisw, EGL, GLX, and Vulkan WSI paths to prevent allocation failures.

GTK3 3.24.52: This update fixes a Firefox crash at gdk_wayland_drag_context_manage_dnd() when a toplevel Wayland surface is missing, and resolves wild strobing in multi-window mode. A refresh rate calculation overflow on 32-bit targets is corrected, and recolored icon images are no longer constantly reloaded. Accessibility events for unfocused GtkTreeView widgets are fixed, and XKB initialization failures on Wayland are now handled more gracefully.

libtpms 0.10.2: This update fixes a memory leak by freeing the KDF context and resolves incorrect IV retrieval when using OpenSSL 3.0 or later. A build fix for compatibility with newer glibc is also included. For Tumbleweed users running TPM-based virtualization with QEMU or swtpm, this is a security-relevant update.

xfsprogs 6.18.0: This update spans three releases. The mkfs.xfs tool gains several improvements including the ability to configure desired maximum atomic write sizes, AG size alignment based on atomic write capabilities, autodetection of log stripe unit for external log devices, and new default features enabled out of the box with a 2025 LTS config file. Zoned filesystem support is refined with fixes for zone capacity checks on sequential zones and improved default maximum open zones. The proto subsystem adds the ability to populate a filesystem directly from a directory. xfs_scrub removes its EXPERIMENTAL warnings and fixes a null pointer crash in scrub_render_ino_descr. Cross-architecture log CRC mismatches between i386 and other architectures are corrected, and libxfs gains support for reproducible filesystems using deterministic time and seed values. Deprecated sysctl knobs and mount options are removed. The Python dependency is also dropped from the main package since the xfs_protofile script is not essential.

Security Updates

Python 3.11.15:

CVE-2025-11468: Fixes a header injection flaw in email header folding where long comments with unfoldable characters could allow injecting headers into email messages.
CVE-2025-12084: Addresses quadratic complexity that could lead to denial of service when processing deeply nested documents.
CVE-2025-6075: Resolves a performance degradation in os.path.expandvars() when user-controlled values are passed for environment variable expansion.
CVE-2026-2297: Fixes an issue where CPython’s import hook for legacy .pyc files did not trigger sys.audit handlers and could potentially allow a security monitoring bypass.

bind 9.20.21:

CVE-2026-1519: Fixes a flaw that could potentially lead to denial of service.
CVE-2026-3104: Addresses a memory leak that could cause unbounded memory growth and an out-of-memory condition.
CVE-2026-3119: Resolves an issue where an authenticated query could cause a termination unexpectedly.
CVE-2026-3591: Fixes a use-after-return flaw that could allow an attacker to bypass ACL restrictions via crafted DNS requests.

Linux kernel 6.19.8::

CVE-2026-23230: Fixes a vulnerability in the ksmbd kernel SMB server.
CVE-2026-23220: Addresses an infinite loop caused by next_smb2_rc in ksmbd.
CVE-2026-23226: Resolves a missing lock to protect ksmbd channel list.
CVE-2026-23228: Fixes a leak of active_num_conn in the ksmbd SMB server.
CVE-2025-71231: Addresses an out-of-bounds index in the crypto IAA driver.
CVE-2026-23222: Fixes a memory allocation issue in the crypto OMAP driver.
CVE-2026-23229: Resolves a missing spinlock protection in the crypto virtio driver.
CVE-2025-71237: Fixes a potential block overflow in nilfs2 that could cause corruption.
CVE-2025-71230: Addresses an issue where HFS superblock info was not always cleaned up properly.
CVE-2025-71229: Resolves an alignment fault in the rtw88 WiFi driver.
CVE-2025-71236: Fixes missing validation before freeing resources in the qla2xxx SCSI driver.
CVE-2025-71235: Addresses a module unload race condition in the qla2xxx SCSI driver.
CVE-2025-71232: Resolves a memory leak in an error path in the qla2xxx SCSI driver.
CVE-2026-23225: Fixes an incorrect CID ownership assumption in the scheduler mmcid subsystem.
CVE-2026-23221: Addresses a use-after-free in the fsl-mc bus driver override handling.
CVE-2026-23224: Resolves a use-after-free in erofs for file-backed mounts.
CVE-2026-23223: Fixes a use-after-free in XFS btree block owner checking.
CVE-2026-23227: Addresses a missing lock protection in the Exynos VIDI DRM driver.
CVE-2025-71233: Resolves an issue with asynchronous sub-group creation in PCI endpoint.
CVE-2025-71234: Fixes a slab out-of-bounds access in the rtl8xxxu WiFi driver.
CVE-2025-71238: Addresses a double-free in the qla2xxx SCSI driver’s bsg_done handler.
CVE-2026-23236: Fixes improper ioctl memory copy in the smscufx framebuffer driver.
CVE-2026-23235: Resolves an out-of-bounds access in f2fs sysfs attribute handling.
CVE-2026-23234: Addresses a use-after-free in f2fs write end I/O handling.

libtpms 0.10.2:

CVE-2026-21444: Fixes a flaw in libtpms that weakened encryption and decryption.

LibVNCServer:

CVE-2026-32853: Fixes a vulnerability where a crafted message could lead to information disclosure or denial of service.
CVE-2026-32854: Addresses an issue where crafted requests could cause a denial of service.

freeipmi 1.6.17:

CVE-2026-33554: Resolves improper memory handling and data validation that could lead to stack buffer overflows and acceptance of malformed payloads.

nghttp2 1.68.1:

CVE-2026-27135: Addresses a vulnerability that fixes an assertion failure from missing state validation.

inkscape 7.1.2.15:

CVE-2026-24481: Fixes a heap information disclosure when processing malformed PSD files.
CVE-2026-25794: Addresses a heap buffer overflow via integer overflow when writing images with large dimensions.
CVE-2026-25796: Resolves a memory leak that could be exploited for denial of service.
CVE-2026-25637: Fixes a memory leak in the ASHLAR image writer that could lead to denial of service.
CVE-2026-25576: Addresses a heap buffer over-read in multiple raw image format handlers potentially disclosing sensitive information.
CVE-2026-26983: Fixes a NULL pointer dereference in the MSL interpreter that could cause a crash.
CVE-2026-26284: Resolves a use-after-free that could lead to denial of service or code execution.
CVE-2026-26283: Addresses an infinite loop in the JPEG encoder that could cause denial of service.
CVE-2026-25965: Fixes a path traversal that could allow reading arbitrary files on the system.
CVE-2026-25967: Addresses improper encoding or escaping of output that could allow arbitrary command execution.
CVE-2026-25989: Fixes an integer overflow in the internal SVG decoder that could cause denial of service.
CVE-2026-25968: Resolves a memory leak in coders that write raw pixel data potentially leading to denial of service.
CVE-2026-24485: Addresses an out-of-bounds read that could cause a crash.
CVE-2026-25985: Fixes unbounded resource allocation in the SVG decoder that could lead to denial of service.
CVE-2026-25987: Resolves an integer overflow in the SVG decoder potentially causing denial of service.
CVE-2026-25966: Addresses a security policy bypass via fd: pseudo-filenames allowing stdin/stdout access.
CVE-2026-25799: Fixes an out-of-bounds read that could disclose memory contents.
CVE-2026-25798: Resolves an out-of-bounds read potentially leading to information disclosure or a crash.
CVE-2026-25795: Fixes a NULL pointer dereference that could cause a denial of service.
CVE-2026-26066: Addresses resource exhaustion when writing IPTCTEXT that could lead to denial of service.
CVE-2026-25638: Resolves a memory leak that could be exploited for denial of service.
CVE-2026-25797: Fixes a code injection issue that could allow arbitrary code execution.
CVE-2026-25897: Addresses a heap buffer overflow in the sun decoder potentially causing a crash.
CVE-2026-25970: Resolves a memory leak that could lead to denial of service via image processing.
CVE-2026-25982: Fixes a use-after-free that could lead to denial of service or code execution.
CVE-2026-25983: Addresses an out-of-bounds read in the PCD coder that could disclose memory contents.
CVE-2026-25898: Resolves an out-of-bounds read that could cause a crash or information disclosure.
CVE-2026-25971: Fixes a memory leak in the text coder that could lead to denial of service.
CVE-2026-25988: Addresses a use-after-free in the meta coder potentially allowing code execution.
CVE-2026-25969: Resolves a memory leak that could lead to denial of service via image processing.
CVE-2026-25986: Fixes a vulnerability that could lead to denial of service when processing crafted images.

expat 2.7.5:

CVE-2026-32776: Fixes a NULL pointer when handling empty external parameter entity content.
CVE-2026-32777: Addresses an infinite loop that could lead to denial of service.
CVE-2026-32778: Resolves a NULL pointer after an earlier out-of-memory condition.

TigerVNC:

CVE-2026-34352: Fixes incorrect permissions that could allow other users to observe or manipulate screen contents, or cause a crash.

clamav 1.5.2:

CVE-2026-20031: Fixes an error handling bug that could crash the program and cause a denial of service.

FreeRDP 3.24.1:

CVE-2026-29774: Fixes a client-side heap buffer overflow.
CVE-2026-29775: Addresses an off-by-one boundary check in the bitmap cache subsystem that could cause out-of-bounds read/write.
CVE-2026-29776: Resolves an integer underflow that could lead to a crash.
CVE-2026-31806: Fixes a heap buffer overflow caused by unchecked bitmap dimensions from a malicious server.
CVE-2026-31883: Addresses a size_t underflow leading to a heap buffer overflow via the RDPSND channel.
CVE-2026-31884: Resolves a division-by-zero in the ADPCM decoders when nBlockAlign is 0, causing a crash.
CVE-2026-31885: Fixes an out-of-bounds read in the ADPCM decoders due to missing predictor and step_index bounds checks.

giflib:

CVE-2026-23868: Fixes a double-free vulnerability from a shallow copy that could lead to memory corruption.

curl 8.19.0:

CVE-2026-1965: Fixes bad reuse of HTTP Negotiate connections that could lead to authentication bypass with wrong credentials.
CVE-2026-3783: Addresses a token leak when following redirects with netrc credentials.
CVE-2026-3784: Resolves wrong proxy connection reuse with different credentials, potentially exposing authenticated sessions.
CVE-2026-3805: Fixes a use-after-free in SMB connection reuse that could lead to a crash or potential code execution.

QEMU 10.2.2:

CVE-2026-2243: Fixes an out-of-bounds read in QEMU’s VMDK image handling that could lead to information disclosure or denial of service.
CVE-2026-3196: Addresses an integer overflow that could allow a malicious guest to cause unbounded memory allocation and denial of service on the host.

udisks2:

CVE-2026-26104: Fixes a missing authorization check that allowed unprivileged users to back up LUKS encryption headers and potentially expose sensitive cryptographic metadata.
CVE-2026-26103: Addresses a missing authorization check that allowed unprivileged users to restore LUKS encryption headers, which could potentially render encrypted volumes inaccessible.

GVFS 1.58.2:

CVE-2026-28296: Fixes a CRLF injection flaw in the FTP backend that could allow a remote attacker to inject arbitrary FTP commands via crafted file paths.

python-tornado6

CVE-2026-31958: Fixes a denial-of-service vulnerability where requests with thousands of parts could cause excessive CPU consumption.

libjxl 0.11.2:

CVE-2026-1837: Fixes a memory corruption issue when processing crafted grayscale images with LCMS2 that could potentially lead to code execution or information disclosure.

util-linux:

CVE-2026-3184: Addresses improper hostname canonicalization that could allow bypass of host-based PAM access control rules.

sdbootutil:

CVE-2026-25701: Fixes an insecure temporary file vulnerability that could allow local users to access private information or manipulate boot configuration data.

ImageMagick 7.1.2.17:

CVE-2026-32259: Fixes a stack-based buffer overflow when a memory allocation fails that could potentially allow writes past the end of a buffer.

GraphicsMagick:

CVE-2026-25799: Provides a fix that could lead to a crash and denial of service.
CVE-2026-28690: Fixes a stack buffer overflow vulnerability that could lead to a crash or potential code execution.
CVE-2026-30883: Addresses a heap overflow when encoding a PNG image with an extremely large image profile.

libsoup2:

CVE-2026-1760: Fixes improper handling of HTTP requests combining certain headers that could lead to HTTP request smuggling and potential denial of service.
CVE-2026-1467: Addresses a lack of input sanitization that could lead to unintended or unauthorized HTTP requests.
CVE-2026-1539: Resolves proxy authentication credentials being leaked via the Proxy-Authorization header when handling HTTP redirects.
CVE-2026-0716: Fixes a flaw in WebSocket frame processing that could cause out-of-bounds memory reads, potentially leading to memory exposure or a crash.

freetype2 2.14.2:

CVE-2026-23865: Fixes an integer overflow in the FreeType library that could allow an out-of-bounds read when parsing OpenType variable fonts.

exiv2 0.28.8:

CVE-2026-25884: Fixes an out-of-bounds read in the CRW image parser when processing crafted image files.
CVE-2026-27631: Addresses an integer overflow causing an uncaught exception that could lead to a crash and denial of service.
CVE-2026-27596: Resolves an out-of-bounds read in preview handling that could cause a crash when processing crafted image files.
CVE-2025-54080: Fixes an out-of-bounds read triggered when writing metadata into a crafted image file, potentially causing a crash.
CVE-2025-55304: Addresses quadratic performance in ICC profile parsing that could lead to denial of service.
CVE-2025-26623: Resolves a heap buffer overflow when writing metadata into a crafted image file, potentially allowing code execution.

Salt:

CVE-2026-31958: Fixes a denial-of-service vulnerability where requests could cause excessive CPU consumption.

openexr 3.4.6:

CVE-2026-27622: Fixes an out-of-bounds write that could potentially lead to code execution when processing crafted EXR files.

Users are advised to update to the latest versions to mitigate these vulnerabilities.

Conclusion

March 2026 was a month defined by refinement and security hardening across the openSUSE Tumbleweed stack. The three Plasma 6.6 point releases demonstrated KDE’s steady cadence of desktop polish, while the kernel’s progression from 6.19.5 to 6.19.9 kept hardware support and filesystem reliability moving forward. Security was a clear theme throughout the month, with FreeRDP, curl, libsoup2, and the kernel itself all receiving significant CVE attention alongside a broad sweep of image processing fixes across GraphicsMagick, ImageMagick, and exiv2. Under the hood, the jump to libxml2 2.15.2 marked a meaningful step forward in web standards alignment, and GStreamer 1.28.1 pushed multimedia capabilities forward with speech-to-text transcription and AV1 decoding support.

Slowroll Arrivals

Please note that these updates also apply to Slowroll and arrive between an average of 5 to 10 days after being released in Tumbleweed snapshot. This monthly approach has been consistent for many months, ensuring stability and timely enhancements for users. Updated packages for Slowroll are regularly published in emails on openSUSE Factory mailing list.

Contributing to openSUSE Tumbleweed

Stay updated with the latest snapshots by subscribing to the openSUSE Factory mailing list. For those Tumbleweed users who want to contribute or want to engage with detailed technological discussions, subscribe to the openSUSE Factory mailing list . The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.

Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.

Closing Out a Roughly 8-Year Era

admin@opensuse.org (Douglas DeMaio) — Wed, 01 Apr 2026 12:00:00 +0000

The series for openSUSE Leap 15 is coming to an end after nearly eight years of providing a consistent community distribution that’s upgradable to SUSE’s enterprise product. Leap 15.6 will reach End of Life (EOL) at the close of this month closing out an end of an era as it will no longer receive maintenance or security updates going forward.

The Leap 15 journey began it journey on May 25, 2018, when 15.0 was released as a fresh community build on top of SUSE Linux Enterprise 15. It brought a huge variety of new software along with a easy migration to SLE, transactional updates, server roles, scalable cloud images, and more.

What followed was an impressively long run of incremental releases from Leap 15.1 to 15.6 as each stable release aligned with its twin, which is source and binary compatible, and delivered maintenance and security updates to users over several years.

The series far exceeded promises and ultimately spanned nearly eight years of active support. With Leap 15.6 going EOL, users who wish to continue receiving maintenance and security updates should upgrade to Leap 16. Leap 16 is expected to go to 16.6 in Fall 2031 and will have 24 months of support for a point release.

Running an unsupported release means your system will no longer receive patches for vulnerabilities, which poses a real security risk over time. The upgrade path to Leap 16 is the recommended way to stay protected and supported.

You can download openSUSE Leap 16 and use the migration tool to upgrade.

Leap 15.6 itself received nearly 24 months of support, which extended the traditional support period of 18 months by about six months. With Leap 16, users can expect a full 24 months of community support per point release, which is a commitment that reflects the significant effort from maintainers to keep users protected.

Thank you to all the contributors, packagers, and users who made the Leap 15 series such a long-lasting and reliable platform. Here’s to the next chapter with Leap 16!

Planet News Roundup

admin@opensuse.org (Douglas DeMaio) — Fri, 27 Mar 2026 08:00:00 +0000

This is a roundup of articles from the openSUSE community listed on planet.opensuse.org.

The community blog feed aggregator lists the featured highlights below from March 13 to March 19.

Blogs this week highlight Agama 19’s major architectural overhaul and new installation modes, the simultaneous release of Krita 5.3 and Krita 6.0, and Hyprland arriving on Tumbleweed with an official installation pattern. Blogs also cover Peter Czánik’s first steps running hardware-accelerated AI on Linux, animation smoothness improvements coming in Plasma 6.7, Mozilla’s new official RPM repository for Firefox Beta on openSUSE, the Himmelblau Workshop for Linux and Entra ID integration in Germany, an offline AI-powered child protection system for Linux using PAM, and more.

Here is a summary and links for each post:

My New Toy: OpenWebUI First Steps

Peter Czánik’s Blog continues his AI mini workstation series by documenting his first steps with Open WebUI on Fedora. He settled on running Ollama directly from the Fedora package repository after upgrading to Fedora 44 beta.

Install Firefox Beta on openSUSE

Victorhck explains how to add Mozilla’s new official RPM repository to install Firefox Beta on openSUSE alongside the stable and Nightly versions. Installing from the official Mozilla repository offers advantages including advanced compiler optimizations, faster updates, and hardened security binaries. The post provides the exact zypper commands needed to import the GPG key and install the package.

The New Features of Plasma 6.6

The KDE Blog takes a detailed look at the new features introduced in the Plasma 6.6 desktop release. The blog highlights a new global theme that automatically switches between light and dark mode by time of day, easier emoji skin tone selection via Meta+., and quick Wi-Fi connection by scanning a QR code with the device’s camera.

Trying Hyprland for the First Time on openSUSE Tumbleweed

Victorhck shares his first hands-on experience with the Hyprland tiling window manager on openSUSE Tumbleweed, which was made much easier by a new official installation pattern contributed by Lubos Kocman. The pattern bundles a minimal but functional setup including waybar, greetd, hyprpaper with an openSUSE wallpaper, and sensible keyboard defaults.

Compiling syslog-ng on an Old Mac

Peter Czánik’s Blog addresses the problem of Homebrew dropping full support for older Intel-based Macs and explains how to compile the latest syslog-ng release on these aging but still functional machines.

My New Toy: First Steps with AI on Linux

Peter Czánik’s Blog documents his first attempts at running hardware-accelerated AI workloads on his HP Z2 Mini under Linux, covering both Ubuntu 25.10 and Fedora 43. While Ubuntu proved difficult due to ROCm packaging limitations, Fedora’s Heterogeneous Computing SIG wiki provided a clear path to getting AMD ROCm working, with both llama-cpp and PyTorch successfully detecting and using the GPU.

Krita 5.3 and Krita 6.0 Released

The KDE Blog announces the simultaneous stable releases of Krita 5.3 and Krita 6.0. Krita 5.3 introduces a fully rewritten text tool with direct canvas editing and advanced OpenType support. Krita 6.0 builds on all of 5.3’s additions while completing the migration to Qt6.

Animation Improvements Coming in Plasma 6.7

The KDE Blog reports on work by KWin developer Vlad Zahorodnii to smooth out animation in the upcoming Plasma 6.7. The fix addresses the “jump” effect that occurs when a brief system stall causes an animation to skip several frames to catch up. The change affects compositor-managed animations such as window open/close effects and desktop transitions.

Himmelblau Workshop – Hands-On Integration on April 21 in Germany

Just Another Tech Blog announces the first official Himmelblau Workshop taking place on April 22 in Göttingen, Germany, which is the day after sambaXP 2026. The hands-on session targets Linux system administrators and IT professionals managing hybrid environments, covering Entra ID authentication, multi-factor authentication, Intune-based device management, and policy enforcement using the current stable Himmelblau release.

Agama 19 – A New Start for the SUSE and openSUSE Installer

Victorhck provides a thorough Spanish-language overview of the Agama 19 release and its significance for SUSE and openSUSE users. The post walks through the architectural renovation, the redesigned web interface with dynamic network configuration, the rewritten user and software management subsystems, and newly added features such as LVM volume group installation and SSH key authentication.

3 Top Features of Plasma 6.6

The KDE Blog spotlights three standout features from the Plasma 6.6 release. The completely redesigned “Plasma Keyboard” on-screen keyboard offers instant appearance, automatic window repositioning, and a mobile-style layout with emoji support and cursor control via the spacebar.

3 Sports Games for Linux

The KDE Blog continues its native Linux games series with three free and open-source sports titles. Freetennis is a realistic tennis simulator featuring advanced AI and LAN/internet multiplayer; Tux Football is a fast-paced 2D arcade football game inspired by Sensible Soccer; and Foobillard++ is a 3D OpenGL billiards simulator supporting 8-ball, 9-ball, snooker, and carom modes. All three games are natively available on Linux at no cost.

VLM + CNN + Agents: Solving Digital Child Protection on Linux Without the Cloud

Alessandro’s Blog presents a technical proposal for implementing Brazil’s “Digital Statute for Children and Adolescents” (ECA Digital) on Linux using a fully offline AI pipeline. The system combines Vision-Language Models, convolutional neural networks for facial age estimation, and intelligent agents integrated directly into Linux’s PAM authentication layer to block privilege escalation by minors.

Linux Saloon 192 – Storm OS Distribution Exploration

The CubicleNate Blog recaps a Linux Saloon podcast episode focused on Storm OS, a new Arch-based Linux distribution created by contributor Ben. Participants discussed what productivity applications the distro would need to attract intermediate users and shared their own experiences testing distributions including openSUSE Tumbleweed.

Time Zone Offsets and Type-Ahead on the Desktop – This Week in Plasma

The KDE Blog translates and covers the latest “This Week in Plasma” development report. Plasma 6.7 gains time zone offset display in the Digital Clock widget, type-ahead file selection on the desktop when KRunner is disabled, and the ability to reverse the system tray item order. Performance improvements include reduced OpenGL context creation per application (saving 10–15 MB RAM each) and optimized direct scanout on fullscreen windows.

I Installed Linux on an Apple Silicon MacBook – No Going Back!

The KDE Blog highlights a video by content creator Guillem Cortés documenting his experience running Fedora Asahi Remix natively on a MacBook Pro with an M1 Pro chip. Battery life, audio, and display brightness perform comparably to macOS, though the screen is currently limited to 60 Hz instead of the original 120 Hz.

openSUSE Tumbleweed Weekly Review – Week 12 of 2026

Victorhck and dimstar report on a very active week for Tumbleweed with seven consecutive snapshots (0312 through 0318) delivered without any issues reaching users. Major updates include Mesa 26.0.2, cURL 8.19.0, Linux kernel 6.19.7 and 6.19.8, KDE Frameworks 6.24.0, GIMP 3.2.0, systemd 259.5, Ruby 4.0.2, and pipewire 1.6.2. Upcoming changes include switching the default UEFI bootloader to systemd-boot, GCC 16 as the default compiler, GNOME 50, glibc 2.43, and LLVM 22.

Agama 19 Released – A New Beginning

The Agama Installer Blog announces Agama 19. The release features a major architectural overhaul that establishes a clean, stable API as the foundation for the web UI, command-line tools, and unattended installs alike. Internal components for user and software management have been rewritten from scratch to replace aging YaST modules, and the web UI has been reorganized around a new overview page.

Passing of bear454

The openSUSE project mourns the passing of long-time community member James Mason. James, who is also known amongst the community as bear454, has a long connection with the project that stretches back to its beginnings. He was a member since 2009, an openSUSE Ambassador and dedicated much of his life’s work to open-source. He was often at LinuxFest Northwest helping several in attendance. He will be deeply missed.

James pictured at LinuxFest Northwest in 2014. left to right: Peter Linnell, Bryan Lunduke, Jon Hall (with the SUSE Chameleon), James Mason, and Michael Miller at LinuxFest Northwest 2014

View more blogs or learn to publish your own on planet.opensuse.org.

Planet News Roundup

admin@opensuse.org (Douglas DeMaio) — Fri, 20 Mar 2026 08:00:00 +0000

This is a roundup of articles from the openSUSE community listed on planet.opensuse.org.

The community blog feed aggregator lists the featured highlights below from March 13 to March 19.

Blogs this week highlight OBS request workflow improvements with better comment visibility and RPMLint integration, and a new cockpit-client-launcher package simplifying Cockpit setup on Tumbleweed and Leap. Blogs also cover KDE Plasma 6.6’s third bugfix update, Marknote 1.5’s new raw Markdown editing mode, Kontainer as a KDE-native Distrobox manager, openSUSE’s new Cavil-Qwen3.5-4B legal classification model and more.

Blogs also cover KDE Plasma 6.6’s third bugfix update, Marknote 1.5’s new raw Markdown editing mode, Kontainer as a KDE-native Distrobox manager, openSUSE’s new Cavil-Qwen3.5-4B legal classification model, a LogAI tool for querying system logs in plain English, Victorhck handing off his unofficial openSUSE guide, the GNOME 50 wallpaper design story, and more.

Here is a summary and links for each post:

My New Toy: FreeBSD on the HP Z2 Mini Revisited

Peter Czánik’s Blog continues the series on his HP Z2 Mini AI workstation. This time he revisits FreeBSD after resolving a graphics driver issue by switching from the AMD to the ATI kernel module. The GNOME desktop is now stable and functional. A switch to KDE’s Plasma resolves a remaining screen-locking issue.

The KDE Blog announces an upcoming event organized by the nonprofit association GNU/Linux València on March 27 in Valencia, Spain. The evening begins with a Linux install party at 17:00, followed at 18:30 by an open debate on new social media regulations, their implications for privacy, and how federated alternatives like the Fediverse compare. Admission is free.

Latest Improvements to the Request Page

The Open Build Service Blog hightlights improvements to the OBS request workflow. Changes include visual highlighting of comments, an enhanced Accept dropdown with improved accessibility, and integrated contextual descriptions for RPMLint results directly into the UI.

Friday Sketches (Part 2)

Jakub Steiner’s Blog shares a large collection of app icon sketches produced during GNOME Design Team Friday sessions over the past two years. Scroll through all the sketches.

New Launcher Aims to Simplify Cockpit Installations

The openSUSE News team introduces cockpit-client-launcher, which is a new package that gives openSUSE users a straightforward desktop entry point for the Cockpit web-based system administration interface. The launcher, which features a YaST-inspired icon, automates systemd service activation and firewall configuration on first launch. It is available as an official package on both Tumbleweed and Leap.

Central Log Collection – More Than Just Compliance

Peter Czánik’s Blog makes the case that a centralized log collection benefits more than just regulatory compliance; it improves operational ease, log availability during outages, and security against log tampering. The post walks through practical scenarios at different scales, from a handful of machines to networks of hundreds.

Displaying System Info with Native KDE Plasma 6 Plasmoids

Victorhck walks through how to use the built-in System Monitor Sensor plasmoide in KDE Plasma 6 to display system information such as uptime directly on the desktop. The guide covers configuring the widget’s appearance, selecting sensors, and customizing displayed labels.

Third Update of KDE Plasma 6.6

The KDE Blog announces the third bugfix update for Plasma 6.6. The update is part of KDE’s regular maintenance cadence and follows the full Plasma 6.6 feature release. The update is strongly recommended for all users.

Brazilian Digital Children’s Law and Linux: Debunking the Panic

Alessandro’s Blog takes a detailed look at Brazil’s Lei 15.211/2025 (the “Digital Statute for Children and Adolescents”), which sparked widespread but unfounded claims that Linux would be banned in Brazil. The post argues that the episode was driven more by misinformation and social media panic than by the actual legal text.

GNOME 50 Wallpapers

Jakub Steiner’s Blog celebrates the GNOME 50 release by walking through the design history behind the new default wallpaper. The post also covers updates to the Symbolics and glass chip wallpapers, and previews the new Tubes design aimed at dark-theme users.

My New Toy: AI First Steps with the HP Z2 Mini

Peter Czánik’s Blog recounts first experiments with AI features on Windows using the AMD Ryzen 395’s NPU on the HP Z2 Mini workstation. The Windows Recall feature could not be tested since it requires Secure Boot, which was disabled for Linux dual-boot compatibility.

My Unofficial openSUSE Guide Changes Hands

Victorhck announces that the Spanish-language unofficial openSUSE guide, which he has maintained since 2016, is being handed off to community member Diablo Rojo for continued maintenance and modernization. The guide, aimed at newcomers to openSUSE Leap, has been updated to reflect a decade of changes in the project including the rise of Tumbleweed, the transition away from YaST, and the arrival of Myrlyn.

Code Mode in Marknote, S3 Support in Dolphin, and Glaxnimate Release – This Month in KDE Apps

The KDE Blog summarizes a month’s worth of KDE application progress. Marknote gained a plain-text code mode, a note-linking dialog, search-and-replace, and animated UI transitions; Dolphin added S3 support of custom endpoints and is no longer limited to AWS-compatible services.

Kontainer – Distrobox Container Manager Built for KDE Plasma

The CubicleNate Blog reviews Kontainer, a KDE-native graphical interface for managing Distrobox containers. The app integrates well with the Plasma desktop and simplifies installing and running software from other Linux distributions inside containers.

openSUSE Releases Updated Legal Classification Model

The openSUSE News team announces Cavil-Qwen3.5-4B, which is a new fine-tuned language model on the project’s HuggingFace page. It is designed to automate detection of license declarations and copyright notices in code repositories. GGUF quantized versions contributed by a community member are also available for local use with tools like llama.cpp.

Marknote 1.5 Arrives in KDE

Victorhck covers the Marknote 1.5 release. It highlights the new source mode that lets users edit raw Markdown without the WYSIWYG renderer. Other additions include wiki-style internal note linking with cross-notebook search, drag-and-drop note management, a KRunner plugin for instant note access, and more.

This Month in KDE Linux – February Progress

The KDE Blog summarizes Nate Graham’s February update on KDE. Highlights include more accurate download size reporting in Discover, the introduction of Kapsule as a new container-based software installer, improved Flatpak localization, and better AMD GPU crash protection.

LogAI - Asking The System Logs in Plain English

Zoltán Balogh’s Blog introduces LogAI; It is a locally-run RAG (Retrieval-Augmented Generation) system for querying the Linux journalctl system log. RAG is a technique that enables large language models to retrieve and incorporate new information from external data sources. The post describes the motivation: replacing grep-heavy log triage with natural language questions like “What went wrong last night?”

Press and Hold for Alternative Characters – This Week in Plasma

The KDE Blog covers the latest Plasma development highlights like a new press-and-hold feature for the plasma-keyboard virtual keyboard that surfaces alternative and diacritic characters. Other changes include custom sound theme installation from downloaded files, a Global Menu widget fix for multi-monitor setups, and more.

Linux Saloon 192 – Open Mic Night

The CubicleNate Blog recaps episode 192 of the Linux Saloon podcast. Topics ranged from protecting personal data while browsing the internet to early streaming memories with RealPlayer and the history of IRC.

Personal Digital Sovereignty

Cornelius Schumacher’s Blog reflects on what personal digital sovereignty means in practice. The post emphasizes the importance of one having control over their digital life along with choosing to leave it one desires. He uses examples of his own stack built around Linux, KDE, self-hosted Nextcloud, and GitJournal to get his points across.

24th Update of KDE Frameworks 6

The KDE Blog hightlights KDE Frameworks 6.24.0, the 24th monthly maintenance update for version 6. The blog starts with Attica and then focuses on several Qt-based projects.

openSUSE Tumbleweed Weekly Review – Week 11 of 2026

Victorhck and dimstar report on a full week of snapshots delivered in week 11. A total of seven snapshots were submitted and six were. Snapshot 0309 was held back due to a SELinux policy sync issue with systemd 259.3 that was resolved in the next snapshot. Delivered updates include the Linux kernel 6.19.6 (and kernel longterm 6.18.16), KDE Gear 25.12.3, systemd 259.3, Pipewire 1.6.1, and more.

Released Glaxnimate 0.6, the 2D vector graphics editor for animation creation

The KDE Blog announces the release of 2D vector graphics editor Glaxnimate 0.6.0. The integration brings improved cross-platform support (including Microsoft Store and macOS), KDE theming support, and increases translated languages from 8 to 26. New features include better SVG import/export, undo/redo for layer visibility and more.

View more blogs or learn to publish your own on planet.opensuse.org.

New Launcher Aims to Simplify Cockpit Installations

admin@opensuse.org (Douglas DeMaio) — Wed, 18 Mar 2026 19:00:00 +0000

Members of the openSUSE community are tackling the complex undertaking of transitioning from YaST by developing a streamlined system management interface.

After some adjustments and community feedback in the openSUSE bar, members took an existing tool to roll out a launcher for openSUSE users that provides a web-based system administration interface, more accessible to users switching from the traditional YaST setup utility.

The cockpit-client launcher, addresses a barrier that has frustrated some users attempting to adopt Cockpit as a replacement for YaST. According to feedback on the openSUSE forums, the process has been neither simple nor straightforward, until now.

The launcher icon, which includes legacy YaST colors for the adjusted logo, is specific to openSUSE and was created in response to user concerns. After some testing and minor refinements, the package was pushed and is available on Tumbleweed and Leap as an Official package.

“Since Cockpit-client has both Flatpak and RPM launchers available, we need to give them different icons so users can actually tell them apart,” said Lubos Kocman. “The different colored icon instantly shows users which launcher they’re opening to eliminate any confusion.”

The Installation Process

The launcher reduces a multi-step process that is now a straight-forward workflow. Previously, users faced complications accessing Cockpit through localhost:9090, which the community identified as a pain point.

sudo zypper install cockpit-client-launcher

Users are also recommended to install patterns-cockpit to ensure all Cockpit modules are available:

sudo zypper install -t pattern cockpit

Finally, users launch the application from their desktop environment’s application menu and follow initial setup dialogs. The launcher automatically activates necessary systemd services and firewall settings.

To align with security requirements, user will be asked whether to enable cockpit.socket and for preferred firewalld configuration in case cockpit wasn’t previously enabled and running.

It was tested on both Tumbleweed and Leap 16 installations and testing confirms the package successfully integrates across different openSUSE flavors, versions and installation scenarios.

A demonstration video created by Low Tech Linux showcases the installation and setup process on both Tumbleweed and Leap 16.

The Cockpit web interface provides graphical access to system administration functions that are traditionally handled through command-line tools or YaST, which include package management, user administration, service control, and more.

openSUSE Releases Updated Legal Classification Model

admin@opensuse.org (Douglas DeMaio) — Mon, 16 Mar 2026 14:00:00 +0000

The openSUSE Project has a new version of a language model designed to automate legal compliance checks for open-source software on the project’s HuggingFace .

The Cavil-Qwen3.5-4B model represents the latest iteration of Cavil, which leverages curated datasets designed to enhance automated legal text classification. The update underscores the growing role of community-driven open-source Artificial Intelligence.

The model is a specialized adaptation of Alibaba’s Qwen3.5-4B foundation model and is configured specifically to identify legally significant text such as license declarations, copyright notices, and similar legal markers within code repositories and documentation. By combining the base model with a Low-Rank Adaptation (LoRA) layer, efforts are efficiently fine-tuned and require minimal computational overhead. The smaller footprint allows Cavil-Qwen3.5-4B to run on modest hardware.

A key feature of this release is the availability of GGUF-format quantizations, contributed by a community member and hosted on HuggingFace. GGUF (GPT-Generated Unified Format) is a model file format optimized for running large language models locally using tools like llama.cpp. Quantization reduces a model’s precision; typically from 16-bit floating point down to 4-bit or even 2-bit integers, which dramatically lowers memory requirements for use on laptops, single GPUs or even CPUs.

The Cavil-Qwen3.5-4B release also highlights ongoing collaboration between openSUSE and the broader open-source AI community. Unlike proprietary models, Cavil’s training data and fine-tuning methods are transparent and allow users to audit, replicate or extend the work.

Local open-source AI continues to mature with projects like Cavil, which demonstrates how focused fine-tuning and community optimization can deliver value without relying on massive scale or closed ecosystems. The model, training datasets, and validation tools are available on Hugging Face under licensing that reflects their distinct components. Users interested in contributing or suggesting improvements are invited to engage with the openSUSE community on HuggingFace.

Planet News Roundup

admin@opensuse.org (Douglas DeMaio) — Fri, 13 Mar 2026 07:00:00 +0000

This is a roundup of articles from the openSUSE community listed on planet.opensuse.org.

The community blog feed aggregator lists the featured highlights below from March 6 to March 12.

Blogs this week highlight digiKam 9.0’s new Survey tool for rapid photo comparison, IBM’s compact speech AI for edge deployment, FreeBSD installation on the HP Z2 Mini, Plasma 6.5’s sixth bugfix update, and FDE improvements dropping legacy pcr-oracle support. Blogs also cover reasons for using Tumbleweed’s Thunderbird release, Rocky Linux joining KDE as a sponsor, the Lenovo ThinkBook Modular AI PC concept, OBS’ post-mortem analysis on a stuck jobs queue, syslog-ng 4.11.0 release notes, and more.

Here is a summary and links for each post:

Thunderbird Always Updated from openSUSE Tumbleweed Repositories

Victorhck explains how openSUSE Tumbleweed users benefit from receiving official Mozilla Thunderbird releases directly through the distribution’s rolling update channel without relying on Flatpak or third-party repositories. The post details how Tumbleweed’s rapid packaging pipeline ensures users get security patches and new features within hours of upstream releases.

Launched digiKam 9.0, introducing the new Survey tool

The KDE Blog announces the release of image organizer and tag editor digiKam 9.0. The new major version has a migration to Qt 6.10.1 for higher speed and stability for Wayland Linux users. The blog points out RAW support updates for Canon EOS R1, Nikon Z6-III, Sony A9-III and more. There is also support for batch coordinate editing and a new home screen design.

Granite 4.0 1B Speech: Compact voice AI for the edge

Alessandro’s Blog provides information about IBM’s new Granite 4.0 1B. The model, under the Apache 2.0 license, explains the capabilities of automatic speech recognition (ASR) and automatic speech translation (AST) across six languages. The ASR covers English, French, German, Spanish, Portuguese, and Japanese while the two-way AST pairs these languages and English. It also has additional pairs such as English–Italian and English–Mandarin in speech-to-text-to-text scenarios. Granite 4.0 1B Speech is available on Hugging Face.

The syslog-ng Insider 2026-03: 4.11.0 release; OpenSearch; ElasticSearch

Peter Czánik’s Blog links the March syslog-ng community newsletter covering version 4.11.0 availability. The newsletter covers OpenSearch data streams and changes to the Elasticsearch destination. The full newsletter is available at the syslog-ng community blog.

Dropping pcr-oracle in user space Full Disk Encryption

The openSUSE News site informs users of the deprecation of pcr-oracle in user space Full Disk Encryption (FDE) for those openSUSE systems using Trusted Platform Module 2 (TPM2). The shift moves from signed policy with JSON files stored in the EFI System Partition to systemd-pcrlock, which stores policy in TPM2 non-volatile RAM under a password (recovery PIN). The change resolves rollback attack vulnerabilities inherent to signed policies and simplifies maintenance across multiple boot loaders.

Sixth Plasma 6.5 update

The KDE Blog announces the sixth bugfix update for Plasma 6.5. The update continues KDE’s regular maintenance cycle and highlights novelties like automatic light/dark theme switching, new initial setup wizard (KISS), global WiFi password storage, KWin performance improvements and more.

Lenovo Thinkbook Modular Dual Screen Laptop | Blathering

The CubicleNate Blog examines Lenovo’s ThinkBook Modular AI PC concept unveiled at Mobile World Congress 2026. The machine is a 14-inch ultra-thin laptop with a detachable secondary display. Nate covers the pros and cons while expressing concern over the proprietary components.

New toy: Installing FreeBSD on the HP Z2 Mini

Peter Czánik’s Blog continues to update readers on his new toy and the installation of FreeBSD 15.0 installation on the AMD Ryzen AI Max+ PRO 395-powered workstation. The installation proceeded smoothly, and the system runs at exceptional speeds even when compiling software from FreeBSD ports with minimal noise. FreeBSD boots only via EFI menu boot from file option since standard boot managers don’t recognize it.

The KDE Blog announces Rocky Linux as a new KDE patron organization. Congratulations to both. Rocky Linux joins recent sponsors Kubuntu Focus, g10 Code, and Techpaladin alongside longer-standing backers like The Qt Company, SUSE, Google, Blue Systems, Slimbook, Pine64 and more.

Post-mortem: Stuck Critical Jobs Queue

The Open Build Service Blog publishes a post-mortem analysis of service degradation between March 4–5. Users experienced inability to retrieve diff changes for submit requests. Multiple code change factors contributed to the stuck critical jobs queue.

OWASP SP offers ModSecurity (CRS) for openSUSE.

Alessandro’s Blog reports that OWASP São Paulo chapter released ModSecurity Core Rule Set (CRS) version 4.24.1. CRS is a ruleset for Web Application Firewalls that provides generic detection rules to protect web applications against common attacks. This incremental update focuses on stability improvements, enhanced attack detection, and reduced false positives, and makes it essential for systems using ModSecurity or compatible WAF engines to stay protected against emerging threats.

Much Progress in Marknote and Drawy – This Week in KDE Apps

The KDE Blog highlights significant developments across KDE applications, with Marknote reaching version 1.4.0 featuring undo/redo for sketches, drag-and-drop notes between notebooks and more. Drawy received a major overhaul with a new interface, improved zoom controls, and a plugin system for tools.

Updating perltidy (and other dependencies) in os-autoinst

The openQA bites post short blurb explains that when updating dependencies in the dependencies.yaml file in os-autoinst that it will update cpanfile for the user.

Linux Saloon 191 – Application Managers

The CubicleNate Blog covers a lively discussion from the Linux Saloon podcast. Participants shared their impressions about topics like Android sideloading and the evolution of software distribution methods in the Linux ecosystem.

3 Native Racing Games for Linux

The KDE Blog showcases three demanding native Linux racing games. Speed Dreams offers a realistic racing simulator with diverse vehicles and multiple game modes. Trigger Rally provides arcade-focused fun with more than 100 maps across varied terrain. Stunt Rally rounds out the selection with the most complex and creative experience and features more than 200 tracks across 37 scenarios..

openSUSE Tumbleweed Weekly Review – Week 10 of 2026

Victorhck and dimstar report on the snapshots delivered in week 10. The review covers a minor selinux-policy update that inadvertently exposed code relying on incorrect previous behavior, causing boot failures detected by openQA before reaching users. Other updates include Python 3.14, KDE Plasma 6.6.1 and 6.6.2, Linux kernel 6.19.5, and more. Upcoming changes include the GNOME 50 release candidate, glibc 2.43, and a switch to systemd-boot as the default UEFI bootloader, which will align Tumbleweed to MicroOS standards.

Third Update of KDE Gear 25.12

The KDE Blog highlights the third maintenance release of KDE Gear 25.12. The update has corrections to KDE Connect plugin toggling, NeoChat message behavior, an Umbrello crash and more.

Seeing people through the walls with Wi-Fi – π RuView: WiFi DensePose

Watch on Vimeo

Alessandro’s Blog looks at RuView, which is an open-source privacy-first system that analyzes Wi-Fi signal disturbances (CSI data) to reconstruct human pose, detect respiration and heart rates, and sense presence through walls without any cameras. Applications range from elderly fall detection and perimeter security to industrial monitoring, and more.

View more blogs or learn to publish your own on planet.opensuse.org.

Dropping pcr-oracle in user space Full Disk Encryption

admin@opensuse.org (Alberto Planas) — Wed, 11 Mar 2026 11:00:00 +0000

Introduction

In user space Full Disk Encryption (FDE), as opposed to the boot loader based FDE, developers for openSUSE supported signed policy and NVIndex policy from the beginning when Trusted Platform Module 2 (TPM2) is used.

With this signed policy, we deliver a JSON file in the EFI System Partition (ESP) that is being read during the initrd stage by systemd-cryptsetup. This file contains the hash policy, which basically describes the expected values of the PCR registers of the TPM2 (measured boot). Together with the policy, we will find a signature that will be validated by the TPM2, and if the PCR values and the signatures are valid, then the TPM2 will unseal the password for the encrypted hard disk, and the boot process can continue.

This method is simple and very flexible. We can update the policy to generate new predictions (for example if a new kernel was installed). Using a private key, that can be stored in the encrypted side of the system, we can sign it and install in the ESP. Another advantage is that we can generate multiple files that support multiple valid configurations, which can represent different snapshots, kernels, or initrd installed in the system.

But one limitation of this method is that we are not protected against a rollback attack. Some one can copy the JSON file (the ESP is not encrypted), together with the kernel and the initrd and wait until some CVE is published for this configuration. After that, the assets can be copied back to the ESP and the signature of the policy will be still valid as far as the TPM2 is concerned. Technically, this can be resolved generating a new private key and enrolling again the devices, but this is not ideal.

systemd-pcrlock provides a new alternative, known as NVIndex policy, which store the policy in the TPM2 non-volatile RAM under a password (recovery PIN). This approach is a bit better for our case, as it resolves the rollback attack. This method is used by default if the TPM2 support it, but because policyAuthorizeNV was introduced in TPM2 Revision 1.38 ten years ago (2016), not all devices can do that. sdbootutil fallbacks to pcr-oracle (signed policy) if NVIndex policy cannot be used.

The next version of sdbootutil will drop pcr-oracle.

Motivation

Basically it is time to do that. The rollback attack is a good argument to avoid signed policies, but we need to factor the maintenance of pcr-oracle for multiple boot loaders (GRUB2 and systemd-boot).

The way that pcr-oracle works means that any change in the event log order or structure needs to be addressed in the source code, but with systemd-pcrlock it is a matter of generating some JSON files stored in /var/lib/pcrlock.d and updating the TPM2 policy in the right moment.

This difference makes pcr-oracle stay behind in the current support, making in effectively broken for any metric.

Migration

The good news is that if you have a TPM2 produced after 2016, you can migrate to systemd-pcrlock very easily. sdbootutil still recognize systems registered with pcr-oracle and can unenroll them. The migration process is as easy as:

  # sdbootutil unenroll --method=tpm2
  #  sdbootutil enroll --ask-pin --method=tpm2

If sadly your TPM2 revision is older, the password enrollment is always available:

  # sdbootutil unenroll --method=tpm2
  #  sdbootutil enroll --method=password

Further Documentation

Planet News Roundup

admin@opensuse.org (Douglas DeMaio) — Fri, 06 Mar 2026 08:00:00 +0000

This is a roundup of articles from the openSUSE community listed on planet.opensuse.org.

The community blog feed aggregator lists the featured highlights below from Feb. 27 to March 5.

Blogs this week highlight the openSUSE Board Election 2025 and Tumbleweed’s February monthly review to sound-reactive LED projects and whether data has weight. Blogs also highlight installing Fedora on the HP Z2 Mini, syslog-ng 4.11.0 packaging status, Obsidian for note-taking, the second Plasma 6.6 bugfix update, KDE Express podcast episodes, Linux Saloon discussions, and open-source playable world generation.

Here is a summary and links for each post:

Episode 70 of KDE Express: Plasma 6.6.1 and the United Nations

The KDE Blog highlights episode 70 of KDE Express with coverage Plasma 6.6.1 updates including Spectacle’s OCR capabilities, accessibility enhancements like grayscale filters and pointer tracking, KDE Connect modernization proposals, and new options for saving global themes and configuring WiFi via QR codes.

New Version Tracking through API and Automatic Labeling

The OBS Blog announces enhancements for a Foster Collaboration beta program as well as new features for package version management along with new status labels. These enhancements add a notification filter for version alerts and display last-synced timestamps to help developers monitor packages at a glance.

KDE Express Episode 69: Trinity Reloaded with Full Plasma

The KDE Blog presents episode 69 of KDE Express, covering the SonicDE fork of KDE Plasma for legacy X11 support, CachyOS adopting Plasma Login Manager, KDE Connect fixes for Bluetooth logging and more.

Data Has Weight But Only on SSDs | Blathering

The CubicleNate Blog explores a lighthearted science exploration rather than practical finding as he dives into the curious concept that data has mass on solid-state drives. Since SSDs store data by trapping electrons in floating gates via quantum tunneling, writing data adds electrons with measurable (though femtogram-scale) mass; this is in contrast with HDDs which merely rearrange existing magnetic polarity without gaining weight. A lighthearted science exploration rather than a practical finding.

New toy: Installing Fedora Linux on the HP Z2 Mini

Peter Czánik’s Blog continues the HP Z2 Mini series with a smooth Fedora installation on the AMD Ryzen AI Max+ PRO 395-powered workstation. Despite Fedora not being listed on the HP data sheet, the graphical installer worked without issue and GNOME’s consistent cross-distro interface made the system immediately familiar. Steam and Need for Speed ran flawlessly, and initial AI acceleration configuration via Copr packages successfully detected the RyzenAI NPU5.

Sound-reactive Sideboard

Sebas’ Blog documents a living room IKEA sideboard turned into a sound-reactive LED centerpiece using an ESP32-based controller running the open-source WLED firmware. The setup uses WS2812B LED strips behind frosted plexi glass doors, processes audio via FFT on one core while rendering up to 200 FPS of LED effects on the other, all under 10W. The project also solved amplifier overheating with HomeAssistant-automated fan control and features a walnut wood finish.

Syslog-ng 4.11.0 Packaging Status

Peter Czánik’s Blog provides an overview of the packaging status for syslog-ng 4.11.0 across various operating systems and tracks which distributions have already made the release available as easy-to-install packages for users who prefer not to compile from source.

Second Plasma 6.6 update

The KDE Blog reports the second bugfix update for Plasma 6.6, delivered two weeks after the initial release. The post recaps Plasma 6.6’s flagship features including the new Plasma Keyboard for touch devices, OCR text extraction in Spectacle, the Plasma Setup wizard, per-application volume control via hover, emoji skin tone selection, QR code Wi-Fi scanning and more.

Victorhck compiles and translates the March 2026 FSF newsletter into Spanish as it highlights the FSF’s 40th anniversary. Highlights include the FSF’s opposition to Google’s mandatory developer verification proposal that threatens F-Droid, coverage of Americans destroying Flock surveillance cameras, and a report on Microsoft confirming it will provide BitLocker recovery keys to authorities under valid legal orders.

Episode 68 of KDE Express: esLibre2026 dixit editor. Editorial design with free software

The KDE Blog presents episode 68 of the KDE Express podcast, covering editorial design with free software and previewing the esLibre2026 event.

Tumbleweed Monthly Update - February 2026

The openSUSE News site publishes the February monthly review covering 17 snapshots. Major highlights include the arrival of Plasma 6.6 with its new on-screen keyboard and Spectacle OCR, KDE Frameworks 6.23.0 with LeakSanitizer memory safety fixes, Linux kernel 6.19.3 with a new listns() system call, GRUB2 2.14 strengthening boot workflows for immutable systems like MicroOS, Mesa 26.0.1 fixing gaming regressions and more.

Obsidian | The Quest for the Perfect Note-Taking Application

The CubicleNate Blog reviews Obsidian as a replacement for TiddlyWiki, praising its markdown-based local-first approach, extensive plugin ecosystem, cross-platform availability via Flatpak and AppImage, and seamless synchronization through Syncthing. While not an open source project, Obsidian is free to use and offers the combination of OneNote’s ease, TiddlyWiki’s power, and standard markdown formatting that the author had been seeking.

Voting Is Now Open for the openSUSE Board Election 2025

The openSUSE News site announces voting has opened for two Board seats for the openSUSE Board Election. Four candidates are on the ballot. Voting runs until March 8 with results announced March 9. All openSUSE Members received ballot links by email.

KDE Express Episode 67: Plasma in Virtual Reality Mode

The KDE Blog presents episode 67 of the KDE Express podcast and covers what’s new with KDE Plasma 6.6 (beta at the time) and highlights a winner of the “car of the year” uses KWin under the engine.

LingBot-World: Open-source “playable” world generation.

Alessandro’s Blog covers LingBot-World, the first high-capacity fully open-source interactive world model. Unlike passive video generation tools, LingBot-World lets users control a camera through AI-generated scenes in real time using W, A, S, and D keys. It achieves 16 FPS with emergent spatial memory that maintains object consistency even after 60 seconds off-screen. The project releases both source code and full model weights.

Linux Saloon 190 | News Flight Night

The CubicleNate Blog highlights episode 190 of Linux Saloon. The news flight night covered Bazzite tripling its user base in 8 months as gamers seek Windows alternatives, F-Droid’s open letter opposing Google’s mandatory developer verification, and broader discussions about changes to the Android ecosystem.

Linux Saloon 189 | Early Edition

The CubicleNate Blog highlights the return of Linux Saloon’s Early Edition monthly format. Discussion topics included the EU OS proposal for a standardized Linux desktop with Windows migration focus using KDE Plasma, Wayland and desktop environments for modern gaming featuring Bazzite and Nobara, and participants’ recent tech activities including seeking VMware alternatives.

The power of saying “No”

Victorhck reflects on the power of saying “No” in the context of free software and community participation. You may find wisdom in No.

Vietnamese lunar calendar and more rounded highlights – This week in Plasma

Your browser does not support the video tag.

The KDE Blog covers the weekly “This Week in Plasma” update, which highlights Vietnamese lunar calendar support and more rounded highlight styles. The blog also covers performance improvements.

openSUSE Tumbleweed Weekly Review – Week 9 of 2026

Victorhck and dimstar report on the snapshots delivered in week 9. The review highlights updates including Linux kernel 6.19.3, PipeWire 1.6.0, Mozilla Firefox 148.0, Mesa 26.0.1, Poppler 26.02.0, QEMU 10.2.1, and DNF 5.4.0. It also covers the progress on the switch to systemd-boot as the default bootloader on UEFI systems to align with Tumbleweed to MicroOS.

My desk Plasma February 2026

The KDE Blog shares thoughts on the Plasma desktop setup, running on a Slimbook Kymera with KDE Neon.. The setup includes functional elements like a moon phase widget, system tray, virtual desktop selector, and a Valencian-language clock, all designed to create a dark yet highly organized workspace.

View more blogs or learn to publish your own on planet.opensuse.org.

Tumbleweed Monthly Update - February 2026

admin@opensuse.org (Douglas DeMaio) — Mon, 02 Mar 2026 10:00:00 +0000

Software package updates during the second month of 2026 for openSUSE Tumbleweed have been consistent totalling 17 snapshots in the 28 days of the month.

Tumbleweed saw the arrival of Plasma 6.6 with a new on-screen keyboard, text recognition in Spectacle, and a Setup wizard for cleaner device handovers, while KDE Frameworks 6.23.0 focused heavily on memory safety with LeakSanitizer fixes across multiple libraries. The Linux kernel moved to 6.19.3 and brought a new listns() system call, expanded hardware support, and made numerous filesystem and driver fixes. GRUB2 2.14 landed to strengthen the boot workflows for immutable systems like MicroOS. Mesa 26.0.1 fixed regressions in popular games, btrfsprogs now enables block-group-tree by default for faster mount times, and systemd resolved a logind session-tracking regression.

As always, be sure to roll back using snapper if any issues arise.

For more details on the change logs for the month, visit the openSUSE Factory mailing list.

New Features and Enhancements

Plasma 6.6: This release is dedicated to Björn Balazs who was a passionate contributor and will be missed. The release has a new on-screen Plasma Keyboard, designed for touch and accessibility, and Spectacle now includes text recognition. The new Plasma Setup wizard decouples user account creation from OS installation and enables cleaner device handovers for vendors, refurbishers, or personal use. Workflow improvements were made for the hover-to-open in the Windows List widget, the Alt+double-click to open file properties directly from the desktop and more. Other highlights include virtual desktops limited to the primary screen, optional auto brightness with ambient light sensors, a new connect to Wi-Fi by scanning a QR code with your camera and more.

KDE Frameworks 6.23.0: A major focus for this release was memory safety as with LeakSanitizer (LSAN) as it addressed numerous memory leaks fixes in libraries like KTextEditor, KIO, KWindowSystem, and others. KIO gains a “Run Executable” action, better drop handling from Places View, and refined preview and metadata logic. The KImageFormats adds support for legacy formats like CD-i IFF images and Atari ST VDAT. Kirigami refines UI behavior and holiday data for Japan, Slovenia, Nepal, and the Philippines were updated in **KHolidays.

freerdp 3.22.0: This version overhauls the SDL client and introduces a WINPR_ATTR_NODISCARD macro to catch misuse of API calls. It addresses several critical vulnerabilities and hardens error handling across channels like Smartcard, RDP Sound, and video redirection. Server-side Kerberos authentication is more robust, and several NULL pointer checks prevent crashes during logon or gateway negotiation.

cryptsetup 2.8.4: This update fixes critical issues in disk encryption management that affect usability and correctness. It corrects device size reporting for drives using sector sizes larger than 512 bytes to ensure accurate status output, and fixes integrity device resizing in bitmap mode, which previously failed due to incorrect journal settings. These fixes are essential for users relying on LUKS or integrity protection.

Qt 6.10.2: This update resolves numerous issues affecting desktop, mobile, and embedded platforms. It fixes crashes in WebEngine, touch input problems on Android and WebAssembly, and rendering glitches in Qt Quick Controls and SVG. The core libraries were, which improves internationalization and image handling. Developers also benefit from better CMake support, SBOM generation for supply chain transparency, and fixes for QML tooling, accessibility, and deployment.

dnsmasq 2.92: Updates for this software package now correctly validates or safely bypasses validation for “overlay” domains without a global DNS chain of trust, while also fixing critical edge cases with DNAME records and RFC-1918 reverse lookups. DHCP functionality is enhanced with new leasequery support (sponsored by JAXPORT), better REBIND behavior matching DHCPv4, and a new --dhcp-split-relay option for non-routable networks. TFTP gains windowsize and timeout options per RFC standards, and several race conditions and caching bugs—including MAC address tagging in TCP mode—are resolved.

python-packaging 26.0: The update for core utilities for Python packages adds support for PEP 751 (pylock files) and PEP 794 (import name metadata) to enable better tooling for modern Python workflows. Version and specifier handling has more correct prerelease logic, safer comparisons, and support for pattern matching and __replace__. Performance is enhanced with canonicalize_name and the release also improves correctness in license expression parsing, marker evaluation, and subclassing, while adding full type annotations and Python 3.14 compatibility.

KDE Gear 25.12.2: This update provides fixes for plasma users. Dolphin resolves crashes in header dragging and ensures context menu plugins reload on config changes, while Kdenlive stabilizes audio thumbnails, fixes monitor display glitches, and improves clip dragging and effect handling. KDE Connect enhances security with packet size limits and restores MDNS discovery. NeoChat addresses timeline rendering and crash issues around long reactions and pinned messages. Kitinerary adds support for SNCF TER barcodes and adapts to Poppler 26.02 and ZXing 3.0 API changes. KAlarm fixes hangs related to time zone recurrence calculations.

AppStream 1.1.2: This cross-distribution software package adds basic bash completion for the appstreamcli tool, improves validation by catching more cases of empty but present component properties, and updates internal build practices for better symbol visibility and translation handling. The CLI now prefers pkgcli over the legacy pkcon when available, aligning with modern package management trends. A test compatibility fix ensures stability with newer versions of libfyaml, while a temporary patch maintains support for older distributions.

Totem 43.2+git402.b8d8108e0: GNOME’s default video player reverts the app name back to Totem, updates metadata to reflect current capabilities, and switches from deprecated appdata to the standard metainfo format. The build system is overhauled; it now uses AppStream instead of appstream-glib, adopts Libpeas 2, and migrates to libsoup 3 in Flatpak builds. Legacy features like easy codec installation are removed as they’re no longer supported upstream, and outdated YouTube API keys were purged.

Poppler 26.01.0 and 26.02.0: The 26.02.0 update refines the Signature checking and increases its reliability when validating signed documents. Rendering of PDFs using the CalGray color space is improved and crash fixes for malformed documents were made. With the 26.01.0 update, uers benefit from better digital signature compatibility, improved handling of annotation icons, and additional blending modes that enhance rendering accuracy—especially in edge cases. Tools like pdfinfo now expose alternative text in structured output, and Qt applications gain improved reading order control for extracted text.

Key Package Updates

Linux kernel 6.18.9 to 6.19.3:: The Linux kernel 6.19 brings enhanced hardware support and introduces a new listns() system call for namespace enumeration and more. The 6.19.3 update patches the QLA2xxx SCSI driver to prevent a double-free crash. The f2fs filesystem receives significant attention, with fixes for use-after-free conditions, out-of-bounds sysfs access, swapfile block mapping errors, checkpoint flag inconsistencies, and improved support for non-4KB block sizes. USB serial support is expanded, and on the graphics side, Intel i915 ALPM display fixes are included. Architecture-specific improvements include a KASAN rework for LoongArch systems and a display graph correction for ARM64 MediaTek MT8183 devices. The 6.19.2 update resolves multiple use-after-free vulnerabilities in XFS, EROFS, and HFS, prevents crashes in SMB client/server due to credit management bugs, and hardens Bluetooth and Wi-Fi drivers with new device IDs and memory safety fixes. Prior to the 6.19.3 fix, QLA2xxx SCSI driver gained better error recovery for tape devices and avoided crashes during module unload. The crypto subsystems (IAA, Octeon, Virtio) are patched for out-of-bounds access and race conditions. A reverted change in the driver core restores expected device-matching behavior.

iproute2 6.19: This update brings new networking capabilities relevant to Tumbleweed users. The devlink subsystem gains support for burst period configuration on health reporters and 64-bit parameters, improving network device diagnostics and flexibility. The generic netlink utility (genl) now supports JSON output to make it easier to script and parse network configuration data. MPTCP introduces laminar endpoint support, refining multipath TCP connection handling. Finally, iplink_can adds initial support CAN XL (Controller Area Network Extended Length) for high-speed automotive and industrial networks.

GRUB2 2.14: This update adds Boot Loader Specification (BLS) and Unified Kernel Image support, which enables a more standardized Linux boot workflows especially for immutable systems like MicroOS. Security is strengthened with TPM2 key protector support, Argon2 KDF, NX protection on EFI, and Appended Signature Secure Boot for PowerPC. New filesystem capabilities include EROFS, LVM integrity/cache volumes, and the ability to store GRUB’s environment block inside Btrfs headers. The release also fixes a sporadic boot failure in BLS setups and extends date handling beyond the year 2038.

systemd 258.3: This update resolves a logind regression that broke session tracking, improves isolation behavior by correctly preserving triggered units only when their dependencies are active, and enhances Btrfs support with nodatacow subvolume handling. The release removes outdated workarounds, drops legacy System V init compatibility, and refines PAM integration to avoid conflicts with network user directories like SSSD. Security-related Polkit actions are now properly validated, and soft-reboot reliability is improved with explicit TTY switching.

btrfsprogs 6.19: This update brings a notable default change where mkfs.btrfs now enables the block-group-tree feature by default, which speeds up mount times on large filesystems. Users needing backward compatibility with older kernels can disable it with -O ^bgt. Filesystem creation is also faster thanks to optimized initial device discard ordering. The btrfs check tool gains new repair capabilities and has a fix for DUP profile on mixed zoned devices to ensure correct write pointer tracking. On the experimental side, initial support for a remap tree (a new logical-to-logical mapping layer expected when Linux kernel 7.0 is introduced.

Mesa 26.0.1: This first minor release resolves regressions in popular games like Genshin Impact, Tekken 8, Civilization VII, and Killer7. Vulkan drivers see improvements with RADV fixes and GPU hangs. Compiler and NIR infrastructure fixes prevent crashes and miscompilations while Asahi, PanVK, and Turnip receive stability patches.

GVFS 1.58.1: This update improves reliability and resource usage in GNOME’s virtual filesystem layer. It fixes the track duration for the last audio CD track on certain media, resolves build failures when Google integration is disabled, and patches some memory leaks that could affect long-running file operations.

Python 3.13.12: This release patches multiple critical vulnerabilities that could lead to header injection, cookie smuggling, or arbitrary code execution. The update blocks control characters in http.cookies, wsgiref.headers, and data:. It hardens email header serialization against unsafe folding. Beyond security, it fixes crashes in ctypes, tkinter, pickle, and multiprocessing, which includes a forkserver regression that broke sys.argv.

UPower 1.91.1: This update improves the prevention of crashes from NULL GError handling, and correcting invalid ACPI-reported battery capacity values. It enhances battery calibration logic by skipping critical power actions during recalibration. The capacity_level and luminosity properties are now deprecated. Additionally, battery history tracking now includes voltage data that enables better diagnostics and power analytics.

libsoup 3.6.6: This update resolves numerous CVEs, addresses issues across WebSocket handling, header parsing, and multipart processing. Key fixes include an out-of-bounds read in WebSocket frame processing, a heap-use-after-free from double-finishing queue items, and a crash in digest authentication. The release also sanitizes Content-Disposition filenames, validates URIs more strictly, and ensures headers from untrusted sources are always checked—closing avenues for smuggling or injection attacks. Numerous memory leaks and a potential deadlock during initialization are resolved and improve stability for applications like GNOME Software, WebKitGTK, and REST clients.

Security Updates

freerdp 3.22.0:

CVE-2026-24682: A fix for a heap-buffer-overflow could let a remote RDP server crash the client or corrupt memory.
CVE-2026-24683: This fixes input event handling that may allow a malicious RDP server to crash the client or execute code.
CVE-2026-24676: A fix that could let a malicious server crash or compromise the client.
CVE-2026-24677: This fixes a heap buffer overflow path that could allow a malicious server to crash or corrupt a client.
CVE-2026-24678: This fixes a CVE that could allow a malicious server to crash or exploit the client.
CVE-2026-24684: Fixes an exploit that could lead to a hostile RDP server crash or compromise the client.
CVE-2026-24679: Fixes a heap buffer overflow that could lead to a server potentially crashing or exploiting the client.
CVE-2026-24681: Fixes a USB bulk transfer code that may crash the server or compromise the client.
CVE-2026-24675: Fixes an exploit that could lead to a hostile RDP server crash or compromise the client.
CVE-2026-24491: Fixes an exploit that could lead to a hostile RDP server crash or compromise the client.
CVE-2026-24680: Fixes a pointer update function, enabling a malicious server to crash or corrupt the client.

python-pip 26.0.1:

CVE-2025-14576: A vulnerability may incorrectly treat keychain credentials as valid even when they should not be accepted, which could risk disclosure or misuse of stored credentials.

openssl-3:

CVE-2026-22795: Fixes a NULL pointer dereference that could potentially leading to a denial of service.
CVE-2025-69420: Fixes a type confusion vulnerability that causes a NULL pointer dereference and potentially leads to denial of service.
CVE-2025-69421: Fixes a function when processing a malformed PKCS#12 file that could potentially lead to a crash.
CVE-2025-69419: An out-of-bounds write is fixed that could potentially compromise data integrity or cause a crash.
CVE-2025-66199: A resource exhaustion vulnerability that may have allowed for excessive memory allocation and potentially led to denial of service.
CVE-2025-68160: Fixes an out-of-bounds write potentially causing memory corruption or a crash.
CVE-2025-69418: A flaw was fixed for inputs that could leave trailing bytes unencrypted and unauthenticated on hardware-accelerated platforms.
CVE-2025-15469: Fixes a flaw that could have left trailing data unauthenticated.
CVE-2025-15467: A critical stack buffer overflow was fixed in which parsing could enable pre-authentication remote code execution.
CVE-2025-11187: Fixes a stack buffer overflow or crash.
CVE-2025-15468: Fixes a NULL pointer that could potentially cause a denial of service.
CVE-2025-9230: A patch was added fixing an out-of-bounds read and write that could compromise encryption and potentially lead to denial of service or code execution.
CVE-2025-9231: Fixes a timing side-channel that could potentially allow remote recovery of the private key.
CVE-2025-9232: Fixes an out-of-bounds read for IPv6 address potentially causing a crash.

Python 3.13.12:

CVE-2025-11468: This fixes a header-injection flaw in Python’s email header folding logic.
CVE-2026-0672: This fixes a header injection vulnerability.
CVE-2026-0865: A Python HTTP header injection flaw was fixed that could lead to inappropriately HTTP responses.
CVE-2025-15366: This fixes a command-injection issue where newline-containing user commands can inject additional commands into an IMAP session.
CVE-2025-15282: An HTTP response splitting vulnerability was fixed that could allow injecting headers into responses.
CVE-2025-15367: Fixes a POP3 command injection flaw that can be interpreted as extra commands by the server.
CVE-2025-12781: Fixes a base64 decoding anomaly where the b64decode() functions may accept certain characters regardless of expected alphabet settings and this could potentially cause data integrity issues.

busybox:

CVE-2026-26158: Fixes a vulnerability that can be triggered by a malicious guest and potentially allows memory corruption or a crash in the host process.

libsoup 3.0:

CVE-2025-32049: Fixes a flaw with WebSocket handling where accepting very large WebSocket messages can trigger excessive memory allocation and lead to a denial-of-service crash.
CVE-2026-2443: Fixes an out-of-bounds read vulnerability that could have potentially exposed portions of server memory beyond the intended response.
CVE-2026-2369: Fixes a memory-handling issue that could have caused an application-level denial of service.
CVE-2026-1536: Fixes a header injection flaw that can lead to HTTP header injection or response splitting.
CVE-2026-1761: This fixes a stack-based buffer overflow that may lead to memory corruption or crashes when parsing crafted responses.

expat 2.7.4:

CVE-2025-68615: This fixes a buffer overflow causing the daemon to crash.
CVE-2024-47191: This fixes a flaw that could allow for enabling a privileged file overwrite and potential escalation if improperly configured.

qemu:

CVE-2026-0665: A fix that could have lead to a malicious guest causing out-of-bounds memory access in the host.

net‑snmp 5.9.5.2:

CVE-2025-68615: Fixes a buffer overflow from crafted SNMP packets that can crash the service.

oath‑toolkit 2.6.14:

CVE-2024-47191: This fixes a flaw that may have allowed for the enabling of a privileged file overwrite and lead to a potential escalation if improperly configured.

Users are advised to update to the latest versions to mitigate these vulnerabilities.

Conclusion

This was a security-heavy month for Tumbleweed as major fixes landed across OpenSSL, FreeRDP, libsoup, and Python. Beyond security, the KDE stack received meaningful change with Plasma 6.6 and Frameworks 6.23.0, the kernel jumped to 6.19 expanded hardware and filesystem capabilities, and GRUB2 2.14 modernized the boot process. Tumbleweed users are well-served by keeping their systems up to date this month.