openSUSE News

TSP Open for Asia Summit

admin@opensuse.org (Douglas DeMaio) — Wed, 03 Jun 2026 11:00:00 +0000

The Travel Support Program (TSP), which is aided through donations to the Geeko Foundation, is now accepting applications for the openSUSE.Asia Summit 2026.

Funds are allocated by the foundation specifically for travel assistance for speakers attending the event.

Applications for the TSP are open now and will run until July 31, which will follow an announcement related the Call for Papers.

People whose talks are accepted can submit a request at tsp.opensuse.org.

The TSP exists to ensure financial constraints don’t prevent passionate contributors and community members from participating.

The openSUSE.Asia Summit 2026 organizers of the summit encourage you to apply early.

For questions about the TSP process, visit the wiki for more information and read the Geeko Foundation’s travel policy.

Further details will be shared later about the event planning, so please pay attention to announcements for the summit.

We look forward to seeing you there!

For more details on openSUSE.Asia Summit 2026, visit events.opensuse.org.

Tumbleweed Monthly Update - May 2026

admin@opensuse.org (Douglas DeMaio) — Mon, 01 Jun 2026 11:00:00 +0000

May delivered a steady cadence of openSUSE Tumbleweed snapshots across the major desktop stacks with KDE Gear 26.04.1, KDE Frameworks 6.26.0, Plasma 6.6.5 and GNOME 50 minor releases. Mesa made a couple leaps with the 26.1 series with the new Vulkan 1.4 Application Programming Interfaces, and the Linux kernel progressed from 7.0.5 through 7.0.9 with significant security and driver fixes. Sysadmins received a major AppArmor 5.0 release and a fresh Apache HTTP Server 2.4.67 carrying many Common Vulnerability and Exposure fixes.

Other notable bumps include libusb 1.0.30, GnuPG 2.5.20, LibreOffice 26.2.3.2, PostgreSQL 18.4, rsync 3.4.3, poppler 26.05.0, and Expat 2.8.1.

Security received heavy attention with Apache HTTP Server, PostgreSQL, rsync, dnsmasq, jq, PHP, OpenEXR, and the Linux kernel all receiving multiple CVE fixes.

As always, be sure to roll back using snapper if any issues arise.

For more details on the change logs for the month, visit the openSUSE Factory mailing list.

New Features and Enhancements

KDE Gear 26.04.1: Akonadi fixes a crash in EntityTreeView when selecting multiple items, and KOrganizer resolves black squares in the todo view and re-enables icons in monthview. Dolphin refines the selection panel and search popup behavior. Kate restores middle-click closing of tabs when the close button is disabled, Konsole prevents QTabBar from closing tabs on stray middle clicks, and Okular hardens fax handling against malformed .g3 inputs. Umbrello gets six bug fixes including diagram-load and Qt6 configuration crashes, and Itinerary adds new Condor PKPass and monbus.es ticket extractors.

KDE Frameworks 6.26.0: KIO adds the Startpage search provider, expands KFilePlacesModel with kdeconnect device support, gains MIME-type detection from text content in the paste flow, and exposes the current folder in the file widget placeholder. KCoreAddons introduces KAboutRelease for listing application release notes, parses AppStream release notes, and switches to libmount for filesystem-type detection where available. KImageFormats corrects EXR loading from Photoshop 2026 saves, plugs JXR memory leaks, and improves EXIF handling. KHolidays introduces HolidayCategories and fixes Philippines Easter holidays.

Plasma 6.6.5: KWin gains numerous DRM backend fixes including correctly updating outputs only on changed GPUs, preserving custom output modes across reboots, setting full color range for RGB planes on NVIDIA, and avoiding multi-GPU copies with unsupported formats. Input handling is hardened by mapping devices to device outputs (not logical ones), processing key repeat before the accessibility monitor, and cleaning up keyboard grabs on shutdown. KScreen hides the DDC/CI option when HDR is enabled and prevents off-by-one gaps when creating replicas. Discover corrects text color inversion in ProgressView, and Plasma Workspace fixes klipper clipboard updates, lockscreen timezone init races on multi-screen, and broken text legibility with the Air and Breeze Light themes. Spectacle keeps the application alive briefly after copying screenshots and fixes magnifier activation during hover events. PowerDevil addresses screen brightness getting stuck at 30 percent after a restart.

GNOME 50.1 and 50.2: These point releases bring stability and usability fixes across the GNOME desktop. GDM 50.1 fixes a failure to properly terminate conflicting graphical sessions started outside of GDM (such as ThinLinc or TigerVNC) by querying logind directly, and resolves Plymouth hanging indefinitely on headless systems or those without monitors. A bug incorrectly setting XDG_SESSION_TYPE=wayland on X11 sessions was corrected, along with XDG_DATA_DIRS construction that could prevent GNOME Shell from finding its files. GNOME Shell 50.2 fixes extending screenshot area selection to monitor edges, adds rate control to VA-API H.264 screencast pipelines, and restores the “Install Updates” checkbox in the power-off/restart dialog. Autorun notifications for USB drives, spinner resets during overview search, and wiggle feedback on non-password auth failures are all corrected, and the audio input icon now only appears when actually recording. GNOME Control Center 50.2 fixes the “Show Content” notification setting, relaxes app-id validation for Global Shortcuts, and improves mobile-width label fitting in Device Security and Wellbeing panels. GNOME Session 50.1 fixes a double-free bug. For Tumbleweed users, these updates improve login reliability, screencast quality, and overall GNOME desktop polish.

KDE Network File Sharing 26.04.0: This update refactors the file properties plugin initialization and now automatically enables and starts the Samba service if needed when sharing folders. Service aliases are handled correctly, the user list in combo boxes is clipped with scrolling disabled for better usability, and a regression in smbd path lookup was fixed.

AppArmor 5.0.0: This major version bump from the 4.1 series is a significant milestone for the mandatory access control framework. The release modernizes the parser and userspace utilities, adopts a new ABI abi/5.0, and introduces broader profile updates. Profiles for samba, dovecot, postfix, wpa_supplicant, and syslog-ng are refined to better handle modern filesystem layouts. The full upstream changelog is available at the AppArmor 5.0 release notes wiki.

GnuPG 2.5.20: This update implements GCM encryption in gpgsm (decryption was already supported in earlier versions), adds the --attribute option and SETATTR server command for including arbitrary signed or unsigned attributes in signatures, and introduces a new system attribute _signingCertificateV2. A possible double free in the CMS parser is fixed, along with a buffer overflow in scdaemon when handling SC-HSM cards with RSA keys larger than 2 kilobits. Several agent and keyboxd fixes correct loopback pinentry caching and PUT_SECRET input handling.

libusb 1.0.30: This update introduces new APIs libusb_get_device_string() and libusb_get_session_data() for accessing device strings without opening the device and retrieving OS-specific handles. Device removal races on non-hotplug builds are fixed and descriptor parsing memory safety is improved.

poppler 26.05.0: This jump from 26.02.0 rolls up three upstream releases. The release improves reconstruction of damaged files, fixes crashes in malformed documents, and removes the PSOutputDev “pipe as filename” feature for security reasons. pdftotext gains a -remove-hyphens option and no longer aborts on empty strings. The qt5/qt6 search APIs receive a fix for inverted continuation rectangles, and the GPG signature backend correctly marks qualified keys.

gpg2 and libksba 1.8.0: The S/MIME-related X.509 and CMS support library jumps from 1.6.8 to 1.8.0. New functions include ksba_cms_add_attribute and ksba_cms_get_attribute, support for building AuthEnvelopedData, and corrections to silent truncation of 64-bit length fields and overflow guard conditions in _ksba_ber_read_tl.

open-vm-tools 13.1.0: This major version bump introduces support for GTK4 alongside continued GTK3 compatibility. The configure script accepts options to restrict the build to either toolkit; otherwise it picks the latest available. Several upstream GitHub issues are resolved as documented in the 13.1.0 Release Notes.

fwupd 2.1.3: This update for the firmware update daemon continues to add features and hardware coverage. New capabilities include Redfish bearer token authentication, support for several XMC SPI chips, parsing of JCat files without libjcat, native CBOR parsing (dropping libcbor2 as a dependency), and an HSI check for AMD SB-7033 (a.k.a. EntrySign). The earlier 2.1.2 release also added native EFI authenticated variable loading with ContentInfo headers and decompression-ratio limits to prevent ZIP-bomb-style emulation parsing. New hardware support spans the SHIFT6mq, SHIFTphone 8, Google Moonstone, Lenovo USB-4 dock, HP 400/405 Mouse, Parade USB hubs with GPIO control, Pixart PLP239 devices, Raydium TP devices, Sunplus cameras, and the LX Semicon SW42101 touch controller.

python-cryptography 48.0.0: A major version bump that drops Python 3.8 support and changes X.509 CRL parsing so that a mismatched inner TBSCertList.signature and outer signatureAlgorithm raises a ValueError. ML-KEM and ML-DSA are now supported when building against OpenSSL 3.5.0 or later (in addition to AWS-LC and BoringSSL), bringing post-quantum algorithms to upstream wheel users.

Key Package Updates

Linux Kernel 7.0.9: The kernel progressed through 7.0.5, 7.0.6, 7.0.7 and 7.0.9 during the month, accumulating a substantial pile of security and stability fixes. The 7.0.5 release fixed a buffer overflow in vrealloc_node_align() along with a deadlock in mmap_prepare error handling when holding rmap. The crypto subsystem received extensive fixes including memory leaks in atmel-aes, ccree, and nx842, a use-after-free in atmel-sha204a removal, and short digest rejection in authencesn. netfilter rejects zero shifts in nft_bitwise, and IPsec (xfrm) avoids in-place decryption on shared skb fragments. NTFS3 receives integer overflow and buffer boundary checks in run_unpack(), and EROFS fixes an unsigned underflow in LZ4 overlap handling. The 7.0.6 follow-up added an rxrpc fix for DATA/RESPONSE packets when paged frags are present and an ALSA fasync state-check serialization. The 7.0.7 release brought multiple CVE fixes detailed below, scsi target configfs bounds tightening in snprintf(), ipmi event/receive message limits, KVM x86 shadow-paging use-after-free protection, smbdirect MR registration fixes for coalesced SG lists, and many wifi mt76 fixes for mt7921/mt7925. The 7.0.9 jump adds HID fixes (PlayStation num_touch_reports clamp, appletb-kbd UAF on inactivity-timer cleanup, pidff integer overflow), drm/gpusvm correctness fixes, and many spi controller deregistration fixes.

curl 8.20.0: This release addresses half a dozen security vulnerabilities. RTMP support is dropped entirely and SMB support is now opt-in. A new thread pool and queue system was added for async resolution, and HTTPS DNS record resolution is made more reliable. Credential handling is hardened across redirects, with digest nonces cleared on cross-origin redirects and proxy credentials cleared on port or scheme changes. The alt-svc and HSTS lists are now capped (at 5,000 entries) and expired entries are skipped when reading from file. HTTP/2 now prevents secure schemes being pushed over insecure connections, and MIME processing limits nesting to 40 levels.

GnuTLS 3.8.13: This major security release addresses more than a dozen vulnerabilities. Three high-severity DTLS reassembly issues are fixed. Medium-severity fixes address a use-after-free in gnutls_pkcs11_token_set_pin(), an overread in RSA key exchange with PKCS#11 keys, CN fallback suppression issues with URI/SRV SANs, and intersecting empty name constraints. Lower-severity fixes cover a multi-entry OCSP response revocation bypass, a timing side-channel in PKCS#7 padding removal, and an off-by-one in PKCS#12 bag bounds checking. HPKE (Hybrid Public Key Encryption, RFC 9180) is available as a technology preview, ML-DSA public key derivation from expanded private keys (RFC 9881) is supported, and building with Nettle 4.0 is now possible. TLS 1.3 client certificate selection is fixed for servers advertising only rsa_pss_rsae_* algorithms, and kTLS ChaCha20-Poly1305 IV handling is corrected for TLS 1.2.

GLib 2.88.1: This update fixes a miscompilation with GCC 16 caused by incorrect function attribute usage. A flag confusion security issue in GRegex when using G_REGEX_RAW is resolved, which could result in unbounded out-of-bounds heap reads off the start of a regex input string. Various minor security issues are also addressed, typically involving small out-of-bounds reads or scenarios relying on discouraged P2P D-Bus configurations.

SQLite 3.53.1: The recovery extension is hardened against SQL injections from the sqlite_schema table of databases being recovered. A crash in sqlite3_deserialize() when overwriting a database with an open transaction is fixed (a bug dating back to version 3.23.0). A single-byte out-of-bounds read in the session module when concatenating patchsets is corrected. The EXISTS-to-JOIN optimization receives fixes for OR-optimization early-exit logic and OFFSET clause handling. A printf() optimization regression causing sqlite3_snprintf() to incorrectly truncate floating-point conversions is resolved, and sqlite3_str_free() no longer crashes when called on objects returned after an out-of-memory condition.

Mesa 26.1.0 to 26.1.1: Version 26.1.1 fixes RADV sample shading with required sample-shaded inputs, VRS with mipmaps on GFX10.3, acceleration structure copies with DAC, and enables a VM map update workaround for Forza Horizon 6. ANV (Intel) adds a SIMD32 requirement heuristic for Dragon Dogma 2, fixes usage flags not propagated to ISL for explicit layouts, bumps the max compute workgroup count, and corrects timebase scale precision loss across 2^32 ticks. The Vulkan 1.4 API is now implemented, with support varying by driver with version 26.1.0. Experimental support for Intel Nova Lake P hardware is introduced. Zink now supports OpenGL ES 2.0 on PowerVR GPUs, expanding its reach to embedded hardware. New Vulkan and OpenGL extensions are supported across drivers including VK_EXT_present_timing, GL_NV_timeline_semaphore (RadeonSI), VK_QCOM_image_processing (Turnip), VK_KHR_present_id, and VK_KHR_present_wait. Rusticl (OpenCL) now requires a static C++ standard library. The update delivers broader Vulkan support, improved virtualization performance, and expanded hardware compatibility.

GStreamer 1.28.3: A bugfix release with security fixes across the framework. Highlights include applemedia vtdec stability, MoltenVK integration and planar video format handling fixes, an audioresample regression fix on armv7hf, bpmdetect corrections for stereo and multi-channel modes, and webrtcsink support for the imx8mp vpuenc_hevc H.265 encoder. Codec parsers receive multiple hardening fixes including a stack buffer overflow in the H.265 buffering period SEI parser, bounds checks in MPEG-TS PES header parsing, and a heap buffer overflow in MXF AES3 audio descriptor write_tags. The mxf and mpegtsdemux plugins receive numerous additional bounds and overflow fixes, and pngparse gets a use-after-free fix. Several memory leaks across decodebin2, subparse, samiparse, baseparse, and others are also addressed.

expat 2.8.1: This update jumps from 2.7.5 and addresses two security issues. A quadratic-runtime attack via attribute name collision checks is corrected, and the SipHash-based hash flooding protection now uses the full 16 bytes of salt instead of 4 to 8. The existing XML_SetHashSalt API is deprecated and a new XML_SetHashSalt16Bytes is introduced for callers that want to provide their own high-quality entropy.

rsync 3.4.3: A security-focused release fixing six CVEs in the file-synchronization tool. Three of the six (CVE-2026-29518, CVE-2026-43617, CVE-2026-43619) require non-default daemon configurations, two (CVE-2026-43618, CVE-2026-43620) are reachable from normal pulls or normal authenticated daemon connections, and the sixth (CVE-2026-45232) requires RSYNC_PROXY to be set with a pathological proxy response. Detailed CVE notes appear in the security section below. The release also adds defence-in-depth hardening on adjacent paths and fixes a regression introduced by the 3.4.0 secure_relative_open().

PostgreSQL 18.4: This point release of the database addresses 10 CVEs covering schema privilege checks, integer overflows in memory allocation calculations, time-zone name handling, path traversal in pg_basebackup and pg_rewind, subscription-name quoting in pg_createsubscriber, marking PQfn() as unsafe, timing-safe string comparisons in authentication, recursion limits in startup packet processing, MCV statistics validation, SQL injection protection in contrib/spi, and quoting of object names in logical replication origin checks. See the official 18.4 release announcement for full notes.

dnsmasq 2.92rel2: A security-focused point release fixing six CVEs in the DNS and DHCP server. Vulnerabilities include cache poisoning that could enable DoS or attacker redirection, DNSSEC validation flaws, a heap out-of-bounds read in DNSSEC validation, a heap out-of-bounds write in DHCPv6 handling, an information disclosure flaw allowing source-check bypass, and a buffer overflow in extract_addresses().

ImageMagick 7.1.2.23 and 7.1.2.24: The 7.1.2.24 version strengthens input validation by rejecting MTV, TGA, Cineon, and Farbfeld image files with zero columns or rows, preventing potential crashes or undefined behavior from malformed files. A new profile fuzzer is added for raw EXIF, XMP, IPTC, and ICC parsing to improve robustness. The 7.1.2.23 version rolls up many GitHub security advisories from upstream and applies an integer overflow fix tracked as CVE-2026-31853.

OpenEXR 3.4.11: A double update from 3.4.9 through 3.4.10 to 3.4.11 closes several additional CVEs in the EXR image format library. Fixes address a shift exponent overflow in readVariableLengthInteger(), an out-of-bounds read in IDManifest::init() during prefix expansion, an integer overflow in ImageChannel::resize, a signed integer overflow in ht_undo_impl() in the HTJ2K decoder, and two missed variants of the earlier DWA-decoder pointer arithmetic overflow.

ncurses 6.6.20260516: Two snapshot patches bring loop limit corrections in lib_twait.c, magic-cookie initialization deferral, terminal database refinements for kitty, contour, screen4/screen5, xterm-utf8, and warp, and a recur_wgetnstr() buffer limit correction.

hplip 3.26.4: A new release of the HP Linux Imaging and Printing project adds support for a broad range of new printers including the HP LaserJet Pro MFP 3106sdw/3105sdw, OfficeJet Pro 9730/9720/8130/8120 series, Envy 6500 series, and several DeskJet Ink Advantage models.

Vulkan SDK 1.4.350: Both vulkan-loader and vulkan-tools jump from 1.4.341 to 1.4.350. vulkaninfo now enables the device groups extension and checks extensions before querying properties, and a wrong extension being used for GGP is corrected.

Security Updates

net-tools 3.14~alpha:

CVE-2024-58251: Fixes a flaw in netstat where a local user could launch a network application and cause a denial of service by locking up the terminal of a victim viewing netstat output.

curl 8.20.0:

CVE-2026-4873: Addresses a flaw where a connection requiring TLS could incorrectly reuse an existing unencrypted IMAP, POP3, or SMTP connection from the pool and cause the subsequent data to be transmitted in clear-text.
CVE-2026-5545: Resolves a vulnerability where HTTP Negotiate connections could be wrongly reused and potentially lead to authentication bypass.
CVE-2026-5773: Fixes a flaw where SMB connections could be reused for transfers to a different share on the same server and potentially lead to the wrong file being downloaded or uploaded.
CVE-2026-6253: Addresses a credential leak where proxy credentials could be exposed across a redirect to a different proxy.
CVE-2026-6276: Resolves a cookie leak caused by stale custom cookie host handling on subsequent requests.
CVE-2026-6429: Fixes a .netrc credential leak when a proxy connection was reused across requests.

update-alternatives 1.22.22:

CVE-2026-2219: Addresses a flaw that could result in denial of service via an infinite CPU-spinning loop.

GnuTLS 3.8.13:

CVE-2026-33845: Resolves an integer underflow that could lead to an out-of-bounds read and potential denial of service or information disclosure.
CVE-2026-42009: Fixes a flaw potentially triggering undefined behavior.
CVE-2026-33846: Addresses a heap buffer overflow that may allow remote denial of service or memory corruption.
CVE-2026-42010: Resolves an authentication bypass in servers configured with RSA-PSK where usernames containing NUL characters wrongly matched ones truncated at the NUL.
CVE-2026-3833: Fixes a name-constraint bypass that could cause certificates that should be rejected to be accepted.

mariadb 11.8.6:

CVE-2026-32710: Addresses a heap-based buffer overflow that allows an authenticated user to crash the server and potentially achieve remote code execution.

krb5:

CVE-2026-40355: Resolves a NULL pointer dereference that allowed an unauthenticated remote attacker to terminate the process when a NegoEx mechanism was registered.
CVE-2026-40356: Fixes an integer underflow that could allow an unauthenticated remote attacker to trigger an out-of-bounds read of up to 52 bytes and potentially terminate the process.

libsndfile:

CVE-2026-37555: Addresses an integer overflow that could lead to a heap buffer overflow or denial of service.
CVE-2025-52194: Resolves a buffer overflow that could potentially lead to memory corruption or code execution.

qt6-svg:

CVE-2026-6210: Fixes a type confusion and heap buffer overflow that results in an application crash.

tar:

CVE-2025-45582: Addresses a directory traversal flaw that allows file overwrite bypassing the standard ../ protection.

Apache HTTP Server 2.4.67:

CVE-2026-34059: Fixes a heap over-read and memory disclosure in mod_proxy_ajp in ajp_parse_data().
CVE-2026-34032: Addresses a heap buffer over-read in ajp_msg_get_string() due to a missing null-termination check.
CVE-2026-33857: Resolves an off-by-one out-of-bounds read in AJP getter functions.
CVE-2026-33523: Patches an HTTP response splitting vulnerability across multiple modules when forwarding malicious status lines.
CVE-2026-33007: Corrects a NULL pointer dereference in mod_authn_socache allowing an unauthenticated remote user to crash a child process in a caching forward proxy configuration.
CVE-2026-33006: Resolves a timing attack against mod_auth_digest that allows a Digest authentication bypass.
CVE-2026-29169: Fixes a NULL pointer dereference in mod_dav_lock allowing a server crash via a malicious request.
CVE-2026-29168: Addresses unrestricted OCSP response handling in mod_md.
CVE-2026-28780: Resolves a heap buffer overflow in mod_proxy_ajp via ajp_msg_check_header() where a malicious AJP server could write 4 attacker-controlled bytes past a heap buffer.
CVE-2026-24072: Fixes an ap_expr privilege escalation in mod_rewrite allowing local .htaccess authors to read files with the privileges of the httpd user.
CVE-2026-23918: Addresses a double free and possible RCE in HTTP/2 on early reset.

PHP 8.5.6:

CVE-2026-7263: Fixes duplicate xmlns declarations from Dom\XMLDocument::C14N() after setAttributeNS().
CVE-2026-6735: Resolves a XSS within the FPM status endpoint.
CVE-2026-7259: Addresses a NULL pointer dereference in php_mb_check_encoding() via mb_ereg_search_init().
CVE-2026-6104: Patches an out-of-bounds access in mbfl_name2encoding_ex().
CVE-2025-14179: Fixes a SQL injection via NUL bytes in PDO_Firebird quoted strings.
CVE-2026-6722: Addresses a stale SOAP_GLOBAL(ref_map) pointer with Apache Map.
CVE-2026-7261: Resolves a use-after-free after SOAP header parsing failure with SOAP_PERSISTENCE_SESSION.
CVE-2026-7262: Fixes a broken Apache map value NULL check.
CVE-2026-7568: Addresses a signed integer overflow of a char array offset.
CVE-2026-7258: Patches inconsistent passing of unsigned char to ctype.h functions.
CVE-2026-42371: Fixes a numeric truncation in URI parsing carried by uriparser.

OpenEXR 3.4.11:

CVE-2026-42217: Fixes a shift exponent overflow in readVariableLengthInteger().
CVE-2026-42216: Addresses an out-of-bounds read in IDManifest::init() during prefix expansion.
CVE-2026-41142: Resolves an integer overflow in ImageChannel::resize that leads to a heap out-of-bounds write via the OpenEXRUtil public API.
CVE-2026-39886: Fixes an HTJ2K signed integer overflow in ht_undo_impl().
CVE-2026-40244: Addresses an integer overflow in DWA setupChannelData planarUncRle pointer arithmetic.
CVE-2026-40250: Resolves an integer overflow in the DWA decoder outBufferEnd pointer arithmetic.

rsync 3.4.3:

CVE-2026-29518: Fixes a TOCTOU symlink race in daemon mode (use chroot = no) allowing local privilege escalation.
CVE-2026-43617: Addresses an authorization bypass via hostname resolution when the daemon chroot tree lacks DNS resolution support, causing the connecting hostname to be set to UNKNOWN.
CVE-2026-43618: Resolves an integer overflow in the compressed-token decoder enabling remote memory disclosure.
CVE-2026-43619: Fixes symlink races on path-based system calls (chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, lstat) in use chroot = no daemon mode.
CVE-2026-43620: Patches an out-of-bounds read in the receiver’s recv_files() allowing remote DoS of any client pulling from a malicious server.
CVE-2026-45232: Addresses an off-by-one stack out-of-bounds write in establish_proxy_connection() HTTP CONNECT proxy response parsing.

PostgreSQL 18.4:

CVE-2026-6472: Ensures the user has CREATE privilege on the schema specified.
CVE-2026-6473: Fixes integer overflows in memory-allocation calculations.
CVE-2026-6474: Guards against malicious time zone names.
CVE-2026-6475: Prevents path traversal in pg_basebackup and pg_rewind.
CVE-2026-6476: Properly quotes subscription names in pg_createsubscriber.
CVE-2026-6477: Marks PQfn() as unsafe and avoids using it within libpq.
CVE-2026-6478: Uses timing-safe string comparisons in authentication code.
CVE-2026-6479: Prevents unbounded recursion while processing startup packets.
CVE-2026-6575: Detects faulty input when restoring attribute MCV statistics.
CVE-2026-6637: Prevents SQL injection and buffer overruns in contrib/spi.
CVE-2026-6638: Properly quotes object names in logical replication origin checks.

dnsmasq 2.92rel2:

CVE-2026-2291: Fixes cache poisoning that could enable DoS or attacker redirection.
CVE-2026-4890: Addresses a DoS vulnerability in DNSSEC validation.
CVE-2026-4891: Resolves a heap-based out-of-bounds read in DNSSEC validation.
CVE-2026-4892: Patches a heap-based out-of-bounds write in the DHCPv6 implementation.
CVE-2026-4893: Fixes an information disclosure flaw allowing source-check bypass.
CVE-2026-5172: Addresses a buffer overflow in extract_addresses().

expat 2.8.1:

CVE-2026-45186: Fixes a quadratic runtime from attribute name collision checks enabling DoS through moderately sized crafted XML input.
CVE-2026-41080: Resolves limited hash flooding entropy by raising the hash salt size from 4-8 bytes to a full 16 bytes.

GraphicsMagick:

CVE-2026-42050: Fixes a stack buffer overflow in XTileImage.

ImageMagick 7.1.2.23:

CVE-2026-31853: Addresses an overflow check flaw.

Linux Kernel 7.0.7:

CVE-2026-43349: Resolves a use-after-uninitialized-value access in f2fs.
CVE-2026-43350: Addresses an SMB client flaw requiring a full NFS-mode SID before continuing.
CVE-2026-43348: Fixes a vmemmap_shift exceeding MAX_FOLIO_* in mshv_vtl.
CVE-2026-43490: Validates inherited ACE SID length in ksmbd.

glibc:

CVE-2026-5928: Fixes ungetwc operating on a byte stream.
CVE-2026-5450: Addresses a buffer overflow in scanf %mc.

libzypp 17.38.9:

CVE-2026-44933: Prevents configured scripts from escaping the sigcheck directory.

python-Twisted 26.4.0:

CVE-2026-42304: Prevents a DoS attack via resource exhaustion during DNS name decompression.

bind 9.20.23:

CVE-2026-3592: Fixes an amplification vulnerability that could be made to consume disproportionate resources.
CVE-2026-3039: Addresses excessive memory consumption when processing maliciously-constructed packets.
CVE-2026-5950: Resolves a flaw exhausting CPU and memory.
CVE-2026-5947: Fixes a race condition that could allow an unauthenticated remote attacker to crash the server.
CVE-2026-5946: Addresses multiple flaws that could cause assertion failures via recursion, UPDATE, or NOTIFY paths.

python-idna 3.15:

CVE-2026-45409: Closes a bypass of the CVE-2024-3651 mitigation by rejecting oversize inputs up-front.

python-urllib3 2.7.0:

CVE-2026-44432: Closes a decompression-bomb safeguard bypass in the streaming API.
CVE-2026-44431: Fixes HTTP pools created via ProxyManager.connection_from_url not stripping sensitive headers when redirecting to a different host.

perl-libwww-perl 6.83:

CVE-2026-8368: Strips Authorization and Proxy-Authorization headers on cross-origin redirects to prevent credential leakage.

perl-CryptX 0.89:

CVE-2026-41564: Patches a security flaw in the Perl interface to LibTomCrypt.

perl-Net-CIDR-Lite 0.24:

CVE-2026-45190: Rejects Unicode digits and trailing newlines in parser inputs.
CVE-2026-45191: Rejects zero-padded CIDR masks.
CVE-2026-40199: Fixes an IPv4-mapped IPv6 packed length flaw.
CVE-2026-40198: Rejects invalid uncompressed IPv6 addresses.

perl-XML-LibXML 2.0212:

CVE-2026-8177: Prevents an out-of-bounds UTF-8 read in domParseChar by replacing it with libxml2’s xmlValidateName.

hplip 3.26.4:

CVE-2026-8631: Fixes a flaw in the HP Linux Imaging and Printing stack.
CVE-2026-8632: Addresses a second related flaw.

xen 4.21.1_06:

CVE-2025-54518: Mitigates AMD-SN-7052 CPU Op Cache Corruption.

Users are advised to update to the latest versions to mitigate these vulnerabilities.

Conclusion

May 2026 was a steady month for openSUSE Tumbleweed with point releases landing across all three major KDE stacks (KDE Gear 26.04.1, Frameworks 6.26.0, and Plasma 6.6.5). Mesa made the leap to 26.1 with the Vulkan 1.4 API, and AppArmor shipped its first 5.0 release. Sysadmins received headline updates across Apache HTTP Server 2.4.67, PostgreSQL 18.4, rsync 3.4.3, dnsmasq 2.92rel2, GnuPG 2.5.20, and expat 2.8.1 — almost all driven by CVE fixes. The Linux kernel progressed from 7.0.5 to 7.0.9 with broad subsystem hardening, and security was the dominant theme across PHP, OpenEXR, jq, ImageMagick, python-cryptography, python-urllib3, and a long tail of Perl networking modules.

Slowroll Arrivals

Please note that these updates also apply to Slowroll and arrive between an average of 5 to 10 days after being released in Tumbleweed snapshot. This monthly approach has been consistent for many months, ensuring stability and timely enhancements for users. Updated packages for Slowroll are regularly published in emails on openSUSE Factory mailing list.

Contributing to openSUSE Tumbleweed

Stay updated with the latest snapshots by subscribing to the openSUSE Factory mailing list. For those Tumbleweed users who want to contribute or want to engage with detailed technological discussions, subscribe to the openSUSE Factory mailing list . The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.

Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.

Planet News Roundup

admin@opensuse.org (Douglas DeMaio) — Fri, 29 May 2026 07:00:00 +0000

This is a roundup of articles from the openSUSE community listed on planet.opensuse.org.

The community blog aggregates a list of the featured highlights below from May 22 to 27.

Blogs this week cover security vulnerabilities discovered and patched in qSnapper’s privileged D-Bus service, a new GSoC 2026 contributor joining the openSUSE Project, nightly syslog-ng container images now available based on Alma Linux, a new plasmoid Scrolling Clock for KDE Plasma 6, a tip for previewing Markdown in the Kate editor, the April 2026 Krita report, the Mobile Linux Hackday in České Budějovice, Agama 21 and more.

Here is a summary and links for each post:

Whaleshark Opens Knopje

Sébas announces that on June 19 he will open the next edition of Knopje with a 1.5-hour melodic techno set.

Krita April 2026 Report

The KDE Blog covers the April 2026 Krita monthly report, which announces the release of Krita 5.3.2 and 6.0.2 with two months’ worth of bug fixes and improvements including text tool enhancements, performance fixes, and an Android crash fix. The post also highlights upcoming features in development and improves wide-gamut color conversion.

Introducing Shared Canned Responses

The Open Build Service Blog introduces shared canned responses in OBS, expanding a feature that previously only allowed users to create personal canned responses under their own profiles. The update allows canned responses to now be shared across projects and packages, streamlining collaboration and communication in request workflows.

How to Install exeLearning 4.0 on Your Computer

The KDE Blog explains how to install exeLearning 4.0, a free and open-source tool for creating interactive digital educational resources. The post outlines the three available editions.

The KDE Blog presents Scrolling Clock, the 29th widget in their Plasma 6 plasmoid series, which displays an animated clock cycling through all digits for a unique and eye-catching desktop look. Users who enjoy the widget are encouraged to support the developer through ratings, comments, or donations on the KDE Store.

Previewing Markdown Files in the Kate Editor

Victorhck shares a quick tip for enabling live Markdown preview inside the KDE Kate editor by activating the “Document Preview” plugin. The author notes that HTML preview does not work the same way and recommends using a browser for that format instead.

Nightly syslog-ng Containers Based on Alma Linux

Peter Czanik announces that nightly syslog-ng container images based on Alma Linux are now available on Docker Hub. Previously only Debian-based images were provided, but this new Alma Linux offering is built from the latest syslog-ng git snapshot packages.

Accepted into Google Summer of Code 2026 with openSUSE!

Mario Marín announces on his GSoC 2026 blog that he has been accepted into Google Summer of Code 2026 to contribute to the openSUSE project under two mentors. Over 12 weeks, he will work on improving the obs-status-service, including better SVG visualizations, a Gitea bot for Pull Request build information, and an AI-assisted stretch goal using Log Detective to analyze failed builds. He will be posting weekly progress updates on his blog.

qSnapper: Various Security Issues in Privileged D-Bus Service (CVE-2026-41045 through CVE-2026-41049)

The SUSE Security Team blog discloses five CVEs found during a security review of qSnapper, a GUI frontend for the Btrfs snapshot manager snapper. All issues were addressed through coordinated disclosure with the upstream author and fixes were shipped in the qSnapper 1.3.3 released on May 26.

MobileLinux Hackday #1 in České Budějovice

The SUSE Community Blog reports that the first Mobile Linux Hackday held in České Budějovice had a bigger turnout than the well-established Prague series with regard to attendance and synergy. The Prague series had already built a strong following over seven monthly events and the new venue signals growing momentum and geographic expansion for the Mobile Linux hackday movement in Czechia.

How to Use Desktop Icons NG (DING) on openSUSE 16 GNOME

The Geeko Blog provides a fix for the Desktop Icons NG (DING) GNOME extension failing to work on openSUSE 16. The post includes the relevant error message from /var/log/messages to help users identify the problem.

Long-Term Support Doesn’t Mean What You Think

The KDE Blog summarizes a post by KDE developer Nate Graham clarifying that LTS releases promise extended maintenance and security patches, not bug-free software or guaranteed personal support. The post draws a clear distinction between free community LTS distributions and commercially supported products and suggests that Flatpak apps can help bridge the software freshness gap on stable systems.

Haruna 1.8 Released – New Version of This KDE Media Player

The KDE Blog announces the release of Haruna 1.8, an open-source video player built on libmpv with YouTube integration. Haruna continues to be a solid alternative to Dragon Player and Kaffeine within the KDE ecosystem.

Linux Saloon 202 | Early Edition

CubicleNate recaps episode 202 of the Linux Saloon podcast, covering Colin’s use of his Surface Go running Cosmic Desktop, the release of Ubuntu 26.04 LTS, and updates on the Framework Computer Laptop 13 Pro.

Linux Saloon 203 | News Flight Night

CubicleNate recaps episode 203 of the Linux Saloon podcast, during which attendees discuss Collin’s experience with stillOS, the value of operating system rollback features, and notable news including HP sponsoring the Linux Vendor Firmware Service and KDE receiving a significant investment.

Xe Driver Support and Discover Improvements – This Week in Plasma

The KDE Blog translates Nate Graham’s weekly Plasma development summary. A standout community contribution added support for monitoring modern Intel Xe GPUs in System Monitor and its widgets. Discover also received several improvements including safer Flatpak data deletion sending files to the trash, a reorganized front page with the Editor’s Choice section moved higher, and case-insensitive search on the Updates page.

Agama 21 Released

Victorhck summarizes the release of Agama 21. The network configuration interface was redesigned with a new form supporting bond and bridge connections in addition to Ethernet and Wi-Fi. A new boot option inst.remote=0 allows disabling remote installer access for improved security in sensitive environments.

Tumbleweed – Review of the Weeks 2026/21

Victorhck and Dominique Leuenberger’s blog recap week 21 with six snapshots. The releases shipped notable updates including AppArmor 5.0.0, KDE Plasma 6.6.5, Linux kernel 7.0.6 through 7.0.9, GStreamer 1.28.3, Ruby 4.0.4, and PostgreSQL 18.4. Upcoming pipeline changes include Agama 21, GCC 16 as the default system compiler, and a rework of Python 3 packaging.

Workshop: Agentic AI and Total Automation at Linux Center València

The KDE Blog announces a hands-on workshop on agentic AI and automation taking place on June 6 at Slimbook’s Linux Center in Paterna, Valencia. The event features sessions on building intelligent agent systems using OpenClaw, privacy-respecting automation with Hermes, and a practical pair-programming workshop on Slimbook One mini PCs.

View more blogs or learn to publish your own on planet.opensuse.org.

Managing System Extensions with sysextmgrcli

admin@opensuse.org (Stefan Schubert) — Thu, 21 May 2026 08:00:00 +0000

Managing System Extensions on openSUSE MicroOS with `sysextmgrcli`

If you are running openSUSE MicroOS, you already know the drill: the root filesystem is read-only, and transactional updates are the law of the land.

But what happens when you need to add software or system extensions without rebooting or messing with your base OS layers?

E.g. You need strace or gdb to debug a running application, but a reboot to install this tools would change the situation.

Enter System Extensions (sysext images) and the utility designed to make them manageable: sysextmgrcli.

What is `sysextmgrcli`?

At its core, sysextmgrcli is a command-line client for managing systemd-sysext images and has been written by Thorsten Kukuk. It is designed specifically to play nice with the atomic nature of MicroOS.

Instead of forcing you to use sudo for every query, it talks to a background daemon (sysextmgrd) via Varlink. This architecture allows unprivileged users to list existing system extension images without needing root permissions, while the daemon handles the heavy lifting of downloads and verification via systemd-pull. For security reasons, root provileges are still required for installing or updating sysext images.

The Architecture: Smart Snapshots

One of the cleverest things about sysextmgrcli is how it handles storage to be efficient and “rollback-safe”:

/var/lib/sysext-store: This is where the actual image files live. Since /var is a separate subvolume shared across all Btrfs snapshots, you only store the image once, saving disk space. If you have no network available, that’s the location for storing offline or even own build sysext images via e.g. an USB device.
/etc/extensions: This directory contains symlinks to the images in the store. Because /etc is part of your root snapshot, the extensions are tied to your current system state.

Why does this matter? If you perform a system rollback, your symlinks roll back too. This ensures the active sysext images always match the OS version you are currently booted into.

Essential Commands

Getting started is straightforward. Here are the primary commands you’ll use to manage your extensions:

1. Listing and Checking Images

Want to see what’s available or if your images are compatible with your current OS version?

# List all images and report compatibility
sysextmgrcli list

# Check for updates and verify compatibility
sysextmgrcli check

2. Installing New Extensions

You can install by providing a name and a source URL. The tool automatically handles SHA256 verification and checks if it fits your OS.

# --url is optional (default: https://download.opensuse.org/tumbleweed/appliances/ )
sysextmgrcli install [NAME] --url [https://your-image-repo.com](https://your-image-repo.com)

3. Maintenance and Updates

Updates are handled by comparing local files against remote manifests. If a newer version matches your current snapshot, it gets pulled down and symlinked.

# Update existing images to the latest compatible versions
sysextmgrcli update

# Clean up: Remove images in the store that are no longer referenced by any snapshot
sysextmgrcli cleanup

The “Activation” Catch

It is important to note that sysextmgrcli is a manager, not an activator. It handles the logistics: downloading, version checking, and symlinking. To actually “plug in” the extensions to your running system, you still use standard systemd-sysext commands:

Manual activation: systemd-sysext merge
Manual deactivation: systemd-sysext unmerge
Enable at boot: systemctl enable systemd-sysext.service

Available default system extention (sysext) images:

debug (babeltrace, gdb, ltrace, strace, traceroute)
gcc (cpp, gcc, make, patch)
git (git, git-core)

Summary

You need `git` on your openSUSE MicroOS ?

Just call sysextmgrcli install git ; systemd-sysext merge and use it…

You do not need ‘git’ anymore on your system ?

Just call systemd-sysext unmerge and it is not available anymore…

sysextmgrcli bridges the gap between static immutable infrastructure and the need for flexible system additions. By leveraging the Btrfs directory structure of MicroOS, it ensures your system remains clean, version-synced, and easy to manage.

Planet News Roundup

admin@opensuse.org (Douglas DeMaio) — Fri, 15 May 2026 09:00:00 +0000

This is a roundup of articles from the openSUSE community listed on planet.opensuse.org.

The community blog feed aggregator lists the featured highlights below from May 8 to 14.

Blogs this week cover the Plasma 6.7 beta launch, sovereign Tech funds major investment in KDE, a leadership change on the openSUSE Board, two helpful Firefox tips, a Tumbleweed review, a new Plasmoid for displaying song lyrics, a KDE Frameworks update, and an openSUSE Leap 15.6 reaches end-of-life.

Here is a summary and links for each post:

openSUSE Leap 15.6 Reaches End of Life – Time to Upgrade

Victorhck reports that openSUSE Leap 15.6 reached its official end of life on April 30, which means it will no longer receive security patches or official support. Users are advised to migrate to openSUSE Leap 16.0 to keep their systems up to date and secure.

Plasma 6.7 Beta Released

The KDE Blog announces the launch of the Plasma 6.7 beta and invites testers to try the new release and report any bugs at bugs.kde.org ahead of the final release. Key new features include a quick light/dark mode toggle in the Brightness and Color widget and a modern new print queue application with active job badges in the Printers widget.

The syslog-ng Insider 2026-05: OTEL; Central Log Collection; Old Mac

Peter Czanik’s Blog presents the 140th issue of the syslog-ng Insider monthly newsletter and covers three topics: how Databricks customers can stream logs to a data lakehouse using syslog-ng with OAuth2 authentication and the OpenTelemetry protocol; a reminder that central log collection is valuable far beyond mere compliance, benefiting operations, security, and development teams alike; and a guide to compiling the latest syslog-ng release on older Intel-based Macs where Homebrew no longer provides full support.

Sovereign Tech Fund Invests Over €1 Million in KDE

Victorhck covers the announcement that the Sovereign Tech Fund will invest €1,285,200 in the KDE community across 2026 and 2027. The funding is aimed at strengthening the structural reliability and security of KDE’s core infrastructure, including Plasma and the frameworks supporting KDE’s communication services. The author translates the official KDE announcement into Spanish and shares his thoughts on the significance of the investment for the free software ecosystem.

The KDE Blog presents Plasma Lyrics, a new widget for KDE Plasma 6 that displays the lyrics of the currently playing songs directly on the desktop. This is the 28th entry in the blog’s ongoing series showcasing Plasmoids for Plasma 6, which is aimed at users who want richer desktop integration with their music player.

Fifth Update of Plasma 6.6

The KDE Blog announces the fifth bugfix update to KDE Plasma 6.6, which was released on May 12. The update brings improved animation fluidity on high-refresh-rate displays along with the usual bug fixes and stability improvements.

How to Change the Annoying Firefox “Not Found” Sound

Victorhck shares a practical tip for Firefox users annoyed by the jarring sound the browser plays when a text search via Ctrl+F finds no match on the page. The post walks through how to replace that default sound with a system sound of the user’s own choosing.

IA MED: Public Health, Privacy and Brazilian Technological Sovereignty

Alessandro’s Blog introduces IA MED, which is a an AI solution developed by MultiCortex to bring advanced language models to the public health sector with a focus on precision, privacy, and data sovereignty. The system is already operational in the city of Bebedouro, São Paulo. The post argues that vertically specialized, locally hosted AI running on cost-effective hardware represents a viable and responsible alternative to generic cloud-based AI for public health systems across Brazil.

SOTAQUE: When AI Learns to Speak like a Brazilian

Alessandro’s Blog introduces SOTAQUE (Speech-Oriented Training Audio for Quality Understanding and Expression), which is a community-driven initiative to build an open dataset of Brazilian Portuguese voices that captures the country’s regional diversity of accents. The project, which is published under the CDLA-Permissive-2.0 license, aims to collect up to 10,000 hours of audio so that AI speech tools better represent all Brazilians rather than defaulting to a narrow Southeastern urban standard. Anyone over 18 in Brazil can contribute by recording just a few minutes of their own voice at sotaque.ia.br.

Firefox Not Displaying Japanese (or Chinese or Korean) Characters in Plasma

Victorhck explains how to fix the issue of Firefox displaying small empty squares instead of Japanese kanji characters when browsing the web on KDE Plasma. The solution involves installing the appropriate font packages to give the browser the rendering support it needs.

Framework Becomes a KDE Patron

The KDE Blog announces that Framework, the company behind the modular Framework Laptop, has become an official patron of KDE e.V., and joins existing supporters such as The Qt Company, SUSE, Google, Canonical, Slimbook, and Rocky Linux. Framework founder Nirav Patel noted that KDE is extremely popular within the Framework community, while KDE e.V. President Aleix Pol highlighted that Framework’s commitment to repairability strongly aligns with KDE’s own values of sustainability and open hardware.

malcontent: Disk Space Exhaustion via Globally Accessible D-Bus API (CVE-2026-44931)

The SUSE Security Team Blog discloses CVE-2026-44931, a local denial-of-service vulnerability in malcontent, the GNOME parental control system, introduced in version 0.14.0 as part of the GNOME 50 update packaged for openSUSE. The flaw allows any unprivileged local user to slowly exhaust disk space in /var/lib/malcontent-timerd by repeatedly calling the RecordUsage D-Bus method with arbitrary app identifiers, with no upstream fix currently available. The SUSE team reported the issue privately in February 2026 and, after receiving no follow-up from upstream despite repeated contact, proceeded with public disclosure to avoid further delay.

26th Update of KDE Frameworks 6 and the KArchive Library

The KDE Blog covers the 26th update to KDE Frameworks 6, highlighting improvements to the KArchive library among other fixes across the KDE software stack. The post follows the blog’s regular cadence of documenting each KDE Frameworks release for Spanish-speaking KDE users.

Linux Saloon 200 | Open Mic Night

CubicleNate’s Blog celebrates the 200th episode of the Linux Saloon podcast with an Open Mic Night format, where participants shared tech topics that were top of mind. Highlights included a hands-on look at the new Framework Laptop 13 Pro and its hardware improvements, a discussion about Brave’s new Origin browser on Linux, and a nostalgic trip back to the old internet covering GeoCities, webrings, and Homestar Runner.

openSUSE Board Leadership Change

Victorhck reports on the change at the top of the openSUSE Board. The post translates and expands on the official announcement of Gerald Pfeifer stepping down as chair on May 7 after nearly seven years in the role. He is succeeded by Jeff Mahoney, who was elected to the board in 2024.

ICC Profiles in HDR ❤️ – This Week in Plasma

The KDE Blog summarizes “This Week in Plasma” with headlines featuring new support for ICC color profiles in HDR mode. This addition is a significant step forward for color-accurate workflows on Linux, particularly for photographers and designers using HDR-capable displays.

USS/FMS Carrier

Jakub Steiner’s Blog dives into FMS Carrier, a tiny 2-operator FM synthesizer and sequencer for the Nintendo Game Boy Advance created by Ess Mattisson, the original designer of the Elektron Digitone. Jakub shares his enthusiasm for the sequencing workflow, which mirrors the building-block composition approach he loves on his Dirtywave M8 tracker.

Tumbleweed – Review of the Weeks 2026/18 & 19

Victorhck and Dominique Leuenberger cover nine Tumbleweed snapshots published across weeks 18 and 19. Major package arrivals include GNOME 50.1, Linux kernel 7.0.1 through 7.0.3, glibc 2.43, systemd 260.1, Boost 1.91.0, and Mozilla Firefox 150.0.

LliureX Turns 21 – Happy Birthday!

The KDE Blog celebrates the 21st anniversary of LliureX, a GNU/Linux distribution based on Ubuntu and KDE Plasma developed by the Valencian Community’s regional education authority in Spain. The project has been delivering a free software desktop tailored to educational environments in the Valencian Community for over two decades.

View more blogs or learn to publish your own on planet.opensuse.org.

Planet News Roundup

admin@opensuse.org (Douglas DeMaio) — Fri, 08 May 2026 07:00:00 +0000

This is a roundup of articles from the openSUSE community listed on planet.opensuse.org.

The community blog feed aggregator lists the featured highlights below from May 1 to 7.

Blogs this week cover a Tumbleweed review, syslog-ng with Fedora 44, the openSUSE Summit in the Americas, SUSE response to the Copy Fail kernel vulnerability, KDE’s participation in Google Summer of Code 2026 and and much more.

Here is a summary and links for each post:

Playing .wma Files with Amarok in openSUSE

Victorhck shares a practical tip for openSUSE Tumbleweed users who find that the Amarok music player won’t play .wma audio files. The root cause is that Amarok relies on GStreamer and lacks certain codec packages by default, unlike VLC which bundles its own. The fix is straightforward: add the Packman repository and install gstreamer-plugins-bad, gstreamer-plugins-ugly, and gstreamer-plugins-libav via zypper.

Mix of KDE Gear 26.04 Highlights – “KDE at 30” Edition

The KDE Blog wraps up its series on KDE Gear 26.04 with a roundup of smaller improvements across many applications in what is dubbed the “KDE at 30” edition, which celebrates three decades of KDE. Highlights include bug fixes for Akregator and Alligator, Angelfish defaulting to the AI-free version of DuckDuckGo, RAR extraction support in Ark’s Flatpak version, and NeoChat gaining a rich text editor with thread support.

Fedora 44, CentOS 7 and Amazon Linux syslog-ng Questions

Peter Czanik’s blog reports that Fedora 44 has shipped with syslog-ng 4.11 and that a quick test confirms everything works as expected. The post raises two open questions for the community: whether anyone is still using syslog-ng packages on the end-of-life RHEL 7 / CentOS 7, and whether the Amazon Linux 2023 Copr package should be updated to a newer release.

Victorhck presents a Spanish-language summary and translation of the May 2026 Free Software Foundation newsletter. Among the stories covered are Amazon’s upcoming May 20 Kindle shutdown affecting older devices and the FSF’s critique of DRM restrictions, as well as France’s announced plan to migrate some government computers from Windows to Linux.

What’s New in Kdenlive in KDE Gear 26.04 – “KDE at 30” Edition

The KDE Blog covers improvements coming to the Kdenlive video editor as part of the KDE Gear 26.04 release. The post highlights new features and refinements aimed at both new and experienced video editors on Linux.

Summit Draws Landmark Regional Gathering

openSUSE News reports that 321 developers, students, and technology professionals gathered at Universidad Libre in Barranquilla, Colombia, for the first-ever openSUSE Summit in the Americas. The event marked a landmark moment for the community’s reach in the region and brought together contributors from across many nations.

Tumbleweed Monthly Update – April 2026

openSUSE News recaps a busy April for Tumbleweed, which highlighted the arrival of GNOME 50 and KDE Gear 26.04, and critical fixes for “Copy Fail”, which has now been patched for both Tumbleweed and Slowroll users who ran zypper dup. The Linux kernel advanced to 7.0.2 and Mesa to 26.0.5 with raytracing fixes. Security received heavy attention with WebKitGTK, CUPS, Python, Flatpak, sudo, and OpenEXR all receiving multiple CVE fixes.

Accessing openSUSE Cockpit from a Remote Machine

Victorhck continues his series on the Cockpit tool being developed as a replacement for YaST in openSUSE. The tutorial walks through enabling port 9090 in the firewall to make remote access possible. This follows his earlier posts on installing Cockpit and managing software and repositories through its interface.

Neon Multicolor Icons for Your PC: BeatyBeam

The KDE Blog presents BeatyBeam, a neon multicolor icon pack for KDE Plasma that is well-suited for dark themes. The pack brings vibrant, colorful icons to the desktop for users looking to personalize their visual environment.

Managing Software and Repositories in openSUSE via Cockpit

Victorhck explains how to use Cockpit that is being developed to succeed YaST in openSUSE to manage software repositories and install or remove packages directly from the browser. The post covers the relevant Cockpit modules needed for these tasks and how they compare to equivalent YaST functionality.

Tux Manager – The Linux Clone of Windows Task Manager

CubicleNate’s Blog takes a look at Tux Manager, a task manager application for Linux that closely mirrors the look and feel of the Windows Task Manager. The app is aimed at users coming from Windows who want a familiar interface for monitoring processes and system resources on KDE Plasma.

AutoRound: State of the Art in Quantization for CPU/XPU/NVIDIA GPU

Alessandro introduces AutoRound, an Intel-developed quantization toolkit for LLMs and VLMs that reduces model weights to 2, 3, 4, or 8 bits while maintaining high accuracy using signed gradient descent. Unlike naive rounding, AutoRound learns the optimal way to round weights and adjust clipping limits to minimize output error.

Invest in Your Identity

Cornelius Schumacher’s Blog offers a thoughtful reflection on the importance of building a genuine personal digital identity in the age of AI agents. The author argues that decades of authentic writing, publishing, and presentations create a personal corpus that can anchor AI tools to who you actually are.

exeLearning 4.0 Released

The KDE Blog announces the release of eXeLearning 4.0, which is an open-source tool for creating interactive educational content. The new major version demonstrates that the project remains active and evolving with new features for educators building digital learning materials.

Linux Saloon 199 | Ubuntu 26.04

CubicleNate’s Blog recaps episode 199 of the Linux Saloon podcast, which focused on Ubuntu 26.04 LTS and its various flavors, including user experiences and installation challenges. Participants shared their impressions of the new LTS release and discussed differences across the Ubuntu ecosystem.

Background Apps and Zoom Scaling – This Week in Plasma

The KDE Blog translates and summarizes the latest “This Week in Plasma” development report and covers work on background application handling. The post highlights ongoing refinements across several Plasma components aimed at improving usability and visual consistency.

Free Software from North to South, East to West: 6 LibreLocal Meetups

Victorhck highlights May 2026 as “LibreLocal month,” promoted by the Free Software Foundation as an occasion for free software supporters to organize local meetups to share ideas, learn from each other, and celebrate free software. The post spotlights six upcoming LibreLocal meetups taking place across Spain.

KDE Participates in Google Summer of Code 2026

The KDE Blog announces that KDE is once again participating in Google Summer of Code (GSoC) 2026, welcoming student developers to contribute to KDE projects over the summer. The post outlines how the program works and encourages interested learners to apply and get involved with the KDE community.

SUSE Responds to the copy.fail Vulnerability

SUSE Communities details the company’s response to Copy Fail, a critical Linux kernel vulnerability in the algif_aead module that allows a local non-root user to gain full root access. The post, written by Marcus Meissner, outlines which SUSE and openSUSE products are affected and confirms that patches have been issued. Users are strongly advised to apply the available updates immediately.

View more blogs or learn to publish your own on planet.opensuse.org.

Summit Draws Landmark Regional Gathering

admin@opensuse.org (Douglas DeMaio) — Tue, 05 May 2026 11:00:00 +0000

Three hundred twenty-one developers, students and technology professionals converged on Universidad Libre in Barranquilla, Colombia, for the first-ever openSUSE America Summit.

It was a two-day event held at Universidad Libre’s campuses that wrapped up on May 1 with calls to expand open-source culture and contribution across the region.

A capture the flag competition added a hands-on cybersecurity dimension to the summit, challenging participants to test their offensive and defensive skills in a live environment. The exercise drew significant interest from students and IT professionals alike.

The conference drew presenters from across the globe, which reflects the international reach of the open-source community. Speakers representing Colombia, Argentina, Brazil, Mexico, the Dominican Republic, India, the United Kingdom, Germany and the United States addressed topics ranging from cybersecurity and cloud infrastructure to machine learning and community development.

Luis Delascar of Colombia opened Day 2 with a presentation on Kuná Red, an offline-first, open-source mesh networking solution designed to enable communication in rural and underserved regions lacking reliable internet or cellular infrastructure. Diego Córdoba of Argentina delivered a deep dive into Netfilter and firewall architecture in openSUSE using nftables, while compatriot Andrea Navarro, also from Argentina, addressed the use of Jupyter notebooks in educational settings as an alternative to commercial cloud platforms.

Patrick Fitzgerald made the case for Linux migration in an update talk titled about migrating from Windows to Linux citing growing concerns around data sovereignty, tariffs, and unreliable international partnerships as compelling reasons for individuals and organizations to move to Linux.

Ram Mohan Rao Chukka and Shibi Ramachandran, both from India, presented two sessions; one on improving end-to-end testing using Kuttl to reduce broken builds, and another on intelligent drift detection and auto-remediation in ArgoCD for enterprise Kubernetes environments.

Walddys Dorrejo of the Dominican Republic, an openSUSE moderator, presented on unified observability and security using Wazuh. Gabriel Bazzotti of Brazil introduced Git-based packaging for openSUSE and Anuar Harb of Mexico spoke about open-source infrastructure as the foundation for connected digital ecosystems in emerging regions.

Colombian speakers were featured prominently throughout the program. Jorge Lambrano presented a full machine learning workflow. Jorge Aguilar addressed building modern, robust open-source data platforms for demanding analytics workloads. Jesuse Bossa explored the historical and philosophical purpose of engineering and Deiner Bello showcased VisitChocó, an interactive tourism platform built with React, TypeScript and geospatial data promoting the Colombian department of Chocó. Integration of Weblate to enable community-driven translations and expand the platform’s reach to broader audiences across Latin America and beyond is being considered.

Johannes Segitz delivered two sessions. His talk about the current AI landscape and how LLMs are reshaping how people code, patch and package software was a crowd pleaser.

Organized by sponsorship lead Astian Inc., which the company behind the Midori light-weight Web Browser along with a network of local support from LinuxBQ and Red Team Barranquilla, Barranquilla’s community of free and open-source software enthusiasts organized and ran the summit April 29 through May 1.

Having the event at two campuses, Universidad Libre’s Central Campus on April 29 and North Campus on April 30, was a natural fit for the open-source event. Attendees included speakers, IT professionals and students from university had hours of discussions about openSUSE and the broader open-source ecosystem.

The event was made possible with support from SUSE and the Geeko Foundation, both of which help to champion growth of the openSUSE Project and the global open-source community.

The choice of Barranquilla as host city may prove to be more than symbolic. Organizers and attendees have begun discussing the possibility of transforming the openSUSE America Summit into a recurring, traveling event modeled after the openSUSE.Asia Summit, which rotates among countries throughout Asia. Each host nation contributes its own cultural identity and local community to the gathering.

Colombia, with its growing technology sector, strong university ecosystem and passionate open-source community, makes a compelling case as a starting point and center of gravity for future events. The LinuxBQ community’s enthusiasm and the active participation of Universidad Libre students signal that the conditions for a sustainable, grassroots open-source movement in the region are already in place. If the model takes hold, future editions of the summit could travel to other nations across the Americas and the Caribbean, amplifying the voices of tech leaders throughout the region and building a collective, traveling community of experts much as the Asia Summit has done across that continent.

A community barbecue on May 1 brought speakers and volunteers together to close out the event. Sessions were livestreamed and are available for viewing on the LinuxBQ YouTube channel.

Tumbleweed Monthly Update - April 2026

admin@opensuse.org (Douglas DeMaio) — Mon, 04 May 2026 11:00:00 +0000

There were several software package updates for openSUSE Tumbleweed during April and the later half of the month brought some urgency with Copy Fail, which is now safe for users of the rolling release and Slowroll for those who have done a zypper dup at the end of the month.

The information about affected flavors of openSUSE was covered in a blog by the security team.

April brought a major desktop release of GNOME 50 and there was a fourth Plasma 6.6 point release. PHP, GTK4 with the new native GtkSvg renderer, SQLite, iproute2, and nano were among some of the develop packages updated this month. The Linux kernel advances to 7.0.2, and Mesa progressed through 26.0.4 and 26.0.5 with raytracing fixes ahead of upcoming game releases. Security received heavy attention with WebKitGTK, Python, CUPS, Flatpak, sudo, and OpenEXR all receiving multiple Common Vulnerabilities and Exposures fixes.

As always, be sure to roll back using snapper if any issues arise.

For more details on the change logs for the month, visit the openSUSE Factory mailing list.

New Features and Enhancements

KDE Gear 26.04.0: This major release updates 129 packages from the 25.12.3 series across the core PIM suite (Akonadi, KMail, Kontact, KOrganizer), graphics tools (Gwenview, Okular), development tools (Kate, Kompare, Umbrello), and system utilities (Dolphin, Konsole, Kleopatra). Dolphin prevents re-entrant signal activation across multiple view states, and Ark prevents silent replacement of existing files by directory entries during extraction. Okular avoids processing HTML with QDomDocument and improves certificate selection, and kdegraphics-thumbnailers addresses multiple crashes for malformed files. Infrastructure-wide changes include CMake modernization, a port to QDoc documentation, and migration toward modern C++ patterns such as std::shared_ptr over QSharedPointer. The companion ktextaddons library jumps from 1.8.0 to 2.0.1.

KDE Frameworks 6.25.0: This release emphasizes code quality, memory safety, and developer experience. KIO reverts a problematic permissions-based readability check, restores proper FTP UTF-8 negotiation, fixes WebDAV copy/move headers, and resolves multiple memory leaks across file operations and preview jobs. KCodecs streamlines encoding detection with safer initialization, improved codec lookup performance, and removes obsolete code since Qt 6.8+ is required.Kirigami enhances component reliability by preventing dialog layer leaks and adds a configurable textFormat property to TitleSubtitle, while Breeze Icons expands the icon set with new status icons. KTextEditor improves document handling by using the first line as a fallback title and adding relevant MIME types to save dialogs.

GNOME 50 for developers: This release brings significant improvements to the development stack. Builder gains a new save delegate system for better draft handling, refined dark theme colors matching the Adwaita palette, and more integrated help documentation. Flatpak support now moves deleted files to the trash, the LSP client better handles delete notifications, and the build pipeline supports more flexible post-install commands. Mutter Devkit receives a major feature expansion including HiDPI and fractional scaling simulation, multi-monitor support within a single session, clipboard integration between host and Devkit, and resizable virtual displays with emulated monitor modes — reducing the need for physical multi-monitor test setups. GTK 4.22 introduces GtkSvg, a new native in-process SVG renderer integrated with the GTK Scene Graph that supports SVG animations, passes over 1,250 tests in the resvg test suite, and maintains 60fps+ performance for trusted system icons and application resources (untrusted SVGs should still use the sandboxed Glycin library). Libadwaita 1.9 introduces new sidebar widgets including AdwSidebar and AdwViewSwitcherSidebar (replacing GtkStackSidebar), automatic support for the system-wide reduced motion preference across most widgets, context menus on AdwAboutDialog link rows, and GTK_DEBUG=builder diagnostics for all standard widgets. Autoloaded style resources are deprecated in favor of standard CSS media queries.

GDM 50.0: The most significant change for this in the GNOME 50 release is the complete removal of X11 support for GDM’s own sessions, which now always run on Wayland. Features like XDMCP and the system-wide Xserver are gone, though launching other desktops’ X11 sessions via per-user X servers is still possible. Compiling GDM without Wayland support is no longer possible. With systemd v260+, remote desktop sessions and local background sessions are now granted GPU access, enabling accelerated graphics for remote sessions on distributions that restrict GPU device node permissions. service simplifies starting headless graphical sessions for RDP purposes. The gdm/gdm3` user is no longer needed since GDM now fully relies on dynamically allocated users. Wtmp/utmp/btmp records now contain more useful values, especially for Wayland and headless RDP sessions.

Plasma 6.6.4: KWin fixes blur flickering after wobbly windows, improves startup feedback icon clarity, resolves crashes with accessibility keyboards, and enhances pointer scaling and key repeat handling on Wayland. The Oxygen theme addresses pixelated buttons under fractional scaling, restores missing menu shadows, and adds a missing switch SVG. Usability improvements include better RTL support in Kicker, proper drag initiation only after pointer movement, and refined shortcut conflict prevention in keyboard settings. Plasma Keyboard hardens virtual input handling with UTF-8 length fixes and disables predictive text during capture. Other fixes improve Discover by correcting how it tracks the number of active transactions, Dr Konqi with more reliable crash debugging, and Spectacle with a workaround for an overlay issue introduced in Qt 6.11. Several system tray and menu rendering glitches across multiple applets are also resolved, resulting in a smoother and more resilient desktop experience.

w3m 0.5.6: This is a major update for the terminal web browser. New features include commands to scroll the current line to top/bottom, a change directory (CD) command, a vim-like smartcase search option, recognition of aria-label for buttons, gopher protocol support, and experimental session store and restore. The image display in the kitty terminal is fixed, and slow backward search in long lines is improved.

LibreOffice 26.2.2.2: This is a major version upgrade with completely new features, improvements, and bug fixes across Writer, Calc, Impress, Draw, Math, and Base. Detailed release notes are available at The Document Foundation wiki. Bundled components are refreshed including PDFium updated from 7012 to 7471 and 2D Graphics Library Skia updated from milestone 136 to 142.

SDL3 3.4.2: This update adds SDL_HINT_OPENGL_FORCE_SRGB_FRAMEBUFFER to control sRGB behavior for OpenGL and OpenGL ES contexts. A long startup time on Windows caused by non-compliant input devices was fixed, along with a divide-by-zero when using Nintendo Switch 2 controllers and improved GameCube adapter handling in PC mode. Support for the Razer Raiju V5 Pro is added.

cryptsetup 2.8.6: This update has several disk encryption fixes. The resumed device UUID is now verified against the UUID stored in metadata, and the LUKS2 reencryption lock name was corrected. FileVault (fvault2) metadata parsing is fixed, including reading from the correct image offset. The OpenSSL crypto backend works again when built with LibreSSL and allows up to 64 concurrent threads.

Mozilla Firefox 149.0.2: This update addresses multiple security vulnerabilities, including integer overflow and memory safety bugs in Graphics: Text and Graphics: WebGPU components. The update also includes enterprise-related features such as AI-feature management, prevention of built-in VPN and IP protection, and correct application of browser homepage and start page policies. Other fixes include resolution of layout issues with graphics (SVG), crash prevention for security keys and WebAuthn features, and improved handling of web page printing and website error pages. Additionally, the build process is updated to be compatible with clang-based building on Leap, with the necessary libraries specified. [Linux]

PHP 8.5.5: This minor version bump from the 8.4 series brings numerous bug fixes across the core, DOM, Opcache, and OpenSSL modules. Notable fixes address JIT compiler arithmetic errors, memory leaks, and use-after-free vulnerabilities. The package now requires libcapstone as a dependency.

nano 9.0: This is a major version bump for the popular terminal text editor. The release improves horizontal scrolling, changes how macro recording is handled, and brings other usability refinements that build on the 8.x series.

iproute2 7.0: A major version bump for the Linux network configuration toolkit. New features include CAN XL support and DPLL mode setting, both of which extend networking and timing capabilities for newer hardware platforms.

iw 6.17: This wireless configuration tool sees a significant jump from 6.9. It adds support for WPA3 SAE association, EHT rate and bitrate handling for Wi-Fi 7, multi-radio RTS configuration, and endianness fixes across the wireless stack.

GIMP 3.2.4: This minor update to the GNU Image Manipulation Program continues the 3.2 series with bug fixes and incremental improvements following the 3.2.2 release.

xterm 407: New private modes for UTF-8 and character width reporting are introduced, and Unicode handling and window resizing functionality are improved.

gnome-remote-desktop 50.1: This minor update to the GNOME 50 release fixes a black-screen issue when using NVIDIA GPUs.

Key Package Updates

Linux kernel 6.19.11 - 7.0.2: The 7.0.2 update fixes an SMB client out-of-bounds read in smb2_ioctl_query_info, DACL validation in cifsacl, and directory separator handling in SMB1 UNIX mounts. F2FS receives multiple fixes including a use-after-free in f2fs_compress_write_end_io() and f2fs_write_end_io(), a memory leak in f2fs_rename(), and improved sanity checks. FUSE fixes several issues including rejection of oversized dirents in page cache, aborting on fatal signals during sync init, and ensuring device file initialization before cloning. A TOCTOU race in net/packet on mmap’d vnet_hdr in tpacket_snd() is corrected, and crypto fixes address async decrypt skipping hash verification in krb5enc and failed PSP command handling in the CCP driver. The 7.0.1 version sees KVM SEV receive several hardening fixes including locking all vCPUs when synchronizing VMSAs for SNP launch finish, disallowing LAUNCH_FINISH if vCPUs are actively being created, and protecting sev_mem_enc_register_region() with proper locking. Multiple use-after-free bugs are resolved across subsystems including bcache (crash in cached_dev.sb_bio), ocfs2 (fault handling with VM_FAULT_RETRY), the em28xx media driver, blk-cgroup writeback, and ALSA 6fire on USB disconnect. The 6.19.11 update brings several BPF fixes including reset of register ID for BPF_END value tracking, constant blinding for PROBE_MEM32 stores, undefined behavior in interpreter sdiv/smod for INT_MIN, and unsound scalar forking in maybe_fork_scalars(). CXL receives multiple corrections including a use-after-free of parent_port in cxl_detach_ep() and a leak in region construction. NVMe-PCI now caps queue creation to used queues, and platform support is expanded with several HP Omen and Victus laptops, OneXPlayer handheld variants, and Dell 14 Plus 2-in-1 keyboard support.

Mesa 26.0.4 & 26.0.5: The 26.0.4 out-of-schedule release combines bugfix updates and important raytracing fixes for an upcoming game. RADV corrects an invalid hitAttributeEXT value when using function-call RT pipelines, fixes a memory leak in radv_rt_nir_to_asm, and emits BOP events after every draw to work around a VRS bug on GFX12. RadeonSI fixes a missing ground texture and ANV (Intel) addresses flashing effects in Horizon Forbidden West. Nouveau fixes a segmentation fault in gm200_validate_sample_locations triggered by Firefox on GTX 1070 Ti, and NVK corrects barrier cache invalidation and viewport handling on Turing with FSR. The 26.0.5 follow-up is another bugfix release that refreshes the GL headers from libglvnd and disables Vulkan and Panfrost on armv6. Full release notes are available at the Mesa documentation site.

SQLite 3.53.0: A new Query Result Formatter library is introduced in this release for the popular embedded database, and ALTER TABLE is enhanced with additional capabilities. The jump from 3.51.3 also brings query planner refinements and incremental improvements that benefit any application linking against the system SQLite.

libxml2 2.15.3: A point release follow-up to the major 2.15 update. Multiple security fixes are included for type confusion, double-free, and use-after-free issues in the XML parser.

libpng16 1.6.57: A small but security-relevant point release that fixes a use-after-free in chunk setters tracked as CVE-2026-34757.

libjpeg-turbo 3.1.4.1: This update to the widely used JPEG codec includes multiple API hardening fixes and improved buffer handling, providing a more robust foundation for image-processing software across the system.

libarchive 3.8.7: A heap buffer overflow in CAB archive handling is fixed, along with a buffer overflow in the ISO9660 reader. As libarchive is used by package managers and archive tools across the distribution, this update is broadly relevant.

mozilla-nss 3.122.1: This release of the Network Security Services library brings 30+ bug fixes, including patches for multiple heap use-after-free, integer overflow, and ASN.1 parsing vulnerabilities that affect TLS handling in Firefox, Thunderbird, and other consumers.

pipewire 1.6.4: This audio and video pipeline server resolves segmentation faults, improves JACK compatibility, and corrects regressions in the RAOP (AirPlay) module.

SSSD 2.13.0: The pam_sss_gss module can now read SIDs from the Kerberos ticket PAC and apply authentication indicators via the new pam_gssapi_indicators_apply option, supporting Active Directory’s Authentication Mechanism Assurance (AMA). Active Directory Foreign Security Principals (FSP) are now properly detected and ignored when reading nested group members. Support for the KDE Plasma Login Manager is added. New options include avoid_by_id_lookups for preferring name-based lookups, and interactive/interactive_prompt for customizing OAuth2 prompting behavior. Cache performance is optimized for large deployments.

mpc 1.4.1: This complex-number arithmetic library steps from 1.3.1 to 1.4.1 and adds new functions including mpc_exp10, mpc_exp2, and mpc_log2. Sign handling for imaginary parts is improved and pkg-config generation is included.

leancrypto 1.7.2: This cryptographic library jumps from 1.6.0 and adds post-quantum primitives ML-DSA, SLH-DSA, and ML-KEM along with an X.509 fix tracked as CVE-2026-34610.

SELinux Policy 20260410: This update contains a wide range of policy refinements. Missing Nextcloud file contexts are added, the openSUSE /var/lib/php8 path and /srv/www/htdocs Apache DocumentRoot are properly labeled. Cloud-init is now allowed to domtrans into ssh-keygen, and accountsd gains proper D-Bus communication with systemd-homed along with corrected file context labeling for /usr/share/accountsservice. OpenSSH receives a policy adjustment allowing sshd-session to send a generic signal to sshd-auth. Polkit support is updated for its agent helper. Additional permissions are granted for staff and sysadm users, including reading PID1 process state, connecting to systemd-logind and lvm over Unix stream sockets, mounting /proc, and gaining sandboxing features. Virtualization policies gain several adjustments for virtqemud and virtnetworkd, and a new local_login_allow_accountutils_fallback_mode boolean is introduced. The snapper sdbootutil plugin is allowed to read kernel modules. The embedded container-selinux is updated to v2.247.0.

texinfo 7.3: The documentation format package adds new title-page commands, flexible node headings, and cross-reference features. texi2any gains major HTML speedups, optional C implementation, improved diagnostics, and defaults updates. HTML, Info, LaTeX, XML, and info tool receive enhancements and cleanups. The updated deprecated @clickstyle and removed old patches.

XZ Utils 5.8.3: This update fixes a buffer overflow in lzma_index_append() and an invalid memory access in xz when using --files and --files0 options. Arabic man page translations are added.

GTK4 4.22.2: The headline change is native SVG rendering via the new GtkSvg renderer, which drops the librsvg dependency entirely for icon and image rendering. The new renderer supports animations, state names, and SVG filters, with filters now operating in linear RGB by default. The GStreamer media backend now supports gapless looping with GStreamer 1.28, and gtk4-rendernode-tool gains a new filter command for node manipulation. Several drag-and-drop fixes are included, notably restoring the DropTarget::leave signal emission when a drop finishes. Vulkan handling is improved with fixes for SWAPCHAIN_MAINTENANCE checks, pending offset resets on Wayland, and invalid reads. Symbolic icon fallback rendering is corrected, dmabuf support now handles fewer fds than planes, and drop shadow rendering no longer darkens transparent textures. For Tumbleweed users, this brings major rendering architecture improvements and broad stability fixes to GTK4 applications.

webkitgtk3 and webkitgtk4 2.52.1: Numerous security vulnerabilities are patched across both releases. Touch scrolling for small movements is smoother, and scrollend events are now correctly emitted after scroll animations. Async scrolling is improved when the main thread is busy by rendering scrollbars from the scrolling thread. The GPU process is disabled by default in this cycle. A build option to disable USE_GSTREAMER is added for configurations without multimedia support.

Security Updates

Python:

CVE-2026-25645: Addresses an issue in Python allowing a local attacker to pre-create malicious files that could be reused and loaded without validation.
CVE-2026-4519: Fixes a command-line option injection in Python’s webbrowser.open() where leading dashes in URLs could be interpreted as browser command-line arguments.
CVE-2025-13462: Addresses an issue where Python’s tarfile module can cause crafted archives to be misinterpreted.
CVE-2026-4224: Resolves a stack overflow that could lead to a crash.

python-cryptography 46.0.7:

CVE-2026-39892: Fixes a buffer overflow that can occurr when a non-contiguous buffer was passed to APIs accepting Python buffers.

w3m 0.5.6:

CVE-2023-38252: Fixes an out-of-bounds read that could allow a crafted HTML file to cause a denial of service.
CVE-2023-38253: Fixes an out-of-bounds read that could allow a crafted HTML file to cause a denial of service.

webkitgtk3 and webkitgtk4 2.52.1:

CVE-2025-43213: Fixes an issue where processing maliciously crafted web content could lead to an unexpected crash.
CVE-2025-43214: Addresses a flaw where processing maliciously crafted web content could cause an unexpected crash.
CVE-2025-43457: Resolves a vulnerability where processing maliciously crafted web content could lead to an unexpected crash.
CVE-2025-43511: Fixes an issue where processing maliciously crafted web content could lead to memory corruption.
CVE-2025-46299: Addresses a flaw in WebKit where processing maliciously crafted web content could lead to unexpected behavior.
CVE-2026-20608: Resolves a vulnerability where processing maliciously crafted web content could lead to memory corruption.
CVE-2026-20635: Fixes a WebKit flaw where processing maliciously crafted web content could cause an unexpected crash.
CVE-2026-20636: Addresses an issue where processing maliciously crafted web content could lead to memory corruption.
CVE-2026-20644: Resolves a WebKit vulnerability where processing maliciously crafted web content could lead to an unexpected crash.
CVE-2026-20652: Fixes an issue where processing maliciously crafted web content could cause memory corruption.
CVE-2026-20676: Addresses a WebKit flaw where processing maliciously crafted web content could lead to unexpected behavior or a crash.
CVE-2026-20643: Resolves a cross-origin issue in the Navigation API where processing maliciously crafted web content could bypass the Same Origin Policy.
CVE-2026-20664: Fixes a WebKit memory handling flaw where processing maliciously crafted web content could cause an unexpected process crash.
CVE-2026-20665: Addresses an issue where processing maliciously crafted web content could prevent Content Security Policy from being enforced.
CVE-2026-20691: Resolves an authorization flaw where a maliciously crafted webpage could be used to fingerprint the user.
CVE-2026-28857: Fixes a WebKit memory handling issue where processing maliciously crafted web content could cause an unexpected process crash.
CVE-2026-28859: Addresses a flaw where a malicious website could process restricted web content outside the sandbox.
CVE-2026-28861: Resolves a logic issue where a malicious website could access script message handlers intended for other origins.
CVE-2026-28871: Fixes a logic flaw where visiting a maliciously crafted website could lead to a cross-site scripting attack.

libcap 2.78:

CVE-2026-4878: Addresses a race condition that could lead to local privilege escalation.

OpenJDK 25 25.0.3:

CVE-2026-22007: Fixes an information disclosure vulnerability in the Security component of Java SE that could allow a local attacker to read a subset of accessible data.
CVE-2026-22008: Addresses a flaw in the Libraries component of Java SE that could allow an unauthenticated network attacker to modify some accessible data.
CVE-2026-22013: Resolves an information disclosure vulnerability in the JGSS component of Java SE that could expose critical data to an unauthenticated network attacker.
CVE-2026-22016: Fixes an information disclosure flaw in the JAXP component of Java SE that could allow an unauthenticated attacker to access critical data via network protocols.
CVE-2026-22018: Addresses a denial-of-service vulnerability in the Libraries component of Java SE that could be triggered by an unauthenticated network attacker.
CVE-2026-22021: Resolves a denial-of-service flaw in the JSSE component of Java SE exploitable via HTTPS by an unauthenticated attacker.
CVE-2026-23865: Fixes a vulnerability in the bundled FreeType library that could allow memory corruption when processing crafted font data.
CVE-2026-34268: A patch was added for an information disclosure issue in the Security component of Java SE that could allow a local attacker to read a subset of accessible data.
CVE-2026-34282: Addresses a denial-of-service vulnerability in the Networking component of Java SE that could allow an unauthenticated attacker to cause a complete crash or hang.

Flatpak 1.16.6:

CVE-2026-34078: Fixes a sandbox escape where the portal accepted app-controlled symlinks in sandbox-expose paths, allowing arbitrary host file access and code execution in the host context.
CVE-2026-34079: Addresses a path traversal flaw that could allow an app to delete arbitrary files on the host.

libinput 1.31.1:

CVE-2026-35093: Fixes a code injection flaw where a local attacker could place a crafted Lua bytecode file in system or user configuration directories to bypass security restrictions and execute code with the privileges of the affected program.
CVE-2026-35094: Addresses a dangling pointer that could leak memory contents to system logs.

opensc 0.27.1:

CVE-2025-49010: Fixes a stack buffer overflow that could cause memory corruption.
CVE-2025-66215: Fixes a stack buffer overflow that could cause memory corruption. .
CVE-2025-66038: Addresses an out-of-bounds read that could lead to memory corruption during smart card processing.
CVE-2025-66037: Addresses an out-of-bounds heap read that could lead to denial of service.
CVE-2025-13763: Fixes several uses of potentially uninitialized memory in OpenSC detected by fuzzers.

XZ Utils 5.8.3:

CVE-2026-34743: Fixes a heap buffer overflow in XZ Utils where decoding an empty Index left lzma_index in a state that caused undersized allocation in a subsequent lzma_index_append() call.

389ds 3.1.4+e2562f589:

CVE-2025-14905: Fixes a heap buffer overflow caused by incorrect buffer size calculation that could potentially lead to denial of service or remote code execution.

openexr 3.4.9:

CVE-2026-34589: Fixes a heap out-of-bounds write that could lead to memory corruption.
CVE-2026-34588: Addresses a signed 32-bit overflow leading to out-of-bounds read/write.
CVE-2026-34380: Resolves a signed integer overflow that could allow bounds-check bypass during PXR24 decompression.
CVE-2026-34379: Fixes a misaligned write leading to undefined behavior.
CVE-2026-34378: Addresses a signed integer overflow in generic_unpack() when parsing EXR files with crafted negative dataWindow.min.x values.
CVE-2026-34543: Resolves a heap information disclosure that could cause uninitialized heap memory to leak into output pixel data.
CVE-2026-34544: Fixes a signed integer overflow that could lead to an out-of-bounds write and memory corruption.

evolution-data-server 3.60.0:

CVE-2026-2604: The advisory for this vulnerability indicates it involves an insecure local cache file removal.

SSSD 2.13.0:

CVE-2026-6245: Fixes an out-of-bounds read in the PAM passkey responder.

glib2 2.88.0:

CVE-2026-23868: Fixes a vulnerability caused by a shallow copy that may lead to memory corruption.
CVE-2026-32776: Fixes a NULL pointer dereference when processing empty external parameter entity content.
CVE-2026-32777: Addresses an issue that could result in an infinite loop while parsing DTD content, potentially leading to a denial of service.
CVE-2026-32778: Resolves a NULL pointer dereference following an earlier out-of-memory condition.

sudo:

CVE-2026-35535: Fixes a privilege escalation in sudo where a failed setuid, setgid, or setgroups call during the privilege drop was not treated as a fatal error.

CUPS 2.4.17:

CVE-2026-27447: Fixes a case-sensitivity vulnerability in user/group handling that could allow access bypass.
CVE-2026-34978: Addresses a directory traversal flaw in the RSS notifier.
CVE-2026-34979: Resolves insufficient memory allocation for job options that could lead to buffer issues.
CVE-2026-34980: Fixes incomplete control character filtering in option values.
CVE-2026-34990: Addresses missing certificate validation over loopback connections.
CVE-2026-39314: Resolves a job password range check flaw.
CVE-2026-39316: Fixes a scheduler subscription bug that could be abused to disrupt printing.

mozilla-nss 3.122.1:

This release rolls up more than 30 fixes across the Network Security Services library, including patches for multiple heap use-after-free, integer overflow, and ASN.1 parsing vulnerabilities affecting TLS handling.

ruby4.0 4.0.3:

CVE-2026-41316: Fixes a vulnerability in the ERB component affecting Marshal.load operations with untrusted data.

python-lxml 6.1.0:

CVE-2026-41066: Fixes an external entity injection (XXE) vulnerability in iterparse() that could allow disclosure of local files or server-side request forgery.

libXpm:

CVE-2026-4367: Addresses an out-of-bounds read when parsing crafted XPM image files that could lead to information disclosure or a crash.

dnsmasq:

CVE-2026-6507: Fixes an out-of-bounds write in DHCP BOOTREPLY processing that could be triggered by a malicious DHCP server response.

libpng16 1.6.57:

CVE-2026-34757: Fixes a use-after-free in chunk setters that could lead to memory corruption.

libarchive 3.8.7:

Fixes a heap buffer overflow in CAB archive handling and a buffer overflow in the ISO9660 reader. Both flaws could be triggered by crafted archive files and are relevant given libarchive’s broad use across packaging and extraction tools.

libxml2 2.15.3:

This release rolls up multiple security fixes including a type confusion issue, a double-free, and a use-after-free in the XML parser.

ImageMagick 7.1.2.19:

CVE-2026-33905: Fixes a flaw that could be triggered by crafted images and lead to a crash or memory corruption.

GraphicsMagick:

CVE-2026-33535: Addresses an out-of-bounds write in X11 display interaction that could lead to a crash or potential code execution.
CVE-2026-26284: Fixes a heap overflow that could be triggered while processing crafted images.

leancrypto 1.7.2:

CVE-2026-34610: Fixes an X.509 parsing flaw that could lead to certificate validation bypass.

openldap2 2.6.13:

Addresses a heap buffer overflow in parse_whsp and a potential NULL pointer dereference, both of which could be triggered by malformed input to the LDAP server.

Users are advised to update to the latest versions to mitigate these vulnerabilities.

Conclusion

April 2026 was a busy month for openSUSE Tumbleweed with two of the largest desktop releases of the year landing back to back: GNOME 50 and KDE Gear 26.04.0. GTK4 4.22 introduced the new native GtkSvg renderer and dropped the librsvg dependency for icon rendering, while LibreOffice 26.2 brought a fresh major office suite. Developers received major version bumps across PHP 8.5, SQLite 3.53, iproute2 7.0, nano 9.0, and the iw wireless tool. Security continued to be a heavy theme with WebKitGTK, CUPS, Python, Flatpak, sudo, and OpenEXR all receiving multiple CVE fixes alongside a steady cadence of cryptographic library hardening from mozilla-nss, libgcrypt, and leancrypto.

Slowroll Arrivals

Contributing to openSUSE Tumbleweed

openSUSE Asia Summit 2026 Call for Speakers

admin@opensuse.org (openSUSE Asia Summit Team) — Wed, 29 Apr 2026 17:30:00 +0000

We are excited to announce that the Call for Speakers for openSUSE.Asia Summit 2026 is now open! This year, the Summit will take place on October 3–4, 2026, at the Teaching Industry Learning Center (TILC), Vocational School, Universitas Gadjah Mada (UGM), Yogyakarta, Indonesia. For more details, stay tuned to our official channels and news portal.

The openSUSE.Asia committee invites speakers from all backgrounds to share their knowledge, experience, and passion for openSUSE and open source. Speakers may also apply for support from the openSUSE Travel Support Program (TSP). We encourage everyone, near or far, to submit their proposals and join us in Yogyakarta!

Topics

The examples of the topics (not limited to) are as the following:

openSUSE (e.g., Leap, Tumbleweed, Micro OS, Open Build Services, openQA, YaST)
Desktop environments and applications (e.g., GNOME, KDE, XFCE)
Office suite, graphic art, multimedia (e.g., LibreOffice, Calligra, GIMP, Inkscape)
Multilingualization support (e.g., input methods, translation)
Cloud, Virtualization, Container, and Container Orchestration (e.g., Kubernetes, Rancher)
Package supply-chain security, vulnerability management
Embedded and IoT
Other applications running on openSUSE

Topics that are not related to a specific technology are also welcome. For example:

An overview of FLOSS technologies
Development, Quality Assurance, Translation
Tips & Tricks, Experience stories (success or fail), Best practice
Marketing and community management
Education

Types of sessions

We are inviting proposals for these two types of sessions.

Long talks with presentation (45 min. + Q&A)
Short talks with presentation (30 min. + Q&A)

Lighting talk sessions (5 min.) will be announced later.

Schedule

Proposal submission deadline: 1 July, 2026
Notification to speakers: 21 July, 2026

How to submit your proposal document

Please submit your proposal at events.opensuse.org. If you do not have a SUSE community account, please sign up before submitting your proposal.

You must follow the openSUSE Conference Code of Conduct.
Your proposal should be written in English, between 130 and 250 words, and have a clear, relevant title.
Please check for spelling and grammar before submitting, using tools like LibreOffice, Google Docs, or Grammarly.
See our guide for tips on writing a great proposal.
If you need help, contact committee members in your country or region.

Requirements for your presentation

You may present in English or Bahasa Indonesia, but all documents and slides must be in English.
Speakers must be present at the venue; prerecorded videos and remote presentations are not allowed.

Quantum-Resilient Cryptography in the openSUSE Ecosystem

admin@opensuse.org (Alessandro de Oliveira Faria) — Tue, 28 Apr 2026 04:00:00 +0000

It is with great joy that I officially announce the release in the openSUSE family (Leap and Tumbleweed) of the new package focused on cryptography resistant to the post-quantum era.

The libzupt library is designed to offer encryption and decryption of files and binary data in memory using a hybrid approach based on ML-KEM-768 + X25519.

libzupt is a modern SDK that simplifies the adoption of post-quantum cryptography in real-world applications. Currently, it has initial support for C++, Python, and Java, with support for Node.js (under development). Its goal is to make the implementation of advanced cryptographic mechanisms accessible without compromising usability for developers.

libzupt, created by Alessandro de Oliveira Faria, is a modern SDK that simplifies the adoption of post-quantum cryptography in real-world applications. Currently, it has initial support for C++, Python, and Java, with Node.js support (under development). Its goal is to make the implementation of advanced cryptographic mechanisms accessible without compromising usability for developers.

The project originates from the Zupt initiative, conceived by Cristian Cezar Moisés. As a tribute, the library inherited the name of the original project. Zupt, in turn, is a compression and backup tool that already incorporated advanced concepts such as authenticated AES-256 encryption and post-quantum key encapsulation.

The motivation behind libzupt is directly linked to the evolution of modern cryptography. The ML-KEM algorithm was standardized by NIST on August 13, 2024, as a secure key encapsulation mechanism for post-quantum scenarios. It allows for the secure establishment of keys even in insecure channels, anticipating future threats.

Below is a simple example of using libzupt in Python:

import zupt
encryptor = zupt.Encryptor(keypair.public_key)
message = b"Hello, Post-Quantum World! This is a secret message."
ciphertext, enc_header = encryptor.encrypt(message)

The main benefit of natively providing this library in openSUSE, is that it allows current applications to be prepared for a scenario where quantum computing could compromise classical algorithms, such as Shor’s Algorithm.

By combining traditional cryptography with mechanisms resistant to quantum computing, libzupt adds a strategic layer of protection. This enables the development of more resilient systems, ensuring the confidentiality and integrity of data in the long term, even in the face of technological evolution.

For more information, go to software opensuse or the source.

openSUSE News

TSP Open for Asia Summit

Tumbleweed Monthly Update - May 2026

New Features and Enhancements

Key Package Updates

Security Updates

Conclusion

Slowroll Arrivals

Contributing to openSUSE Tumbleweed

Planet News Roundup

Tumbleweed – Review of the Weeks 2026/21

Managing System Extensions with sysextmgrcli

Managing System Extensions on openSUSE MicroOS with sysextmgrcli

What is sysextmgrcli?

The Architecture: Smart Snapshots

Essential Commands

1. Listing and Checking Images

2. Installing New Extensions

3. Maintenance and Updates

The “Activation” Catch

Available default system extention (sysext) images:

Summary

You need git on your openSUSE MicroOS ?

You do not need ‘git’ anymore on your system ?

Planet News Roundup

Tumbleweed – Review of the Weeks 2026/18 & 19

Planet News Roundup

Summit Draws Landmark Regional Gathering

Tumbleweed Monthly Update - April 2026

New Features and Enhancements

Key Package Updates

Security Updates

Conclusion

Slowroll Arrivals

Contributing to openSUSE Tumbleweed

openSUSE Asia Summit 2026 Call for Speakers

Topics

Types of sessions

Schedule

How to submit your proposal document

Requirements for your presentation

Quantum-Resilient Cryptography in the openSUSE Ecosystem

Managing System Extensions on openSUSE MicroOS with `sysextmgrcli`

What is `sysextmgrcli`?

You need `git` on your openSUSE MicroOS ?