Tools Strace, BusyBox Update in Tumbleweed

21. Jan 2022 | Douglas DeMaio | CC-BY-SA-3.0, (Image by Vitaly Chaykovsky CC BY-SA 4.0)

openSUSE Tumbleweed had a variety of package updates in smaller snapshots throughout this week.

A few things are being prepared for Tumbleweed: Linux Kernel 5.16.1 was scheduled for check-in, and pre-integration tests for GNU Compiler Collection 12 have started; the rolling release anticipates a merge of GCC 12 in mid-Spring.

The latest Tumbleweed snapshot, 20220117, updated Italian translations for libstorage-ng 4.4.75 and added python-rpm-macros for building the package. Haskell support was dropped in the thrift 0.15.0 package, which is a scalable cross-language service framework for Remote Procedure Call and Inter-Process Communication. No changelogs were provided for gstreamer-plugins-rs, the package of plugins written in Rust. The remaining packages in the snapshot were all Python Package Index updates. Among the key PyPI packages to point out is the major version update of python-unicodedata2 14.0.0, which dropped support for End of Life Python 2.7 and 3.5 and added support for Python 3.9, 3.10 and PyPy3. A Tumbleweed arm 20220118 snapshot was released, updating the same package listed above.

Anti-virus toolkit ClamAV 0.103.5 was updated in snapshot 20220116; the package fixed a Common Vulnerabilities and Exposures (CVE) issue involving an invalid pointer read that could cause a crash. The shadow package, which converts UNIX password files to the shadow password format, updated to version 4.11.1. This package fixed CVE-2013-4235, a race condition when copying and removing directory trees. Object-oriented Universal Plug and Play framework gupnp 1.4.3 now properly propagates canceled actions in deprecated calls and fixed deprecated asynchronous calls. PyPI updates in this snapshot were python-python-lzo 1.14, python-tables 3.7.0, and the major version update of python-hiredis 2.0.0, which dropped support for EOL Python versions 2.7, 3.4, and 3.5.

Mozilla Firefox 96.0.1 was updated in the 20220115 snapshot. The web browser made improvements to the parsing of content-length headers. An update of Mesa 21.3.4 fixed some of the glitches with the Rockchip RK3399 processor as well as the Panfrost G52 Firefox glitches on YouTube playback. Several patches were added in the 6.3.20220101 ncurses update, which improved the configuration check for getttynam. openSUSE’s perl-Bootloader 0.937 package now supports secure boot on PowerPC, and autoyast2 4.4.25 now properly merges the autoupgrade workflow when using the online medium. Another package to update in the snapshot was firewalld 1.0.3, which fixed some build features, ipsets and inputs.

The 5.16 strace package had many improvements and a couple of new implementations in the 20220114 snapshot. The package is used to monitor and tamper with interactions between processes and the Linux kernel, which include system calls, signal deliveries, and changes of process states. The updated strace package implemented a --secontext=mismatch option to find mismatches in SELinux contexts and implemented decoding of the futex_waitv syscall introduced in Linux Kernel 5.16. The update of Flatpak 1.12.3 made minor improvements to the search, list and repair commands. Flatpak also fixed a CVE in which a malicious repository could have sent invalid application metadata in a way that hides some of the app permissions displayed during installation. The snapshot was a CVE killer thanks to busybox 1.35.0, which addressed 17 CVEs. One of those, CVE-2016-6301, was a Network Time Protocol server denial of service flaw. BusyBox also added some new features in find, date and cpio. The free implementation of the Remote Desktop Protocol, freerdp 2.5.0, backported OpenSSL 3.0 support and fixes for some Wayland client clipboard issues. Other packages to update in the snapshot were btrfsprogs 5.16, GNOME display manager gdm 41.3, gnome-session 41.3, poppler 22.01.0 and about 15 more packages.

The snapshot to start the week, 20220113, updated only two packages. The update of 389-ds 2.0.11 fixed various User Interface bugs. This enterprise-class package for Open Source LDAP servers fixed many bugs and also fixed the handling of multiple index types in the openldap migration. The second package to update in the snapshot was sqlite3 3.37.1. This C-language library added the .connection command, allowing the CLI to keep multiple database connections open at the same time. The SQL database engine also added the --safe command-line option, which disables dot-commands and SQL statements that might cause side effects extending beyond the single database file named on the command line.

Another arm-specific Tumbleweed snapshot was released this week; the arm 20220116 snapshot updated all the above-listed packages from snapshots 20220113, 20220114, 20220115 and 20220116.
