Firefox, Apache, LibreOffice update in Tumbleweed

26. Jan 2023 | Douglas DeMaio | CC-BY-SA-3.0

This week in openSUSE Tumbleweed, the signing key was changed from a 2048-bit RSA key to a 4096-bit RSA key, and four snapshots have been released so far.

The larger key was a security recommendation. It is shipped in /usr/lib/rpm/gnupg/keys, and once imported into the RPM database it can be inspected with rpm -qi followed by the key's package name (rpm -q gpg-pubkey lists the keys that are installed). More information about the change can be found in the Factory mailing list thread.
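On a Tumbleweed system the quick check is the rpm -qi command above, which prints the key's algorithm and size. To show where that "4096-bit" figure actually comes from, here is an added example that is not openSUSE's own tooling: a small parser that reads the ASCII-armored key, walks the RFC 4880 packet framing, and reports the algorithm and the bit length of the first MPI of the primary key (the RSA modulus). The key block used when no file is given is a constructed minimal v4 RSA key, not the real openSUSE key, and the armor CRC24 line is skipped rather than verified.

```python
"""Report the algorithm and key size of an OpenPGP public key.

Added example, not openSUSE's own tooling: it walks the RFC 4880 packet
framing of an armored key and reads the first public-key packet. For RSA the
key size is the bit length of the modulus MPI, which is what "2048-bit" or
"4096-bit" refers to. The armor CRC24 is not verified here.
"""
import base64
import struct
import sys

ALGO_NAMES = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
              17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"


def dearmor(text: str) -> bytes:
    """Strip the ASCII armor (RFC 4880 section 6.2) and return the raw packet bytes."""
    start = text.find(BEGIN)
    end = text.find(END)
    if start < 0 or end < 0:
        raise ValueError("no PGP public key block found")
    body = text[start + len(BEGIN):end].replace("\r\n", "\n")
    # Armor headers (Version:, Comment:) are separated from the data by a blank line.
    if "\n\n" in body:
        body = body.split("\n\n", 1)[1]
    # The final "=XXXX" line is the CRC24 checksum, not key data (not verified here).
    lines = [ln for ln in body.splitlines() if ln and not ln.startswith("=")]
    return base64.b64decode("".join(lines))


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet, handling old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError("invalid packet header byte 0x%02x" % ctb)
        if ctb & 0x40:                      # new-format header
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:                               # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 0:
                length = data[pos]
                pos += 1
            elif ltype == 1:
                length = struct.unpack(">H", data[pos:pos + 2])[0]
                pos += 2
            elif ltype == 2:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:                           # indeterminate: packet runs to end of input
                length = len(data) - pos
        yield tag, data[pos:pos + length]
        pos += length


def parse_public_key(body: bytes):
    """Parse a version-4 public-key packet body (RFC 4880 section 5.5.2)."""
    if body[0] != 4:
        raise ValueError("unsupported key packet version %d" % body[0])
    algo = body[5]                          # bytes 1..4 are the creation time
    # The first MPI is the RSA modulus n (or DSA p); its 2-byte header holds
    # the bit count, which is the key size that "2048-bit" or "4096-bit" names.
    bits = struct.unpack(">H", body[6:8])[0]
    return ALGO_NAMES.get(algo, "algorithm %d" % algo), bits


def key_summary(armored: str):
    """Return (algorithm, bits) of the primary key in an armored key block."""
    for tag, body in iter_packets(dearmor(armored)):
        if tag == 6:                        # tag 6 = public-key packet
            return parse_public_key(body)
    raise ValueError("no public-key packet found")


def build_sample_key(modulus_bits: int, new_format: bool = False) -> str:
    """Constructed sample (not a real openSUSE key): a minimal v4 RSA key, armored."""
    assert modulus_bits % 8 == 0, "sample builder expects a whole number of bytes"
    nbytes = modulus_bits // 8
    modulus = b"\x80" + b"\xff" * (nbytes - 1)       # top bit set, so exactly modulus_bits
    mpi_n = struct.pack(">H", modulus_bits) + modulus
    mpi_e = struct.pack(">H", 17) + b"\x01\x00\x01"  # e = 65537 (17 bits)
    body = b"\x04" + struct.pack(">I", 1674000000) + b"\x01" + mpi_n + mpi_e
    if new_format:
        header = bytes([0xC0 | 6, 255]) + struct.pack(">I", len(body))
    else:
        header = bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(body))  # 0x99
    b64 = base64.b64encode(header + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, "Comment: constructed sample", ""] + lines + ["=AAAA", END, ""])


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("no key file given; using the constructed sample:")
        print(*key_summary(build_sample_key(4096)))
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, *key_summary(fh.read()))
```

Run it with the .asc files from /usr/lib/rpm/gnupg/keys as arguments to see the algorithm and size of each shipped key; the primary key packet is always the first packet in a key block, so the first MPI of the first tag-6 packet is the number the "2048-bit" and "4096-bit" labels refer to.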

The latest snapshot to arrive was 20230124. This snapshot updated apache2 to 2.4.55 and took care of a few Common Vulnerabilities and Exposures. CVE-2022-37436 describes a flaw in which a malicious backend can cause the response headers to be truncated, because they were not cleaned when an error was found while reading them; some headers could then end up in the response body instead of being interpreted by the client. CVE-2006-20001, which could result in a Denial of Service attack, was also fixed. An update of gedit 44.2 fixed a plugin bug and updated translations. The gnome-desktop 43.1 version fixed a thumbnails issue and made the default es-US keyboard more sensible. Meanwhile, glib2 2.74.5 also updated translations, and the package dropped a patch that was fixed upstream. An update of dracut fixed missing entries from version 058 that had been added in the 059+suse update; it also adds execute permissions for chore scripts. An update of sudo 1.9.12p2 fixes compilation errors, a potential crash and CVE-2023-22809, which affected how sudoedit handled user-provided environment variables. The package for atomic updates of Linux operating systems, transactional-update, had some cleanup and small code optimizations in the 4.1.2 version. It also had a fix for internal mounts that could previously overwrite user bind mounts. Portuguese and Macedonian languages were updated in yast2-trans. Text editor vim 9.0.1234 and a few other packages were updated in the snapshot.

A few RubyGems and Python Package Index packages were updated in snapshot 20230123. The rubygem-rack update fixes three CVEs, all related to regular expression denial of service attacks. An update of python-future, which provides the missing compatibility layer between Python 2 and Python 3, moved to version 0.18.3 and added a docker push to optimize continuous integration. The package also dropped its patch for CVE-2022-40899, a flaw that could allow a remote attacker to cause a denial of service via a crafted Set-Cookie header, now that the fix is part of the upstream release. Several other packages were updated in the snapshot, including CoreFreq 1.95.1, CPU monitoring software designed for 64-bit processors; it adds support for AMD and Intel hardware.

A new major version of Mozilla Firefox arrived in snapshot 20230122: Firefox 109.0. The new version enables support for Manifest Version 3 (MV3) of the WebExtensions Application Programming Interface by default, and it brings a user interface change in the form of the new extensions button, which looks like a puzzle piece. The Linux-specific CVE-2023-23598, related to GTK drag and drop, was fixed, and Spanish users got some changes: the browser builds for the es-ES and es-AR locales now come with a built-in dictionary for the Firefox spellchecker. The update of git 2.39.1 took care of a log format issue and an integer overflow in parsing. The update of iptables 1.8.9 supports more chunk types in the Stream Control Transmission Protocol extension; its userspace arptables tool also supports an --exact flag. An update of LibreOffice fixes more than 110 bugs, including tdf#152495, a crash in Writer when dismissing a guide dialog with the Escape key. Another fix addresses paragraph breaks being deleted while moving text in "track changes" mode. Several other packages were updated in the snapshot, such as yast2 4.5.22, xfsprogs 6.1.1, icewm 3.3.0, llvm15 15.0.7 and more.

GNU Compiler Collection 13.0.1 was updated in snapshot 20230119 and added a patch to fix unwinding on AArch64 with pointer signing. The kernel-source 6.1.7 update had fewer than a handful of Advanced Linux Sound Architecture fixes and Direct Rendering Manager optimizations. Line-oriented text editor ed 1.19 changed the long name of option -s to --script; the option -s now only suppresses byte counts. The adwaita-xfce-icon-theme 0.0.3 package was also updated in the snapshot.

