2. Jun 2023

Major QEMU Version Lands in Tumbleweed

The openSUSE Conference did not slow the frequent release of openSUSE Tumbleweed snapshots this week.

Three snapshots have been released since last Friday, when the conference began, and a new major version of QEMU arrived just days after the conference.

This emulator and virtualizer arrived in snapshot 20230530. The update to qemu 8.0 fixed dependencies and improved the spec file; the package added support for Xen guests under KVM with Linux Kernel versions above 5.12. Two newly emulated CPU types were Arm's Cortex-A55 and Cortex-R52. RISC-V also gained support for some extensions in the emulator, and s390x improved device handling and fixed some emulation instructions with the major version package update.

Python Package Index had an update. The 23.1.2 version of python-pip upgraded setuptools to 67.7.2 and added a --keyring-provider flag. An old Common Vulnerability and Exposure was fixed with the python310 3.10.11 update: CVE-2007-4559, which could allow user-assisted remote attackers to overwrite arbitrary files, was fixed, and the language package also fixed a bug that caused a crash when deallocating deeply nested filter objects.

Another package to update in the snapshot was Btrfs 6.3. The file system added a patch, removed some old files and provided some integration with GitHub Actions. A few GNOME packages were updated in the snapshot. Several fixes were made in gnome-software 44.2, such as fixing a bug with listing Flatpak addons when multiple Flathub remotes are enabled. The extensible screen reader Orca updated to version 44.1 and improved performance by checking for duplicate object events. The 44.2 version of gnome-control-center had fixes in GTK template usage that caused crashes on some systems.

The snapshot that arrived the day before was 20230529. This updated the Linux Kernel; with kernel-source 6.3.4, fixes were made in different areas like networking, SCSI, netfilter, bonding, and more. An update of grep 3.11 fixed a pattern matching issue with the -P option. Patterns like [\d] now work again; they were broken in the previous version. Multiple CVEs associated with Chromium were fixed in libqt5-qtwebengine 5.15.14; these included a stack buffer overflow, a heap buffer overflow, an out-of-bounds memory access, and other vulnerabilities that could potentially be exploited by attackers to compromise the system.

An update of gstreamer 1.22.3 fixed a video decoder deadlock with ffmpeg 6 as well as some regressions in the handling of input streams. The pixel encoder babl 0.1.106 has a faster startup by caching balanced RGB to XYZ matrices. Several other packages were updated in the snapshot, including window manager icewm 3.3.5, diffutils 3.10, xfce4-panel 4.18.4 and crypto-policies.

The 20230526 snapshot had eight package updates. ImageMagick was among the packages to update, and it fixed security vulnerability CVE-2023-2157. Mozilla Firefox 113.0.2 fixed a bug causing it to freeze on certain pages with the Developer Tools Web Console open. There was also a bug fixed related to the vertical resizing of the bookmark and history sidebars. Programming language guile updated to version 3.0.9, which introduced a new interface and functionality and refreshed some patches. An update of libreoffice also refreshed some patches and fixed a Microsoft PPTX format issue. Translations for Georgian using Weblate were made in the libstorage-ng 4.5.110 update. Two CVEs were fixed in the snapshot as well; mariadb 10.11.3 took care of CVE-2022-47015, a Denial of Service vulnerability for MariaDB Servers in versions 10.3.34 through 10.9.3, and an updated 4.17.1 version of xen took care of CVE-2022-42336, a security vulnerability on AMD hardware specific to the AMD Family 17h and Hygon Family 18h processors.

