openSUSE Tumbleweed Monthly Update - March
28. Mar 2024 | Douglas DeMaio | CC-BY-SA-3.0
Welcome to the monthly update for openSUSE Tumbleweed for March 2024. This month provided several anticipated updates for the rolling release.
Before getting into the package updates, know that this blog aims to provide readers an overview of the key changes, improvements and issues addressed in the openSUSE rolling release throughout the month. Readers who want more frequent information about snapshot updates are encouraged to subscribe to the openSUSE Factory mailing list.
Let’s get started.
New Features and Enhancements
- Linux Kernel: Kernel versions for March progressed to 6.8.1. These updates enhance system stability, security and hardware compatibility. Snapshot 20240319, which moved the kernel from 6.7.9 to 6.8.1, did the following:
  - Patches addressed the Register File Data Sampling (RFDS) microarchitectural vulnerability CVE-2023-28746. The patch includes mitigation measures such as exporting to guests in KVM/x86 environments and adds new documentation. There was a patch to disable the KVM mitigation when `X86_FEATURE_CLEAR_CPU_BUF` is set.
  - A notable reversion is the removal of code for the `inode_cache` and `recovery` mount options from Btrfs, following an issue. Other Btrfs fixes include addressing a race condition when detecting Delayed Allocation ranges during fiemap.
  - The updates involve significant configuration changes for arm architectures (armv6hl, armv7hl and arm64). The updates mirror option values across different architectures and include new configurations for hardware support, such as various PINCTRL (Pin Control), GPIO (General-Purpose Input/Output), VIDEO, DRM (Direct Rendering Manager) and SND_SOC (Sound System on Chip) settings.
- Plasma 6: Find the article on news.opensuse.org
- GNOME 46: Find the article on news.opensuse.org
- systemd: From version 254.9 to 255.4, the update provided the following:
  - Specific issues have been either rebased or removed if they have become part of the core version 255 updates. This indicates a significant step towards maintaining consistency with upstream developments while also ensuring the stability and reliability of systemd functionalities within openSUSE.
  - A clear emphasis has been placed on enhancing the testing framework within the systemd package to ensure the reliability of bootloader installation processes during testing phases. Read more info about the systemd-boot integration.
- libzypp 17.32.0:
  - Introduction of a new resolver option `removeOrphaned` for dist-upgrade processes to enhance package management.
  - Fixes applied to `vsftpd.conf` addressing issues where SUSE and Fedora use different defaults.
  - Security Updates: Modification to avoid using the deprecated OPENSSL_config in the Digest section, enhancing security practices.
  - Introduction of a ProblemSolution::skipsPatchesOnly overload to improve patch management processes.
  - Removal of HTTPS->HTTP redirection exceptions for download.opensuse.org, reinforcing security and integrity in download processes.
- zypper 1.14.70:
  - Integration of a new option `--remove-orphaned` to remove all orphaned packages during a system upgrade.
  - Improved user interface indicating active dry-run/download-only options at the commit prompt, enhancing user experience and clarity.
  - Setting of the libzypp shutdown request signal upon `Ctrl+C` to improve responsiveness and control.
- LLVM 18:
  - The patches `llvm-do-not-install-static-libraries.patch` and `llvm-normally-versioned-libllvm.patch` have been rebased to align with the new version, addressing specific distribution and library concerns.
  - Modification to prefer `ld.bfd` over other linkers to achieve a Transparent Huge Pages (THP)-compatible section layout, optimizing memory management and performance.
- shadow: Updates to version 4.15.1
  - Resolved an issue causing unwarranted error messages about unknown login.defs configuration options and implemented checks for file descriptor omission to improve security and reliability.
  - The `shadow-4.15.0-fix-definition.patch` has been updated to address the erroneous error messages regarding configuration options.
  - Improved linking with libdl for better dynamic library handling.
  - Revised the `shadow-login_defs-unused-by-pam.patch` to ensure continued compatibility and effectiveness.
Bug Fixes
- Mozilla Firefox 124.0.1: Had multiple Common Vulnerabilities and Exposures (CVE) fixes. These included CVE-2024-29943, in which an attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination, and the related CVE-2024-29944. There were 12 more CVEs addressed in the update from snapshot 20240326.
- redis 7.2.3: The update provides a fix for CVE-2023-41056 that caused memory issues and security risks.
- python311: CVE-2024-0450 was added to the changelog due to a revert use of automated tool scripts.
- Linux Kernel 6.8.1: CVE-2023-28746 relates to the microarchitectural vulnerability mentioned above.
- Expat 2.6.2: The fix for CVE-2024-28757 prevents attacks that overload the parser with XML entities, especially when using external parsers created in a certain way.
- opensc 0.25.0: Has a fix for CVE-2023-5992, where PKCS#1 encryption padding removal was not implemented in a side-channel-resistant way, and fixes CVE-2024-1454, which requires physical access and a special device related to its AuthentIC driver and happens when setting up new cards.
- libvirt 10.1.0: The update brings a fix for CVE-2024-1441, an off-by-one error that could allow Denial of Service via crafted data that crashes the daemon.
- Unbound 1.19.2: Provides a fix for CVE-2024-1931, which could lead to a Denial of Service from an infinite loop in Extended DNS Error record trimming.
- graphviz: CVE-2023-46045 is an out-of-bounds read via a crafted config6a file; exploitability may be uncommon because this file is typically owned by root. A welcome fix was provided.
- openjpeg2 2.5.2: With CVE-2021-3575, an attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg.
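The RFDS mitigation in the 6.8.1 kernel, mentioned above and in the Bug Fixes entry for CVE-2023-28746, is visible through the kernel's sysfs vulnerability files. The following added example (not from the openSUSE post or the kernel tree) classifies those status strings and checks the `reg_file_data_sampling` entry on a host; it assumes the standard `/sys/devices/system/cpu/vulnerabilities` directory and the status strings the kernel documents for that file.

```shell
#!/bin/sh
# Added example, not code from the openSUSE post or the kernel tree.
# Summarises /sys/devices/system/cpu/vulnerabilities/* after the 6.8.1
# update and checks the reg_file_data_sampling (RFDS) entry in particular.
# VULN_DIR is overridable so the helpers can be exercised against
# constructed files instead of a live host.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status "STATUS": map a kernel status string to one word.
# "Unknown: Dependent on hypervisor status" is what a KVM guest reports
# when the host does not expose the RFDS mitigation state to it.
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        "Unknown:"*)     echo unknown ;;
        *)               echo unrecognised ;;
    esac
}

# rfds_ok: return 0 when RFDS is mitigated or does not apply, 1 otherwise.
# A kernel older than 6.8.1 has no reg_file_data_sampling file at all;
# that is reported as a failed check, not as "fine".
rfds_ok() {
    f="$VULN_DIR/reg_file_data_sampling"
    if [ ! -r "$f" ]; then
        echo "reg_file_data_sampling: not exposed (kernel predates RFDS handling?)"
        return 1
    fi
    status=$(cat "$f")
    echo "reg_file_data_sampling: $status"
    case "$(classify_status "$status")" in
        not-affected|mitigated) return 0 ;;
        *) return 1 ;;
    esac
}

# report_host: one line per sysfs entry, for a quick audit of a live system.
report_host() {
    for f in "$VULN_DIR"/*; do
        [ -r "$f" ] || continue
        status=$(cat "$f")
        printf '%-28s %-13s %s\n' "$(basename "$f")" "$(classify_status "$status")" "$status"
    done
}

if [ -d "$VULN_DIR" ]; then
    report_host
    rfds_ok >/dev/null && echo "RFDS: ok" || echo "RFDS: needs attention"
fi
```

Run it after `zypper dup` to a snapshot carrying kernel 6.8.1 or later; on older kernels the RFDS file is simply absent and the check reports that.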
Conclusion
March 2024 brought numerous updates for openSUSE Tumbleweed systems. Besides Plasma and GNOME desktop environments, there were improvements across systemd, libzypp, LLVM and more. Other significant upgrades during the month included updates to bind, CMake, KDE Gear 24.02.1, Mesa, qemu and more. For those Tumbleweed users that want to contribute, subscribe to the openSUSE Factory mailing list. The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.
Contributing to openSUSE Tumbleweed
Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.
(Image made with DALL-E)