Action: Feed
Also available in Deutsch[link1], Français[link2], Русский[link3]

{{feed
  url="https://...[|https://...|https://...]"
  [title="News feed title|no"]
      "text" - displayed as title
      "no" - means show no title
      empty title - title taken from feed
  [max="x"]
  [time=1]
      1 - show time tag of feed item
      0 - hide time tag of feed item (default)
  [nomark=1]
      1 - makes feed header h3 and feed-items headers h4
      0 - makes it all default
}}
Example
{{feed url="https://news.opensuse.org/feed/" time=1 max=2}}

Feed Title: openSUSE News[link4]
Tumbleweed Monthly Update - April 2025[link5]
The rolling release Tumbleweed continues enhancements in April and brings more usefulness to gamers, developers and others with the delivery of several snapshots.
Among the key highlights this month, Tumbleweed users benefit from a major security boost with OpenSSH 10.0p2, featuring faster, quantum-resistant key exchange and improved session performance. Developers will notice smoother workflows with GDB 16.3’s smarter multithreaded debugging and better tracing tools, while gamers and multimedia users will see enhanced GPU performance and stability thanks to Mesa 25.0.4 and critical fixes in FFmpeg 7.1.1. Audio reliability has improved across more devices with SBC 2.1 and new kernel-firmware-sound 20250408 updates. Meanwhile, major updates to KDE Gear 25.04.0, GTK4 4.18.3, and system packages like iproute2 6.14 and rsyslog 8.2502 bring refinements that enhance daily desktop, server, and development environments. Numerous security vulnerabilities have also been patched across Mozilla Firefox 137.0, PHP 8.4.5, OpenVPN 2.6.14, and Python 3.13.3.
As always, be sure to roll back using snapper if any issues arise.
Happy updating and tumble on!
For more details on the change logs for the month, visit the openSUSE Factory mailing list.
New Features and Enhancements
OpenSSH 10.0p2: This major version brings major security, stability, and performance updates important for all openSUSE Tumbleweed users. It removes support for the outdated DSA algorithm, making SSH connections more secure by default, and introduces faster, quantum-resistant key exchange with mlkem768x25519-sha256. For desktop and server users, SSH sessions are now faster and more efficient thanks to cipher improvements favoring AES-GCM. Developers will benefit from new flexible configuration options, like session-type matching and environment variable expansion. The update also strengthens security by fixing issues with forwarding settings and restructuring the SSH daemon to reduce its attack surface after login. Day-to-day remote access, file transfers, and automation workflows will be more secure, slightly faster, and better prepared for future cryptographic standards.
GDB 16.3: The new major version update improves debugging precision, performance, and integration for developers on openSUSE Tumbleweed. Smarter thread-specific breakpoints reduce overhead when debugging large, multi-threaded applications. Support for watchpoints with tagged pointers, like Intel’s LAM (Linear Address Masking), means better handling of modern CPU features. New tracing options using Intel Processor Trace make it easier to analyze programs at the instruction level. ARM users benefit from improved support for Memory Tagging Extension (MTE) debugging. This release also expands Python scripting APIs and improves Debug Adapter Protocol (DAP) integration, helping GDB fit more seamlessly into modern development tools and workflows. Overall, a solid update for anyone working with complex applications or the latest hardware.
SBC 2.1: Another major update brings important under-the-hood improvements for audio handling. SBC (Subband Codec) is widely used for Bluetooth audio, and this update fixes critical issues when running on non-x86 hardware (like ARM-based devices) and ensures better stability when SSE CPU optimizations are disabled. While casual users won’t notice immediate differences, this makes Bluetooth audio more reliable across more systems, especially useful for newer laptops, desktops, and ARM boards. Developers also benefit from cleaner builds and better cross-platform support.
kernel-firmware-sound 20250408: This update adds new Sound Open Firmware (SOF) support for two MediaTek chips: the MT8195 and MT8188. This means improved audio hardware compatibility and support on newer MediaTek-based devices using these chipsets.
xz 5.8.1: The command line tool and utilities package brings performance improvements and a key security fix. The multithreaded .xz decoder now correctly handles invalid input that led to crashes. A performance bug was also fixed to ensure all threads are used during decompression in certain scenarios. For systems using SSE2, such as x86 with musl libc, decompression can be noticeably faster, up to 15 percent in some cases. This update also improves encoder speed on 64-bit PowerPC and RISC-V processors, and adds low-level Application Programming Interface access for BCJ filters on RISC-V, ARM64, and x86_64. On Linux, xz now uses fsync() to safely sync output files before deleting the input file, with a new --no-sync option if you want to skip that behavior.
rsyslog 8.2502: This maintenance release improves stability, error handling, and support for newer platforms. The update fixes a multithreading issue in the forwarding module (omfwd), improves TLS support by handling OpenSSL and gnutls handshakes more gracefully, and adds a socketBacklog setting to tune TCP listener behavior. Improvements to Kafka logging and SNMP support are included as well. The package now also supports building under the latest C23 standard, which brings the project up to date with modern compiler toolchains.
tigervnc 1.15.0: This package adds several usability improvements for both viewers and servers. You can now use the back and forward mouse buttons in the native viewer, which makes remote desktop navigation smoother. Clipboard redirection has been added to x0vncserver, letting you copy and paste between your local system and the remote desktop. The native viewer now remembers your username and password on reconnect, saving time during repeated sessions. Both the native and Java viewers can display a standard arrow cursor when the server cursor is hidden, making it easier to see where your pointer is. Finally, vncpasswd can now check password strength using pwquality, enhancing security.
ffmpeg 7.1.1: Audio decoding is now more robust, with protections against overflows in WAV file parsing and better handling of invalid DVD video packets. Timecode calculation has been improved to avoid FPS-related overflows. The MJPEG decoder now disallows unsupported progressive Bayer images, and audio packets in fragmented MP4 (mov) files are no longer incorrectly marked as keyframes. OpenVINO support has been disabled to simplify dependencies for openSUSE Factory.
harfbuzz 11.0.1 and 11.1.0: This first minor version of version 11 restores compatibility by reverting a recent change to trak tracking behavior, now applied during shaping instead of directly. It improves shaping performance, refines glyph rendering (like rounding extents and emboldening at the font layer), and adds experimental access to raw CFF/CFF2 CharStrings. The CLI tools now return meaningful error codes and come with optional manpages. The 11.1.0 version improves font subsetting by including bidirectional (bidi) mirroring variants by default, which helps ensure better rendering of right-to-left scripts. A new flag allows disabling this if needed. The release also includes general bug fixes, build improvements, and enhancements to the test suite.
cups 2.4.12: This release now honors system-wide cryptographic policies with GnuTLS and adds an option (NoSystem) to opt out. Users will see clearer alerts when secure IPP printing (IPPS) encounters certificate issues, and the scheduler now logs detailed debug history if a backend fails. Bug fixes address potential job loss during install failures, improved PPD option parsing, and better IPP keyword validation.
Key Package Updates
kernel-source 6.14.4 and 6.14.3: The 6.14.4 version was a small maintenance update for the Linux Kernel that fixes several memory leaks, improves Wi-Fi and Bluetooth stability, and resolves issues with SCSI, RAID and sound drivers. Networking reliability is enhanced, especially for IPv6 and Open vSwitch users. This release also brings a few targeted fixes for Intel IGC networking, block device handling, and hardware-specific improvements for devices like Rockchip CAN and AMD graphics. The 6.14.3 update provided Bluetooth reliability improvements for some Qualcomm devices, while fixes in graphics drivers like Intel and VirtIO solve flickering and memory leaks. Networking sees more robust handling in drivers like ethtool and TLS, which benefits server admins and gaming setups relying on low-latency connections. Developers and advanced users benefit from better tracing tools and memory management fixes, reducing the chance of subtle bugs during debugging.
systemd 257.5: This maintenance release updates documentation and test behavior. It fixes the location references for pstore.conf and coredump.conf templates, which is important for admins managing system crashes or dumps. It also adjusts network tests by using a copy instead of a symlink for default network configuration.
libxmlb 0.3.22: This release improves file integrity checks and XML export reliability. It adds safeguards to detect file truncation and malformed string tables, preventing potential crashes or data corruption when working with .xmlb binary XML files. For developers, exporting XML with the COLLAPSE_EMPTY feature is now supported and more robust, especially when dealing with empty elements or silos. These improvements help ensure tools using libxmlb (like GNOME Software) handle XML metadata more reliably.
GTK4 4.18.3: This update improves text editing by fixing margins, double-click selections, and dead key handling. The update resolves a regression where input methods showed incorrect positions when line numbers were enabled. It also improves menu behavior on mobile by preventing text overflow and ensures window resizing always works. Accessibility stability is improved by fixing errors related to accessibility relations. The column view and listbox widgets now handle measurements and selections more reliably. The GTK Inspector now remembers some user interface states between sessions. Several internal fixes reduce warnings and improve memory management when running on Wayland. The release also includes documentation updates and refreshed translations.
Mesa 25.0.4: This bugfix update improves performance and stability across several GPUs and games. AMD users with GFX8/Polaris cards will see better performance in titles like Elden Ring, and GPU hangs in The Last of Us Part I on RDNA3 (gfx1201) have been resolved. Vulkan 1.4 support continues, bringing smoother rendering and compatibility improvements for modern games. Fixes also address visual glitches in Satisfactory, rendering errors on Intel Battlemage (BMG), and memory leaks in Vulkan swapchain handling.
KDE Gear 25.04.0: This release brings refined accessibility, right-to-left language support, safer file operations, digital signing with Okular, and better performance in creative tools like KWave and Kdenlive. It also includes enhancements for social media apps like Mastodon client Tokodon, with support for scheduled posts and content filters, and introduces useful new features in travel, productivity, and system tools.
curl 8.13.0: This version now supports TLS 1.3 early data with OpenSSL/quictls, adds ECH support with DoH in rustls, and introduces --upload-flags for IMAP uploads. You can also load URLs from a file and access new write-out variables like tls_earlydata. Numerous bug fixes improve HTTP/2 handling, OpenSSL compatibility, and SSH file transfers.
fwupd 2.0.8: This super-thin layer library on the DBus interface adds support for updating the UEFI Signature Database and KEK via two new plugins and now reports the updated UEFI db as part of the device’s HSI attributes. The update improves compatibility with UEFI systems and fixes bugs related to EFI paths, Redfish detection on non-Supermicro systems, and JSON mode behavior. It also ensures safer firmware updates on UEFI-capable architectures and enhances support for certain device protocols.
iproute2 6.14: This version adds new functionality for advanced networking setups, including support for IPv6 flow labels in ip route and ip rule, monitoring for multicast addresses via ip monitor maddress, and improved readability in ss by showing Multipath Transmission Control Protocol subflow sequence counters in decimal format.
selinux-policy 20250410: This update provides a fix to allow logging into Podman containers from a terminal (TTY), which resolved issues some users faced with interactive sessions. It also introduces a test for RPM builds in the CI pipeline. A workaround has been included to address persistent issues with semodule removal, pending a more permanent fix (PED-12491).
python313 3.13.3: This update bundles libraries like libexpat for improved security, fixes multiple bugs affecting subprocess handling, sockets, and gzip files, and corrects crashes and resource leaks in rare cases. Important security improvements include safer email header handling and better tempfile behavior.
Bug Fixes and Security Updates
Several key security vulnerabilities were addressed this month. Common Vulnerabilities and Exposures this month are:
Security Updates
Mozilla Firefox 137.0:
- CVE-2025-3028: Use-after-free triggered by XSLTProcessor.
- CVE-2025-3029: URL bar spoofing via non-BMP Unicode characters.
- CVE-2025-3030: Memory safety bugs (various components).
- CVE-2025-3031: JIT optimization bug with different stack slot sizes.
- CVE-2025-3032: Leaking file descriptors from the fork server.
- CVE-2025-3033: Opening local .url files could lead to another file being opened.
- CVE-2025-3034: More memory safety bugs.
- CVE-2025-3035: Tab title disclosure via AI chatbot.
php 8.4.5:
- CVE-2024-11235: Use-after-free in php_request_shutdown.
- CVE-2025-1217: Stream wrapper does not handle folded headers properly.
- CVE-2025-1219: libxml2 content-type misbehavior during redirects.
- CVE-2025-1734: HTTP wrapper allows headers without colons.
- CVE-2025-1736: HTTP wrapper may omit basic auth headers.
- CVE-2025-1861: Redirect location truncated to 1024 bytes.
openvpn 2.6.14:
- CVE-2024-28882: Authenticated client could force server to keep session alive.
- CVE-2024-5594: DoS via control channel with malformed data.
- CVE-2025-2704: --tls-crypt-v2 misuse leading to assertion failures.
ffmpeg 7.1.1:
- CVE-2025-1816: Missing constraints for audio element parameter count.
- CVE-2025-22919: Fixed reachable assertion in FFmpeg that could cause DoS via crafted AAC files.
- CVE-2025-0518: Fixed unchecked return value and out-of-bounds read in FFmpeg’s af_pan.c, preventing data leaks.
poppler 25.04.0:
- CVE-2025-32364: Fixed a floating-point exception in Poppler’s PSStack::roll function triggered by malformed input.
- CVE-2025-32365: Fixed out-of-bounds read in Poppler’s JBIG2Bitmap::combine function due to misplaced isOk check.
c-ares 1.34.5:
- CVE-2025-31498: Fixed a use-after-free in c-ares read_answers() caused by premature connection closure handling.
- CVE-2025-2173: Buffer overflow in DumpScreen2RGB function.
mozjs128 128.8.1:
- CVE-2025-2857: Sandbox escape via IPC handle mismanagement on Windows.
- CVE-2024-43097: Out-of-bounds write in SkRegion due to integer overflow.
- CVE-2025-1930: Use-after-free in AudioIPC allowing sandbox escape on Windows.
- CVE-2025-1931: Use-after-free in WebTransport connection handling.
- CVE-2025-1932: Out-of-bounds access in xslt/txNodeSorter due to inconsistent comparator.
- CVE-2025-1933: WASM i32 return values may pick up bits from leftover memory on 64-bit CPUs.
- CVE-2025-1934: Fixed a RegExp bailout flaw in Firefox that allowed unexpected JavaScript execution and GC triggering.
- CVE-2025-1935: Fixed an issue where websites could trick users into setting them as default URL protocol handlers.
- CVE-2025-1936: jar: URL handling flaw could allow code hiding in web extensions.
xz 5.8.1:
- CVE-2025-31115: Heap use-after-free and null pointer dereference in multithreaded .xz decoder.
python-h11 0.16.0:
- CVE-2025-43859: Fixed lenient line terminator parsing in h11, preventing potential HTTP request smuggling.
- CVE-2025-2588: Null pointer dereference in Augeas re_case_expand, potentially leading to crashes.
java-21-openjdk 21.0.7.0:
- CVE-2025-21587: Fixed a JSSE flaw in Java SE allowing remote data access/modification via crafted protocol input.
- CVE-2025-30691: Fixed a Java SE compiler flaw that allowed limited remote access to application data.
- CVE-2025-30698: Fixed a flaw in Java SE 2D allowing remote attackers to access or modify limited data or cause partial DoS.
libraw 0.21.4:
- CVE-2025-43964: Fixed missing minimum checks for w0 and w1 in LibRaw’s tag 0x412 processing.
- CVE-2025-43962: Fixed out-of-bounds read in LibRaw’s phase_one_correct due to improper handling of tag 0x412 values.
- CVE-2025-43961: Fixed out-of-bounds read in LibRaw’s Fujifilm tag parser in metadata/tiff.cpp.
- CVE-2025-43963: Fixed out-of-bounds access in LibRaw’s phase_one_correct due to unchecked image split values.
- CVE-2025-0938: Fixed improper parsing in Python’s urllib.parse that accepted invalid square-bracketed domains.
- CVE-2025-2784: Fixed potential HTTP/2 request queue issue leading to unexpected behavior or resource exhaustion.
- CVE-2025-32050: Addressed a flaw where incorrect HTTP/2 stream reset handling could cause crashes.
- CVE-2025-32052: Fixed improper HTTP trailer processing that could cause request handling errors.
- CVE-2025-32053: Resolved an issue with trailer field names incorrectly accepting invalid characters.
- CVE-2025-32415: Fixed a heap buffer overflow in xmlSchemaIDCFillNodeTables during XML Schema validation.
- CVE-2025-32414: Limited Python bindings’ XML reading to prevent buffer overreads when parsing data.
Users are advised to update to the latest versions to mitigate these vulnerabilities.
Conclusion
April 2025 continued to show why Tumbleweed is a benchmark for modern Linux distributions. This month brought major security advancements with OpenSSH 10 and deeper hardware compatibility through new kernel firmware and Mesa updates. It also brought smarter developer tools with GDB 16.3 and KDE Gear 25.04. April’s snapshots delivered faster, quantum-resistant SSH sessions, improved Bluetooth audio reliability, and boosted game performance, making Tumbleweed even more capable across desktops, servers, and ARM-based systems.
Slowroll Arrivals
Please note that these updates also apply to Slowroll and arrive on average 5 to 10 days after being released in a Tumbleweed snapshot. This monthly approach has been consistent for many months, ensuring stability and timely enhancements for users. Updated packages for Slowroll are regularly published in emails on the openSUSE Factory mailing list (https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/).
Contributing to openSUSE Tumbleweed
Stay updated with the latest snapshots by subscribing to the openSUSE Factory mailing list. For those Tumbleweed users who want to contribute or want to engage with detailed technological discussions, subscribe to the openSUSE Factory mailing list. The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.
Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.

{{feed url="https://www.flickr.com/services/feeds/groups_pool.gne?id=82323459@N00&lang=de-de&format=atom" max=1 time=1}}

Feed Title: Pool von Japan Through the Eyes of Others[link6]
京都、2025年春. Kyoto, spring 2025[link7]
arbuloj hat dem Pool ein Foto hinzugefügt:

- [link1] https://wackowiki.org/doc/Doc/Deutsch/Aktionen/Feed
- [link2] https://wackowiki.org/doc/Doc/Français/Fonctions/Feed
- [link3] https://wackowiki.org/doc/Doc/Русский/Действия/Feed
- [link4] https://news.opensuse.org/
- [link5] https://news.opensuse.org/2025/05/02/tw-monthly-update-april/
- [link6] https://www.flickr.com/groups/japaneyes/pool/
- [link7] https://www.flickr.com/photos/128567095@N07/54507008541/in/pool-82323459@N00