Action: Feed


{{feed
	url="https://...[|https://...|https://...]"
	[title="News feed title|no"]
		"text" - displayed as title
		"no" - means show no title
		empty title - title taken from feed
	[max="x"]
	[time=1]
		1 - show time tag of feed item
		0 - hide time tag of feed item (default)
	[nomark=1]
		1 - makes feed header h3 and feed-items headers h4
		0 - makes it all default
}}	

Example

{{feed url="https://news.opensuse.org/feed/" time=1 max=2}}


XML

Feed Title: openSUSE News


Tumbleweed Monthly Update - June 2026

Contributors to openSUSE had a great time at the openSUSE Conference in June. Even as many of them gathered in Nuremberg to discuss how to drive development of the rolling release forward, software package updates for openSUSE Tumbleweed kept rolling out.

June brought major version bumps across the stack with Samba jumping to 4.24.3 carrying seven Common Vulnerabilities and Exposures fixes, MariaDB advancing from 11.8 to 12.3.2, and Flatpak reaching 1.18.0.

KDE Gear 26.04.2 landed as the second bugfix release of the series, and GStreamer progressed to 1.28.4 with security and playback fixes. OpenSSL received a massive security update and both WebKitGTK and the Linux kernel received extensive rounds of vulnerability fixes.

The second half of June was headlined by KDE Plasma 6.7.0 and KDE Frameworks 6.27.0. NetworkManager advanced to 1.56.1 and python-cryptography reached 49.0.0 with post-quantum ML-DSA signing support. FreeRDP 3.27.1 raised the minimum TLS version to 1.2 while addressing multiple CVEs. VirtualBox 7.2.10 added Linux kernel 7.1 support and Wayland clipboard sharing.

As always, be sure to roll back using snapper if any issues arise.

For more details on the change logs for the month, visit the openSUSE Factory mailing list.

New Features and Enhancements

Samba 4.24.3: A major version bump from the 4.23 series brings a major security refresh with several CVE fixes. Notable changes include a fix for unauthenticated remote code execution in the AD DC, SAMR remote code execution, and group policy certificate enrollment without validation.

Flatpak 1.18.0: This major update improves error handling and printed output of flatpak-coredumpctl, adds support for the AMD vendor-specific compute interface (/dev/kfd) via DRI device permissions, and improves startup time for fish shell integration. Ignoring system bus failures in parental controls check and replacing deprecated GTimeVal with g_get_real_time() round out the release.

GPGME 2.1.0: This update introduces new flags is_de_vs and beta_compliance for encryption results, a new decryption flag GPGME_DECRYPT_SESSION_HASH, and support for setting CMS signature attributes via gpgme_sig_notation_add. A new context flag export-filter is also added. Several locking and passphrase handling fixes are included, along with the companion gpgmepp 2.1.0 and qgpgme 2.1.0 updates.

MariaDB 12.3.2: A major version jump from 11.8.8 brings the database server to the 12.3 series. This release carries multiple security fixes alongside a changelog of improvements documented in the upstream release notes.

KDE Gear 26.04.2: Dolphin fixes a dangling pointer access in SettingsDataSource and a swapActiveView crash. Kate corrects working directory handling when invoking git and fixes urlinfo for relative files. Konsole fixes a copy command causing unwanted scroll-to-bottom. Kitinerary adds extractors for BDŽ (Bulgarian State Railways) PDF tickets and Condor PKPass. KOrganizer fixes recurring event start-end time display and Kleopatra now requires GpgME 1.24.2 (GpgME was updated to version 2.1.0 in Tumbleweed at the beginning of the month).

GStreamer 1.28.4: The rtspsrc2 element receives major feature expansion with support for SRTP, authentication, HTTP tunnelling, keep-alive, TLS validation, and latency configuration. Wavpack audio receives channel and channel-mask related fixes. Debug logging performance is improved, and memory leaks across caps allocation, buffer pools, and the GL upload path are resolved. The d3d12decoder gets a fix for Qualcomm GPUs on ARM64 Windows.

GraphicsMagick 1.3.47: DPX subsampling validation is corrected to avoid divide-by-zero. The JNG writer properly handles NULL returns from ImageToBlob(), and the MNG writer enforces a 256-color palette limit. The PS/PS2/PS3 coders enforce dimension limits to prevent Ghostscript-based denial-of-service. SVG gains validations for element id syntax and rejects attribute values with single quotes. The XCF reader reports errors for layerless images and fixes two unsigned integer overflow cases.

fwupd 2.1.4 & 2.1.5: The firmware update daemon received two updates during June. Version 2.1.4 adds support for Compal BIOS version format, NixOS quickstart, encrypted swap detection below device-mapper, and removes the flashrom plugin. Dozens of bounds checks and validation fixes are included across Dell dock, Novatek, Goodix MoC, Synaptics RMI, CCGX DMC, and other device updaters. The 2.1.5 follow-up fixes a msgpack regression for Huddly cameras, adds Elan touchscreen support, and expands the netlink socket buffer to prevent packet loss during event floods.

SDL3 3.4.10: This update adds depth texture array support in the GPU API, GameInput v3 controller sensor support, rumble support for the new Steam Controller, and GameCube rumble support when the adapter is in PC mode. Several new controllers are supported including the GameSir Super Nova and PDP Afterglow Wave Wireless. The X11 Synchronization Extension is disabled by default and can be re-enabled via SDL_HINT_VIDEO_X11_ENABLE_XSYNC_EXT.

Key Package Updates

Linux kernel 7.0.11 & 7.0.12: The kernel received two updates during June with a heavy security focus. Version 7.0.11 carried an extensive set of CVE fixes spanning BPF (end-of-list detection in cgroup storage, negative CO-RE accessor indices), netfilter (divide-by-zero in nfnetlink_osf, IEEE1394 ARP payload handling, arp_tables), ALSA USB audio UAC2 rate parsing, and more. Version 7.0.12 added fixes for NFC LLCP use-after-free, xfrm underflow, netfilter ebtables OOB read, nf_tables dst corruption, tun/tap XDP page handling, ethtool RSS context handling, ALSA HDA cs35l56 and OSS setup UAF, and HSR OOB access in supervision frame handling.

WebKitGTK 2.52.4: A security-focused update fixing 16 CVEs in the web rendering engine. The release adds support for half-width fonts, improves content filter compilation, improves handling of out-of-disk-space conditions in the NetworkProcess cache, fixes scrollbar painting during width changes, fixes playback of certain YouTube videos with low frame rates, and addresses several crashes and rendering issues.

ImageMagick 7.1.2.25: A security-focused update rejecting malformed HDR, PGX, RLA, FITS, SGI, and DDS files with invalid dimensions. Polynomial distortion argument count validation is added, and an out-of-bounds read of GPS rationals in GetEXIFProperty is fixed.

Mesa 26.1.2: The update resolves graphical corruption on older Intel integrated GPUs (e.g., i5-2400) introduced in 26.1.0 and fixes a crash in ANV’s ASTC texture handling on Xe3 when floating-point exceptions are enabled. Vulkan drivers see important corrections: RADV adds workarounds for Forza Horizon 6 and Crimson Desert, ANV restores Android external format compatibility in debug builds, and PanVK/Turnip improve memory reporting and depth state handling. More details are available in the Mesa 26.1.2 release notes.

mutter 50.2: Fixes size increases when quickly unmaximizing windows by drag, cursor position hint for Xwayland with scaling, fullscreening of edge-tiled windows, tablet tool cursor hotspot scaling, alt-tab with sloppy/mouse focus, and broken switch-monitor mapping on stylus buttons. Support for version 2 of the text_input_v3 protocol is implemented, and DND with tablets now works across surfaces.

flatpak 1.18.0: This update adds support for the AMD compute interface (/dev/kfd) via the DRI device permission, enabling GPU compute access for Flatpak applications on AMD hardware. The output of flatpak update is improved with clearer failure causes, and flatpak-coredumpctl gains better error handling. Fish shell integration startup time is improved. Bug fixes include ignoring system bus failures in parental controls checks and replacing deprecated GTimeVal usage.

cups-filters: The cups-browsed service is now provided as a separate sub-package, allowing users to uninstall it to avoid the security risk of automatic print queue creation from any DNS-SD announcement on the local network.

libzypp 17.38.13: Two security fixes in the package management library. A path= entry in .repo files must not refer to a location outside the repo (CVE-2026-44942), and repo keyhint must denote a filename not a path (CVE-2026-44941).
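
A lint for the two rules described above, as an added example that is not libzypp's own code. It assumes path= is resolved relative to the baseurl path; the repo aliases, URLs and key file names are constructed sample values.

```python
import configparser
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed sample .repo content; aliases and URLs are made up for this example.
SAMPLE_REPO = """\
[oss]
baseurl=https://mirror.example.org/tumbleweed/repo/oss
path=/

[addon]
baseurl=https://mirror.example.org/media
path=/products/addon

[escape]
baseurl=https://mirror.example.org/media/inner
path=../../other
"""


def path_escapes_base(baseurl, path):
    """Return True if path=, resolved under the base URL's path, leaves it."""
    base = posixpath.normpath("/" + urlsplit(baseurl).path.strip("/"))
    # Decode %2e%2e first, then treat path= as relative to the base directory.
    rel = unquote(path).lstrip("/")
    joined = posixpath.normpath(posixpath.join(base, rel))
    # Compare on a directory boundary so /media/inner2 does not pass as /media/inner.
    return not (joined == base or joined.startswith(base.rstrip("/") + "/"))


def is_plain_filename(name):
    """Return True if name is a bare file name with no directory component."""
    return bool(name) and "/" not in name and "\\" not in name and name not in (".", "..")


def lint_repo_text(text):
    """Return one finding per repo section whose path= leaves its baseurl."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for alias in parser.sections():
        section = parser[alias]
        path = section.get("path", "/")
        if path_escapes_base(section.get("baseurl", ""), path):
            findings.append(f"{alias}: path={path} leaves the repository base")
    return findings


if __name__ == "__main__":
    for finding in lint_repo_text(SAMPLE_REPO):
        print(finding)
    # Constructed key hints: the first is a bare file name, the second is a path.
    for hint in ("gpg-pubkey-example.asc", "../keys/gpg-pubkey-example.asc"):
        print(hint, "ok" if is_plain_filename(hint) else "rejected: not a plain file name")
```
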

wicked 0.6.79: Fixes an indirect remote shell command injection via unsanitized DHCP strings and leaseinfo dump (CVE-2026-44932). Single-quote escaping is added to leaseinfo dump output, and posix-tz-dbname processing now permits only valid characters per RFC 4833.

Security Updates

OpenSSL 3:

  • CVE-2026-45447: Fixes a heap use-after-free in PKCS7_verify() that could lead to memory corruption.

  • CVE-2026-45446: Addresses incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes.

  • CVE-2026-42770: Resolves FFC-DH peer validation using attacker-supplied q, potentially weakening key exchange.

  • CVE-2026-45445: Fixes AES-OCB IV being ignored on the EVP_Cipher() path.

  • CVE-2026-42767: Addresses a NULL pointer dereference in CRMF EncryptedValue decryption.

  • CVE-2026-42768: Resolves a multi-recipient Bleichenbacher oracle in CMS_decrypt() and PKCS7_decrypt().

  • CVE-2026-42769: Fixes trust-anchor substitution via cert/issuer typo in CMP rootCaKeyUpdate.

  • CVE-2026-42766: Addresses a possible NULL dereference in password-based CMS decryption.

  • CVE-2026-34183: Resolves unbounded memory growth in the QUIC PATH_CHALLENGE handler.

  • CVE-2026-42764: Fixes a NULL pointer dereference in QUIC server initial packet handling.

  • CVE-2026-34182: Addresses CMS AuthEnvelopedData processing that could accept forged messages.

  • CVE-2026-9076: Fixes an out-of-bounds read in CMS password-based decryption.

  • CVE-2026-7383: Resolves a possible heap buffer overflow in ASN.1 multibyte string conversion.

  • CVE-2026-34180: Addresses a heap buffer over-read in ASN.1 content parsing.

Linux kernel 7.0.11:

WebKitGTK 2.52.4:

  • CVE-2026-28847: Fixes a WebKit memory handling issue that could cause an unexpected crash.

  • CVE-2026-28883: Addresses a flaw where processing malicious web content could lead to memory corruption.

  • CVE-2026-28901: Resolves a WebKit vulnerability where processing malicious web content could lead to an unexpected crash.

  • CVE-2026-28902: Fixes a WebKit issue where processing malicious web content could lead to memory corruption.

  • CVE-2026-28903: Addresses a flaw where visiting a malicious website could lead to unexpected behavior.

  • CVE-2026-28904: Resolves a WebKit memory corruption issue when processing malicious web content.

  • CVE-2026-28905: Fixes a logic issue where a malicious website could access restricted resources.

  • CVE-2026-28907: Addresses a WebKit vulnerability that could cause an unexpected crash.

  • CVE-2026-28942: Resolves a cross-origin issue in WebKit’s Navigation API.

  • CVE-2026-28946: Fixes a WebKit memory handling issue that could lead to an unexpected process crash.

  • CVE-2026-28947: Addresses a WebKit flaw where processing malicious web content could bypass the Same Origin Policy.

  • CVE-2026-28953: Resolves a logic issue where a malicious website could access script message handlers intended for other origins.

  • CVE-2026-28955: Fixes a WebKit memory handling issue that could cause an unexpected process crash.

  • CVE-2026-28958: Addresses an authorization flaw where a maliciously crafted webpage could fingerprint the user.

  • CVE-2026-43658: Resolves a WebKit sandbox issue where restricted content could be processed outside the sandbox.

  • CVE-2026-43660: Fixes a logic flaw where visiting a malicious website could lead to a cross-site scripting attack.

Samba 4.24.3:

  • CVE-2026-4480: Fixes unauthenticated remote code execution in the AD DC.

  • CVE-2026-4408: Addresses remote code execution in the SAMR protocol.

  • CVE-2026-3238: Resolves an unauthenticated UDP packet crash in the AD DC NBT server.

  • CVE-2026-3012: Fixes group policy certificate enrollment using HTTP without validation.

  • CVE-2026-1933: Addresses a missing access check on reparse point operations.

  • CVE-2026-2340: Resolves vfs_worm not blocking directory modification.

  • CVE-2026-40170: Addresses a third-party ngtcp2 update requirement.

OpenEXR 3.4.12:

  • CVE-2026-45696: Fixes a heap-buffer-overflow READ via codestream/channel width mismatch in HTJ2K decode.

  • CVE-2026-44663: Addresses an integer overflow in the HTJ2K decoder leading to heap-buffer-overflow.

GraphicsMagick 1.3.47:

  • CVE-2026-25799: Fixes YUV sampling-factor argument validation to prevent potential security issues.

  • CVE-2026-26284: Fixes a security vulnerability in GraphicsMagick image processing.

  • CVE-2026-28690: Enforces a 256-color palette limit in the MNG writer to prevent excessive memory usage.

  • CVE-2026-30883: Fixes detection and reporting of excessively large profiles in the PNG writer.

  • CVE-2026-33535: Addresses a static buffer overflow in MagickXImageWindowCommand when a numeric key is held depressed.

  • CVE-2026-42050: Fixes an off-by-one error in GraphicsMagick.

MariaDB 11.8.8:

python-tornado6 6.5.7:

  • CVE-2026-49853: Fixes credentials and cookies not being stripped when following redirects to a different origin.

  • CVE-2026-49855: Addresses a denial-of-service via large compressed responses bypassing max_body_size.

  • CVE-2026-49854: Resolves an out-of-bounds read of up to three bytes past an input array in the C extension.

7-Zip 26.01:

  • CVE-2026-48095: Fixes a heap buffer write overflow that could be triggered by crafted archives.

sshfs 3.7.6:

  • CVE-2026-47187: Fixes a symlink escape vulnerability where a rogue SFTP server could read or write local files.

  • CVE-2026-48711: Addresses an argument injection vulnerability in SSH command handling.

php8 8.5.7:

  • CVE-2026-44927: Fixes pointer difference truncation to int in uriparser that could lead to incorrect URI handling.

  • CVE-2026-44928: Addresses a flaw where the EqualsUri function could misclassify two unequal URIs as equal.

libzypp 17.38.13:

  • CVE-2026-44942: Fixes a path= entry in .repo files that could refer to locations outside the repository base.

  • CVE-2026-44941: Addresses a repo keyhint entry that could specify a path instead of a filename.

wicked 0.6.79:

  • CVE-2026-44932: Fixes an indirect remote shell command injection via unsanitized DHCP strings and leaseinfo dump.

perl-Cpanel-JSON-XS 4.41:

  • CVE-2026-9516: Fixes a BOM-shift PV-corruption that could cause a SIGABRT.

  • CVE-2026-9334: Addresses a type confusion in dupkeys_as_arrayref handling.

openssh:

  • CVE-2026-3497: Fixes a possible information disclosure or denial of service due to uninitialized variables in GSSAPI key exchange patches.

python-pip 26.1.2:

  • CVE-2026-8643: Fixes console_scripts and gui_scripts entry points whose name would install a script outside the scripts directory.

OpenSC:

  • CVE-2026-10275: Fixes a global buffer overflow during key pair generation tests due to missing input validation.

python-M2Crypto 0.48.0:

  • CVE-2026-0672: Fixes authcookie handling of CookieError from Python 3.13.12+ to prevent potential security issues.

freeipmi 1.6.18:

  • CVE-2026-50031: Fixes potential stack corruption in Dell and Fujitsu IPMI OEM commands and a potential buffer overflow in Fujitsu SEL entry handling.

graphite2 1.3.15:

  • CVE-2026-50593: Fixes a security vulnerability in the graphite font shaping library.

ldns 1.9.2:

  • CVE-2026-10846: Fixes insufficient verification that DNS responses belong to a query, enabling potential cache poisoning.

glib-networking:

  • CVE-2026-10028: Fixes a cycle detection issue when setting the issuer property in the TLS certificate chain.

perl-GD 2.86:

  • CVE-2026-11526: Fixes a command injection via 2-arg open() in _make_filehandle.

perl-HTML-Parser 3.85:

  • CVE-2026-8829: Fixes a heap-use-after-free in _decode_entities.

djvulibre 3.5.30:

  • CVE-2021-46312: Fixes a security vulnerability in DjVu file processing.

rav1e:

  • CVE-2025-58160: Fixes a security vulnerability in Rust AV1 encoder dependencies.

Users are advised to update to the latest versions to mitigate these vulnerabilities.

Conclusion

June came with some heavy security hardening across openSUSE Tumbleweed. Samba jumped to the 4.24 series with many CVE fixes, MariaDB advanced to 12.3.2, and Flatpak reached 1.18.0. OpenSSL received an extensive security refresh, while WebKitGTK and the Linux kernel each received large rounds of vulnerability fixes. KDE Gear 26.04.2 continued the steady cadence of KDE application refinements, GStreamer 1.28.4 delivered major RTSP infrastructure improvements, and GraphicsMagick 1.3.47 rolled up years of accumulated upstream security patches. The openSUSE Conference in Nuremberg provided the community backdrop for planning the next phase of the rolling release.

Slowroll Arrivals

Please note that these updates also apply to Slowroll and arrive, on average, 5 to 10 days after being released in a Tumbleweed snapshot. This monthly approach has been consistent for many months, ensuring stability and timely enhancements for users. Updated packages for Slowroll are regularly published in emails on the openSUSE Factory mailing list.

Contributing to openSUSE Tumbleweed

Stay updated with the latest snapshots by subscribing to the openSUSE Factory mailing list. Tumbleweed users who want to contribute or engage in detailed technical discussions can subscribe to the openSUSE Factory mailing list. The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.

Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.


{{feed url="https://www.flickr.com/services/feeds/groups_pool.gne?id=82323459@N00&lang=de-de&format=atom" max=1 time=1}}


XML

Feed Title: Pool von Japan Through the Eyes of Others