OpenSUSE and Tumbleweed News
-
OpenSUSE ☛ Submit a Presentation for the openSUSE Conference
The conference is scheduled to take place June 26 to 28 in Nuremberg, Germany.
-
Agama Releasing version 11
The first beta versions of SUSE GNU/Linux Enterprise Server 16 are almost around the corner and openSUSE Leap 16 is already at alpha phase. So the YaST Team (or should we already say the Agama Team?) has focused during the last couple of weeks on providing a better installation experience for both families of distributions. Agama 11 is the result, so let's see what's new on this release.
Bear in mind that some minor revisions of Agama 11 could be released in the following days to correct issues detected during the testing of SLES 16 Beta and openSUSE Leap 16 Alpha. We will update this blog post if any of those changes significantly affect any of the features listed.
Agama can install Slowroll now
Let's start by welcoming a new member to the family of operating systems Agama can install. Thanks to WesFun, it is now possible to select openSUSE Slowroll when using the Agama testing iso for openSUSE.
-
Dominique Leuenberger ☛ Tumbleweed – Review of the week 2025/04
Dear Tumbleweed users and hackers,
This week was filled with snapshots – in just 7 days, we have published 8 snapshots; ok, there is just the coincidence that the snapshot that was in QA from Thursday to Friday finished much quicker this week than last week – so we ended up having the latest one already on the mirrors at the time of my writing. We have not (yet) invented the time compression machine to publish more snapshots in a week. But honestly, I also don’t think anybody would care for more snapshots. Let alone: the numbering scheme does not support more than one snapshot ‘built’ per day (in rare cases, QA can be speedy and we had seen 2 snapshots syncing out on the same day).
Now, the curious one doesn’t care about the number of snapshots, but rather what changes those snapshots contained. Here are the changes delivered in the snapshot 0116…0123: [...]
-
dde-api-proxy: Authentication Bypass in Deepin D-Bus Proxy Service (CVE-2025-23222)
We received a review request for the Deepin api-proxy D-Bus service which is part of the Deepin desktop environment. During the review we discovered a major authentication flaw in the design of this D-Bus service which allows local users to escalate privileges in various ways.
We reported this issue privately to Deepin security in December and did not receive a reply for a month. As we were preparing for publication, upstream became alive and quickly released a bugfix which is, sadly, still incomplete.
This report is based on dde-api-proxy version 1.0.17. The findings still apply to release 1.0.18. Upstream has attempted to fix these findings in release 1.0.19, but the bugfix is insufficient as outlined in section 6).
2) Authentication Bypass Issue
Dde-api-proxy runs as root and provides various D-Bus services on the D-Bus system bus. It sticks out since it ships a lot of D-Bus configuration files but only little code. The reason for this is that the service only forwards D-Bus requests between its clients and the actual Deepin D-Bus services. We believe this is for backward compatibility due to changes in Deepin D-Bus interface names; alas, the component’s repository on GitHub (Microsoft's proprietary prison) provides little insight into its purpose.