Sync Updates for Week 38, 2025

EbonJaeger

Heya folks! It's sync day, and that means it's time for the weekly Solus roundup!

KDE Frameworks has been updated to 6.18.0. This release contains many fixes and improvements to the Frameworks stack. Check out the full release announcement here.

GNOME 48.5 has landed in the repository this week. 48.5 is a bugfix release for the GNOME 48 series. The changelog can be found here.

Security updates

We have some security updates for you this week. Be sure to install available updates to get the latest vulnerability protections.

expat was updated to 2.7.2-34 (@EbonJaeger). Includes security fixes for CVE-2025-59375.
libssh was updated to 0.11.3-18 (@silkeh). Includes security fixes for CVE-2025-8277, CVE-2025-8114.
qt6-webengine was updated to 6.9.2-41 (@HarveyDevel, @HarveyDevel). Includes security fixes for CVE-2025-20200, CVE-2025-9866, CVE-2025-10502, CVE-2025-10201.
wireshark was updated to 4.4.9-97 (@silkeh). Includes security fixes for CVE-2025-9817.

General updates

The full list of updated packages can be found here.

For the list of currently known issues, see the dedicated thread for it. If you begin experiencing a bug, please look for an issue on our issue tracker, and open a new one if one does not exist.

That’s all for this week, folks! We'll be here same time, same place next week for another roundup of the news!

banger

All good came down fast on my new fibre. 2 x Plasma updated successfully.

Original-Syn

Traveling this evening, but my systems on unstable have been solid. Posted to social.

EbonJaeger

Cherry-picked jasper for CVE-2025-8837.

ernesto

Everything is ok on XFCE. Thank You to the team

AlphaElwedritsch

so far, so good...gnome

Moltes34

;-) top merci ...

Harvey

Cherry-picked vivaldi-stable v7.6.3797.56

Harvey

Cherry-picked qt6-webengine for bundled chromium update addressing CVEs

Harvey

Cherry-picked qt6-webengine for bundled chromium update addressing CVE. (Yes again, didn't realise they hadn't finished porting all the fixes from the latest chromium release).

brent

Harvey you've done about 6 updates to this (thank you I use chromium) in the last 7 days if I'm counting correctly (but likely wrong).
What's the backstory on this? Cant seem to find much online. Seemed to start off as CVE's but none of the fixes stuck? something like that? thanks for any info.

WhiteWolf

After update cpu-x can't start:

DE: Gnome

trinajstica

WhiteWolf

quick solution from terminal:
sudo ln -s /usr/lib64/libproc2.so.1 /usr/lib64/libproc2.so.0

Original-Syn

WhiteWolf Yep can confirm on Plasma and Budgie as well as quick fix by @trinajstica

Harvey

This was due to cpu-x not being rebuilt for a procps-ng update that changed libproc2.so.0->libproc2.so.1

intel-gpu-tools will likely have the same issue, rebuilding it now. Both will be fixed properly in tomorrows sync.

Axios

Shit where did the week go.

DinimixisDEMZ

1 Week, not found problems here. ^^

Harvey

qt6-webengine uses a bundled version of chromium, for the current release cycle of qt6-webengine it is on the v130.x branch of chromium. This package is not used by any browsers, it is used by things such as rssguard which need a web engine but do not ship their own (Because that would be dumb) gtk apps have their own equivalent.

I am following a rss feed of commits to this bundled version of chromium v130.x so I know when it needs updating for a CVE or bugfix. However because these fixes usually come from a newer major version of chromium like v140.x its not something that happens instantly when a new version of chromium is released.

I have been updating it soon as I get the rss feed notification for a new fix but... they haven't finished porting back all the CVEs addressed in the latest version, so the next day I end up doing it again for another CVE.

Example, these CVEs were addressed across the two latest qt6-webengine updates I pushed but came from this single upstream chromium release. I just didn't give them enough time to backport all of them to v130.x so I updated it twice.

CVE-2025-10890
CVE-2025-10892
CVE-2025-10891

https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_23.html

In future I will reference the chromium release blog to get an idea if all the CVEs had been addressed before updating. It is not quick to build even on a 12c/24t cpu and waiting a day to get all of them is fine.

brent

very clear picture of this underneath layer (as I see it anyway), thanks for explaining,
better context for your head-beating-against-wall gif

Harvey This package is not used by any browsers,

got it. thanks for all this, it's appreciated