aeolus (Posts by Arch)

zabbix >= 7.4.1-2 may require manual intervention

Arch — Mon, 04 Aug 2025 14:58:22 GMT

Starting with 7.4.1-2, the following Zabbix system user accounts (previously shipped by their related packages) will no longer be used. Instead, all Zabbix components will now rely on a shared zabbix user account (as originally intended by upstream and done by other distributions):

zabbix-server
zabbix-proxy
zabbix-agent (also used by the zabbix-agent2 package)
zabbix-web-service

This shared zabbix user account is provided by the newly introduced zabbix-common split package, which is now a dependency for all relevant zabbix-* packages.

The switch to the new user account is handled automatically for the corresponding main configuration files and systemd service units.

However, manual intervention may be required if you created custom files or configurations referencing to and / or being owned by the above deprecated users accounts, for example:

PSK files used for encrypted communication
Custom scripts for metrics collections or report generations
sudoers rules for metrics requiring elevated privileges to be collected
...

Those should therefore be updated to refer to and / or be owned by the new zabbix user account, otherwise some services or user parameters may fail to work properly, or not at all.

Once migrated, you may remove the obsolete user accounts from your system.

linux-firmware >= 20250613.12fe085f-5 upgrade requires manual intervention

Arch — Sat, 21 Jun 2025 23:09:08 GMT

With 20250613.12fe085f-5, we split our firmware into several vendor-focused packages. linux-firmware is now an empty package depending on our default set of firmware.

Unfortunately, this coincided with upstream reorganizing the symlink layout of the NVIDIA firmware, resulting in a situation that Pacman cannot handle. When attempting to upgrade from 20250508.788aadc8-2 or earlier, you will see the following errors:

linux-firmware-nvidia: /usr/lib/firmware/nvidia/ad103 exists in filesystem
linux-firmware-nvidia: /usr/lib/firmware/nvidia/ad104 exists in filesystem
linux-firmware-nvidia: /usr/lib/firmware/nvidia/ad106 exists in filesystem
linux-firmware-nvidia: /usr/lib/firmware/nvidia/ad107 exists in filesystem

To progress with the system upgrade, first remove linux-firmware, then reinstall it as part of the upgrade:

# pacman -Rdd linux-firmware
# pacman -Syu linux-firmware

Plasma 6.4.0 will need manual intervention if you are on X11

Arch — Fri, 20 Jun 2025 07:08:17 GMT

On Plasma 6.4 the wayland session will be the only one installed when the users does not manually specify kwin-x11.

With the recent split of kwin into kwin-wayland and kwin-x11, users running the old X11 session needs to manually install plasma-x11-session, or they will not be able to login. Currently pacman is not able to figure out your personal setup, and it wouldn't be ok to install plasma-x11-session and kwin-x11 for every one using Plasma.

tldr: Install plasma-x11-session if you are still using x11

Transition to the new WoW64 wine and wine-staging

Arch — Mon, 16 Jun 2025 16:22:01 GMT

We are transitioning the wine and wine-staging package to a pure wow64 build. This change removes the dependency on the multilib repository for wine and wine-staging.

The main reason for this is to align with upstream Wine development, which simplifies packaging and the dependency chain.

Potential Issues:

OpenGL Performance: A known limitation of the new WoW64 mode is reduced performance for 32-bit applications that use OpenGL directly
Breaking Changes: Existing 32-bit prefixes needs to be recreated

If you are facing issues with 32 bit prefixes, please recreate these and reinstall the application.

[ASA-202506-6] python-django: content spoofing

Arch — Thu, 12 Jun 2025 07:48:46 GMT

A remote attacker can manipulate log entries by sending crafted HTTP requests with control characters in the path, potentially spoofing or injecting content into server logs.

[ASA-202506-5] konsole: arbitrary code execution

Arch — Wed, 11 Jun 2025 03:16:24 GMT

A remote attacker can trick a user into opening a specially crafted URL that exploits Konsole’s scheme handler fallback mechanism, leading to arbitrary code execution.

[ASA-202506-4] go: multiple issues

Arch — Sat, 07 Jun 2025 02:58:28 GMT

A remote attacker can exploit Go's HTTP client to leak proxy credentials via cross-origin redirects, or bypass certificate policy validation when ExtKeyUsageAny is used during TLS verification.

[ASA-202506-3] samba: access restriction bypass

Arch — Fri, 06 Jun 2025 20:30:23 GMT

A remote authenticated attacker may retain unintended access to file shares in Samba.

[ASA-202506-2] curl: denial of service

Arch — Thu, 05 Jun 2025 00:13:14 GMT

A remote attacker can send a specially crafted WebSocket frame that triggers an infinite busy-loop in libcurl, causing the application to hang indefinitely potentially leading to a denial of service.

[ASA-202506-1] roundcubemail: arbitrary code execution

Arch — Wed, 04 Jun 2025 19:23:10 GMT

A remote attacker with access to an authenticated Roundcube session can exploit a vulnerability leading to arbitrary code execution.