LWN.net
Link: https://lwn.net/
Feed: http://lwn.net/headlines/rss
Updated: 2026-03-28 23:45
[$] The many failures leading to the LiteLLM compromise
LiteLLM is a gateway library providing access to a number of large language models (LLMs); it is popular and widely used. On March 24, the word went out that the version of LiteLLM found in the Python Package Index (PyPI) repository had been compromised with information-stealing malware and downloaded thousands of times, sparking concern across the net. This may look like just another supply-chain attack - and it is - but the way it came about reveals just how many weak links there are in the software supply chains that we all depend on.
The telnyx packages on PyPI have been compromised
The SafeDep blog reports that compromised versions of the telnyx package have been found in the PyPI repository:
Stable kernel update to fix regression on LoongArch platform
Greg Kroah-Hartman has announced the release of the 6.12.79 stable kernel. This release only reverts a patch that caused a regression on the LoongArch platform; users who could not build 6.12.78 on LoongArch need to upgrade.
Security updates for Friday
Security updates have been issued by AlmaLinux (389-ds:1.4, gnutls, mysql:8.0, mysql:8.4, nginx, nginx:1.24, opencryptoki, python3, vim, and virt:rhel and virt-devel:rhel), Debian (firefox-esr, ruby-rack, and thunderbird), Fedora (fontforge, headscale, kryoptic, libopenmpt, pyOpenSSL, python-cryptography, rubygem-json, rust-asn1, rust-asn1_derive, rust-cryptoki, rust-cryptoki-sys, rust-wycheproof, vim, and vtk), Oracle (freerdp, golang, mysql:8.0, and ncurses), Red Hat (osbuild-composer), Slackware (libpng and tigervnc), SUSE (chromium, frr, kea, kernel, nghttp2, pgvector, python-deepdiff, python-pyasn1, python-tornado6, python-urllib3, python3, python310, ruby2.5, salt, sqlite3, systemd, tomcat, vim, and xen), and Ubuntu (libcryptx-perl).
The forge is our new home (Fedora Community Blog)
Toma Hrka has announced that the Forgejo-based Fedora Forge is now a fully operational collaborative-development platform; it is ready for use by the larger Fedora community, which means the homegrown Pagure platform's days are numbered:
[$] Vibe-coded ext4 for OpenBSD
A number of projects have been struggling with the question of which submissions created by large language models (LLMs), if any, should be accepted into their code base. This discussion has been further muddied by efforts to use LLM-driven reimplementation as a way to remove copyleft restrictions from a body of existing code, as recently happened with the Python chardet module. In this context, an attempt to introduce an LLM-generated implementation of the Linux ext4 filesystem into OpenBSD was always going to create some fireworks, but that project has its own, clearly defined reasons for looking askance at such submissions.
Security updates for Thursday
Security updates have been issued by Debian (awstats, firefox-esr, and nss), Fedora (chromium, dotnet10.0, dotnet8.0, dotnet9.0, freerdp, and wireshark), Mageia (graphicsmagick and xen), Oracle (mysql:8.4 and nginx), Red Hat (podman), Slackware (bind and tigervnc), SUSE (azure-storage-azcopy, firefox-esr, giflib, glances-common, govulncheck-vulndb, grafana, kernel, libpng16, libsoup, mumble, net-snmp, perl-Crypt-URandom, pgvector-devel, pnpm, postgresql17, Prometheus, protobuf, python-cbor2, python-Jinja2, python-simpleeval, python311-dynaconf, python311-pydicom, python313-PyMuPDF, salt, snpguest, systemd, and vim), and Ubuntu (bind9, linux-azure, linux-azure, linux-azure-6.17, linux-azure-6.8, and mbedtls).
[$] LWN.net Weekly Edition for March 26, 2026
Inside this week's LWN.net Weekly Edition:
[$] Collaboration for battling security incidents
The keynote for Sun Security Con 2026 (SunSecCon) was given by Farzan Karimi on how incident handling can go awry because of a lack of collaboration between the "good guys" - which stands in contrast to how attackers collaboratively operate. He provided some "war stories" where security incident handling had benefited from collaboration and others where it was hampered by its lack. SunSecCon was held in conjunction with SCALE 23x in Pasadena in early March.
Setting up a Tor Relay at National Taiwan Normal University (Tor Blog)
The Tor Blog has an interesting article about the non-technical side of setting up a Tor Relay. It documents how a computer science student at National Taiwan Normal University worked with the university system to set up a relay and provides a template for future attempts:
LibreQoS v2.0 released
Version 2.0 of the LibreQoS traffic-management and network operations platform has been released.
[$] More efficient removal of pages from the direct map
The kernel's direct map provides code running in kernel mode with direct access to all physical memory installed in the system - on 64-bit systems, at least. It obviously makes life easier for kernel developers, but the direct map also brings some problems of its own, most of which are security-related. Interest in removing at least some pages from the direct map has been simmering for years; a couple of patch sets under discussion show some use cases for memory that has been removed from the direct map, and how such memory might be efficiently managed.
Five new stable kernels
Greg Kroah-Hartman has announced the release of the 6.19.10, 6.18.20, 6.12.78, 6.6.130, and 6.1.167 stable kernels. Each contains important fixes throughout the tree. Users are advised to upgrade.
Security updates for Wednesday
Security updates have been issued by Debian (chromium), Fedora (chromium, containernetworking-plugins, musescore, and python-multipart), Mageia (perl-XML-Parser, roundcubemail, trilead-ssh2, vim, and webkit2), Oracle (389-ds:1.4, gimp:2.8, glibc, gnutls, kernel, libarchive, nginx:1.24, opencryptoki, python3, uek-kernel, vim, yggdrasil, and yggdrasil-worker-package-manager), Red Hat (delve, osbuild-composer, and skopeo), Slackware (mozilla), SUSE (dpkg, go1.26-openssl, gstreamer-plugins-ugly, kernel, libssh, ovmf, python-pyasn1, python-tornado6, python311, salt, sqlite3, and systemd), and Ubuntu (linux-aws-fips, linux-azure, linux-azure-fips, linux-fips, linux-gcp-fips, linux-iot, linux-kvm, pjproject, and redis).
Firefox 149.0 released
Version 149.0 of the Firefox web browser has been released. Notable features in this release include a new split-view feature for viewing two web pages side-by-side, a built-in VPN for browser traffic only, and more.
[$] A PHP license change is imminent
PHP's licensing has been a source of confusion for some time. The project is, currently, using two licenses that cover different parts of the code base: PHP v3.01 for the bulk of the code and Zend v2.0 for code in the Zend directory. Much has changed since the project settled on those licenses in 2006, and the need for custom licensing seems to have passed. An effort to simplify PHP's licensing, led by Ben Ramsey, is underway; if successful, the existing licenses will be deprecated and replaced by the BSD three-clause license. The PHP community is now voting on the license update RFC through April 4, 2026.
LiteLLM on PyPI is compromised
This issue report describes a credential-stealing attack buried within LiteLLM 1.82.8 in the PyPI repository. It collects and exfiltrates a wide variety of information, including SSH keys, credentials for a number of cloud services, crypto wallets, and so on. Anybody who has installed this package has likely been compromised and needs to respond accordingly. Update: see this futuresearch article for some more information. "The release contains a malicious .pth file (litellm_init.pth) that executes automatically on every Python process startup when litellm is installed in the environment."
Down: Debunking zswap and zram myths
Chris Down has posted a detailed look at how the kernel's zswap and zram subsystems work - and how they differ.
Krita 5.3.0 and 6.0.0 released
The Krita project has announced the release of Krita 5.3.0 and 6.0.0:
Security updates for Tuesday
Security updates have been issued by Debian (strongswan and vlc), Fedora (cmake, giflib, and python-diskcache), SUSE (curl, docker-stable, freeciv, freerdp, freerdp2, freetype2, go1.25-openssl, go1.26-openssl, GraphicsMagick, gvfs, harfbuzz, kernel, lemon, libpng16, librsvg, libsodium, libsoup, net-snmp, protobuf, python-Authlib, python-maturin, python-tornado6, python310, python311-pypdf, python311-PyPDF2, python314, python39, rust-keylime, strongswan, systemd, ucode-intel, util-linux, and vim), and Ubuntu (gvfs, linux-aws-6.8, linux-azure, linux-azure, linux-azure-4.15, linux-azure-fips, linux-hwe-5.4, linux-ibm, linux-intel-iot-realtime, linux-nvidia-tegra-igx, linux-realtime-6.17, pyopenssl, rust-sized-chunks, strongswan, systemd, and tiff).
[$] Tracking when BPF programs may sleep
BPF programs can run in both sleepable and non-sleepable (atomic) contexts. Currently, sleepable BPF programs are not allowed to enter an atomic context. Puranjay Mohan has a new patch set that changes that. The patch set would let BPF programs called in sleepable contexts temporarily acquire locks that cause the programs to transition to an atomic context. BPF maintainer Alexei Starovoitov objected to parts of the implementation, however, so acceptance of the patch depends on whether Mohan is willing and able to straighten it out.
Kernel prepatch 7.0-rc5
Linus has released 7.0-rc5 for testing. "It looks like things are starting to calm down - rc5 is smaller than the previous rc's this merge window, although it still tracks a bit larger than rc5s historically do."
Security updates for Monday
Security updates have been issued by AlmaLinux (gimp:2.8, grub2, kernel, libarchive, libvpx, nginx, opencryptoki, python3.12, vim, yggdrasil, and yggdrasil-worker-package-manager), Debian (chromium, freeciv, libvirt, libyaml-syck-perl, mapserver, ruby-rack, spip, and webkit2gtk), Fedora (chromium, cpp-httplib, glib2, libsoup3, localsearch, openssh, python-scitokens, python-ujson, python3.6, scitokens-cpp, uxplay, wordpress, and xen), Mageia (expat), Red Hat (osbuild-composer), SUSE (Announcement ID: SUSE-SU-2026:0940-1 Release Date: 2026-03-20T13:41:23Z Rating: important References:, Announcement ID: SUSE-SU-2026:0941-1 Release Date: 2026-03-20T13:41:30Z Rating: important References:, Announcement ID: SUSE-SU-2026:0943-1 Release Date: 2026-03-20T13:41:33Z Rating: important References:, Announcement ID: SUSE-SU-2026:0944-1 Release Date: 2026-03-20T13:41:37Z Rating: important References:, Announcement ID: SUSE-SU-2026:0945-1 Release Date: 2026-03-20T13:41:40Z Rating: important References:, chromium, docker, go1.25-openssl, GraphicsMagick, helm, mumble, python311, python311-pyasn1, python313, runc, sqlite3, and tempo-cli), and Ubuntu (debian-goodies and libnet-cidr-perl).
b4 v0.15.0 released
Version 0.15.0 of the b4 patch-management tool is out. Highlights in this release include the b4 review workflow manager for maintainers (covered briefly in this article), b4 dig, which can find the original mailing-list submission behind a commit, three-way-merge support in b4 shazam, and more. See the release notes for details.
Agama 19 released
Version 19 of the Agama installer for openSUSE and SUSE has been released. This release includes major changes in Agama's architectural design, organization of the web interface, and more.
[$] A truce in the Manjaro governance struggle
Members of the Manjaro Linux distribution's community have published a "Manjaro 2.0 Manifesto" that contains a list of complaints and a demand to restructure the project to provide a clear separation between the community and Manjaro as a company. The manifesto asserts that the project's leadership is not acting in the best interests of the community, which has caused developers to leave and innovation to stagnate. It also demands a handover of the Manjaro trademark and other assets to a to-be-formed nonprofit association. The responses on the Manjaro forum showed widespread support for the manifesto; Philip Muller, project lead and CEO of the Manjaro company, largely stayed out of the discussion. However, he surfaced on March 19 to say he was "open to serious discussions", but only after a nonprofit had actually been set up.
Security updates for Friday
Security updates have been issued by AlmaLinux (capstone, glibc, grub2, kernel, libarchive, libpng, mysql, and python3.11), Debian (evolution-data-server, imagemagick, and snapd), Fedora (bpfman, chromium, cpp-httplib, dotnet10.0, openssh, polkit, and vim), Mageia (graphicsmagick, imagemagick, openssh, and perl-YAML-Syck), Oracle (capstone, grub2, kernel, mysql, and python-pyasn1), Red Hat (container-tools:rhel8, rhc, yggdrasil, and yggdrasil-worker-package-manager), SUSE (cargo1.92, cargo1.93, chromedriver, coturn, curl, freerdp, jq, kernel, libssh, php-composer2, python311-uv, python312, qemu, tomcat, util-linux, vim, and virtiofsd), and Ubuntu (exiv2, freerdp3, glance, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, and linux-aws-fips, linux-fips, linux-gcp-fips).
Google details new 24-hour process to sideload unverified Android apps (ArsTechnica)
Ars Technica describes the ritual that will be required before a future Android device will deign to install apps from somewhere other than the Play Store. It is not for the impatient.
Two new stable kernels
Greg Kroah-Hartman has announced the release of the 6.19.9 and 6.18.19 stable kernels. As usual, each has important fixes throughout the tree; users are advised to upgrade.
Radicle 1.7.0 released
Version 1.7.0 ("Daffodil") of the Radicle peer-to-peer, local-first code collaboration stack has been released. Some of the changes in this release include improved I/O usage, the ability to block nodes at the connection level, and clearer errors for rad id updates. See the release notes for a full list of changes and bug fixes.
[$] Development tools: Sashiko, b4 review, and API specification
The kernel project has a unique approach to tooling that avoids many commonly used development systems that do not fit the community's scale and ways of working. Another way of looking at the situation is that the kernel project has often under-invested in tooling, and sometimes seems bent on doing things the hard way. In recent times, though, the amount of effort that has gone into development tools for the kernel has increased, with some interesting results. Recent developments in this area include the Sashiko code-review system, a patch-review manager built into b4, and a new attempt at a framework for the specification and verification of kernel APIs.
Security updates for Thursday
Security updates have been issued by Debian (freetype), Fedora (aqualung, kiss-fft, libtasn1, mac, and vim), Red Hat (libarchive, osbuild-composer, and rhc), Slackware (expat), SUSE (ca-certificates-mozilla, chromium, cockpit, cockpit-machines, cockpit-podman, curl, docker, docker-compose, docker-stable, gnutls, gstreamer-rtsp-server, gstreamer-plugins-ugly, gstreamer-plugins-rs, gstreamer-plugins-libav, gstreamer-plugins-good, gstreamer-plugins-base, gstreamer-plugins-bad, gstreamer-docs, gstreamer-devtools, gstreamer, gvfs, helm, kernel, krb5-appl, libsoup, libxslt, libxml2, openssh, python-cryptography, python-django, python-pypdf2, python-simpleeval, python311, qemu, ruby4.0-rubygem-sprockets, ruby4.0-rubygem-thor, ruby4.0-rubygem-web-console, ruby4.0-rubygem-websocket-extensions, skaffold, smb4k, tomcat, ucode-intel, util-linux, virtiofsd, and zlib), and Ubuntu (bouncycastle, exiv2, freerdp3, linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux-aws-fips, python2.7, roundcube, and valkey).
[$] LWN.net Weekly Edition for March 19, 2026
Inside this week's LWN.net Weekly Edition:
[$] Cindy Cohn on privacy battles old and new
Cindy Cohn is the executive director of the Electronic Frontier Foundation (EFF) and she gave the Saturday morning keynote at SCALE 23x in Pasadena about some of the work she and others have done to help protect online rights, especially digital privacy. The talk recounted some of the history of the court cases that the organization has brought over the years to try to dial back privacy invasions. One underlying theme was the role that attendees can play in protecting our rights, hearkening back to earlier efforts by the technical community.
Samba 4.24.0 released
Version 4.24.0 of the Samba SMB filesystem implementation has been released. There are a number of significant changes, including audit support for authentication information, remote password management, a number of Kerberos improvements, asynchronous-I/O rate limiting, and more.
GNOME 50 released
GNOME 50 has been released. Notable changes in this release include enhancements to the Orca screen-reader application, interface and performance improvements for GNOME's file manager (Files), a "massive set of stability and performance updates" for its display-handling technologies, and much more. See also the "What's new for developers" article that covers changes of interest to GNOME and GNOME application developers.
Local-privilege escalation in snapd
Qualys has discovered a local-privilege escalation (LPE) vulnerability affecting Ubuntu Desktop 24.04 and later:
Fedora Asahi Remix 43 released
Fedora Asahi Remix 43 is now available:
[$] BPF comes to io_uring at last
The kernel's asynchronous io_uring interface maintains two shared ring buffers: a submission queue for sending requests to the kernel, and a completion queue containing the results of those requests. Even with shared memory removing much of the overhead of communicating with user space, there is still some overhead whenever the kernel must switch to user space to give it the opportunity to process completion requests and queue up any subsequent work items. A patch set from Pavel Begunkov minimizes this overhead by letting programmers extend the io_uring event loop with a BPF program that can enqueue additional work in response to completion events. The patch set has been in development for a long time, but has finally been accepted.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (.NET 10.0, .NET 9.0, compat-openssl11, container-tools:rhel8, grub2, and libvpx), Debian (ansible, gst-plugins-base1.0, and nodejs), Fedora (chromium, forgejo, and systemd), Oracle (container-tools:rhel8, grub2, kernel, libpng, libvpx, nginx, opencryptoki, python3.12, and vim), Red Hat (firefox, python-wheel, python3.12-wheel, and thunderbird), SUSE (389-ds, chromium, clamav, container-suseconnect, curl, freerdp, gvfs, kea, kubernetes, ruby4.0-rubygem-minitar, ruby4.0-rubygem-multi_xml, ruby4.0-rubygem-nokogiri, ruby4.0-rubygem-puma, ruby4.0-rubygem-rack, ruby4.0-rubygem-rack-session, ruby4.0-rubygem-rails, ruby4.0-rubygem-rails-html-sanitizer, ruby4.0-rubygem-railties, ruby4.0-rubygem-rubyzip, vim, and xen), and Ubuntu (flask, libssh, linux-aws-5.15, linux-gcp-5.15, linux-gke, linux-hwe-5.15, linux-intel-iotg-5.15, linux-lowlatency-hwe-5.15, linux-oracle-5.15, linux-gcp-6.17, linux-realtime, linux-realtime, linux-realtime, linux-realtime-6.8, snapd, and vim).
The Sashiko patch-review system
Roman Gushchin has announced the existence of an LLM-driven patch-review system named Sashiko. It automatically creates reviews for all patches sent to the linux-kernel mailing list (and some others).
FSFE reports trouble with payment provider
The Free Software Foundation Europe (FSFE) is reporting that payment provider Nexi has terminated its contract without prior notice, which means that a number of FSFE supporters' recurring payments have been halted:
[$] Fedora ponders a "sandbox" technology lifecycle
Fedora Project Leader (FPL) Jef Spaleta has issued a "modest proposal" for a technology-innovation-lifecycle process that would provide more formal structure for adopting technologies in Fedora. The idea is to spur innovation in the project without having an adverse impact on stability or the release process. Spaleta's proposal is somewhat light on details, particularly as far as specific examples of which projects would benefit; however, the reception so far is mostly positive and some think that it could make Fedora more "competitive" by being the place where open-source projects come to grow.
Security updates for Tuesday
Security updates have been issued by Fedora (mingw-openexr, vim, and yarnpkg), Oracle (freerdp), Red Hat (389-ds-base, container-tools:rhel8, libpng, libpng15, nginx, nginx:1.24, nginx:1.26, opencryptoki, python3, python3.11, python3.12, and python3.9), SUSE (ruby4.0-rubygem-activestorage, ruby4.0-rubygem-activesupport, ruby4.0-rubygem-glogalid, ruby4.0-rubygem-grpc, ruby4.0-rubygem-jquery-rails, ruby4.0-rubygem-loofah, and rubygem4.0-rubygem-fluentd), and Ubuntu (curl, linux, linux-aws, linux-aws-6.17, linux-gcp, linux-hwe-6.17, linux-oracle, linux-oracle-6.17, linux, linux-aws, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-gcp, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-oracle, linux-xilinx-zynqmp, linux-fips, linux-aws-fips, linux-gcp-fips, linux-gcp, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, python-cryptography, and roundcube).
Marknote 1.5 released
Version 1.5 of Marknote, a Markdown-based note-management application, has been released. Notable features in this release include Source Mode for working directly with Markdown instead of the WYSIWYG interface, internal wiki-style links for notes, as well as simpler management of notes and notebooks.
Debian Project Leader election underway
Kurt Roeckx has announced that Debian has moved to the campaigning period for the 2026 Debian Project Leader (DPL) election. This year there is only one candidate, Sruthi Chandran, so Debian voters will have a choice between Chandran as DPL or "None of the above". The campaign period will run through April 3, and the voting period will run from April 4 to April 17. Chandran has not yet posted a platform for the 2026 election, but her 2024 platform is available on the Debian wiki.
GIMP 3.2 released
After a year's worth of development since GIMP 3.0 was released, the team behind the open-source image editor has released GIMP 3.2. It comes as part of the plan to release GIMP more frequently, rather than wait six or seven years between releases. The release comes with lots of new features (as can be seen in more detail in the release notes), including 20 new brushes for the MyPaint Brush tool, an "overwrite" paint mode, new and upgraded file formats, UI improvements in a variety of places, such as the on-canvas text editor, and new non-destructive layers:
[$] A safer kmalloc() for 7.0
A pull request that touches over 8,000 files, changing over 20,000 lines of code in the process, is (fortunately) not something that happens every day. It did happen at the end of the 7.0 merge window, though, when Linus Torvalds merged an extensive set of changes by Kees Cook to the venerable kmalloc() API (and its users). As a result of that work, though, the kernel has a new set of type-safe memory-allocation functions, with a last-minute bonus change to make the API a little easier to use.
Security updates for Monday
Security updates have been issued by AlmaLinux (.NET 10.0, .NET 8.0, .NET 9.0, delve, git-lfs, gnutls, kernel, mingw-libpng, nfs-utils, opentelemetry-collector, python3.11, python3.12, python3.9, and vim), Debian (chromium, gimp, kernel, linux-6.1, and wireless-regdb), Fedora (alertmanager, chromium, freerdp, glab, golang-github-openprinting-ipp-usb, gst-devtools, gst-editing-services, gstreamer1, gstreamer1-doc, gstreamer1-plugin-libav, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, gstreamer1-plugins-ugly-free, gstreamer1-rtsp-server, insight, pcs, pgadmin4, python-gstreamer1, python3.10, python3.11, python3.6, qgis, SDL2_sound, SDL3_sound, systemd, and wireshark), Mageia (python-nltk, tomcat, and vim), Oracle (.NET 10.0, .NET 8.0, .NET 9.0, compat-openssl11, dtrace, python3.12, and vim), Red Hat (buildah, git-lfs, golang-github-openprinting-ipp-usb, opentelemetry-collector, podman, and runc), and SUSE (amazon-ssm-agent, busybox, clamav, firefox, giflib-devel-32bit, glibc, heroic-games-launcher, himmelblau, kubelogin, libpng15, libsoup, libsoup2, mingw32-binutils, mingw64-binutils, osc, obs-scm-bridge, python, python-black, python3, qemu, ruby4.0-rubygem-actioncable, ruby4.0-rubygem-actiontext, ruby4.0-rubygem-activejob, ruby4.0-rubygem-activemodel, tomcat, and tomcat10).
Kernel prepatch 7.0-rc4
Linus has released 7.0-rc4 for testing.