Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-11-29 02:30
Security updates for Friday
Security updates have been issued by Debian (krita and tryton-server), Oracle (bind9.18, ipa, kernel, libssh, redis, redis:7, sqlite, sssd, and vim), Slackware (cups), SUSE (containerd, cups, curl, dovecot24, git-bug, gitea-tea, glib2, grub2, himmelblau, java-25-openjdk, kernel, libmicrohttpd, libvirt, pnpm, powerpc-utils, python311, python313, redis, rnp, runc, sssd, tomcat11, unbound, and xwayland), and Ubuntu (cups, libxml2, openvpn, and webkit2gtk).
Security updates for Thursday
Security updates have been issued by Debian (kdeconnect, libssh, and samba), Fedora (7zip, docker-buildkit, and docker-buildx), Oracle (bind, buildah, cups, delve and golang, expat, firefox, gimp, go-rpm-macros, haproxy, kernel, lasso, libsoup, libtiff, mingw-expat, openssl, podman, python-kdcproxy, qt5-qt3d, runc, squid, thunderbird, tigervnc, valkey, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (buildah, cloudflared, containerd, expat, firefox, gnutls, helm, kernel, libxslt, mysql-connector-java, ongres-scram, openbao, openexr, openssh, podman, python311, python312, ruby2.5, rubygem-rack, runc, samba, sssd, tiff, unbound, and yelp), and Ubuntu (edk2, ffmpeg, h2o, python3.13, rust-openssl, and valkey).
KDE Plasma 6.8 will be Wayland-only
KDE's Plasma team has announced that KDE Plasma will drop X11 session support with Plasma 6.8:
Security updates for Wednesday
Security updates have been issued by AlmaLinux (bind, binutils, delve and golang, expat, firefox, haproxy, kernel, libsoup3, libssh, libtiff, openssh, openssl, pam, podman, python-kdcproxy, shadow-utils, squid, thunderbird, vim, xorg-x11-server-Xwayland, and zziplib), Debian (cups-filters, libsdl2, linux-6.1, net-snmp, pdfminer, rails, and tryton-sao), Fedora (chromium, docker-buildkit, docker-buildx, and sudo-rs), Gentoo (librnp), Mageia (webkit2), SUSE (amazon-ssm-agent, buildah, curl, dpdk, fontforge-20251009, kernel, libIex-3_4-33, librnp0, python311, rclone, and sssd), and Ubuntu (linux, linux-aws, linux-aws-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-aws-6.14, linux-oracle-6.14, linux-aws-fips, linux-fips, linux-gcp-fips, linux-realtime, linux-realtime-6.8, mupdf, openjdk-17, openjdk-8, and openjdk-lts).
Security updates for Tuesday
Security updates have been issued by AlmaLinux (buildah, firefox, go-rpm-macros, kernel, kernel-rt, podman, and thunderbird), Debian (erlang, python-gevent, and r-cran-gh), Fedora (buildah, chromium, k9s, kubernetes1.33, kubernetes1.34, podman, python-mkdocs-include-markdown-plugin, and webkitgtk), Gentoo (Chromium, Google Chrome, Microsoft Edge, Opera, qtsvg, redict, redis, UDisks, and WebKitGTK+), Mageia (cups-filters and ruby-rack), Oracle (kernel and libssh), Red Hat (.NET 8.0, tigervnc, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (act, bind, cups-filters, govulncheck-vulndb, grub2, libebml, python39, and tcpreplay), and Ubuntu (linux-raspi, linux-raspi-realtime, openjdk-21, openjdk-25, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, python3.5, python3.4, and runc-app, runc-stable).
AlmaLinux 10.1 released
AlmaLinux 10.1 has been released. In addition to providing binary compatibility with Red Hat Enterprise Linux (RHEL) 10.1, the most notable feature in AlmaLinux 10.1 is the addition of support for Btrfs, which is not available in RHEL:
[$] APT Rust requirement raises questions
It is rarely newsworthy when a project or package picks up a new dependency. However, changes in a core tool like Debian's Advanced Package Tool (APT) can have far-reaching effects. For example, Julian Andres Klode's declaration that APT would require Rust in May 2026 means that a few of Debian's unofficial ports must either acquire a working Rust toolchain or depend on an old version of APT. This has raised several questions within the project, particularly about the ability of a single maintainer to make changes that have widespread impact.
Three stable kernel updates, two french hens, ...
Greg Kroah-Hartman has announced the release of the 6.17.9, 6.12.59, and 6.6.117 stable kernels. As usual, he advises users of stable kernels to upgrade.
Security updates for Monday
Security updates have been issued by Fedora (calibre, chromium, cri-o1.32, cri-o1.33, cri-o1.34, dotnet10.0, dovecot, gnutls, gopass, gopass-hibp, gopass-jsonapi, kubernetes1.31, kubernetes1.32, kubernetes1.33, kubernetes1.34, and linux-firmware), Mageia (ffmpeg, kernel, kmod-xtables-addons & kmod-virtualbox, kernel-linus, konsole, and redis), Red Hat (bind and bind-dyndb-ldap and kernel), SUSE (act, alloy, amazon-ssm-agent, ansible-12, ansible-core, blender, chromium, cups-filters, curl, elfutils, expat, firefox, glib2, grub2, helm, kernel, libipa_hbac-devel, libxslt, nvidia-container-toolkit, ongres-scram, openexr, podman, poppler, runc, samba, sssd, thunderbird, and tomcat), and Ubuntu (cups-filters, linux, linux-aws, linux-gcp, linux-hwe-6.14, linux-oracle, linux-realtime, linux-oem-6.14, and linux-realtime-6.14).
Kernel prepatch 6.18-rc7
Linus has released 6.18-rc7, probably the last -rc before the 6.18 release.
Racket 9.0 released
The Racket programming language project has released Racket version 9.0. Racket is a descendant of Scheme, so it is part of the Lisp family of languages. The headline feature in the release is parallel threads, which adds to the concurrency tools in the language: "While Racket has had green threads for some time, and supports parallelism via futures and places, we feel parallel threads is a major addition." Other new features include the black-box wrapper to prevent the compiler from optimizing calculations away, the decompile-linklet function to map linklets back to an s-expression, the addition of Weibull distributions to the math library, and more.
Improving GCC Buffer Overflow Detection for C Flexible Array Members (Oracle)
The Oracle blog has a lengthy article on enhancements to GCC to help detect overflows of flexible array members (FAMs) in C programs.
The 2025 Linux Foundation Technical Advisory Board election
The call for candidates for the 2025 election for the Linux Foundation Technical Advisory Board has been posted.
[$] Unpacking for Python comprehensions
Unpacking Python iterables of various sorts, such as dictionaries or lists, is useful in a number of contexts, including for function arguments, but there has long been a call for extending that capability to comprehensions. PEP 798 ("Unpacking in Comprehensions") was first proposed in June 2025 to fill that gap. In early November, the steering council accepted the PEP, which means that the feature will be coming to Python 3.15 in October 2026. It may be something of a niche feature, but it is an inconsistency that has been apparent for a while, to the point that some Python programmers assume that it is already present in the language.
PHP 8.5.0 released
Version 8.5.0 of the PHP language has been released. Changes include a new "|>" operator that, for some reason, makes these two lines equivalent:
Security updates for Friday
Security updates have been issued by AlmaLinux (delve and golang), Debian (webkit2gtk), Oracle (expat and thunderbird), Red Hat (kernel), Slackware (openvpn), SUSE (chromium, grub2, and kernel), and Ubuntu (cups-filters, imagemagick, and libcupsfilters).
Racing karts on a Rust GPU kernel driver (Collabora blog)
In July, Collabora announced the Rust-based Tyr GPU driver for Arm Mali GPUs. Daniel Almeida has posted an update on progress with a prototype of the driver running on a Rock 5B board with the Rockchip RK3588 system-on-chip:
[$] BPF and io_uring, two different ways
BPF allows programs uploaded from user space to be run, safely, within the kernel. The io_uring subsystem, too, can be thought of as a way of loading programs in the kernel, though the programs in question are mostly a sequence of I/O-related system calls. It has sometimes seemed inevitable that io_uring would, like many other parts of the kernel, gain BPF capabilities as a way of providing more flexibility to user space. That has not yet happened, but there are currently two patch sets under consideration that take different approaches to the problem.
Security updates for Thursday
Security updates have been issued by AlmaLinux (bind, bind9.18, container-tools:rhel8, expat, grub2, haproxy, idm:DL1, kernel, kernel-rt, lasso, libsoup, libssh, libtiff, pcs, podman, python-kdcproxy, qt5-qt3d, redis, redis:7, runc, shadow-utils, sqlite, squid, vim, webkit2gtk3, xorg-x11-server, xorg-x11-server-Xwayland, and zziplib), Debian (chromium), Oracle (lasso and postgresql), SUSE (erlang27, ghostscript, grub2, kernel, libIex-3_4-33, python312, and sbctl), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-aws-6.8, linux-fips, linux-aws-fips, linux-gcp-fips, linux-oracle, and mysql-8.0, mysql-8.4).
[$] LWN.net Weekly Edition for November 20, 2025
Inside this week's LWN.net Weekly Edition:
[$] Debian debates amending architecture support stratagem
The Linux kernel supports a large number of architectures. Not all of those are supported by Linux distributions, but Debian does support many of them, officially or unofficially. On October 26, Bastian Blank opened a discussion about the minimum version of these architectures that Debian should support: in particular, raising the de-facto minimum versions in the next Debian release ("forky"). Thread participants were generally in favor of keeping support for older architecture variants, but didn't reach a firm conclusion.
Postmortem of the Xubuntu.org download site compromise
In mid-October, the Xubuntu download site was compromised and had directed users to a malicious zip file instead of the Torrent file that users expected. Elizabeth K. Joseph has published a postmortem of the incident, along with plans to avoid such a breach in the future:
GStreamer Conference 2025 video recordings now available
Recordings from the GStreamer Conference 2025, held in London in late October, are now available on the GStreamer Conferences Archive site. Includes the GStreamer State of the Union talk by Tim-Philipp Muller, State of MPEG 2 Transport Stream (MPEG-TS) by Edward Hervey, and many others.
Security updates for Wednesday
Security updates have been issued by Debian (pdfminer), Fedora (chromium and firefox), Mageia (bubblewrap, flatpak, cups-filters, and thunderbird), Oracle (container-tools:rhel8, kernel, and squid), Red Hat (kernel), Slackware (libarchive), SUSE (gimp, itextpdf, kernel, thunderbird, and unbound), and Ubuntu (lasso).
Blender 5.0 released
Version 5.0 of the Blender animation system has been released. Notable improvements include improved color management, HDR capabilities, and a new storyboarding template. See the release notes for a lengthy list of new features and changes, and the bugfixes page for the 588 commits that fixed bugs in Blender 4.5 or older.
[$] The current state of Linux architecture support
There have been several recent announcements about Linux distributions changing the list of architectures they support, or adjusting how they build binaries for some versions of those architectures. Ubuntu introduced architecture variants, Fedora considered dropping support for i686 but reversed course after some pushback, and Debian developers have discussed raising its architecture baseline for the upcoming Debian 14 ("forky"). Linux supports a large number of architectures, and it's not always clear where or by whom they are used. With increasing concerns about diminishing support for legacy architectures, it's a good time to look at the overall state of architecture support on Linux.
[$] Pouring packages with Homebrew
The Homebrew project is an open-source package-management system that comes with a repository of useful packages for Linux and macOS. Even though Linux distributions have their own package management and repositories, Homebrew is often used to obtain software that is not available in a distribution's repository or to install more current versions of projects than are available from long-term-support (LTS) distributions. Homebrew 5.0.0, released on November 12, 2025, expanded Linux support to include 64-bit Arm packages in addition to x86_64, and turned on concurrent downloads by default to speed up package downloads.
Security updates for Tuesday
Security updates have been issued by Debian (libwebsockets), Fedora (chromium and fvwm3), Mageia (apache, firefox, and postgresql13, postgresql15), Oracle (idm:DL1), Red Hat (bind, bind9.18, firefox, and openssl), SUSE (alloy, ghostscript, and openssl-1_0_0), and Ubuntu (ffmpeg and freeglut).
Git 2.52.0 released
Version 2.52.0 of the Git source-code management system has been released. Changes include a new last-modified command to find the closest ancestor commit that touched one or more paths, a couple of git refs improvements, a new git repo command for obtaining information about the repository itself, and more. See the announcement and this GitHub blog entry for more information.
[$] Hot-page migration and specific-purpose NUMA nodes
For better or for worse, the NUMA node is the abstraction used by the kernel to keep track of different types of memory. How that abstraction is used, though, is still an active area of development. Two patch sets focused on this problem are currently under review; one addresses the perennial problem of promoting heavily used folios from slower to faster memory, while the other aims to improve the kernel's handling of nodes containing special memory installed for a specific purpose.
Josefsson: Introducing the Debian Libre Live Images
Debian developer Simon Josefsson has announced the Debian Libre Live Images project, to allow installing Debian without any non-free software:
Security updates for Monday
Security updates have been issued by Debian (gst-plugins-base1.0, lasso, and thunderbird), Fedora (bind9-next, chromium, containerd, fvwm3, luksmeta, opentofu, python-pdfminer, python-uv-build, ruff, rust-get-size-derive2, rust-get-size2, rust-regex, rust-regex-automata, rust-reqsign, rust-reqsign-aws-v4, rust-reqsign-command-execute-tokio, rust-reqsign-core, rust-reqsign-file-read-tokio, rust-reqsign-http-send-reqwest, suricata, uv, and xmedcon), Mageia (apache-commons-beanutils, apache-commons-fileupload, apache-commons-lang, botan2, python-django, spdlog, stardict, webkit2, and yelp-xsl), Slackware (xpdf), and SUSE (bind, chromedriver, firefox, kernel, libxml2, and openssh).
Kernel prepatch 6.18-rc6
Linus has released 6.18-rc6 for testing. "So we have a slightly larger rc6 than usual, but I think it's just the random noise and a result of pull request timings rather than due to any issues with the release. But I guess we have a couple of weeks remaining to find out."
[$] A struct sockaddr sequel
One of the many objectives of the Linux Kernel Self-Protection Project (KSPP), which just completed ten years of work, is to ensure that all array references can be bounds-checked, even in the case of flexible array members, the size of which is not known at compile time. One of the most challenging flexible array members in the kernel is not even declared as such. Almost exactly one year ago, LWN looked at the effort to increase safety around the networking subsystem's heavily used sockaddr structure. One year later, Kees Cook is still looking for a way to bring this work to a close.
Security updates for Friday
Security updates have been issued by Debian (keystone and lxd), Fedora (docker-buildkit, firefox, gh, gitleaks, lasso, runc, and seamonkey), Mageia (perl-Authen-SASL, perl-Cpanel-JSON-XS, perl-Crypt-OpenSSL-RSA, perl-JSON-XS, python-flask-cors, python-py, python-setuptools, and ruby), Oracle (java-1.8.0-openjdk), SUSE (binutils, cargo-packaging, rust-bindgen, chromium, go-sendxmpp, helm, lasso, libxml2, openssh, openssh8.4, python-Django, python-Scrapy-doc, python311-Brotli, squid, tomcat10, and weblate), and Ubuntu (linux-nvidia-6.8, linux-oracle, linux-oracle-6.8 and linux-xilinx-zynqmp).
Two new stable kernels
Greg Kroah-Hartman has announced the release of the 6.17.8 and 6.12.58 stable kernels. Each contains an important set of fixes. Users are advised to upgrade.
Rust in Android: move fast and fix things (Google Security Blog)
The Google Security Blog has a new post on just how well the use of Rust is working out for the Android project.
Privilege escalation in LightDM Greeter by KDE (SUSE Security Team Blog)
The SUSE Security Team has published an in-depth article on its findings after reviewing a D-Bus service contained in LightDM Greeter by KDE (the lightdm-kde-greeter package) for addition to openSUSE Tumbleweed. The team found a privilege escalation from the lightdm service user to root, as well as other attack vectors in the service:
Thunderbird 145 released
Version 145 of the Thunderbird email client has been released. Notable changes in this release include enabling DNS over HTTPS, support for Microsoft Exchange via Exchange Web Services, and quite a few bugfixes. As of 145, the project is no longer shipping 32-bit binaries for Linux on x86.
[$] Another Fedora Flatpak discussion
Many distributions provide support out of the proverbial box for Flatpak packages, but Fedora is unusual in that it also provides, and defaults to, its own repository of Fedora-built Flatpaks. This has been a source of confusion for Fedora users, who expect to get the Flatpak built by the original developers and hosted on Flathub. It has also been a source of conflict with upstream projects, because users complain of bugs in Flatpak packages they are not responsible for. The situation has also frustrated some Fedora developers, who would prefer to put Flathub's offerings first. A new complaint that Fedora has apparently used manifests from Flathub to build the packages for Fedora, without giving credit to the original authors, has spurred discussions about Fedora's Flatpaks once again. While no concrete changes are on the table, yet, there may be some movement toward addressing persistent complaints.
Security updates for Thursday
Security updates have been issued by Debian (chromium and firefox-esr), Fedora (firefox, rubygem-rack, skopeo, and webkitgtk), Mageia (perl, perl-CPAN, perl-HTTP-Tiny, perl-Data-Entropy, perl-FCGI, perl-File-Find-Rule, perl-YAML-LibYAML, python-tornado, python-urllib3, python-pip, python3, and unbound), Oracle (ipa and kernel), Red Hat (container-tools:rhel8, krb5, openssl, pcs, podman, and runc), Slackware (mozilla), SUSE (binutils, kernel, netty, netty-tcnative, podman, python311-pdfminer, and tomcat11), and Ubuntu (bind9 and linux-aws-6.8).
[$] LWN.net Weekly Edition for November 13, 2025
Inside this week's LWN.net Weekly Edition:
Homebrew 5.0.0 released
Version 5.0.0 of the Homebrew package manager for Linux and macOS has been released. Notable changes in this release include download concurrency by default, official support for 64-bit Arm on Linux, and more.
[$] The intersection of unstable pages and direct I/O
Longtime LWN readers will have encountered the concept of "stable pages" before; it was first covered here nearly 15 years ago. For the most part, the problem that stable pages were meant to solve - preventing errors when user space modifies a buffer that is under I/O - has been dealt with. But recent discussions show that there is one area where problems remain: direct I/O. There is some disagreement, though, over whether those problems are the result of user-space bugs and how much of a performance price should be paid to address them.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (kernel, kernel-rt, and libtiff), Debian (kernel, libarchive, rust-sudo-rs, and squid), Fedora (chromium, dotnet8.0, forgejo, ruby, and webkitgtk), Oracle (bind, bind9.18, kernel, kernel-uek*, libtiff, and runc), Red Hat (firefox, kernel, and kernel-rt), Slackware (mozilla), SUSE (buildah, colord, containerd, kernel, lasso, libsoup, micropython, ongres-scram, openssh, proxy-helm, uyuni-tools, python-pdfminer.six, qatengine, qatlib, regclient, and runc), and Ubuntu (raptor and raptor2).
Firefox 145 released
Firefox 145 has been released. Notable changes in this release include note-taking features for PDFs viewed in Firefox, enhanced privacy protections, and the ability to access and manage passwords in the sidebar. This release also drops support for 32-bit Linux systems.
[$] Protecting privacy with Tails
Tails is an unusual Linux distribution developed by the Tor Project; it is designed to help users work around internet censorship and avoid surveillance. It is a "portable" operating system that is meant to be run from a USB stick or ISO image and to leave no trace on the computer it was run on. Tails routes connections to the internet over the Tor network and includes a selection of applications and tools suited to working with sensitive documents, communicating securely, and preserving users' anonymity. The tradeoff, of course, is that Tails is less convenient and requires users to learn a new set of tools to avoid compromising their own security and anonymity. Tails 7.1 was released in October, and it seemed like as good a time as any to take it for a spin.
Security updates for Tuesday
Security updates have been issued by AlmaLinux (bind, expat, kernel, osbuild-composer, qt6-qtsvg, runc, valkey, and xorg-x11-server-Xwayland), Debian (incus), Fedora (cef and dotnet8.0), Mageia (strongswan), Red Hat (fence-agents and python-requests), SUSE (chromium, colord, erlang26, java-1_8_0-openjdk, libsoup, python-django, thunderbird, tiff, and warewulf4), and Ubuntu (intel-microcode and rust-sudo-rs).
Public-inbox 2.0.0 released
Version 2.0.0 of public-inbox, the mail archiving system behind lore.kernel.org and LWN's email archive, has been released. "This release includes several new features and fixes; mostly around improved integration between inboxes and coderepos for solver. Portability and reliability is also improved, especially in the internal process management of lei."
[$] Magic kernel functions for BPF
When programs written in BPF (the kernel's hot-loadable virtual-machine bytecode) call kernel functions (kfuncs), it may be useful for those functions to have additional information about the context in which those BPF programs are executing. Rather than requiring it to supply that information, it would be convenient to let the BPF verifier pass that information to the called function automatically. That is already possible, but a recent patch set from Ihor Solodrai would make it more ergonomic. It allows kernel developers to specify that a kfunc should be passed additional parameters inferred by the verifier, invisibly to the BPF program. The discussion included concerns that Solodrai's implementation was unnecessarily complex, however.