Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-01-22 04:15
A look at the recent rsync vulnerability
On January 14, Nick Tait announced the discovery of six vulnerabilities in rsync, the popular file-synchronization tool. While software vulnerabilities are not uncommon, the most serious one he announced allows for remote code execution on servers that run rsyncd - and possibly other configurations. The bug itself is fairly simple, but this event provides a nice opportunity to dig into it, show why it is so serious, and consider ways the open-source community can prevent such mistakes in the future.
Stable kernel 6.6.73
The series of singleton stable kernel updates continues with 6.6.73, which reverts three changes that were causing problems for users of the overlayfs filesystem.
Security updates for Tuesday
Security updates have been issued by AlmaLinux (grafana), Debian (libebml, poco, redis, sympa, tiff, and ucf), Fedora (rsync), Mageia (dcmtk, git, proftpd, and raptor2), Red Hat (grafana, iperf3, kernel, microcode_ctl, and redis), SUSE (chromium, dhcp, git, libqt5-qtwebkit, and pam_u2f), and Ubuntu (python3.10, python3.8 and python3.12).
Development statistics for 6.13
The 6.13 development cycle ended on January 19 with the release of the 6.13 kernel. This cycle was, on its surface, one of the slowest we have seen in some time; the LWN merge-window summaries (part 1, part 2) and the KernelNewbies 6.13 page can be consulted for a refresher on all it contains. Here, instead, we will take our usual look at where all of those changes came from.
Dillo 3.2.0 released
Version 3.2.0 of the Dillo web browser has been released about a month after its 25th anniversary. Notable new features in 3.2.0 include SVG support for math formulas, optional support for WebP images, and more.
Security updates for Monday
Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, ipa, and NetworkManager), Debian (389-ds-base, busybox, libreoffice, rsync, ruby2.7, tomcat10, and tryton-server), Fedora (chromium and stb), Mageia (openafs and vim), Oracle (.NET 8.0 and .NET 9.0), SUSE (amazon-ssm-agent, chromedriver, git, golang-github-prometheus-prometheus, govulncheck-vulndb, grafana, hplip, pam_u2f, perl-Compress-Raw-Zlib, perl-IO-Compress, redis, redis7, rsync, and velociraptor), and Ubuntu (libpodofo and linux-xilinx-zynqmp).
The 6.13 kernel has been released
Linus has released the 6.13 kernel. "So nothing horrible or unexpected happened last week, so I've tagged and pushed out the final 6.13 release." Significant features in this release include the lazy preemption model for CPU scheduling, Arm64 Guarded Control Stack support, the PIDFD_GET_INFO() operation, multi-grain file timestamps, beginning atomic write support for the ext4 and XFS filesystems, the setxattrat(), getxattrat(), listxattrat(), and removexattrat() system calls, private stacks for BPF programs, a new mechanism for adding guard pages to a memory mapping, the removal of the reiserfs filesystem, and more. See the LWN merge-window summaries (part 1, part 2) and the KernelNewbies 6.13 page for more information.
GDB 16.1 released
Version 16.1 of the GDB debugger is out. There are a lot of changes, including watchpoints for tagged data pointers, a new script to print the stack trace of a running process, better Intel Processor Trace support, and more.
A single Sunday stable kernel release
Greg Kroah-Hartman has released the 6.1.126 stable kernel to fix build failures with the 6.1.125 stable release.
LSFMM+BPF 2025 proposal deadline approaching
A reminder has gone out that the deadline for proposals for the 2025 Linux Storage, Filesystem, Memory Management and BPF Summit is February 1; anybody wanting to attend will need to make themselves known before then. The reminder also says that there will be no remote participation option (or live streams) this year.
Reviving None-aware operators for Python
The idea of adding None-aware operators to Python has sprung up once again. These would make traversing structures with None values in them easier, by short-circuiting lookups when a None is encountered. Almost exactly a year ago, LWN covered the previous attempt to bring the operators to Python, but there have been periodic discussions stretching back to 2015 and possibly before. This time Noah Kim has taken up the cause. After some debate, he eventually settled on redrafting the existing PEP to have a more limited scope, which might finally see it move past the cycle of debate, resurrection, and abandonment that it has been stuck in for most of the last decade.
Three stable kernel updates, as expected
The 6.12.10, 6.6.72, and 6.1.125 stable kernels have been released on the expected schedule.
Security updates for Friday
Security updates have been issued by Debian (rsync and tomcat9), Fedora (chromium, mingw-python-jinja2, redict, and valkey), Gentoo (GIMP and pip), Oracle (.NET, fence-agents, ipa, kernel, python-virtualenv, raptor2, and rsync), Red Hat (.NET 8.0 and .NET 9.0), SUSE (apache2-mod_jk, git, git-lfs, kernel, python-Django, thunderbird, and xen), and Ubuntu (audacity, bcel, dotnet8, dotnet9, gimp-dds, harfbuzz, libxml2, poppler, rsync, and tqdm).
The many names of commit 55039832f98c
The kernel is, on its face, a single large development project, but internally it is better viewed as 100 or so semi-independent projects all crammed into one big tent. Within those projects, there is a fair amount of latitude about how changes are managed, and some subsystems are using that freedom in the search for more efficient ways of working. In the end, though, all of these sub-projects have to work together and interface with kernel-wide efforts, including the stable-release and CVE-assignment processes. For some time, there has been friction between the direct rendering (DRM, or graphics) subsystem and the stable maintainers; that friction recently burst into view in a way that shows some of the limitations of how the kernel community manages patches.
Security updates for Thursday
Security updates have been issued by AlmaLinux (fence-agents, raptor2, and rsync), Debian (chromium), Fedora (rsync and seamonkey), Mageia (openjpeg2), Red Hat (tuned), Slackware (git), SUSE (dcmtk, dnsmasq, govulncheck-vulndb, libQtWebKit4, libraptor-devel, opera, python311-Pillow, python311-translate-toolkit, rsync, and SDL2_sound-devel), and Ubuntu (linux-raspi-5.4, neomutt, and python2.7).
LWN.net Weekly Edition for January 16, 2025
Inside this week's LWN.net Weekly Edition:
Ghostty 1.0 has been summoned
The Ghostty terminal emulator project has generated a surprising amount of interest, even before code was released to the public. This is in part due to the high profile of its creator, HashiCorp founder Mitchell Hashimoto. Its development was conducted behind closed doors for beta testing, until version 1.0 was released on December 26 under the MIT license. While far from finished, Ghostty is ready for day-to-day use and might be of interest to those who spend significant amounts of time at the command line.
Libvirt v11.0.0 released
Version 11.0.0 of the libvirt virtualization API has been released. Notable changes in this release include the ability to export virtiofs filesystems in read-only mode, the addition of support for vlan tagging and trunking of network interfaces with the network, qemu, and lxc drivers, as well as a number of bug fixes.
RIP Helen Borrie
We have just now received word of the passing of Helen Borrie, a longtime contributor to the Firebird relational database project.
Linux Mint 22.1 released
Linux Mint version 22.1, a long-term-support (LTS) release with support until 2029, is now available. Notable changes in this release include a transition to Aptkit for background package management tasks, Captain to install Debian packages, and a new default theme with improved Wayland compatibility. See the release notes for known issues.
Six vulnerabilities discovered in rsync
Nick Tait announced on the oss-security mailing list that rsync, the widely used file transfer program, had a number of serious vulnerabilities. Users can mitigate all six vulnerabilities by upgrading to version 3.4.0, which was released on January 14. While all users should upgrade, servers that use rsyncd are especially impacted:
Security updates for Wednesday
Security updates have been issued by Arch Linux (rsync), Debian (rsync), Fedora (perl-Net-OAuth and redis), Red Hat (ipa, raptor2, rsync, and tuned), Slackware (rsync), SUSE (apache2-mod_jk, git, kernel, rclone, rsync, and webkit2gtk3), and Ubuntu (git, linux-azure-5.4, pdns, pdns-recursor, python-django, rlottie, and rsync).
The people should own the town square (Mastodon Blog)
The Mastodon project has announced that founder Eugen Rochko will be transferring "key Mastodon ecosystem and platform components (including name and copyrights, among other assets)" to a new non-profit organization:
The slow death of TuxFamily
TuxFamily is a French free-software-hosting service that has been in operation since 1999. It is a non-profit that accepts "any project released under a free license", whether that is a software license or a free-content license, such as CC-BY-SA. It is also, unfortunately, slowly dying due to hardware failures and lack of interest. For example, the site's download servers are currently offline with no plan to restore them.
[$] Modifying another process's system calls
The ptrace() system call allows a suitably privileged process to modify another in a large number of ways. Among other things, ptrace() can intercept system calls and make changes to them, but such operations can be fiddly and architecture-dependent. This patch series from Dmitry Levin seeks to improve that situation by adding a new ptrace() operation to make changes to another process's system calls in an architecture-independent manner.
Security updates for Tuesday
Security updates have been issued by AlmaLinux (kernel, NetworkManager, and thunderbird), Fedora (golang-github-aws-sdk-2, golang-github-aws-smithy, golang-github-ncw-swift-2, rclone, and thunderbird), Mageia (ceph, firefox, and thunderbird), Oracle (kernel, NetworkManager, and thunderbird), Red Hat (fence-agents and raptor2), SUSE (dpdk, firefox, frr, grafana, operator-sdk, perl-Module-ScanDeps, proftpd, python311-mistune, redis, thunderbird, valkey, and yq), and Ubuntu (hplip and webkit2gtk).
IPU6 camera support status update
Hans de Goede has posted an update about his work to support IPU6 cameras on Fedora and submitting fixes upstream.
[$] Chimera Linux works toward a simplified desktop
Chimera Linux is a new distribution designed to be "simple, transparent, and easy to pick up". The distribution is built from scratch, and recently announced its first beta release. While the documentation and installation process are both a bit rough, the project already provides a usable desktop with plenty of useful software - one built primarily on tools adopted from BSD.
RIP Bill Gianopoulos
The blog of the SeaMonkey project, which develops an all-in-one internet application suite based on Mozilla code, has reported the sad news of the sudden passing of Bill Gianopoulos ("WG9s") on January 6 (obituary). He was a core developer and release engineer for the project.
Security updates for Monday
Security updates have been issued by AlmaLinux (dpdk, firefox, iperf3, thunderbird, and webkit2gtk3), Debian (firefox-esr, gnuchess, node-mocha, openafs, python-django, and thunderbird), Fedora (libxmp, python-jinja2, suricata, thunderbird, and xen), Mageia (avahi, libjxl, opencontainers-runc, radare2, rizin, and tinyproxy), Oracle (cups, dpdk, firefox, iperf3, kernel, thunderbird, and webkit2gtk3), SUSE (apptainer, chromedriver, dnsmasq, govulncheck-vulndb, gstreamer, gstreamer-plugins-base, gstreamer-plugins-good, logback, and python311-slixmpp), and Ubuntu (libxmltok, linux-realtime, roundcube, and snapd).
Kernel prepatch 6.13-rc7
Linus has released 6.13-rc7 for testing. "So unless something odd happens the upcoming week, I expect to release a final 6.13 next week as per the normal schedule". Read the full announcement for your details on how to get a free guitar pedal assembled by Linus himself.
Git v2.48.0 released
Version 2.48.0 of the Git source-code management system has been released. There is a long list of incremental improvements and bug fixes; see the announcement and the highlights blog from GitHub for details.
Paolo Mantegazza RIP
We have just now received word of the passing of Paolo Mantegazza, the driving force behind the Real Time Application Interface project and a key figure in the development of realtime Linux.
[$] The state of Vim
The death of Bram Moolenaar, Vim founder and benevolent dictator for life (BDFL), in 2023 sent a shock through the community, and raised concern about the future of the project. At VimConf 2024 in November, current Vim maintainer Christian Brabandt delivered a keynote on "the new Vim project" that detailed how the community has reorganized itself to continue maintaining Vim and what the future looks like.
Automattic reduces WordPress contributions
Automattic has announced that it is reallocating its resources away from contributing to the WordPress project as a response to the WPEngine lawsuit:
A straggling kernel update
After yesterday's stable kernel releases, Chris Clayton reported a build problem with 6.6.70, which prompted Greg Kroah-Hartman to release 6.6.71 to fix it.
Security updates for Friday
Security updates have been issued by Fedora (chromium and mingw-poppler), Red Hat (dpdk, thunderbird, and webkit2gtk3), SUSE (firefox, govulncheck-vulndb, gstreamer, gstreamer-plugins-base, gstreamer-plugins-good, libmfx, openjpeg2, python310, python312, python39, tomcat, and webkit2gtk3), and Ubuntu (golang-golang-x-net).
Rust 1.84.0 released
Version 1.84.0 of the Rust language has been released. Changes include improved version selection for dependencies in Cargo, the beginning of the migration to a new trait solver, and some updated pointer-provenance APIs.
SFC reports a successful (L)GPL suit in Germany
The Software Freedom Conservancy is reporting that AVM has released the full source and installation scripts for its routers in response to a lawsuit, filed by Sebastian Steck, based on Lesser GNU Public License rights.
[$] Page-table hardening with memory protection keys
Attacks on the kernel can take many forms; one popular exploitation path is to find a way to overwrite some memory with attacker-supplied data. If the right memory can be targeted, one well-targeted stray write is all that is needed to take control of the system. Since the system's page tables regulate access to memory, they are an attractive target for this type of attack. This patch set from Kevin Brodsky is an attempt to protect page tables (and, eventually, other data structures) using the "memory protection keys" feature provided by a number of CPU architectures.
Six new stable kernels
The 6.12.9, 6.6.70, 6.1.124, 5.15.176, 5.10.233, and 5.4.289 stable kernels have been released. As usual, they contain important fixes all over the kernel tree.
Security updates for Thursday
Security updates have been issued by AlmaLinux (cups, kernel, and kernel-rt), Debian (chromium, firefox-esr, and webkit2gtk), Fedora (curl, firefox, gimp, mupdf, openjpeg2, and valkey), Red Hat (389-ds-base, cups, firefox, iperf3, kernel, kernel-rt, libreswan, python3.11-urllib3, thunderbird, and webkit2gtk3), Slackware (firefox, seamonkey, and thunderbird), SUSE (apptainer, firefox-esr, libopenjp2-7, libruby3_4-3_4, openjpeg2, and tomcat10), and Ubuntu (firefox, linux-azure, linux-azure, linux-azure-4.15, linux-azure, linux-azure-6.8, linux-azure, linux-intel-iotg-5.15, linux-azure-5.15, python2.7, thunderbird, and xfpt).
[$] LWN.net Weekly Edition for January 9, 2025
Inside this week's LWN.net Weekly Edition:
[$] A look at the Sequoia command-line interface
The Sequoia OpenPGP library has been in development for some time. LWN covered the library in 2020. Now the project's command-line interface has been released. The sq tool offers a promising alternative to the venerable GNU Privacy Guard (GPG) tool - albeit one with a different interface, set of terminology, and approach to the web of trust. Several distributions are making increasing use of the tool behind the scenes.
2024: Year in Review (Tor Blog)
The Tor Project has published a review of major milestones from 2024, including merging with the Tails project, work to enable human-friendly .onion addresses, and the launch of WebTunnel:
Announcing the pkgsrc-2024Q4 branch
The pkgsrc developers have announced the 2024Q4 branch of the pkgsrc cross-platform packaging system. It is the default package manager for NetBSD, SmartOS, and is available for Linux as well. This marks the 85th quarterly release of pkgsrc:
Security updates for Wednesday
Security updates have been issued by Fedora (firefox, mupdf, and php-tcpdf), SUSE (etcd, file-roller, gtk3, kernel, python-django-ckeditor, rubygem-json-jwt, and tomcat10), and Ubuntu (ffmpeg, HTMLDOC, linux-aws, linux-raspi, linux-gke, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, and tinyproxy).
Kicinski: netdev in 2024
Kernel networking maintainer Jakub Kicinski reviews progress in the networking subsystem in 2024.
2024 in retrospect (Gentoo News)
Gentoo Linux has published a project retrospective that looks at the major improvements and news from 2024, the Gentoo Foundation's finances, and contributions to Gentoo by the numbers.
[$] 2024 Linux and free software timeline
In the past, LWN had a tradition of publishing a timeline of notable events from the previous year in early January. We thought we might try reviving that tradition in 2025 to see if our readers find it useful. While we have covered these events as they happened, it's interesting to see how much has taken place in just 12 months.