LWN.net headlines feed (https://lwn.net/, feed: http://lwn.net/headlines/rss), updated 2025-04-03 03:15
Security updates for Thursday
Security updates have been issued by Debian (php7.4, python-django, and python3.9), Fedora (bluez, iwd, libell, and radare2), Mageia (chromium-browser-stable, mosquitto, tomcat, tomcat packages, and vim), Oracle (firefox, grub2, python3, thunderbird, and webkit2gtk3), Red Hat (fence-agents, php:7.4, and python-jinja2), SUSE (assimp-devel, crane, ffmpeg-4, freetype2, helm, kernel, kured, python-Django, python-Jinja2, python311-Django4, and tomcat), and Ubuntu (alpine, djoser, libxslt, postgresql-9.5, and valkey).
[$] LWN.net Weekly Edition for March 20, 2025
Inside this week's LWN.net Weekly Edition:
GNOME 48 released
GNOME 48 ("Bengaluru") has been released. As usual, this release includes a number of new features and enhancements including support for shortcuts in the Orca screen reader on Wayland, new fonts, addition of image editing to Image Viewer, and more.
[$] Better CPU vulnerability mitigation configuration
Modern CPUs all have multiple hardware vulnerabilities that the kernel needs to mitigate; the 6.13 kernel has workarounds for 14 security-sensitive CPU bugs just on x86_64. Several of those have multiple variants, or multiple mitigations that apply on different microarchitectures. There are different kernel command-line options for each of these mitigations, which leads to a confusing situation for users trying to figure out how to configure their systems. David Kaplan recently posted a patch set that adds a single, unified command-line option for controlling mitigations and simplifies the logic for detecting, configuring, and applying them as well. If it is merged, the patch set could make it much easier for users to navigate the complicated web of CPU vulnerabilities and their mitigations.
PeerTube 7.1 released
Version 7.1 of PeerTube, a tool for sharing videos online, has been released. Notable features in this release include improved support for the Podcast 2.0 standard, better playback stability, and a new view protocol enabled by default to allow PeerTube to handle more simultaneous viewers. See the release notes for more details.
[$] A look at /e/OS on tablet hardware
/e/OS is a privacy-centric, open-source mobile operating system that has primarily been targeted at mobile phones, with only a few community-supported images available for tablet devices. In December, Murena, a company that sells devices with /e/OS preinstalled, announced that /e/OS now officially supports tablets as well, starting with the Pixel tablet. The user experience is close enough to mainstream alternatives to make it attractive, but there are some under-the-hood problems that may give users pause.
Supply Chain Attacks on Linux distributions (Fenrisk)
A security company called Fenrisk has posted an overview of a pair of claimed successful supply-chain attacks on the Fedora and openSUSE distributions.
Security updates for Wednesday
Security updates have been issued by Debian (tzdata), Fedora (expat and tigervnc), Red Hat (kernel, kernel-rt, thunderbird, and webkit2gtk3), SUSE (dcmtk), and Ubuntu (restrictedpython and uriparser).
[$] Oxidizing Ubuntu: adopting Rust utilities by default
If all goes according to plan, the Ubuntu project will soon be replacing many of the traditional GNU utilities with implementations written in Rust, such as those created by the uutils project, which we covered in February. Wholesale replacement of core utilities at the heart of a Linux distribution is no small matter, which is why Canonical's VP of engineering, Jon Seager, has released oxidizr. It is a command-line utility that helps users easily enable or disable the Rust-based utilities to test their suitability. Seager is calling for help with testing and for users to provide feedback with their experiences ahead of a possible switch for Ubuntu 25.10, an interim release scheduled for October 2025. So far, responses from the Ubuntu community seem positive if slightly skeptical of such a major change.
Security updates for Tuesday
Security updates have been issued by Debian (freetype and rails), Fedora (mosquitto and python-django4.2), Mageia (libarchive, libreoffice, php, and quictls), Red Hat (webkit2gtk3), SUSE (erlang, nethack, python312, and wpa_supplicant), and Ubuntu (freetype and plantuml).
GIMP 3.0 released
The long-awaited GIMP 3.0 release is now available. Major changes in 3.0 include nondestructive editing for most commonly used filters, improved text creation, better colorspace management, and an update to GTK 3.
SystemRescue 12.00 released
Version 12.00 of the SystemRescue live Linux system has been released. SystemRescue is an Arch Linux based bootable toolkit for repairing systems in the event of a crash. Notable changes in this release include an update to Linux 6.12.19, support for bcachefs, and a number of updated disk utilities. See the package list for a complete list of software included in this release.
[$] Looking forward to mapcount madness 2025
One of the many important tasks that the kernel's memory-management subsystem must handle is keeping track of how pages of memory are mapped into the address spaces of the processes running on the system. As long as mappings to a given page exist, that page must be kept in place. As it turns out, tracking these mappings is harder than it seems it should be, and the move to folios within the memory-management subsystem is adding some complexities of its own. As a follow-up to the "mapcount madness" session that he ran at the 2024 Linux Storage, Filesystem, Memory-Management, and BPF summit, David Hildenbrand has posted a patch series intended to improve the handling of mapping counts for folios, but exact accounting remains elusive in some situations.
Security updates for Monday
Security updates have been issued by Debian (opensaml and php8.2), Fedora (chromium, ctk, dcmtk, expat, ffmpeg, firefox, fscrypt, gdcm, InsightToolkit, kitty, libssh2, libxml2, linux-firmware, man2html, nextcloud, OpenImageIO, php, podman-tui, python-django, python-django5, python-gunicorn, python-jinja2, python-spotipy, python3.6, qt6-qtwebengine, thunderbird, tigervnc, vim, vyper, xen, xorg-x11-server, and xorg-x11-server-Xwayland), Mageia (freetype2, ghostscript, and man2html), Oracle (kernel and krb5), Red Hat (grub2, libreoffice, mysql:8.0, pcs, thunderbird, tigervnc, webkit2gtk3, and xorg-x11-server), Slackware (expat, freetype, and php), SUSE (amazon-ssm-agent, chromedriver, ed25519-java, google-cloud-sap-agent, google-guest-agent, govulncheck-vulndb, libexslt0, libzvbi-chains0, php8, restic, rubygem-rack, subversion, tomcat, and tomcat10), and Ubuntu (freetype, resteasy, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).
Kernel prepatch 6.14-rc7
Linus has released the seventh (and probably last) prepatch for the 6.14 release. "Things continue to look quite calm, and I expect to release the final 6.14 next weekend unless something very surprising happens".
Git 2.49.0 released
Version 2.49.0 of the Git source-code management system has been released. This release comprises 460 non-merge commits since 2.48.0, with contributions from 89 people, including 24 new contributors. There is a long list of improvements and bug fixes; see the highlights blog from GitHub's Taylor Blau for some of the more interesting features.
[$] The burden of knowledge: dealing with open-source risks
Organizations relying on open-source software have a wide range of tools, scorecards, and methodologies to try to assess security, legal, and other risks inherent in their so-called supply chain. However, Max Mehl argued recently in a short talk at FOSS Backstage in Berlin (and online) that all of this objective information and data is insufficient to truly understand and address risk. Worse, this information doesn't provide options to improve the situation and encourages a passive mindset. Mehl, who works as part of the CTO group at DB Systel, encouraged better risk assessment using qualitative data and direct participation in open source.
Security updates for Friday
Security updates have been issued by Fedora (iniparser, thunderbird, trafficserver, and xorg-x11-server), Mageia (opensc), Oracle (.NET 8.0, .NET 9.0, gcc, kernel, and libxml2), Red Hat (firefox, grub2, and krb5), Slackware (libxslt), SUSE (amazon-ssm-agent, bsdtar, build, ffmpeg-4, forgejo-runner, kernel, python, python3, python313, rubygem-rack-1_6, and tailscale), and Ubuntu (linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15).
Choi: announcing Casual Make
Charles Choi has announced the release of Casual Make: a menu-driven interface, implemented as part of the Casual suite of tools, for Makefile Mode in GNU Emacs.
[$] Warming up to frozen pages for networking
When the 6.14 kernel is released later this month, it will include the usual set of internal changes that users should never notice, with the possible exception of changes that bring performance improvements. One of those changes is frozen pages, a memory-management optimization that should fly mostly under the radar. When Hannes Reinecke reported a crash in 6.14, though, frozen pages suddenly came into view. There is a workaround for this problem, but it seems there is a fair amount of work to be done that nobody had counted on to solve the problem properly.
Seven new stable kernels
Greg Kroah-Hartman has announced the release of the 6.13.7, 6.12.19, 6.6.83, 6.1.131, 5.15.179, 5.10.235, and 5.4.291 stable kernels. They all contain a relatively large number of important fixes throughout the kernel tree.
Security updates for Thursday
Security updates have been issued by Debian (chromium), Fedora (ffmpeg, qt6-qtwebengine, tigervnc, and xorg-x11-server-Xwayland), Red Hat (fence-agents and libxml2), SUSE (amazon-ssm-agent, ark, chromium, fake-gcs-server, gerbera, google-guest-agent, google-osconfig-agent, grafana, kernel, libtinyxml2-10, podman, python311, python312, restic, ruby3.4-rubygem-rack, and thunderbird), and Ubuntu (jinja2, linux-azure, linux-azure-4.15, linux-lts-xenial, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, netatalk, python3.5, python3.8, rar, unrar-nonfree, and xorg-server, xwayland).
[$] LWN.net Weekly Edition for March 13, 2025
Inside this week's LWN.net Weekly Edition:
[$] New terms of service for PyPI
On February 25, the Python Software Foundation (PSF), which runs the Python Package Index (PyPI), announced new terms of service (ToS) for the repository. That has led to some questions about the new ToS, and the process of coming up with them. For one thing, the previous terms of use for the service were shorter and simpler, but there are other concerns with specific wording in the new agreement.
Traversal-resistant file APIs (The Go Blog)
Damien Neil has written an article for the Go Blog about path traversal vulnerabilities and the os.Root API added in Go 1.24 to help prevent them.
[$] Zig's 0.14 release inches the project toward stability
The Zig project has announced the release of the 0.14 version of the language, including changes from more than 250 contributors. Zig is a low-level, memory-unsafe programming language that aims to compete with C instead of depending on it. Even though the language has not yet had a stable release, there are a number of projects using it as an alternative to C with better metaprogramming. While the project's release schedule has been a bit inconsistent, with the release of version 0.14 being delayed several times, the release contains a number of new convenience features, broader architecture support, and the next steps toward removing Zig's dependency on LLVM.
Below: local privilege escalation (SUSE security team blog)
The SUSE Security Team blog has a post with a detailed analysis of a vulnerability (CVE-2025-27591) in the below tool for recording and displaying system data.
The LLVM project stabilizes its Fortran compiler
The LLVM project's Fortran compiler, which has for many years gone by the name "flang-new", will now simply be "flang", starting from LLVM's 20.1.0 release on March 4. The announcement, which includes details about the history of flang, comes after a long period of development and discussion. The community has considered renaming flang several times before now, but has always held off out of a feeling that the compiler was not yet ready. Now, the members of the project believe that flang has become stable and complete enough to earn its name.
GStreamer 1.26.0 released
Version 1.26.0 of the GStreamer cross-platform multimedia framework has been released. Notable changes in this release include support for the H.266 Versatile Video Coding (VVC) codec, Low Complexity Enhancement Video Coding (LCEVC) support, closed caption improvements, and JPEG XS image codec support.
Security updates for Wednesday
Security updates have been issued by Debian (libmodbus), Fedora (thunderbird and vyper), Mageia (firefox, nss, python-django, python-jinja2, and thunderbird, thunderbird-l10n), Oracle (bind, kernel, rsync, and tigervnc), Red Hat (.NET 8.0, .NET 9.0, and libxml2), SUSE (iniparser and kernel), and Ubuntu (dotnet8, dotnet9, freerdp2, jinja2, libreoffice, linux, linux-hwe, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-kvm, linux-oracle, linux-kvm, and opensc).
[$] The road to mainstream Matrix
Matrix provides an open network for secure, decentralized communication. It has enjoyed some success over the last few years as an IRC replacement and real-time chat for a number of open-source projects. But adoption by a subset of open-source developers is a far cry from the mainstream adoption that Matthew Hodgson, Matrix project lead and CEO of Element (the company that created Matrix), would like to see. At FOSDEM 2025, he discussed the history of Matrix, its missteps in chasing mainstream adoption, its current status, as well as some of the wishlist features for taking Matrix into the mainstream.
Framework Mono 6.14.0 released
Version 6.14.0 of Framework Mono has been announced.
Security updates for Tuesday
Security updates have been issued by Debian (libaws, ruby2.7, and squid), Fedora (bigloo, emacs, neovim, python-jinja2, rizin, and tree-sitter), Oracle (kernel), Red Hat (grub2, kernel, kernel-rt, and libxml2), SUSE (iniparser, kernel, krb5, libxkbfile, and u-boot), and Ubuntu (gnuchess, openjdk-17-crac, openjdk-21-crac, and openvpn).
Python tail-call speedup based on LLVM regression
The Python project's recent switch to a tail-calling interpreter may not provide as large a speed advantage as initially thought. A blog post from Nelson Elhage gives the details. In short, switching to a tail-call-based interpreter accidentally works around an unfixed regression in LLVM 19. On other compilers, the performance benefit (while still present) is more moderate.
[$] Capability analysis for the kernel
One of the advantages of the Rust type system is its ability to encapsulate requirements about the state of the program in the type system; often, this state includes which locks must be held to be able to carry out specific operations. C lacks the ability to express these requirements, but there would be obvious benefits if that kind of feature could be grafted onto the language. The Clang compiler has made some strides in that direction with its thread-safety analysis feature; two developers have been independently working to take advantage of that work for the kernel.
Security updates for Monday
Security updates have been issued by Debian (openvpn and thunderbird), Fedora (buildah, chromium, podman-tui, python-spotipy, qt6-qtwebengine, and vim), Mageia (chromium-browser-stable and gpac), Oracle (krb5), Red Hat (firefox, kernel, kernel-rt, libxml2, and pcs), SUSE (buildah, chromedriver, chromium, firefox, go1.23, go1.24, grype, python, python311-GitPython, ruby3.4-rubygem-rack, thunderbird, and xen), and Ubuntu (xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).
Kernel prepatch 6.14-rc6
Linus has released 6.14-rc6 for testing. "This release remains on track, nothing special to report".
Stable kernel 6.6.82
The 6.6.82 stable kernel has been released. "All i386 users of the 6.6 kernel series must upgrade (as they skipped the last release.) All other arches can skip this one as it should not affect them."
Four more stable kernel updates
Greg Kroah-Hartman has announced the release of four more stable kernels: 6.13.6, 6.12.18, 6.6.81, and 6.1.130. Unlike a normal release, Kroah-Hartman did not call for all users to update their kernels. Specifically, the 6.6.81 kernel is currently broken on i386 systems, and users should wait for 6.6.82.
Ubuntu 25.04 (Plucky Puffin) progress
Matthieu Clemenceau has published a status update from the Foundations Team on Ubuntu 25.04 (Plucky Puffin) development to the Ubuntu Discourse forum. This includes updates on Ubuntu's adoption of Dracut as an alternative to initramfs-tools, a move to a single ISO for arm64 devices rather than device-specific images, and reverting the planned O3 optimization flags for Plucky Puffin.
[$] Hash-based module integrity checking
On January 20, Thomas Weischuh shared a new patch set implementing an alternate method for checking the integrity of loadable kernel modules. This mechanism, which checks module integrity based on hashes computed at build time instead of using cryptographic signatures, could enable reproducible kernel builds in more contexts. Several distributions have already expressed interest in the patch set if Weischuh can get it into the kernel.
Security updates for Friday
Security updates have been issued by Debian (chromium), Fedora (firefox and man2html), Mageia (erlang, ffmpeg, and vim), Oracle (doxygen, firefox, python-jinja2, squid, and webkit2gtk3), Red Hat (nodejs:18), SUSE (emacs, go1.23, go1.24, and pcp), and Ubuntu (ansible, firefox, linux-azure, linux-nvidia, and python-django).
[$] Timer IDs, CRIU, and ABI challenges
The kernel project has usually been willing to make fundamental internal changes if they lead to a better kernel in the end. The project also, though, goes out of its way to avoid breaking interfaces that have been exposed to user space, even if programs come to rely on behavior that was never documented. Sometimes, those two principles come into conflict, leading to a situation where fixing problems within the kernel is either difficult or impossible. This sort of situation has been impeding performance improvements in the kernel's POSIX timers implementation for some time, but it appears that a solution has been found.
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr), Fedora (firefox and vim), Red Hat (firefox), Slackware (mozilla), SUSE (firefox, firefox-esr, kernel, and podman), and Ubuntu (gpac, kernel, linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-hwe-5.15, and redis).
[$] LWN.net Weekly Edition for March 6, 2025
Inside this week's LWN.net Weekly Edition:
Zen and the Art of Microcode Hacking (Google Bug Hunters)
The Google Bug Hunters blog has a detailed description of how a vulnerability in AMD's microcode-patching functionality was discovered and exploited; the authors have also released a set of tools to assist with this kind of research in the future.
FerretDB 2.0 released
Version 2.0.0 of FerretDB has been released. FerretDB is an open-source alternative to MongoDB, which switched to a non-open license in 2018, built on top of PostgreSQL. This release utilizes the DocumentDB PostgreSQL extension for better performance, adds vector search, and replication.
[$] Two new graph-based functional programming languages
Functional programming languages have a long association with graphs. In the 1990s, it was even thought that parallel graph-reduction architectures could make functional programming languages much faster than their imperative counterparts. Alas, that prediction mostly failed to materialize. Even though graphs are still used as a theoretical formalism in order to define and optimize functional languages (such as Haskell's spineless tagless graph-machine), they are still mostly compiled down to the same old non-parallel assembly code that every other language uses. Now, two projects, Bend and Vine, have sprung up attempting to change that, and prove that parallel graph reduction can be a useful technique for real programs.
Xen 4.20 released
The Xen Project has announced the release of Xen 4.20. This release adds support for AMD Zen5 CPUs, improved compliance with the MISRA C standard, work on PCI-passthrough on Arm, and more. Xen 4.20 also removes support for Xeon Phi CPUs, which were discontinued in 2018. See the feature list and release notes for more information.
Thunderbird Desktop 136.0 released
Version 136.0 of the Thunderbird Desktop mail client has been released. The release includes a quick toggle for adapting messages to dark mode, and a new "Appearance" setting to control message threading and sorting order globally, as well as a number of bug fixes. See the security advisory for a full list of security vulnerabilities addressed in Thunderbird 136.0.