All posts by jzb

[$] Addressing UID/GID drift in rpm-ostree and bootc

Post Syndicated from jzb original https://lwn.net/Articles/1018082/

The Fedora Project is looking for solutions to an interesting
problem with its image-based editions and spins, such as the Atomic Desktops
or CoreOS, that are created with rpm-ostree or bootc. If a package that
is part of an image-based version creates a user or group
dynamically on installation, and that user or group owns files installed on the
system, the system may be subject to user ID (UID) and group ID (GID) “drift”
on updates. The drift comes about when a new image with updates is
generated: because dynamically allocated IDs depend on the order in which
packages are installed while the image is built, a rebuilt image can give the
same user or group a different number, and files on the running system may
then have the wrong ownership. This can have side effects ranging from mildly
inconvenient to serious. No solutions have been adopted just yet, but there
are a few ideas on how to deal with the problem.
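The check a practitioner would want before and after such an update, as an added example that is not rpm-ostree, bootc or Fedora code: compare the passwd snapshots of two image builds, list users whose numeric ID moved, and then work out which persisted files (state under /var, for instance) now resolve to the wrong name and what numeric rewrite would restore ownership by name. The passwd contents, the "exporter" and "metrics" users and the file records are constructed; only UIDs are handled, and /etc/group would get the same treatment.

```python
"""Detecting UID/GID drift between two image builds.

Added example; not rpm-ostree, bootc or Fedora code. It models the failure
described above: a package creates its user at install time, so the numeric
ID depends on allocation order while the image is built. A rebuilt image can
give the same name a different number, while files that persist across the
update keep the old number. Only UIDs are handled here; /etc/group gets the
same treatment.
"""

# Constructed /etc/passwd snapshots from two image builds. In the second
# build a new package ("metrics") is installed before "exporter", so the
# dynamically allocated ID that "exporter" used to get now belongs to
# "metrics" and "exporter" moves down by one.
PASSWD_OLD = """root:x:0:0:root:/root:/bin/bash
exporter:x:998:998:Metrics exporter:/var/lib/exporter:/sbin/nologin
"""
PASSWD_NEW = """root:x:0:0:root:/root:/bin/bash
metrics:x:998:998:Metrics agent:/var/lib/metrics:/sbin/nologin
exporter:x:997:997:Metrics exporter:/var/lib/exporter:/sbin/nologin
"""

# Constructed ownership records (path, uid, gid) for files that survive the
# update. The kernel stores numeric IDs, so these do not change by themselves.
PERSISTED_FILES = [
    ("/var/lib/exporter/state.db", 998, 998),
    ("/var/log/exporter.log", 998, 998),
    ("/etc/hostname", 0, 0),
]


def parse_passwd(text):
    """Return (name -> uid, uid -> name) for passwd-format text."""
    by_name, by_uid = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, *_rest = line.split(":")
        by_name[name] = int(uid)
        by_uid[int(uid)] = name
    return by_name, by_uid


def find_drift(passwd_old, passwd_new):
    """Users present in both builds whose UID changed: {name: (old, new)}."""
    old, _ = parse_passwd(passwd_old)
    new, _ = parse_passwd(passwd_new)
    return {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]}


def misowned_files(files, passwd_old, passwd_new):
    """Files whose numeric owner resolves to a different name after the update.

    Returns (path, owner name in old build, owner name in new build); the new
    name is None when the UID no longer maps to any user (an orphaned file).
    """
    _, old_by_uid = parse_passwd(passwd_old)
    _, new_by_uid = parse_passwd(passwd_new)
    return [
        (path, old_by_uid.get(uid), new_by_uid.get(uid))
        for path, uid, _gid in files
        if old_by_uid.get(uid) != new_by_uid.get(uid)
    ]


def chown_plan(files, passwd_old, passwd_new):
    """Numeric rewrites (path, from_uid, to_uid) that restore ownership by name.

    Each file is resolved to the name it had in the old build, and that name
    is mapped to the number the new build assigns it.
    """
    _, old_by_uid = parse_passwd(passwd_old)
    new_by_name, _ = parse_passwd(passwd_new)
    plan = []
    for path, uid, _gid in files:
        name = old_by_uid.get(uid)
        if name is None or name not in new_by_name or new_by_name[name] == uid:
            continue
        plan.append((path, uid, new_by_name[name]))
    return plan


if __name__ == "__main__":
    print("drift:", find_drift(PASSWD_OLD, PASSWD_NEW))
    for row in misowned_files(PERSISTED_FILES, PASSWD_OLD, PASSWD_NEW):
        print("misowned:", row)
    for row in chown_plan(PERSISTED_FILES, PASSWD_OLD, PASSWD_NEW):
        print("chown:", row)
```

The orphaned-file case (a UID that maps to no user in the new build) is reported with None as the new owner rather than silently skipped, since a file owned by a dangling UID is exactly the kind of thing that later gets picked up by whichever new user happens to be allocated that number.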

NLnet announces funding for 42 FOSS projects

Post Syndicated from jzb original https://lwn.net/Articles/1018621/

The NLnet Foundation has announced the projects that have received
funding from its October call for grant proposals from the Next
Generation Internet (NGI) Zero Commons Fund.

The selected projects all contribute, one way or another, to the
mission of the Commons Fund: reclaiming the public nature of the
internet. For example, there are people working on interesting open
hardware projects such as the tablet MNT Reform Touch
and the Solar
FemtoTX motherboard
— a collaborative effort to create an
ultra-low power motherboard that can run on solar power. LLM2FPGA aims to enable
running open source LLMs locally on programmable chips (“FPGAs”) using
a fully open-source toolchain. bcachefs
readies itself as the next generation filesystem for Linux, improving
performance, scalability and reliability when compared to legacy
filesystems.

In all, 42 projects have been selected for the NGI grants, which are
between €5,000 and €50,000. See the announcement for the
full list of selected projects, and the current projects page
for other recent projects funded by NLnet.

Security updates for Wednesday

Post Syndicated from jzb original https://lwn.net/Articles/1018589/

Security updates have been issued by AlmaLinux (bluez, expat, and postgresql:12), Fedora (chromium, golang, LibRaw, moodle, openiked, ruby, and trafficserver), Red Hat (bluez, expat, gnutls, libtasn1, libxslt, mod_auth_openidc, mod_auth_openidc:2.3, ruby:3.1, thunderbird, and xmlrpc-c), and Ubuntu (linux, linux-aws, linux-gcp, linux-hwe-6.11, linux-lowlatency, linux-lowlatency-hwe-6.11, linux-oem-6.11, linux-oracle, linux-raspi, linux-realtime, linux-azure, linux-azure-6.11, linux-gcp-6.8, and matrix-synapse).

RISC-V images for Fedora Linux 42

Post Syndicated from jzb original https://lwn.net/Articles/1018322/

The Fedora Project’s RISC-V special-interest group (SIG) has announced
the availability of Fedora Linux 42 images for supported RISC-V boards,
as well as QEMU and container images. The SIG is working toward making
RISC-V a primary architecture for Fedora, and has made significant
progress in the past year.

Our upstreaming work continues apace, and we want to acknowledge
that none of this progress would be possible without the incredible
collaboration from maintainers across the Fedora Project and
beyond. Thank you to everyone who reviewed, accepted, merged, and
built our patches. Your support makes this architecture possible.

We’re also excited about just how many packages build cleanly
without special treatment or overlay repositories that need to be
cared for. RISC-V is becoming just another architecture, and that’s
exactly how it should be.

[$] Owen Le Blanc: creator of the first Linux distribution

Post Syndicated from jzb original https://lwn.net/Articles/1017846/

Ask a Linux enthusiast who created the Linux kernel, and odds are they will have
no trouble naming Linus Torvalds, but many would be stumped if asked what the
first Linux distribution was, and who created it. Some might guess Slackware,
or its predecessor, Softlanding Linux System (SLS); both were arguably more
influential but arrived just a bit later. The first honest-to-goodness
distribution with a proper installer was MCC Interim Linux, created by
Owen Le Blanc and released publicly in early 1992. I recently reached out
to Le Blanc to learn more about his work on the distribution, what he has
been doing since, and his thoughts on Linux in 2025.

Tor Browser 14.5 released

Post Syndicated from jzb original https://lwn.net/Articles/1017923/

Version 14.5 of the Tor Browser has been released. Notable features in
this release include the addition of Connection Assist for the Android
version of the Tor Browser, and language support for Belarusian,
Bulgarian, and Portuguese for all versions of the browser.

Should Tor Browser fail to establish a direct connection to the Tor
network, Connection Assist will offer to find and try bridges for
you. But before this feature could be made available on Android, we
had to embark on a multi-year effort to refactor our tor integration
across each platform first. This project has now reached an important
milestone, and we’re proud to announce the release of Connection
Assist for Android today.

See the full changelog for all changes in this release, and the issues
page for known problems.

[$] What’s new in APT 3.0

Post Syndicated from jzb original https://lwn.net/Articles/1017315/

Debian’s Advanced Package Tool (APT) is the suite of utilities that handle package
management on Debian and Debian-derived operating systems. APT recently received a
major upgrade to 3.0 just in time for inclusion in Debian 13
(“trixie”), which is planned for release sometime in 2025. The version bump is
warranted; the latest APT has user-interface improvements, switches to Sequoia to verify package
signatures, and includes solver3—a new solver that is designed to improve
how it evaluates and resolves package dependencies.

Catanzaro: Dangerous arbitrary file read vulnerability in Yelp

Post Syndicated from jzb original https://lwn.net/Articles/1017727/

GNOME contributor Michael Catanzaro has written a blog post about a
noteworthy vulnerability in GNOME’s help browser, Yelp.

I don’t normally blog about particular CVEs, but Yelp CVE-2025-3155 is
noteworthy because it is quite severe, public for several weeks now,
and not yet fixed upstream. In short, help files can read your
filesystem and execute arbitrary JavaScript code, allowing an attacker
to exfiltrate any files your Unix user has access to.

The vulnerability was first reported on December 25, and it
was made public on March 26 after the 90-day disclosure deadline
was reached. Patches have been proposed to fix the issue. The bug
reporter has published a writeup demonstrating the attack. Catanzaro
asks that Linux vendors “please consider applying the provided patches
even though they have not yet been accepted upstream”.

CISA extends funding to the CVE program (BleepingComputer)

Post Syndicated from jzb original https://lwn.net/Articles/1017704/

Sergiu Gatlan reports
that the US government has extended funding for the Common
Vulnerabilities and Exposures (CVE) program, following yesterday’s reports that funding
would run out as of April 16.

“The CVE Program is invaluable to cyber community and a priority of
CISA,” the U.S. cybersecurity agency told BleepingComputer. “Last
night, CISA executed the option period on the contract to ensure there
will be no lapse in critical CVE services. We appreciate our partners’
and stakeholders’ patience.”

The article also mentions the launch of a CVE Foundation, to
“transition the CVE program to a dedicated foundation and eliminate
a single point of failure in the vulnerability management
ecosystem”, as well as a European vulnerability database (EUVD)
backed by the European Union Agency for Cybersecurity (ENISA).
Details on these initiatives are scant at the moment, and it is
unclear whether restoration of funding will have any impact on these
efforts.

Security updates for Wednesday

Post Syndicated from jzb original https://lwn.net/Articles/1017670/

Security updates have been issued by AlmaLinux (gvisor-tap-vsock, kernel, and kernel-rt), Fedora (chromium, dnf, dotnet9.0, golang, lemonldap-ng, mariadb10.11, perl-Crypt-URandom-Token, perl-DBIx-Class-EncodedColumn, php-tcpdf, podman-tui, and trunk), Red Hat (java-17-openjdk and kernel), Slackware (mozilla), SUSE (apache2-mod_auth_openidc, cosign, etcd, expat, flannel, kernel, libsqlite3-0, libvarnishapi3, mozjs52, Multi-Linux Manager 4.3: Server, Multi-Linux Manager 5.0: Server, Proxy and Retail Server, pgadmin4, rekor, rsync, rubygem-bundler, and webkit2gtk3), and Ubuntu (7zip, Docker, and quickjs).

Fedora Linux 42 released (Fedora Magazine)

Post Syndicated from jzb original https://lwn.net/Articles/1017537/

The Fedora Project has announced the release of Fedora Linux 42, with
“what’s new” articles for Fedora Workstation and Fedora KDE Plasma
Desktop. There is also a last-minute warning about the live media for
the release:

We discovered a problem with the Live boot media at the last
minute, and since the release was already out of the airlock, we can’t
do much about it. It doesn’t damage anything, but is annoying: just
booting the Live media adds an unexpected entry to the UEFI boot
loader even when Fedora Linux 42 is not installed to the local
system.

This is primarily a concern when you are dual-booting with a
different operating system, or if you’re just running the Live image
and not intending to actually install.

See the release notes for more information, and LWN’s coverage of
Fedora 42.

Hardening the Firefox frontend

Post Syndicated from jzb original https://lwn.net/Articles/1016978/

Tom Schuster, Frederik Braun, and Christoph Kerschbaumer have
published an article
on the Firefox Security team’s Attack & Defense
blog that explains recent work to harden Firefox’s frontend code.

We have rewritten over 600 JavaScript event handlers to mitigate XSS
and other injection attacks in the main Firefox user interface. This
mitigation will ship in Firefox 138. However, blocking the execution
of scripts in the parent process is not the end – we will expand this
technique to other contexts in the near future. There is still more
work to do as the UI requires JavaScript APIs with a high level of
privileges. However: We still eliminated a whole class of attacks,
significantly raising the bar for attackers to exploit Firefox.
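The inventory step that a migration like the one described above needs, as an added example that is not Mozilla’s code: before inline script execution can be blocked in a privileged UI, every inline event-handler attribute, javascript: URL and inline script body has to be found and rewritten (to addEventListener calls and scripts loaded by URL). This scanner lists them in chrome-style markup and reports whether anything is left. The markup fragment, element IDs, function names and the chrome:// URL are constructed.

```python
"""Inventory of inline script in chrome-style markup.

Added example; not Mozilla's code. Lists the constructs that require
inline script execution and therefore have to be rewritten before such
execution can be blocked: on*="..." attributes, javascript: URLs and
<script> elements with a body but no src=. The sample is constructed.
"""
import re

SAMPLE_MARKUP = """
<toolbarbutton id="back-button" oncommand="BrowserBack(event);"/>
<button id="reload" onclick="reloadTab()" label="Reload"/>
<a id="help-link" href="javascript:openHelp()">Help</a>
<button id="done" label="Done"/>
<script>initPanel();</script>
<script src="chrome://example/content/panel.js"></script>
"""

TAG = re.compile(r"<([A-Za-z][\w:-]*)([^>]*)>")
ID_ATTR = re.compile(r"""\bid\s*=\s*["']([^"']+)""")
# An attribute named on<something> carries script as its value.
INLINE_HANDLER = re.compile(r"""\s(on[a-z]+)\s*=\s*(?:"[^"]*"|'[^']*')""", re.I)
# href/src whose value is a javascript: URL runs script on activation.
JS_URL = re.compile(r"""\s(href|src)\s*=\s*["']\s*javascript:""", re.I)
# <script> without src= whose body is non-empty.
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc\s*=)[^>]*>(.*?)</script>", re.I | re.S)


def find_inline_script(markup):
    """Return one (kind, tag, element id or None, attribute or None) per finding."""
    findings = []
    for m in TAG.finditer(markup):
        tag, attrs = m.group(1), m.group(2)
        idm = ID_ATTR.search(attrs)
        ident = idm.group(1) if idm else None
        for h in INLINE_HANDLER.finditer(attrs):
            findings.append(("handler", tag, ident, h.group(1).lower()))
        u = JS_URL.search(attrs)
        if u:
            findings.append(("javascript-url", tag, ident, u.group(1).lower()))
    for m in INLINE_SCRIPT.finditer(markup):
        if m.group(1).strip():
            findings.append(("inline-script", "script", None, None))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {"handler": 2, "javascript-url": 1}."""
    counts = {}
    for kind, *_ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def ready_to_block_inline(markup):
    """True only when nothing remains that needs inline script execution."""
    return not find_inline_script(markup)


if __name__ == "__main__":
    for row in find_inline_script(SAMPLE_MARKUP):
        print(row)
    print(summarize(find_inline_script(SAMPLE_MARKUP)))
    print("ready:", ready_to_block_inline(SAMPLE_MARKUP))
```

The `<script src=...>` element is deliberately not flagged: loading script by URL is what the inline handlers get rewritten to, so it is the end state, not a finding.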

[$] Debian Project Leader election 2025 edition

Post Syndicated from jzb original https://lwn.net/Articles/1016107/

Four candidates have stepped up to run in the 2025 Debian Project
Leader (DPL) election. Andreas Tille, who is in his first term as DPL,
is running again. Sruthi Chandran, Gianfranco Costamagna, and Julian
Andres Klode are the other candidates running for a chance to serve a
term as DPL. The campaigning phase ended on April 5, and Debian
members began voting on April 6. Voting ends on April 19. This year,
the campaign period has been lively and sometimes contentious,
touching on problems with Debian team delegations and finances.

OpenSSH 10.0 released

Post Syndicated from jzb original https://lwn.net/Articles/1016924/

OpenSSH 10.0 has been released. Support for the DSA signature
algorithm, which was disabled by default beginning in 2015, has been
removed. Other notable changes include using the post-quantum algorithm
mlkem768x25519-sha256 for key agreement by default, support for
systemd-style socket activation in Portable OpenSSH, and moving code
for user authentication from the sshd-session binary to the new
sshd-auth binary:

Splitting this code into a separate binary ensures that the crucial
pre-authentication attack surface has an entirely disjoint address
space from the code used for the rest of the connection. It also
yields a small runtime memory saving as the authentication code will
be unloaded after the authentication phase completes. This change
should be largely invisible to users, though some log messages may now
come from “sshd-auth” instead of “sshd-session”. Downstream
distributors of OpenSSH will need to package the sshd-auth binary.

The release notes also warn that “software that naively matches
versions using patterns like ‘OpenSSH_1*’” may be confused by the
new version number.
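Two checks that follow from this release, as an added example that is not OpenSSH project code: the glob the release notes warn about, placed next to a banner parser that compares major and minor numerically, and a scan of an authorized_keys file for the ssh-dss entries that stop working now that DSA support is gone. The banners, the authorized_keys content and the key blobs are constructed placeholders.

```python
"""Version matching and DSA key inventory after OpenSSH 10.0.

Added example; not OpenSSH project code. Shows the mistake the release
notes warn about (a glob such as "OpenSSH_1*" now also matches 10.x) next
to a parser that compares numerically, plus a check for ssh-dss entries in
authorized_keys. Banners and key material below are constructed.
"""
import fnmatch
import re

# Constructed SSH identification strings as a scanner would read them.
BANNERS = [
    "SSH-2.0-OpenSSH_9.9p1 Debian-3",
    "SSH-2.0-OpenSSH_10.0",
    "SSH-2.0-OpenSSH_1.2.3",          # 1.x-style banner, included for contrast
    "SSH-2.0-OpenSSH_7.4p1",
    "SSH-2.0-dropbear_2022.83",
]

BANNER_RE = re.compile(
    r"^SSH-[\d.]+-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<portable>\d+))?"
)


def naive_is_1x(banner):
    """The pattern the release notes warn about; it also matches 10.x and up."""
    return fnmatch.fnmatch(banner, "SSH-2.0-OpenSSH_1*")


def parse_openssh_version(banner):
    """(major, minor) for an OpenSSH banner, or None for other servers."""
    m = BANNER_RE.match(banner)
    if not m:
        return None
    return int(m.group("major")), int(m.group("minor"))


def is_older_than(banner, minimum):
    """Numeric comparison; None when the banner is not OpenSSH at all."""
    version = parse_openssh_version(banner)
    return None if version is None else version < minimum


def classify_banners(banners, minimum=(10, 0)):
    """banner -> (naive glob result, numeric result) to show where they differ."""
    return {b: (naive_is_1x(b), is_older_than(b, minimum)) for b in banners}


# Constructed authorized_keys content; the key blobs are placeholders.
AUTHORIZED_KEYS = """# constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample alice@host
ssh-dss AAAAB3NzaC1kc3MAAACBAexample legacy@host
command="/usr/bin/backup",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAexample backup@host
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQexample bob@host
"""

KEY_TYPE_PREFIXES = ("ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-", "sk-")


def dsa_key_lines(authorized_keys_text):
    """1-based line numbers of ssh-dss entries, with or without an options prefix."""
    hits = []
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        # Skip any leading options (command="...", no-pty, ...) and stop at
        # the first token that is a key type.
        for token in stripped.split():
            if token.startswith(KEY_TYPE_PREFIXES):
                if token == "ssh-dss":
                    hits.append(n)
                break
    return hits


if __name__ == "__main__":
    for banner, (naive, numeric) in classify_banners(BANNERS).items():
        print(f"{banner!r}: glob says 1.x={naive}, numeric says older than 10.0={numeric}")
    print("ssh-dss entries on lines:", dsa_key_lines(AUTHORIZED_KEYS))
```

The parser returns None for non-OpenSSH banners rather than a boolean, so a scanner can tell “not applicable” from “new enough”; collapsing both to False is how version gates silently skip hosts.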

Security updates for Wednesday

Post Syndicated from jzb original https://lwn.net/Articles/1016923/

Security updates have been issued by Debian (lemonldap-ng, libbssolv-perl, and phpmyadmin), Fedora (augeas, mariadb10.11, and thunderbird), Oracle (gimp, libxslt, python3.11, python3.12, tomcat, and xorg-x11-server), Red Hat (expat, grafana, opentelemetry-collector, and webkit2gtk3), SUSE (azure-cli-core, doomsday, kernel, and poppler), and Ubuntu (dotnet8, dotnet9, erlang, and poppler).