All posts by jzb

OpenBSD 7.6 released

Post Syndicated from jzb original https://lwn.net/Articles/993203/

OpenBSD 7.6 has been released. Notable new
features include work to improve suspend/resume on modern hardware,
support for the arm64 Qualcomm Snapdragon X Elite laptops, as well as many
improvements in hardware support and driver bug fixes.

With this release all files that existed in the first commit
in the OpenBSD source repository have been updated,
modified or replaced at some point in time, reaching OpenBSD of Theseus.

See the changelog
for all changes between OpenBSD 7.5 and 7.6.

[$] ClassicPress: WordPress without the block editor

Post Syndicated from jzb original https://lwn.net/Articles/992219/

The recent WordPress
controversy
is not the first time there’s been tension between the
WordPress community, the interests of Automattic as a business, and Matt
Mullenweg’s leadership as WordPress’s benevolent dictator for
life (BDFL). In particular, Mullenweg’s focus on pushing WordPress to use a new
“editing experience” called Gutenberg caused significant
friction—and led to the ClassicPress fork. Users who
want to preserve the “classic” WordPress experience without straying
too far from the WordPress fold may want to look into ClassicPress.

RPM 4.20 released

Post Syndicated from jzb original https://lwn.net/Articles/993161/

Version 4.20 of
the RPM Package Manager (RPM) has been released. Major changes in this
release include a new plugin to prevent filesystem and network access
by scriptlets, the BuildSystem directive for declaring the
build system to be used by packaged software, and more. LWN covered the development of
RPM 4.20 in September.

oath-toolkit: privilege escalation in pam_oath.so (SUSE Security Team Blog)

Post Syndicated from jzb original https://lwn.net/Articles/992948/

The SUSE Security Team Blog has a detailed report on its discovery of a privilege escalation in the oath-toolkit, which provides libraries and utilities for managing one-time password (OTP) authentication.

Fellow SUSE engineer Fabian Vogt approached our Security Team about the project’s PAM module. A couple of years ago, the module gained a feature that allows the OTP state file (called usersfile) to be placed in the home directory of the to-be-authenticated user. Fabian noticed that the PAM module performs unsafe file operations in users’ home directories. Since PAM stacks typically run as root, this can easily cause security issues.
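The hazard described above is general: a root-running PAM module that opens, rewrites or locks a file under a path the user controls can be redirected through symlinks, hard links or device nodes. The following C program is an added example written for this page, not code from oath-toolkit or from the SUSE report; the function names `open_user_state_file` and `demo`, the result codes, and the sample usersfile line are all constructed here. It shows the defensive pattern of opening the directory and file with `O_NOFOLLOW`, then validating ownership, file type and link count on the descriptor already held (`fstat`) rather than on the path, so there is no window between check and use. It does not show the stronger alternative of performing the file work with the user's own privileges.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes for open_user_state_file() (constructed for this example). */
enum {
    STATE_OK = 0,
    STATE_ERR_DIR = -1,       /* directory unopenable or not owned by the user */
    STATE_ERR_NAME = -2,      /* file name contains a path separator */
    STATE_ERR_OPEN = -3,      /* open failed, e.g. ELOOP because of O_NOFOLLOW */
    STATE_ERR_NOT_PLAIN = -4, /* not a regular file, wrong owner, or extra hard links */
};

/*
 * Open a per-user state file (such as an OTP usersfile) inside a directory the
 * user controls, from a process that may run as root. All checks are made on a
 * descriptor we already hold (fstat), never on a path (stat/lstat), so nothing
 * can be swapped underneath us between the check and the use.
 */
int open_user_state_file(const char *home, const char *name, uid_t owner, int *fd_out)
{
    int dirfd = open(home, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dirfd < 0)
        return STATE_ERR_DIR;
    struct stat dst;
    if (fstat(dirfd, &dst) < 0 || dst.st_uid != owner) {
        close(dirfd);
        return STATE_ERR_DIR;
    }
    if (strchr(name, '/') != NULL) {      /* must be a single component */
        close(dirfd);
        return STATE_ERR_NAME;
    }
    /* O_NOFOLLOW refuses a symlink as the final component; O_NOCTTY avoids
     * acquiring a controlling terminal if the "file" is really a tty. */
    int fd = openat(dirfd, name, O_RDWR | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    close(dirfd);
    if (fd < 0)
        return STATE_ERR_OPEN;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || st.st_nlink != 1) {
        close(fd);
        return STATE_ERR_NOT_PLAIN;
    }
    *fd_out = fd;
    return STATE_OK;
}

/*
 * Self-contained demonstration: builds a throwaway "home" directory holding a
 * genuine state file, a symlink and a hard link, and returns 0 only if the
 * genuine file is accepted and every link trick is rejected.
 */
int demo(void)
{
    char home[] = "/tmp/usersfile-demo-XXXXXX";
    if (mkdtemp(home) == NULL)
        return 1;
    uid_t me = getuid();
    char path[512], link_path[512], hard_path[512];
    snprintf(path, sizeof path, "%s/usersfile", home);
    snprintf(link_path, sizeof link_path, "%s/evil-symlink", home);
    snprintf(hard_path, sizeof hard_path, "%s/extra-hardlink", home);

    int rc = 1, fd = -1;
    FILE *f = fopen(path, "w");
    if (f == NULL) goto out;
    fputs("HOTP alice - deadbeef\n", f); /* constructed sample usersfile line */
    fclose(f);

    /* 1. a plain, user-owned regular file is accepted */
    if (open_user_state_file(home, "usersfile", me, &fd) != STATE_OK) goto out;
    close(fd);
    /* 2. a symlink in place of the state file is refused */
    if (symlink("/dev/null", link_path) != 0) goto out;
    if (open_user_state_file(home, "evil-symlink", me, &fd) != STATE_ERR_OPEN) goto out;
    /* 3. once a second hard link exists, the file is no longer trusted */
    if (link(path, hard_path) != 0) goto out;
    if (open_user_state_file(home, "usersfile", me, &fd) != STATE_ERR_NOT_PLAIN) goto out;
    /* 4. a name that escapes the directory is refused outright */
    if (open_user_state_file(home, "../etc/passwd", me, &fd) != STATE_ERR_NAME) goto out;
    rc = 0;
out:
    unlink(hard_path);
    unlink(link_path);
    unlink(path);
    rmdir(home);
    return rc;
}

int main(void)
{
    int rc = demo();
    printf("%s\n", rc == 0 ? "all checks behaved as expected" : "unexpected result");
    return rc;
}
```

Compile with `cc -Wall demo.c && ./a.out`. The hard-link check matters because a user can give a root-owned or otherwise sensitive file a second name inside their own directory; refusing any file with `st_nlink != 1` closes that avenue without needing to know where the other name lives.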

Manjaro 24.1 released

Post Syndicated from jzb original https://lwn.net/Articles/992660/

Version 24.1 of the Arch-based Manjaro distribution is now available with the 6.10 Linux kernel, GNOME 46.5, KDE Plasma 6.1 and KDE Gear 24.08:

Plasma 6.1 on Wayland now has a feature that “remembers” what you were doing in your last session like it did under X11. Although this is still work in progress, if you log off and shut down your computer with a dozen open windows, Plasma will now open them for you the next time you power up your desktop, making it faster and easier to get back to what you were doing. At Manjaro we are still defaulting to X11, however switching to Wayland can be done easily by selecting the wanted session in your display manager.

The project also offers minimal install images with the 6.6 LTS and
6.1 LTS kernels to support older hardware as needed.

Security updates for Wednesday

Post Syndicated from jzb original https://lwn.net/Articles/992650/

Security updates have been issued by AlmaLinux (grafana), Fedora (cjson and php), Oracle (389-ds-base, freeradius, grafana, kernel, and krb5), Slackware (cryfs, cups, and mozilla), SUSE (OpenIPMI, openssl-3, openvpn, thunderbird, and tomcat), and Ubuntu (cups, cups-filters, knot-resolver, linux-raspi, linux-raspi-5.4, orc, php7.4, php8.1, php8.3, python-asyncssh, ruby-devise-two-factor, and vim).

FFmpeg 7.1 released

Post Syndicated from jzb original https://lwn.net/Articles/992496/

Version 7.1 of
the FFmpeg audio/video toolkit has been released. Important changes in
this release include the VVC decoder reaching stable status, and
inclusion of support for MV-HEVC decoding (which is generated by
recent phones and VR headsets), as well as support for Vulkan encoding
with H264 and HEVC. See the announcement and changelog
for full details.

[$] The WordPress mess

Post Syndicated from jzb original https://lwn.net/Articles/991906/

WordPress is the world’s most popular open‑source blogging and content‑management platform. In its
20‑plus years of existence, WordPress has been something of a poster
child for open source, similar to Linux and Firefox. It introduced the
concept of open source to millions of bloggers, small‑business owners,
and others who have deployed WordPress to support their web‑publishing
needs. Unfortunately, it is now in the spotlight due to an increasingly
ugly dispute between two companies, Automattic and WP Engine, that has spilled over into
the WordPress community.

[$] Debian changes OpenSSH packaging

Post Syndicated from jzb original https://lwn.net/Articles/991088/

In the wake of the XZ backdoor, the Debian project has revisited some of the patches included in its OpenSSH packages to improve security. The outcome of this is that the project
will be splitting out support for Kerberos key exchange into a
separate set of packages, though not until after the Debian 13
(“trixie”) release expected next year. The impact on Debian users
should be minimal, but it is an interesting look into the changes
Linux distributions make to upstream software as well as some of the
long-term consequences of those choices.

PostgreSQL 17 released

Post Syndicated from jzb original https://lwn.net/Articles/991904/

Version 17 of the PostgreSQL database has been released.

This release of PostgreSQL adds significant overall performance gains,
including an overhauled memory management implementation for vacuum,
optimizations to storage access and improvements for high concurrency
workloads, speedups in bulk loading and exports, and query execution
improvements for indexes. PostgreSQL 17 has features that benefit
brand new workloads and critical systems alike, such as additions to
the developer experience with the SQL/JSON JSON_TABLE command, and
enhancements to logical replication that simplify management of high
availability workloads and major version upgrades.

LWN recently covered
some of the interesting new features and security enhancements in
PostgreSQL 17.

Vanilla OS 2 – future plans, updates, and next release

Post Syndicated from jzb original https://lwn.net/Articles/991722/

The Vanilla OS project has published a blog post to answer questions that users have raised since the release of Vanilla OS 2. The post has information about the update strategy for the distribution, an enterprise version with support, and plans for an experimental version called Vanilla OS Vision.

We are not planning for a potential Vanilla OS 3 because it is not
yet necessary. As previously explained, our focus right now is on bug
fixing and making the system as solid as possible, especially in light
of collaborations with OEMs. We’re all excited about laying the
foundation for a third version of Vanilla OS, but we have
responsibilities to attend to first.

This does not mean that there will never be one, nor does it mean
that Orchid will become stagnant. On the contrary, as previously
mentioned, our updates not only bring fixes but also updates to system
components, improvements to existing features, and updates to
components like GNOME (we are planning the release of GNOME 47 soon,
for example).

Security updates for Wednesday

Post Syndicated from jzb original https://lwn.net/Articles/991701/

Security updates have been issued by Debian (booth), Gentoo (Xpdf), Oracle (go-toolset:ol8, golang, grafana, grafana-pcp, kernel, libnbd, openssl, pcp, and ruby:3.3), Red Hat (container-tools:rhel8, go-toolset:rhel8, golang, kernel, and kernel-rt), SUSE (apr, cargo-audit, chromium, obs-service-cargo, python311, python36, quagga, traefik, and xen), and Ubuntu (intel-microcode, linux-azure-fde-5.15, and puma).

[$] KDE sets its goals through 2026

Post Syndicated from jzb original https://lwn.net/Articles/990604/

Almost a decade ago KDE e.V.,
the non-profit organization that supports KDE, started a process for
selecting goals to help the community unite behind a common vision for where the
project should go in the near future. KDE
recently wrapped up its 2022-2024 cycle and announced the goals for 2024-2026 at Akademy on September 7, in Würzburg,
Germany. This time around, KDE will be looking to streamline its
application-development experience, improve support for input devices,
and bring in new contributors.

Hy 1.0.0 released

Post Syndicated from jzb original https://lwn.net/Articles/991401/

Version 1.0.0 of Hy, a Lisp dialect that is embedded in Python, has been released
after nearly 12 years in development. This is the first stable release of the project:

Henceforth, breaking changes to documented parts of the language
(other than dropping support for versions of Python that are
themselves no longer supported by the CPython developers) will
increase the major version number, and my intention is for that not to
happen often, if at all.

The 1.0.0 release supports Python 3.8 through 3.13. See the documentation and the “Why Hy?” page for why
one might want to use it.

pcp: pmcd network daemon review (SUSE Security Team Blog)

Post Syndicated from jzb original https://lwn.net/Articles/991091/

The SUSE Security Team Blog has a detailed review of the Performance Co-Pilot (PCP) 6.2.1 release:

The rather complex PCP software suite was difficult to judge just from
a cursory look, so we decided to take a closer look especially at
PCP’s networking logic at a later time. This report contains two CVEs
and some non-CVE related findings we also gathered during the
follow-up review.

CVE-2024-45769, a flaw that could allow an attacker to send crafted data to crash pmcd, and CVE-2024-45770, which could allow a full local root exploit from the pcp user to root, have been addressed in the 6.3.1 release of PCP.

[$] RPM 4.20 is coming

Post Syndicated from jzb original https://lwn.net/Articles/988927/

The RPM Package Manager (RPM) project is nearing the release of RPM 4.20, the last major planned update for the RPM 4.x series. It has few user-facing changes, but several additions and enhancements for developers—as well as some small incompatibilities that will likely require RPM packagers to revise their spec files. 4.20 will be rolling out to many users soon, in Fedora 41, which is scheduled for October. RPM 6.0 is already in the works, with a new package format and opening the door to enabling C++ use in the RPM codebase.