Linux Weekly News

Version 3.13 of the Python programming language has been released. The "What's New In Python 3.13" page has a summary of all the new features and changes. Highlights of the release include a basic JIT compiler, experimental support for free-threading, and much more. See the changelog for even more details.

The core of the Android operating system, as represented by the Android Open Source Project (AOSP), can only be considered one of the most successful open-source initiatives ever created; its user count is measured in the billions. But few would consider it to be a truly community-oriented project. At the 2024 Linux Plumbers Conference, Chris Simmonds asked why the AOSP community is so hard to find, and what might be done about the situation.

Version 2.47.0 of the Git source-code management system has been released. The changes include a long list of incremental improvements; see the announcement and this GitHub blog post for details.

Version 4.20 of the RPM Package Manager (RPM) has been released. Major changes in this release include a new plugin to prevent filesystem and network access by scriptlets, the BuildSystem directive for declaring the build system to be used by packaged software, and more. LWN covered the development of RPM 4.20 in September.

Security updates have been issued by AlmaLinux (go-toolset:rhel8 and linux-firmware), Arch Linux (oath-toolkit), Debian (e2fsprogs, firefox-esr, libgsf, mediawiki, and oath-toolkit), Fedora (aws, chromium, firefox, p7zip, pgadmin4, python-gcsfs, unbound, webkitgtk, znc, znc-clientbuffer, and znc-push), Mageia (ghostscript and rootcerts nss firefox firefox-l10n), Oracle (kernel, oVirt 4.4 ovirt-engine, and thunderbird), SUSE (chromedriver, chromium, cups-filters, ffmpeg-7, frr, Mesa, openssl-3, openvpn, pcp, and redis), and Ubuntu (firefox and ruby-webrick).

Linus has released 6.12-rc2 for testing.

Anyway, this isn't one of the small rc2's. But looking at historical trends, being a bigger rc2 isn't _that_ unusual, and nothing in here looks all that odd. Yes, the diffstat may look a bit unusual, in that we had a global header renaming (asm/unaligned.h -> linux/unaligned.h) and we had a couple of reverts that stand out as spikes in the stats, but everything else looks nice and small.

Akamai released a report pointing out that the recently-reported CUPS vulnerability (original disclosure) could be used to drive distributed denial-of-service (DDoS) attacks as well. Even if an attacker cannot gain remote control over a computer, they can still cause it to fetch a URL of their choice — potentially getting free DDoS amplification.

The Akamai Security Intelligence and Response Team (SIRT) found that more than 198,000 devices are vulnerable to this attack vector and are accessible on the public internet; roughly 34% of those could be used for DDoS abuse (58,000+).

Rust has a plethora of smart-pointer types, including reference-counted pointers, which have special support in the compiler to make them easier to use. The Rust-for-Linux project would like to reap those same benefits for its smart pointers, which need to be written by hand to conform to the Linux kernel memory model. Xiangfei Ding presented at Kangrejos about the work to enable custom smart pointers to function the same as built-in smart pointers.

The 6.11.2, 6.10.13, and 6.6.54 stable kernels have been released. They contain important fixes, and upgrading is, as always, recommended.

The SUSE Security Team Blog has a detailed report on its discovery of a privilege escalation in the oath-toolkit, which provides libraries and utilities for managing one-time password (OTP) authentication.

Fellow SUSE engineer Fabian Vogt approached our Security Team about the project's PAM module. A couple of years ago, the module gained a feature which allows to place the OTP state file (called usersfile) in the home directory of the to-be-authenticated user. Fabian noticed that the PAM module performs unsafe file operations in users' home directories. Since PAM stacks typically run as root, this can easily cause security issues.

Security updates have been issued by AlmaLinux (firefox, golang, linux-firmware, and thunderbird), Debian (kernel and zabbix), Fedora (firefox, pgadmin4, and php), Mageia (chromium-browser-stable, cjson, hostapd and wpa_supplicant, and openjpeg2), Oracle (firefox, flatpak, and go-toolset:ol8), Red Hat (cups-filters, firefox, grafana, linux-firmware, python3, python3.11, and python3.9), SUSE (expat, firefox, libpcap, and opensc), and Ubuntu (freeradius, imagemagick, and unzip).

Cameras were never the simplest of devices for Linux to support; they have a wide range of operating parameters and can generate high rates of data. In recent years, though, they have become increasingly complex, stressing the ability of the kernel's media subsystem to manage them. At the 2024 Linux Plumbers Conference, developers from that subsystem and beyond gathered to discuss the state of affairs and how complex camera devices should be supported in the future.

Security updates have been issued by AlmaLinux (cups-filters), Debian (chromium and php8.2), Fedora (firefox), Oracle (cups-filters, flatpak, kernel, krb5, oVirt 4.5 ovirt-engine, and python-urllib3), Red Hat (cups-filters, firefox, go-toolset:rhel8, golang, and thunderbird), SUSE (postgresql16), and Ubuntu (gnome-shell and linux-azure-fde-5.15).

The LWN.net Weekly Edition for October 3, 2024 is available.

The open-source vector-graphics editor, Inkscape, is expected to release version 1.4 in October. The release represents an evolutionary step for the program, which brings new features, user-interface improvements, new and improved file-format support, and important changes to the code base. The changes in this release should improve the user experience for both casual and professional designers, and make Inkscape more compatible with proprietary vector-graphics software, including Adobe Illustrator and Affinity Designer.

BPF Type Format (BTF), BPF's debugging information format, has undergone rapid evolution to match the evolving needs of BPF programs. José Marchesi spoke at Kangrejos about some of that work — and how it could impact Rust, specifically. He discussed debug information, kernel-specific relocations, and the planned changes to kernel stack unwinding. Each of these will require some amount of work to fully support in Rust, but preliminary signs look promising.

Version 24.1 of the Arch-based Manjaro distribution is now available with the 6.10 Linux kernel, GNOME 46.5, KDE Plasma 6.1 and KDE Gear 24.08:

Plasma 6.1 on Wayland now has a feature that "remembers" what you were doing in your last session like it did under X11. Although this is still work in progress, If you log off and shut down your computer with a dozen open windows, Plasma will now open them for you the next time you power up your desktop, making it faster and easier to get back to what you were doing. At Manjaro we are still defaulting to X11, however switching to Wayland can be done easily by selecting the wanted session in your display manager.

The project also offers minimal install images with the 6.6 LTS and 6.1 LTS kernels to support older hardware as needed.

Security updates have been issued by AlmaLinux (grafana), Fedora (cjson and php), Oracle (389-ds-base, freeradius, grafana, kernel, and krb5), Slackware (cryfs, cups, and mozilla), SUSE (OpenIPMI, openssl-3, openvpn, thunderbird, and tomcat), and Ubuntu (cups, cups-filters, knot-resolver, linux-raspi, linux-raspi-5.4, orc, php7.4, php8.1, php8.3, python-asyncssh, ruby-devise-two-factor, and vim).

Version 7.1 of the FFmpeg audio/video toolkit has been released. Important changes in this release include the VVC decoder reaching stable status, and inclusion of support for MV-HEVC decoding (which is generated by recent phones and VR headsets), as well as support for Vulkan encoding with H264 and HEVC. See the announcement and changelog for full details.

Version 131.0 of the Firefox browser has been released. Changes include the ability to temporarily grant permissions to sites and a preview that pops up when hovering over tabs.