Linux Weekly News

Security updates have been issued by AlmaLinux (brotli and container-tools:rhel8), Debian (python-keystonemiddleware and python3.9), Fedora (cef, freerdp, golang-github-tetratelabs-wazero, and libpcap), Oracle (brotli, gpsd, kernel, and transfig), Red Hat (freerdp, golang, java-11-openjdk with Extended Lifecycle Support, libpng, libssh, mingw-libpng, and runc), SUSE (abseil-cpp, alloy, apache2, bind, cpp-httplib, curl, erlang, firefox, gpg2, grafana, haproxy, hauler, hawk2, libblkid-devel, libpng16, libraylib550, python-keystonemiddleware-doc, python-uv, python-weasyprint, squid, and tomcat), and Ubuntu (crawl and iperf3).

Konstantin Ryabitsev has put up a blog post about korgalore, a tool he has written to circumvent delivery problems experienced by kernel developers using the large, centralized email systems.

We cannot fix email delivery, but we can sidestep it entirely. Public-inbox archives like lore.kernel.org store all mailing list traffic in git repositories. In its simplest configuration, korgalore can shallow-clone these repositories directly and upload any new messages straight to your mailbox using the provider's API.

One would assume that most LWN readers stopped running network-accessible telnet services some number of decades ago. For the rest of you, this security advisory from Simon Josefsson is worthy of note:

The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter.

If the client supplies a carefully crafted USER environment value being the string "-f root", and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes.

Mozilla has announced a repository with Firefox Nightly channel packages for RPM-based Linux distributions such as CentOS Stream, Fedora, and openSUSE. Mozilla has provided a Debian repository since 2023.

Note that this repository only includes the nightly builds of The firefox-nightly package. Mozilla is not providing stable builds as RPMs at this time. However, the package will not conflict with a distribution's regular firefox package; both packages can be installed at the same time for those who wish to test the nightly builds. See the blog post for instructions on setting up the repository.

LWN has had a number of articles on immutable distributions, such as Bluefin and Bazzite, in recent years. These distributions have taken a variety of approaches, including using rpm-ostree, filesystem snapshots, and bootable container (bootc) images. But those approaches, especially the latter, lead to extra complexity for a user attempting to install new software, instead of just using the existing package manager. AshOS (Any Snapshot Hierarchical OS) is an experimental AGPL-3-licensed "meta-distribution" that tried a different approach more in line with traditional package management. Although the project is no longer updated, it remains usable, and can still shed some light on a potential alternate path for users worried about adopting bootc-based approaches.

Security updates have been issued by AlmaLinux (gpsd-minimal, jmc, kernel, kernel-rt, and net-snmp), Debian (apache-log4j2 and dcmtk), Fedora (exim, gpsd, mysql8.0, mysql8.4, python-biopython, and rust-lru), Mageia (firefox, nss and thunderbird), Oracle (container-tools:rhel8, gpsd-minimal, jmc, kernel, net-snmp, and uek-kernel), Red Hat (net-snmp), SUSE (chromium, go, harfbuzz-devel, kernel, libsoup, rust1.91, rust1.92, and thunderbird), and Ubuntu (apache2, avahi, and python-urllib3).

OzLabs is a collection of Australian free-software developers that was, for most of its history, associated with IBM. Members of OzLabs have included Hugh Blemings, Michael Ellerman, Ben Herrenschmidt, Greg Lehey, Paul Mackerras, Martin Pool, Stephen Rothwell, Rusty Russell, and Andrew Tridgell, among others. The OzLabs "about" page notes that, as of January 2026, the last remaining OzLabs members have departed IBM. "This brought to a close the Ozlabs association with IBM". Thus ends a quarter-century of development history.

(Thanks to Jon Masters).

PostgreSQL contributor Robert Haas has published a blog post that breaks down code contributions to PostgreSQL in 2025.

I calculate that, in 2025, there were 266 people who were the principal author of at least one PostgreSQL commit. 66% of the new lines of code where contributed by one of 26 people, and 90% of the lines of new code were contributed by one of 67 people.

Contributions to the project seem to be on the upswing; in his analysis of development in 2024, there were 229 people who were the primary authors of a commit, and 66% of new lines of code were contributed by one of 18 people. The raw data is also available.

The io_uring subsystem is more than an asynchronous I/O interface for Linux; it is, for all practical purposes, an independent system-call API. It has enabled high-performance applications, but it also brings challenges for code built around classic, Unix-style system calls. For example, the seccomp() sandboxing mechanism does not work with it, causing applications using seccomp() to disable io_uring outright. Io_uring maintainer Jens Axboe is seeking to improve that situation with a rapidly evolving patch series adding a new restrictive mechanism to that subsystem.

Version 11.0 of the Wine Windows compatibility layer is out. "This release represents a year of development effort, around 6,300 individual changes, and more than 600 bug fixes." The most notable changes in this release are support for the NTSync Linux kernel module (when available), and the completion of the Windows 32-bit on Windows 64-bit (WoW64) architecture that was announced as experimental in Wine 9.0.

Greg Kroah-Hartman has released the 5.15.198, and 5.10.248 stable kernels. As usual, each contains important fixes throughout the tree; users are advised to upgrade.

Security updates have been issued by AlmaLinux (cups, libpq, libsoup3, podman, and postgresql16), Debian (ffmpeg, gpsd, python-urllib3, and thunderbird), Fedora (chromium, foomuuri, forgejo, freerdp, harfbuzz, libtpms, musescore, python-biopython, and python3.12), Mageia (gimp, libpng, nodejs, and python-urllib3), and SUSE (alloy, avahi, bind, chromedriver, chromium, cpp-httplib, docker, erlang, fluidsynth, freerdp, go-sendxmpp, govulncheck-vulndb, kernel, libwireshark19, NetworkManager-applet-l2tp, python, python311-virtualenv, thunderbird, and zk).

Linus has released 6.19-rc6 for testing. "So we finally ended up with a slightly bigger rc than usual for this stage in the release cycle, but it's not _that_ big, and things still seem quite stable and civilized."

Greg Kroah-Hartman has released the 6.18.6, 6.12.66, 6.6.121, and 6.1.161 stable kernels. As usual, each has important fixes throughout the tree; users are advised to upgrade.

While there are several rootkits that target Linux, they have so far not fully embraced the open-source ethos typical of Linux software. Luckily, Matheus Alves has been working to remedy this lack by creating an open-source rootkit called Singularity for Linux systems. Users who feel their computers are too secure can install the Singularity kernel module in order to allow remote code execution, disable security features, and hide files and processes from normal administrative tools. Despite its many features, Singularity is not currently known to be in use in the wild — instead, it provides security researchers with a testbed to investigate new detection and evasion techniques.

Security updates have been issued by AlmaLinux (gnupg2), Debian (firefox-esr), Oracle (cups, gnupg2, libpq, net-snmp, postgresql, postgresql:15, postgresql:16, transfig, and vsftpd), Red Hat (firefox), SUSE (apache2, curl, firefox, gpg2, hawk2, libcryptopp-devel, openCryptoki, python310, python311-urllib3, rke2, squid, and tomcat), and Ubuntu (cpp-httplib, git, python-apt, and simgear).

The Project Zero blog has a three-part series describing a working, zero-click exploit for Pixel 9 devices.

Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to be decoded before the message is opened by the user. One such feature is audio transcription. Incoming SMS and RCS audio attachments received by Google Messages are now automatically decoded with no user interaction. As a result, audio decoders are now in the 0-click attack surface of most Android phones.

The blog entry does not question the wisdom of directly exposing audio decoders to external attackers, but it does provide a lot of detail showing how it can go wrong. The first part looks at compromising the codec; part two extends the exploit to the kernel, and part three looks at the implications:

It is alarming that it took 139 days for a vulnerability exploitable in a 0-click context to get patched on any Android device, and it took Pixel 54 days longer. The vulnerability was public for 82 days before it was patched by Pixel.

Sjoerd Simons has published a blog post about running Debian on the OpenWrt One router hardware:

With openwrt-one-debian, you can now install and run a full Debian system leveraging the OpenWrt One's NVMe storage, enabling everything from custom services and containers to development tools and lightweight server workloads, all on open hardware.

This project provides a rust-based flasher to install Debian on the OpenWrt One, opening the door to standard Debian tooling, packages, and workflows. For developers and power users, it transforms the OpenWrt One from a network appliance into a compact, general-purpose Linux system.

See the GitHub repository for the code and latest build. LWN reviewed the device in November 2024, and covered Denver Gingerich's talk at SCALE 22x about the making of the router in March 2025.

Version 14.0 of the Forgejo software forge has been released. Notable changes in this release include several database improvements, new options for approving actions execution from pull requests, a new file editor, and progress toward making Forgejo's web UI work without JavaScript.

Al Viro does not often stray outside of the core virtual filesystem area; when he does, it is usually worthy of note. Recently, he wandered into memory management with this patch series to the slab allocator and some of its users. Kernel developers will often put considerable effort into small optimizations, but it is still interesting to look at just how much effort has gone toward the purpose of avoiding a single pointer dereference in some memory-allocation hot paths.