Feed aggregator

Qualys has sent out a somewhat breathless advisory describing a number of vulnerabilities in the AppArmor security module, which is used in a number of Debian-based distributions (among others).

This "CrackArmor" advisory exposes a confused-deputy flaw allowing unprivileged users to manipulate security profiles via pseudo-files, bypass user-namespace restrictions, and execute arbitrary code within the kernel. These flaws facilitate local privilege escalation to root through complex interactions with tools like Sudo and Postfix, alongside denial-of-service attacks via stack exhaustion and Kernel Address Space Layout Randomization (KASLR) bypasses via out-of-bounds reads.

In 2019, researchers published a way to identify which file-backed pages were being accessed on a system using timing information from the page cache, leading to a handful of unpleasant consequences and a change to the design of the mincore() system call. Discussion at the time led to a number of ad-hoc patches to address the problem. The lack of new page-cache attacks suggested that attempts to fix things in a piecemeal fashion had succeeded. Now, however, Sudheendra Raghav Neela, Jonas Juffinger, Lukas Maar, and Daniel Gruss have found a new set of holes in the Linux kernel's page-cache-timing protections that allow the same general class of attack.

MODICIA O.S. is a Linux multimedia distribution designed primarily for musicians, graphic designers and video makers. It is based on Debian's "stable" branch, but uses the Cinnamon desktop and a recent Linux kernel. MODICIA O.S. comes with a set of carefully-selected, open-source multimedia software and tools, such as Audacity (audio editor), Brasero (disc-burning utility), Cheese (webcam application), Curlew (multimedia converter), GIMP (graphics editor), HandBrake (video transcoder), Kdenlive (video editor), MediaInfo (tool that provides technical data about media files), mpv (media player), Peek (animated GIF recorder), RawTherapee (photo processor), XnView (image viewer), and many others. The distribution also integrates the OnlyOffice software suite for general office tasks.

Security updates have been issued by Debian (chromium, kernel, and multipart), Fedora (dnf5, dr_libs, easyrpg-player, libmaxminddb, python3.12, strongswan, task, and udisks2), Oracle (.NET 10.0, .NET 8.0, .NET 9.0, gnutls, ImageMagick, kernel, libvpx, mingw-libpng, nginx:1.26, python3.11, and uek-kernel), Red Hat (delve, git-lfs, mingw-libpng, osbuild-composer, and rhc-worker-playbook), SUSE (cjson, curl, dnsdist, libsoup2, postgresql16, postgresql17, postgresql18, python-lxml_html_clean, python-pypdf2, python36, and thunderbird), and Ubuntu (dotnet8, dotnet9, dotnet10, freetype, golang-github-go-git-go-git, golang-golang-x-net, openssh, python-cryptography, sudo, and util-linux).

GParted Live is a live distribution with a single purpose - to provide tools for partitioning hard disks in an intuitive, graphical environment. The distribution uses X.Org, the light-weight Fluxbox window manager, and the latest 4.x Linux kernel. GParted Live runs on most x86 machines with a Pentium II or better.

Noid Linux is a Void-based minimalist Linux distribution with Xfce as the preferred desktop. It includes a long-term supported Linux kernel, the Calamares system installer, the Brave web browser, support for Flatpak packages, and a custom Welcome screen. The project also provides its own repository for Void's XBPS packages with additional software.

Mariposa Rescue Disk is a live Linux image based on Debian's "Stable" branch. By default it boots into a command-line interface, but a full graphical desktop with Xfce is also available. The image contains a large number of troubleshooting, system rescue and data backup tools and the project also provides documentation and tutorials for common rescue tasks.

Founded in 2014 by Oliver Pinter and Shawn Webb, HardenedBSD is a security-enhanced fork of FreeBSD. The HardenedBSD Project is implementing many exploit mitigation and security technologies on top of FreeBSD. The project started with Address Space Layout Randomization (ASLR) as an initial focal point and is now implementing further exploit mitigation techniques.

SolydX and SolydK are Debian-based distributions with the Xfce and KDE desktops respectively. SolydXK aims to be simple to use, providing an environment that is both stable and secure. SolydXK is an open-source alternative for small businesses, non-profit organisations and home users. The project started as an unofficial variant of Linux Mint's "Debian" edition with KDE as the default desktop, but it was later given its own identity as SolydK. SolydX was added after Linux Mint dropped its Debian-based flavour that used the Xfce desktop. The project also has a rolling release branch, called Enthusiast's Editions, which used Debian Testing as a base.

Version:next-20260312 (linux-next) Released:2026-03-12

One of the first changes merged for the upcoming 7.0 release was nullfs, an empty filesystem that cannot actually contain any files. One might logically wonder why the kernel would need such a thing. It turns out, though, that there are places where a null filesystem can come in handy. For 7.0, nullfs will be used to make life a bit easier for init programs; future releases will likely use nullfs to increase the isolation of kernel threads from the init process.

Sasha Levin has announced the release of the 6.19.7 and 6.18.17 stable kernels. As usual, each contains important fixes throughout the tree; users are advised to upgrade.

Security updates have been issued by AlmaLinux (gimp, git-lfs, grafana-pcp, kernel, mysql8.4, nfs-utils, opentelemetry-collector, osbuild-composer, postgresql:16, and python3.12), Debian (imagemagick and netty), Fedora (dr_libs and python-lxml-html-clean), Slackware (libarchive and libxml2), SUSE (busybox, coredns, firefox, freerdp, ghostty, gnutls, go1.25, go1.26, GraphicsMagick, grype, helm, helm3, ImageMagick, perl-Compress-Raw-Zlib, python, python311-lxml_html_clean, python311-PyPDF2, tomcat11, and traefik), and Ubuntu (curl, gimp, and libpng).

KDE neon is a Ubuntu-based Linux distribution and live DVD featuring the latest KDE Plasma desktop and other KDE community software. Besides the installable DVD image, the project provides a rapidly-evolving software repository with all the latest KDE software. Two editions of the product are available - a "User" edition, designed for those interested in checking out the latest KDE software as it gets released, and a "Developer's" edition, created as a platform for testing cutting-edge KDE applications.

Version:6.19.7 (stable) Released:2026-03-12 Source:linux-6.19.7.tar.xz PGP Signature:linux-6.19.7.tar.sign Patch:full (incremental) ChangeLog:ChangeLog-6.19.7

Version:6.18.17 (longterm) Released:2026-03-12 Source:linux-6.18.17.tar.xz PGP Signature:linux-6.18.17.tar.sign Patch:full (incremental) ChangeLog:ChangeLog-6.18.17

pearOS is an Arch-based desktop Linux distribution which features a macOS-like theme and icons on top of the KDE Plasma desktop. Some of the distribution's features include a custom system installer called pearOS Installer, a pearOS welcome application, and the GNOME Files file manager. pearOS comes with various popular desktop, web and multimedia applications, such as the Gwenview image viewer, Firefox web browser, Elisa music player and Kate text editor.

EndeavourOS is a rolling-release Linux distribution based on Arch Linux. The project aims to be a spiritual successor to Antergos, providing an easy setup and a pre-configured desktop environment on an Arch base. EndeavourOS offers both off-line and on-line install options. The off-line installer, Calamares, uses the KDE Plasma desktop by default. The on-line installer can install optional software components, including most popular desktop environments.

Inside this week's LWN.net Weekly Edition:

• Front: Chardet; Linux and age verification; Debian AI; Python lazy imports; Python type-system PEP; PQC HTTPS certificates; MGLRU; Fedora strategy.
• Briefs: LLM vulnerability; NTP security; OpenWrt 25.12.0; SUSE sale; Buildroot 2026.02; digiKam 9.0.0; Rust 1.94.0; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

A recently enacted law in California imposes an age-verification requirement on operating-system providers beginning next year. The language of the Digital Age Assurance Act does not restrict its requirements to proprietary or commercial operating systems; projects like Debian, FreeBSD, Fedora, and others seem to be on the hook just as much as Apple or Microsoft. There is some hope that the law will be amended, but there is no guarantee that it will be. This means that the developer communities behind Linux distributions are having to discuss whether and how to comply with the law with little time and even less legal guidance.