Feed aggregator

The Project Zero blog has a three-part series describing a working, zero-click exploit for Pixel 9 devices.

Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to be decoded before the message is opened by the user. One such feature is audio transcription. Incoming SMS and RCS audio attachments received by Google Messages are now automatically decoded with no user interaction. As a result, audio decoders are now in the 0-click attack surface of most Android phones.

The blog entry does not question the wisdom of directly exposing audio decoders to external attackers, but it does provide a lot of detail showing how it can go wrong. The first part looks at compromising the codec; part two extends the exploit to the kernel, and part three looks at the implications:

It is alarming that it took 139 days for a vulnerability exploitable in a 0-click context to get patched on any Android device, and it took Pixel 54 days longer. The vulnerability was public for 82 days before it was patched by Pixel.

Security Onion is a specialist, security-oriented Linux distribution based on Oracle Linux. It is a free and open platform for threat hunting, enterprise security monitoring and log management. It includes custom interfaces for alerting, dashboards, hunting, PCAP, detections and case management. It also includes other tools, such as osquery (a tool for exploring and monitoring operating system data with SQL queries), CyberChef (a web application for encryption, encoding, compression and data analysis), Elasticsearch (a data search engine), Logstash (a data collection and processing engine), Kibana (a data visualization plugin for Elasticsearch), Suricata (an intrusion detection and prevention system) and Zeek (a software network analysis framework).

Sjoerd Simons has published a blog post about running Debian on the OpenWrt One router hardware:

With openwrt-one-debian, you can now install and run a full Debian system leveraging the OpenWrt One's NVMe storage, enabling everything from custom services and containers to development tools and lightweight server workloads, all on open hardware.

This project provides a rust-based flasher to install Debian on the OpenWrt One, opening the door to standard Debian tooling, packages, and workflows. For developers and power users, it transforms the OpenWrt One from a network appliance into a compact, general-purpose Linux system.

See the GitHub repository for the code and latest build. LWN reviewed the device in November 2024, and covered Denver Gingerich's talk at SCALE 22x about the making of the router in March 2025.

Garuda Linux is a rolling distribution based on the Arch Linux operating system. Unlike Arch Linux, Garuda Linux comes with a graphical installer (Calamares) for easy installation, and other advanced graphical tools for managing your system. Garuda is a performance-oriented distro with many performance enhancing tweaks. Some of the many tweaks include using zram, a performance CPU governor, along with custom memory management software. Garuda Linux has striven to provide system stability by including the Timeshift backup utility.

Version 14.0 of the Forgejo software forge has been released. Notable changes in this release include several database improvements, new options for approving actions execution from pull requests, a new file editor, and progress toward making Forgejo's web UI work without JavaScript.

Al Viro does not often stray outside of the core virtual filesystem area; when he does, it is usually worthy of note. Recently, he wandered into memory management with this patch series to the slab allocator and some of its users. Kernel developers will often put considerable effort into small optimizations, but it is still interesting to look at just how much effort has gone toward the purpose of avoiding a single pointer dereference in some memory-allocation hot paths.

We have recently noticed that email from LWN.net seems to be blocked by MXroute. Unfortunately, the company also does not seem to have a way for non-customers to report problems in mail delivery, so we have no good way to get ourselves unblocked.

As a result, readers who have subscribed to an LWN mailing list from a domain hosted with MXroute will probably not receive our mailings. We have not yet unsubscribed addresses that are being blocked by MXroute, but will soon if the problem persists. Please accept our apologies for the inconvenience; it is unfortunate that it is becoming so difficult to send legitimate email as a small business.

Security updates have been issued by Debian (chromium, gnupg2, and mongo-c-driver), Fedora (firefox, gpsd, linux-firmware, and seamonkey), Mageia (net-snmp), Oracle (kernel, podman, postgresql16, postgresql:13, postgresql:15, postgresql:16, and uek-kernel), Red Hat (libpq, net-snmp, and transfig), Slackware (libpng and mozilla), SUSE (avahi, bluez, capstone, curl, dpdk, firefox, firefox-esr, fluidsynth, glib2, kernel, kernel-devel, libmicrohttpd, libpcap, libpng16, libsoup, libsoup-3_0-0, libtasn1, libvirt, mcphost, openvswitch, ovmf, podman, poppler, python-tornado6, python311, qemu, rsync, and valkey), and Ubuntu (erlang, klibc, libpng1.6, and ruby-rack).

EndeavourOS is a rolling-release Linux distribution based on Arch Linux. The project aims to be a spiritual successor to Antergos, providing an easy setup and a pre-configured desktop environment on an Arch base. EndeavourOS offers both off-line and on-line install options. The off-line installer, Calamares, uses the KDE Plasma desktop by default. The on-line installer can install optional software components, including most popular desktop environments.

KDE neon is a Ubuntu-based Linux distribution and live DVD featuring the latest KDE Plasma desktop and other KDE community software. Besides the installable DVD image, the project provides a rapidly-evolving software repository with all the latest KDE software. Two editions of the product are available - a "User" edition, designed for those interested in checking out the latest KDE software as it gets released, and a "Developer's" edition, created as a platform for testing cutting-edge KDE applications.

The Amnesic Incognito Live System (Tails) is a Debian-based live DVD/USB with the goal of providing complete Internet anonymity for the user. The product ships with several Internet applications, including web browser, IRC client, mail client and instant messenger, all pre-configured with security in mind and with all traffic anonymised. To achieve this, Incognito uses the Tor network to make Internet traffic very hard to trace.

Version:next-20260115 (linux-next) Released:2026-01-15

Inside this week's LWN.net Weekly Edition:

• Front: SFC v. VIZIO; GPLv2 requirements; Debian and GTK 2; OpenZL; kernel scheduler QoS; Rust concurrent data access; Asciinema.
• Briefs: OpenSSL and Python; LSFMM+BPF 2026; Fedora elections; Gentoo retrospective; EU lawmaking; Git data model; Firefox 147; Radicle 1.6.0; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

Paul Kehrer and Alex Gaynor, maintainers of the Python cryptography module, have put out some strongly worded criticism of OpenSSL. It comes from a talk they gave at the OpenSSL conference in October 2025 (YouTube video). The post goes into a lot of detail about the problems with the OpenSSL code base and testing, which has led the cryptography team to reconsider using the library. "The mistakes we see in OpenSSL's development have become so significant that we believe substantial changes are required — either to OpenSSL, or to our reliance on it." They go further in the conclusion: First, we will no longer require OpenSSL implementations for new functionality. Where we deem it desirable, we will add new APIs that are only on LibreSSL/BoringSSL/AWS-LC. Concretely, we expect to add ML-KEM and ML-DSA APIs that are only available with LibreSSL/BoringSSL/AWS-LC, and not with OpenSSL.

Second, we currently statically link a copy of OpenSSL in our wheels (binary artifacts). We are beginning the process of looking into what would be required to change our wheels to link against one of the OpenSSL forks.

If we are able to successfully switch to one of OpenSSL's forks for our binary wheels, we will begin considering the circumstances under which we would drop support for OpenSSL entirely.

CentOS as a group is a community of open source contributors and users which started in 2003 and has been sponsored by Red Hat since 2014. CentOS Linux versions up to CentOS Linux 8 are 100% compatible rebuilds of Red Hat Enterprise Linux, in full compliance with Red Hat's redistribution requirements. In 2020 it was announced CentOS Linux is being discontinued and replaced with CentOS Stream, a developer-focused distribution which acts as a middle-stream between Fedora and Red Hat Enterprise Linux.

Mabox Linux is a Manjaro-based rolling-release distribution. It features the Openbox window manager as its default user interface and provides a welcome screen with access to utilities which add additional software to the operating system.

Lossless data compression is an important tool for reducing the storage requirements of the world's ever-growing data sets. Yann Collet developed the LZ4 algorithm and designed the Zstandard (or Zstd) algorithm; he came to the 2025 Open Source Summit Japan in Tokyo to talk about where data compression goes from here. It turns out that we have reached a point where general-purpose algorithms are only going to provide limited improvement; for significant increases in compression, while keeping computation costs within reason for data-center use, turning to format-specific techniques will be needed.

The Debian GNOME team would like to remove the GTK 2 graphics toolkit, which has been unmaintained upstream for more than five years, and ship Debian 14 ("forky") without it. As one might expect, however, there are those who would like to find a way to keep it. Despite its age and declared obsolescence, quite a few Debian packages still depend on GTK 2. Many of those applications are unlikely to be updated, and users are not eager to give them up. Discussion about how to handle this is ongoing; it seems likely that Debian developers will find some way to continue supporting applications that require GTK 2, but users may have to look outside official Debian repositories.

Version 1.6.0 of the Radicle peer-to-peer, local-first code collaboration stack has been released. Notable changes in this release include support for systemd credentials, use of Rust's clap crate for parsing command-line arguments, and more. LWN covered the project in March 2024.

Security updates have been issued by AlmaLinux (sssd), Debian (linux-6.1 and python-parsl), Fedora (chezmoi, complyctl, composer, and firefox), Oracle (kernel), Red Hat (buildah, libpq, podman, postgresql, postgresql16, postgresql:13, postgresql:15, and postgresql:16), SUSE (avahi, curl, ffmpeg-4, ffmpeg-7, firefox, istioctl, k6, kubelogin, libmicrohttpd, libpcap-devel, libpng16, libtasn1-6-32bit, matio, ovmf, python-tornado6, python311-Authlib, and teleport), and Ubuntu (angular.js, python-urllib3, and webkit2gtk).