Fri, 08 May 2026 16:30:46 +0000

An unusual, some might say hostile, approach to disclosing an alleged
remote-code-execution (RCE) flaw in the Forgejo software-collaboration platform has
sparked a multifaceted conversation. A so-called
"carrot disclosure" in April has raised questions about the
researcher's methods of unveiling a security problem, Forgejo's
security policies, and the project's overall security posture.

Fri, 08 May 2026 13:36:05 +0000

It seems that we are in for an extended period of the disclosure of
vulnerabilities before fixes become available. One possible way of coping
with this flood might be the killswitch
proposal from Sasha Levin. In short, killswitch can immediately disable
access to specific functionality in a running kernel, essentially blasting
a vulnerable path (and its associated functionality) out of existence until
a fix can be installed. "For most users, the cost of 'this socket
family stops working for the day' is much smaller than the cost of running
a known vulnerable kernel until the fix lands."

Fri, 08 May 2026 13:20:57 +0000

The kernel's DAMON subsystem
provides user-space monitoring and management of system memory. DAMON is
developing rapidly, so an update on its progress has become a regular
feature of the annual Linux Storage,
Filesystem, Memory Management, and BPF Summit. This tradition
continued at the 2026 gathering with an update from DAMON creator SeongJae
Park covering a long list of new capabilities — tiering, data attributes
monitoring, transparent huge pages, and more — being added to this subsystem.

Fri, 08 May 2026 13:13:53 +0000

Security updates have been issued by AlmaLinux (libsoup and mingw-libtiff), Debian (apache2, chromium, lcms2, libreoffice, and prosody), Fedora (openssl and perl-Starman), Oracle (git-lfs, libsoup, and perl-XML-Parser), Slackware (libgpg, mozilla, and php), SUSE (389-ds, cairo, cf-cli, chromedriver, cri-tools, freeipmi, gnutls, grafana, java-11-openjdk, java-17-openjdk, jetty-minimal, libmariadbd-devel, librsvg, mesa, mozjs52, mutt, nix, opencryptoki, python-Django, python-django, python-pytest, rmt-server, thunderbird, traefik, webkit2gtk3, wireshark, and xen), and Ubuntu (civicrm, dpkg, htmlunit, lcms2, libpng1.6, linux, linux-*, linux-azure, linux-azure-fips, linux-raspi, linux-xilinx, lua5.1, nasm, opam, openexr, openjpeg2, owslib, postfix, postfixadmin, and vim).

Fri, 08 May 2026 09:49:05 +0000

Greg Kroah-Hartman has announced the release of the 7.0.5, 6.18.28, 6.12.87, and 6.6.138 stable kernels. These kernels
contain a partial fix for the Dirty
Frag and Copy Fail 2
security flaws. Kroah-Hartman has confirmed
that a second patch is required, but it is still in development and has not yet been merged.

Thu, 07 May 2026 20:25:43 +0000

Hyunwoo Kim has announced
the Dirty
Frag security flaw, a
local-privilege-escalation (LPE) vulnerability similar to the
recently disclosed Copy Fail
flaw:
Because the embargo has now been broken, no patches or CVEs exist for
these vulnerabilities. After consultation with the linux-distros@vs.openwall.org
maintainers, and at the maintainers' request, I am publicly releasing this
Dirty Frag document.
As with the previous Copy Fail vulnerability, Dirty Frag likewise allows
immediate root privilege escalation on all major distributions.
Kim, who discovered the flaw and had attempted a coordinated
disclosure set for May 12, has released the code for an exploit, as well as an example
script to remove the vulnerable modules. A full
write-up, with the disclosure timeline, is also available. It's
unknown at this time whether this is an example of parallel discovery
or how the third party was able to disclose it prior to the end of the
embargo. We will be following up as more information comes to light.

Thu, 07 May 2026 14:42:35 +0000

On April 21, Andrew Morton let
it be known that he intends to begin stepping away from the
maintainership of the kernel's memory-management subsystem — a responsibility
he has carried since before memory management was even seen as its own
subsystem. At the 2026 Linux Storage, Filesystem, Memory Management, and
BPF Summit, one of the first sessions in the memory-management track was
devoted to how the maintainership would be managed going forward. There
are a lot of questions still to be answered.

Thu, 07 May 2026 14:10:52 +0000

Arjen Hiemstra has published
an article on the status of the Union project: a
single system to support all of KDE's technologies used for styling
applications.
The work on Union's Breeze implementation has progressed to the
point where it is very hard to distinguish whether or not you are
running the Union version. We have also tested with a bunch of
applications and made sure that any differences were fixed. So we are
at a stage where we need to get Union into the hands of more people,
both to get extra people testing whether there are any major issues,
but also to have interested people creating new styles.
This means that with the upcoming Plasma 6.7 release, we plan to
include Union. Discussion is currently ongoing whether we will enable
it by default, but even if not there will be a way to try it out.
See Hiemstra's introductory
article on Union, published in February 2025, for more about the
project and its creation. KDE 6.7 is expected to be released in mid-June.

Thu, 07 May 2026 13:10:37 +0000

Security updates have been issued by AlmaLinux (dovecot, fence-agents, freeipmi, git-lfs, image-builder, kernel, libsoup, osbuild-composer, and python-tornado), Debian (apache2, libdatetime-timezone-perl, lrzip, tzdata, and wireshark), Fedora (dovecot, forgejo-runner, gh, gnutls, krb5, nano, pdns, pyOpenSSL, squid, vim, and xorg-x11-server-Xwayland), Mageia (graphicsmagick, kernel-linus, krb5-appl, libexif, libtiff, nano, nginx, ntfs-3g, opam, perl-Net-CIDR-Lite, perl-Starlet, perl-Starman, tcpflow, and virtualbox), Oracle (dovecot, fence-agents, freeipmi, image-builder, kernel, libcap, LibRaw, libsoup, openssh, osbuild-composer, python, python-tornado, python3, systemd, thunderbird, and tigervnc), SUSE (containerd, curl, erlang, flatpak, java-11-openjdk, java-21-openjdk, java-25-openjdk, liblxc-devel, libpng12, libthrift-0_23_0, openCryptoki, openexr, openssl-3, python3, python311-social-auth-core, rclone, skim, and thunderbird), and Ubuntu (apache2, coin3, editorconfig-core, insighttoolkit, linux, linux-aws, linux-aws-6.17, linux-gcp, linux-gcp-6.17, linux-hwe-6.17, linux-oracle, linux-realtime, linux-realtime-6.17, linux-azure, linux-azure-6.17, linux-oem-6.17, linux-azure-5.15, linux-gcp-6.8, nghttp2, python-dynaconf, slurm-wlm, swish-e, and webkit2gtk).

Thu, 07 May 2026 06:36:28 +0000

The
7.0.4,
6.18.27, and
6.12.86
stable kernels have been released; each contains another set of important
fixes.

Thu, 07 May 2026 00:01:08 +0000

Inside this week's LWN.net Weekly Edition:
- Front: LLMs and security; restartable sequences and TCMalloc; Fedora and GNOME bug reports; Prolly trees; Arm on s390.
- Briefs: NHS open source; Alpine outage; GCC 16.1; Incus 7.0 LTS; NetHack 5.0.0; PHP license; Quotes; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.

Wed, 06 May 2026 14:56:20 +0000

Predictions that LLM tools would cause a surge in reports of security vulnerabilities
have, unquestionably, been borne out. As expected, maintainers are having to wade
through more security reports than ever before; in addition, LLM tools are
disrupting traditional coordinated-disclosure practices. The method of Copy Fail's disclosure, in particular, left
vendors, projects, and users scrambling. In addition, maintainers are seeing
parallel discovery of the same security flaws within the embargo window. Both
of these developments mean that coordinated security disclosures may become a
thing of the past.

Wed, 06 May 2026 13:53:58 +0000

Version
7.0 of the Incus container and
virtual-machine management system has been released. Notable changes in this
release include the inclusion of a low-level backup API, the addition
of basic S3 operations directly in Incus to replace the now-unmaintained
MinIO project, as well as the removal of support for
cgroups v1 and xtables (iptables/ip6tables/ebtables). This is a
long-term-support (LTS) release, with support through June 2031.
The first 2 years will feature bug and security fixes as well as minor
usability improvements, delivered through occasional point releases
(7.0.x). After that initial two years, Incus 7.0 LTS will move to security-only
maintenance for the remainder of its 5 years of support.
A total of 204 individuals contributed to Incus between the 6.0 LTS and 7.0
LTS releases with 45 contributing between the 6.23 and 7.0 LTS releases.

Wed, 06 May 2026 13:05:18 +0000

Security updates have been issued by AlmaLinux (corosync, dovecot, image-builder, python-tornado, resource-agents, and systemd), Debian (openjdk-11, openjdk-17, and pyjwt), Fedora (pdns, pyOpenSSL, and squid), Slackware (hunspell), SUSE (alloy, avahi, bubblewrap, cmctl, coredns, curl, dpkg, firefox, golang-github-prometheus-prometheus, grafana, libpng12, PackageKit, sed, and xen), and Ubuntu (docker.io-app, nghttp2, python-django, and python-mako).

Tue, 05 May 2026 14:52:45 +0000

A recent
patch set from Steffen Eiden and others has laid the groundwork for allowing
hardware-assisted emulation of Arm CPUs on s390 CPUs.
Version two of the posting fixes a handful of smaller problems, but does not
differ much.
The patches were welcomed
by the Arm maintainers, pending some discussion of how the collaboration between the
architectures could be structured to prevent maintainability problems on the Arm
side. When those details are resolved, the patches could pave the way for
transparently running Arm-based virtual machines (VMs) on s390 hosts at native or
near-native speeds.