Version 3.22.0 of the Alpine Linux distribution has been released. Notable changes in this release include the removal of the X11 session for KDE Plasma, a switch to systemd-efistub, and experimental support for user services with the OpenRC init system. See the release notes for a detailed list of changes.
Software patents and workarounds for them are, once again, causing headaches for open-source projects and users. This time around, Fedora users have been vulnerable to a serious flaw in the OpenH264 library for months—not for want of a fix, but because of the Rube Goldberg machine methodology of distributing the library to Fedora users. The software is open source under a two-clause BSD license; the RPMs are built and signed by Fedora, but the final product is distributed by Cisco, so the company can pick up the tab for license fees. Unfortunately, a breakdown in the process of handing RPMs to Cisco for distribution has left Fedora users vulnerable, and inaction on Fedora's part has left users unaware that they are at risk.
Mozilla has decided to throw in the towel on Pocket, a social-bookmarking service that it acquired in 2017. This has left many users scrambling for a replacement for Pocket before its shutdown in July. One possible option is wallabag, a self-hostable, MIT-licensed project for saving web content for later reading. It can import saved data from services like Pocket, share content on the web, export to various formats, and more. Even better, it puts users in control of their data long-term.
As of this writing, 5,546 non-merge changesets have been pulled into the mainline kernel repository for the 6.16 release. This is a bit less than half of the total commits for 6.15, so the merge window is well on its way. Read on for our summary of the first half of the 6.16 merge window.
The SUSE Security Team has published a detailed report about security vulnerabilities it discovered in the Kea DHCP server suite from the Internet Systems Consortium (ISC).
Since SUSE is also going to ship Kea DHCP in its products, we performed a routine review of its code base. Even before checking the network security of Kea, we stumbled over a range of local security issues, among them a local root exploit which is possible in many default installations of Kea on Linux and BSD distributions. [...]
This report is based on Kea release 2.6.1. Any source code references in this report relate to this version. Many systems still ship older releases of Kea, but we believe they are all affected as well by the issues described in this report.
The report details seven security issues including local-privilege-escalation and arbitrary file overwrite vulnerabilities. Security fixes for the vulnerabilities have been published in all of the currently supported release series of Kea: 2.4.2, 2.6.3, and the 2.7.9 development release were all released on May 28. Kea has assigned CVE-2025-32801, CVE-2025-32802, and CVE-2025-32803 to the vulnerabilities. Note that some of the CVEs cover multiple security flaws.
The GNU C Library (glibc) is the core C library for most Linux distributions, so it is a crucial part of the open-source ecosystem—and an attractive target for any attackers looking to carry out supply-chain attacks. With that being the case, securing the project's infrastructure using industry best practices and improving the security of its development practices are a frequent topic among glibc developers. A recent discussion suggests that improvements are not happening as quickly as some would like.
Mahé Tardy led two sessions about some of the challenges that he, Kornilios Kourtis, and John Fastabend have run into in their work on Tetragon (Apache-licensed BPF-based security monitoring software) at the Linux Storage, Filesystem, Memory Management, and BPF Summit. The session prompted discussion about the feasibility of letting BPF programs send data over the network, as well as potential new kfuncs to let BPF firewalls send TCP reset packets. Tardy presented several possible ways that these could be accomplished.
Canonical's Launchpad software-collaboration platform that is used for Ubuntu development will be shutting down its hosted mailing lists at the end of October. The announcement recommends Discourse or Launchpad Answers as alternatives. Ubuntu's mailing lists are unaffected by the change.
The increasing sophistication of attackers has organizations realizing that perimeter-based security models are inadequate. Many are planning to transition their internal networks to a zero-trust architecture. This requires every communication on the network to be encrypted, authenticated, and authorized. This can be achieved in applications and services by using modern communication protocols. However, the world still depends on Domain Name System (DNS) services where encryption, while possible, is far from being the industry standard. To address this we, as part of a working group at Red Hat, worked on fully integrating encrypted DNS for Linux systems—not only while the system is running but also during the installation and boot process, including support for a custom certificate chain in the initial ramdisk. This integration is now available in CentOS Stream 9, 10, and the upcoming Fedora 43 release.
The goal of AlmaLinux OS is to support our community, and AlmaLinux OS 10 is the best example of that yet. With an unwavering eye on maintaining compatibility with Red Hat Enterprise Linux (RHEL), we have made small improvements to AlmaLinux OS 10 that target specific sections of our userbase.
See the release notes for details.
Srinivas Narayana led a remote session about extending Agni to prove the correctness of the BPF verifier's handling of different execution paths as part of the Linux Storage, Filesystem, Memory Management, and BPF Summit. The problem of ensuring the correctness of path exploration is much more difficult than the problem of ensuring the correctness of arithmetic operations (which was the subject of the previous session), however. Narayana's plan to tackle the problem makes use of a mixture of specialized techniques — and may need some assistance from the BPF developers to make it feasible at all.
Connexion