On January 14, Nick Tait announced the discovery of six vulnerabilities in rsync, the popular file-synchronization tool. While software vulnerabilities are not uncommon, the most serious one he announced allows for remote code execution on servers that run rsyncd — and possibly other configurations. The bug itself is fairly simple, but this event provides a nice opportunity to dig into it, show why it is so serious, and consider ways the open-source community can prevent such mistakes in the future.

The series of singleton stable kernel updates continues with 6.6.73, which reverts three changes that were causing problems for users of the overlayfs filesystem.

Security updates have been issued by AlmaLinux (grafana), Debian (libebml, poco, redis, sympa, tiff, and ucf), Fedora (rsync), Mageia (dcmtk, git, proftpd, and raptor2), Red Hat (grafana, iperf3, kernel, microcode_ctl, and redis), SUSE (chromium, dhcp, git, libqt5-qtwebkit, and pam_u2f), and Ubuntu (python3.10, python3.8 and python3.12).

The 6.13 development cycle ended on January 19 with the release of the 6.13 kernel. This cycle was, on its surface, one of the slowest we have seen in some time; the LWN merge-window summaries (part 1, part 2) and the KernelNewbies 6.13 page can be consulted for a refresher on all it contains. Here, instead, we will take our usual look at where all of those changes came from.

Version 3.2.0 of the Dillo web browser has been released about a month after its 25th anniversary. Notable new features in 3.2.0 include SVG support for math formulas, optional support for WebP images, and more.

Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, ipa, and NetworkManager), Debian (389-ds-base, busybox, libreoffice, rsync, ruby2.7, tomcat10, and tryton-server), Fedora (chromium and stb), Mageia (openafs and vim), Oracle (.NET 8.0 and .NET 9.0), SUSE (amazon-ssm-agent, chromedriver, git, golang-github-prometheus-prometheus, govulncheck-vulndb, grafana, hplip, pam_u2f, perl-Compress-Raw-Zlib, perl-IO-Compress, redis, redis7, rsync, and velociraptor), and Ubuntu (libpodofo and linux-xilinx-zynqmp).

Linus has released the 6.13 kernel. "So nothing horrible or unexpected happened last week, so I've tagged and pushed out the final 6.13 release."

Significant features in this release include the lazy preemption model for CPU scheduling, Arm64 Guarded Control Stack support, the PIDFD_GET_INFO() operation, multi-grain file timestamps, beginning atomic write support for the ext4 and XFS filesystems, the setxattrat(), getxattrat(), listxattrat(), and removexattrat() system calls, private stacks for BPF programs, a new mechanism for adding guard pages to a memory mapping, the removal of the reiserfs filesystem, and more. See the LWN merge-window summaries (part 1, part 2) and the KernelNewbies 6.13 page for more information.

Version 16.1 of the GDB debugger is out. There are a lot of changes, including watchpoints for tagged data pointers, a new script to print the stack trace of a running process, better Intel Processor Trace support, and more.

Greg Kroah-Hartman has released the 6.1.126 stable kernel to fix build failures with the 6.1.125 stable release.

Only upgrade if 6.1.125 did not build properly for you. If it did build properly, no need to upgrade. Thanks to Ron Economos for the fix for this issue.

A reminder has gone out that the deadline for proposals for the 2025 Linux Storage, Filesystem, Memory Management and BPF Summit is February 1; anybody wanting to attend will need to make themselves known before then. The reminder also says that there will be no remote participation option (or live streams) this year.

The idea of adding None-aware operators to Python has sprung up once again. These would make traversing structures with None values in them easier, by short-circuiting lookups when a None is encountered. Almost exactly a year ago, LWN covered the previous attempt to bring the operators to Python, but there have been periodic discussions stretching back to 2015 and possibly before. This time Noah Kim has taken up the cause. After some debate, he eventually settled on redrafting the existing PEP to have a more limited scope, which might finally see it move past the cycle of debate, resurrection, and abandonment that it has been stuck in for most of the last decade.

The 6.12.10, 6.6.72, and 6.1.125 stable kernels have been released on the expected schedule.

Security updates have been issued by Debian (rsync and tomcat9), Fedora (chromium, mingw-python-jinja2, redict, and valkey), Gentoo (GIMP and pip), Oracle (.NET, fence-agents, ipa, kernel, python-virtualenv, raptor2, and rsync), Red Hat (.NET 8.0 and .NET 9.0), SUSE (apache2-mod_jk, git, git-lfs, kernel, python-Django, thunderbird, and xen), and Ubuntu (audacity, bcel, dotnet8, dotnet9, gimp-dds, harfbuzz, libxml2, poppler, rsync, and tqdm).

The kernel is, on its face, a single large development project, but internally it is better viewed as 100 or so semi-independent projects all crammed into one big tent. Within those projects, there is a fair amount of latitude about how changes are managed, and some subsystems are using that freedom in the search for more efficient ways of working. In the end, though, all of these sub-projects have to work together and interface with kernel-wide efforts, including the stable-release and CVE-assignment processes. For some time, there has been friction between the direct rendering (DRM, or graphics) subsystem and the stable maintainers; that friction recently burst into view in a way that shows some of the limitations of how the kernel community manages patches.

Security updates have been issued by AlmaLinux (fence-agents, raptor2, and rsync), Debian (chromium), Fedora (rsync and seamonkey), Mageia (openjpeg2), Red Hat (tuned), Slackware (git), SUSE (dcmtk, dnsmasq, govulncheck-vulndb, libQtWebKit4, libraptor-devel, opera, python311-Pillow, python311-translate-toolkit, rsync, and SDL2_sound-devel), and Ubuntu (linux-raspi-5.4, neomutt, and python2.7).

Inside this week's LWN.net Weekly Edition:

• Front: Chimera Linux; Vim; Page-table hardening; Modifying system calls; Ghostty 1.0; TuxFamily.
• Briefs: rsync vulnerabilities; Linux Mint 22.1; Git v2.48.0; Libvirt v11.0.0; Rust 1.84.0; RIP Helen Borrie, Paolo Mantegazza, and Bill Gianopoulos; SFC lawsuit; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

The Ghostty terminal emulator project has generated a surprising amount of interest, even before code was released to the public. This is in part due to the high profile of its creator, HashiCorp founder Mitchell Hashimoto. Its development was conducted behind closed doors for beta testing, until version 1.0 was released on December 26 under the MIT license. While far from finished, Ghostty is ready for day-to-day use and might be of interest to those who spend significant amounts of time at the command line.

Version 11.0.0 of the libvirt virtualization API has been released. Notable changes in this release include the ability to export virtiofs filesystems in read-only mode, the addition of support for vlan tagging and trunking of network interfaces with the network, qemu, and lxc drivers, as well as a number of bug fixes.

We have just now received word of the passing of Helen Borrie, a longtime contributor to the Firebird relational database project.

Helen's quiet leadership and dedication left a lasting impact on Firebird and its users. Her efforts helped build not just a powerful database but also a strong, collaborative community. She will be deeply missed by all who knew her and benefited from her work.

She will be greatly missed. (Thanks to Steve Friedl.)

Linux Mint version 22.1, a long-term-support (LTS) release with support until 2029, is now available. Notable changes in this release include a transition to Aptkit for background package management tasks, Captain to install Debian packages, and a new default theme with improved Wayland compatibility. See the release notes for known issues.