Version 14.5 of the Tor Browser has been released. Notable features in this release include the addition of Connection Assist for the Android version of the Tor Browser, and language support for Belarusian, Bulgarian, and Portuguese for all versions of the browser.
Should Tor Browser fail to establish a direct connection to the Tor network, Connection Assist will offer to find and try bridges for you. But before this feature could be made available on Android, we had to embark on a multi-year effort to refactor our tor integration across each platform first. This project has now reached an important milestone, and we're proud to announce the release of Connection Assist for Android today.
See the full changelog for all changes in this release, and the issues page for known problems.
Debian's Advanced Package Tool (APT) is the suite of utilities that handle package management on Debian and Debian-derived operating systems. APT recently received a major upgrade to 3.0 just in time for inclusion in Debian 13 ("trixie"), which is planned for release sometime in 2025. The version bump is warranted; the latest APT has user-interface improvements, switches to Sequoia to verify package signatures, and includes solver3—a new solver that is designed to improve how it evaluates and resolves package dependencies.
GNOME contributor Michael Catanzaro has written a blog post about a noteworthy vulnerability in GNOME's help browser, Yelp.
I don't normally blog about particular CVEs, but Yelp CVE-2025-3155 is noteworthy because it is quite severe, public for several weeks now, and not yet fixed upstream. In short, help files can read your filesystem and execute arbitrary JavaScript code, allowing an attacker to exfiltrate any files your Unix user has access to.
The vulnerability was first reported on December 25, and it
was made public on March 26 after the 90-day-disclosure deadline
was reached. Patches
have been proposed to fix the issue. The bug reporter has published a writeup
demonstrating the attack. Catanzaro asks that Linux vendors
"please consider applying the provided patches even though they
have not yet been accepted upstream
".
The BPF verifier is not magic; it cannot solve the halting problem. Therefore, it has to err on the side of assuming that a program will run too long if it cannot prove that the program will not. The ultimate check on the size of a BPF program is the one-million-instruction limit — the verifier will refuse to process more than one-million instructions, no matter what a BPF program does. Alexei Starovoitov gave a talk at the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit about that limit, why correctly written BPF programs shouldn't hit it, and how to make the user experience of large BPF programs better in the future.
Sergiu Gatlan reports that the US government has extended funding for the Common Vulnerabilities and Exposures (CVE) program, following yesterday's reports that funding would run out as of April 16.
"The CVE Program is invaluable to cyber community and a priority of CISA," the U.S. cybersecurity agency told BleepingComputer. "Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience."
The article also mentions the launch of a CVE Foundation, to
transition the CVE program to a dedicated foundation and eliminate
"a single point of failure in the vulnerability management
ecosystem
", as well as a European vulnerability
database (EUVD) backed by the European Union Agency for
Cybersecurity (ENISA). Details on these initiatives are scant at the
moment, and it is unclear whether restoration of funding will have any
impact on these efforts.
Maintained by MITRE Corporation, a not-for-profit organization that operates federal R&D centers, the CVE program is funded through multiple channels, including the U.S. government, industry partnerships, and international organizations.Earlier this month, in anticipation of the US government funding cuts, MITRE initiated layoffs that affected more than 400 employees in its Virginia office. The cuts were ordered after the Trump administration announced more than $28 million in canceled contracts for the company.
Version 25.0 ("Zetar") of the Arch-based Manjaro Linux distribution is now available. This release includes Linux kernel 6.12, GNOME 48, KDE 6.3, Xfce 4.18, and more.
The Fedora Project has announced the release of Fedora Linux 42, with "what's new" articles for Fedora Workstation and Fedora KDE Plasma Desktop. There is also a last-minute warning about the live media for the release:
We discovered a problem with the Live boot media at the last minute, and since the release was already out of the airlock, we can't do much about it. It doesn't damage anything, but is annoying: just booting the Live media adds an unexpected entry to the UEFI boot loader even when Fedora Linux 42 is not installed to the local system.
This is primarily a concern when you are dual-booting with a different operating system, or if you're just running the Live image and not intending to actually install.
See the release notes for more information, and LWN's coverage of Fedora 42.
Fedora Linux 42 has been released with many incremental improvements and updates. In this development cycle, the KDE Plasma Desktop has finally gotten a promotion from a spin to an edition, the new web-based user interface for the Anaconda installer makes its debut, and the Wayland-ification of Fedora continues apace. In all it is a solid release with lots of polish.
Version 3.0 of the Pinta image editor has been released. The most notable change in this release is that Pinta has been ported to GTK 4.0 and libadwaita. It also includes a number of improvements, new effects, and bug fixes.
Connexion