LWN.net

LWN recently reported on the Trivy compromise that led, in turn, to the compromise of the LiteLLM system; that article made the point that the extent of the problem was likely rather larger than was known. The Next Web now reports that the Trivy attack was used to compromise a wide range of European Commission systems. The European Union's computer emergency response team said on Thursday that a supply chain attack on an open-source security scanner gave hackers the keys to the European Commiss…

GNU GRUB 2 , mostly just referred to as GRUB these days, is the most widely used boot loader for x86_64 Linux systems. It supports reading from a vast selection of filesystems, handles booting modern systems with UEFI or legacy systems with a BIOS, and even allows users to customize the "splash" image displayed when a system boots. Alas, all of those features come with a price; GRUB has had a parade of security vulnerabilities over the years. To mitigate some of those problems, Ubuntu core deve…

On April 1, the Gentoo Linux project published a blog post announcing that it was switching to GNU Hurd as its primary kernel as an April Fool's joke. While that is not true, the project has followed up with an announcement of a new Gentoo port to the Hurd: Our crack team has been working hard to port Gentoo to the Hurd and can now share that they've succeeded, though it remains still in a heavily experimental stage. You can try Gentoo GNU/Hurd using a pre-prepared disk image. The easiest way t…

Security updates have been issued by AlmaLinux (freerdp, grafana, kernel, rsync, and thunderbird), Debian (chromium, inetutils, and libpng1.6), Fedora (bind9-next, nginx-mod-modsecurity, and openbao), Mageia (firefox, nss and thunderbird), Red Hat (container-tools:rhel8), SUSE (conftest, dnsdist, ignition, libsoup, libsoup2, LibVNCServer, libXvnc-devel, opensc, ovmf-202602, perl-Crypt-URandom, python-tornado, python311-ecdsa, python311-Pygments, python315, tar, and wireshark), and Ubuntu (cairo…

Denver Gingerich of the Software Freedom Conservancy (SFC) has published an article on the impact of the ban on the sale of all new home routers not made in the United States issued by the Federal Communications Commission (FCC). The SFC, of course, is the organization behind the OpenWrt One router . Since software updates to already-FCC-approved devices do not require a new FCC approval, it appears the FCC is trying to move beyond its usual authorization procedures to restrict what manufacture…

The kernel provides a number of ways for processes to communicate with each other, but they never quite seem to fit the bill for many users. There are currently a few proposals for interprocess communication (IPC) enhancements circulating on the mailing lists. The most straightforward one adds a new system call for POSIX message queues that enables the addition of new features. For those wanting an entirely new way to do interprocess communication, there is a proposal to add a new subsystem for…

Brian "bex" Exelbierd has published a blog post exploring follow-up questions raised by the recent debate about the use of the LLM-based review tool Sashiko in the memory-management subsystem. His main finding is that Sashiko reviews are bi-modal with regards to whether they contain reports about code not directly changed by the patch set — most do not, but the ones that do often have several such comments. Hypothesis 1: Reviewers are getting told about bugs they didn't create. Sashiko's review…

OpenSSH 10.3 has been released. Among the many changes in this release are a security fix to address late validation of metacharacters in user names, removal of bug compatibility for SSH implementations that do not support rekeying , and a fix to ensure that scp clears setuid/setgid bits from downloaded files when operating as root in legacy ( -O ) mode. See the release announcement for a full list of new features, bug fixes, and potentially incompatible changes.

Security updates have been issued by AlmaLinux (python3.11, python3.12, squid, and thunderbird), Debian (gst-plugins-bad1.0 and gst-plugins-ugly1.0), Fedora (bpfman, crun, gnome-remote-desktop, polkit, python3.14, rust-rustls-webpki, rust-sccache, rust-scx_layered, rust-scx_rustland, rust-scx_rusty, and scap-security-guide), Oracle (freerdp, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-ugly-free, kernel, libxslt, python3.11, python3.12, s…

Greg Kroah-Hartman has released the 6.19.11 , 6.18.21 , 6.12.80 , and 6.6.131 stable kernels, followed by a quick release of 6.6.132 with two patches reverted to address a problem building the rust core in 6.6.131. Each kernel contains important fixes; users are advised to upgrade.

Inside this week's LWN.net Weekly Edition: Front : LiteLLM compromise; systemd controversy; LLM kernel review; OpenBSD and vibe-coding; Rust trait-solver; Pandoc. Briefs : Rspamd 4.0.0; telnyx vulnerability; Fedora forge; SystemRescue 13.00; Servo 0.0.6; Quotes; ... Announcements : Newsletters, conferences, security updates, patches, and more.

Michael Meeks has posted an angry missive about changes at the Document Foundation. What has really happened is not entirely clear, but it seems to involve, at a minimum, the forced removal of all Collabora staff from the foundation. There has been a set of "thank you" notes to the people involved posted in the foundation's forums . The Document Foundation's decision to restart LibreOffice Online almost certainly plays into this as well. Details are fuzzy at best; we will be working at providin…

Pandoc is a document-conversion program that can translate among a myriad of formats, including LaTeX , HTML, Office Open XML (docx), plain text, and Markdown . It is also extensible by writing Lua filters that can manipulate the document structure and perform arbitrary computations. Pandoc has appeared in various LWN articles over the years, such as my look at Typst and at the importance of free software to science in 2025, but we have missed providing an overview of the tool. The February rel…

Version 0.0.6 of the Rust-based Servo web browser rendering engine has been released. This release boasts a long list of new features, performance enhancements, improvements, and bug fixes . Some of the notable changes include layout performance improvements , a servo:config page for setting any preference, and developer tools enhancements .

Security updates have been issued by AlmaLinux (freerdp, libxslt, python3.11, and python3.12), Debian (libpng1.6, lxd, netty, and python-tornado), Fedora (chunkah, cpp-httplib, firefox, freerdp, gst-devtools, gst-editing-services, gstreamer1, gstreamer1-doc, gstreamer1-plugin-libav, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, gstreamer1-plugins-ugly-free, gstreamer1-rtsp-server, gstreamer1-vaapi, insight, python-gstreamer1, python3.14, rust, rust-cargo-rpmstat…