Linux NewsFour stable kernels for the weekend
Greg Kroah-Hartman has released the 6.18.6, 6.12.66, 6.6.121, and 6.1.161 stable kernels. As usual, each has important fixes throughout the tree; users are advised to upgrade.
All Sources
9to5Linux
Fedora Magazine
Foss Force
How-to Geek
It's FOSS
Linux Insider
Linux Journal
Linux Magazine
Linux TLDR
Linux.org
Linuxiac
LPI
LWN.net
OMG! Ubuntu
Phoronix
[$] A free and open-source rootkit for Linux
While there are several rootkits that target Linux, they have so far not fully embraced the open-source ethos typical of Linux software. Luckily, Matheus Alves has been working to remedy this lack by creating an open-source rootkit called Singularity for Linux systems. Users who feel their computers are too secure can install the Singularity kernel module in order to allow remote code execution, disable security features, and hide files and processes from normal administrative tools. Despite its many features, Singularity is not currently known to be in use in the wild โ instead, it provides security researchers with a testbed to investigate new detection and evasion techniques.
Security updates for Friday
Security updates have been issued by AlmaLinux (gnupg2), Debian (firefox-esr), Oracle (cups, gnupg2, libpq, net-snmp, postgresql, postgresql:15, postgresql:16, transfig, and vsftpd), Red Hat (firefox), SUSE (apache2, curl, firefox, gpg2, hawk2, libcryptopp-devel, openCryptoki, python310, python311-urllib3, rke2, squid, and tomcat), and Ubuntu (cpp-httplib, git, python-apt, and simgear).
A 0-click exploit chain for the Pixel 9 (Project Zero)
The Project Zero blog has a three-part series describing a working, zero-click exploit for Pixel 9 devices. Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to be decoded before the message is opened by the user. One such feature is audio transcription. Incoming SMS and RCS audio attachments received by Google Messages are now automatically decoded with no user interaction. As a result, audio decoders are now in the 0-click attack surface of most Android phones. The blog entry does not question the wisdom of directly exposing audio decoders to external attackers, but it does provide a lot of detail showing how it can go wrong. The first part looks at compromising the codec; part two extends the exploit to the kernel, and part three looks at the implications: It is alarming
Running Debian on the OpenWrt One (Collabora Blog)
Sjoerd Simons has published a blog post about running Debian on the OpenWrt One router hardware: With openwrt-one-debian, you can now install and run a full Debian system leveraging the OpenWrt One's NVMe storage, enabling everything from custom services and containers to development tools and lightweight server workloads, all on open hardware. This project provides a rust-based flasher to install Debian on the OpenWrt One, opening the door to standard Debian tooling, packages, and workflows. For developers and power users, it transforms the OpenWrt One from a network appliance into a compact, general-purpose Linux system. See the GitHub repository for the code and latest build. LWN reviewed the device in November 2024, and covered Denver Gingerich's talk at SCALE 22x about the making of the router in March 2025.
Forgejo 14.0 released
Version 14.0 of the Forgejo software forge has been released. Notable changes in this release include several database improvements, new options for approving actions execution from pull requests, a new file editor, and progress toward making Forgejo's web UI work without JavaScript.
[$] Removing a pointer dereference from slab allocations
Al Viro does not often stray outside of the core virtual filesystem area; when he does, it is usually worthy of note. Recently, he wandered into memory management with this patch series to the slab allocator and some of its users. Kernel developers will often put considerable effort into small optimizations, but it is still interesting to look at just how much effort has gone toward the purpose of avoiding a single pointer dereference in some memory-allocation hot paths.
A note for MXroute users
We have recently noticed that email from LWN.net seems to be blocked by MXroute. Unfortunately, the company also does not seem to have a way for non-customers to report problems in mail delivery, so we have no good way to get ourselves unblocked. As a result, readers who have subscribed to an LWN mailing list from a domain hosted with MXroute will probably not receive our mailings. We have not yet unsubscribed addresses that are being blocked by MXroute, but will soon if the problem persists. Please accept our apologies for the inconvenience; it is unfortunate that it is becoming so difficult to send legitimate email as a small business.
Security updates for Thursday
Security updates have been issued by Debian (chromium, gnupg2, and mongo-c-driver), Fedora (firefox, gpsd, linux-firmware, and seamonkey), Mageia (net-snmp), Oracle (kernel, podman, postgresql16, postgresql:13, postgresql:15, postgresql:16, and uek-kernel), Red Hat (libpq, net-snmp, and transfig), Slackware (libpng and mozilla), SUSE (avahi, bluez, capstone, curl, dpdk, firefox, firefox-esr, fluidsynth, glib2, kernel, kernel-devel, libmicrohttpd, libpcap, libpng16, libsoup, libsoup-3_0-0, libtasn1, libvirt, mcphost, openvswitch, ovmf, podman, poppler, python-tornado6, python311, qemu, rsync, and valkey), and Ubuntu (erlang, klibc, libpng1.6, and ruby-rack).
[$] LWN.net Weekly Edition for January 15, 2026
Inside this week's LWN.net Weekly Edition: Front: SFC v. VIZIO; GPLv2 requirements; Debian and GTK 2; OpenZL; kernel scheduler QoS; Rust concurrent data access; Asciinema. Briefs: OpenSSL and Python; LSFMM+BPF 2026; Fedora elections; Gentoo retrospective; EU lawmaking; Git data model; Firefox 147; Radicle 1.6.0; Quotes; ... Announcements: Newsletters, conferences, security updates, patches, and more.
The State of OpenSSL for pyca/cryptography
Paul Kehrer and Alex Gaynor, maintainers of the Python cryptography module, have put out some strongly worded criticism of OpenSSL. It comes from a talk they gave at the OpenSSL conference in October 2025 (YouTube video). The post goes into a lot of detail about the problems with the OpenSSL code base and testing, which has led the cryptography team to reconsider using the library. "The mistakes we see in OpenSSL's development have become so significant that we believe substantial changes are required โ either to OpenSSL, or to our reliance on it." They go further in the conclusion: First, we will no longer require OpenSSL implementations for new functionality. Where we deem it desirable, we will add new APIs that are only on LibreSSL/BoringSSL/AWS-LC. Concretely, we expect to add ML-KEM and ML-DSA APIs that are only available with LibreSSL/BoringSSL/AWS-LC, and not with OpenSSL. Second, we currently statically link a copy of OpenSSL in our wheels (binary artifacts). We are beginning t
[$] Format-specific compression with OpenZL
Lossless data compression is an important tool for reducing the storage requirements of the world's ever-growing data sets. Yann Collet developed the LZ4 algorithm and designed the Zstandard (or Zstd) algorithm; he came to the 2025 Open Source Summit Japan in Tokyo to talk about where data compression goes from here. It turns out that we have reached a point where general-purpose algorithms are only going to provide limited improvement; for significant increases in compression, while keeping computation costs within reason for data-center use, turning to format-specific techniques will be needed.
[$] Debian discusses removing GTK 2 for forky
The Debian GNOME team would like to remove the GTK 2 graphics toolkit, which has been unmaintained upstream for more than five years, and ship Debian 14 ("forky") without it. As one might expect, however, there are those who would like to find a way to keep it. Despite its age and declared obsolescence, quite a few Debian packages still depend on GTK 2. Many of those applications are unlikely to be updated, and users are not eager to give them up. Discussion about how to handle this is ongoing; it seems likely that Debian developers will find some way to continue supporting applications that require GTK 2, but users may have to look outside official Debian repositories.
Radicle 1.6.0 released
Version 1.6.0 of the Radicle peer-to-peer, local-first code collaboration stack has been released. Notable changes in this release include support for systemd credentials, use of Rust's clap crate for parsing command-line arguments, and more. LWN covered the project in March 2024.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (sssd), Debian (linux-6.1 and python-parsl), Fedora (chezmoi, complyctl, composer, and firefox), Oracle (kernel), Red Hat (buildah, libpq, podman, postgresql, postgresql16, postgresql:13, postgresql:15, and postgresql:16), SUSE (avahi, curl, ffmpeg-4, ffmpeg-7, firefox, istioctl, k6, kubelogin, libmicrohttpd, libpcap-devel, libpng16, libtasn1-6-32bit, matio, ovmf, python-tornado6, python311-Authlib, and teleport), and Ubuntu (angular.js, python-urllib3, and webkit2gtk).
Page 1 of 13
Next »