|
|
Log in / Subscribe / Register

Brief items

Security

A set of AppArmor vulnerabilities

Qualys has sent out a somewhat breathless advisory describing a number of vulnerabilities in the AppArmor security module, which is used in a number of Debian-based distributions (among others).

This "CrackArmor" advisory exposes a confused-deputy flaw allowing unprivileged users to manipulate security profiles via pseudo-files, bypass user-namespace restrictions, and execute arbitrary code within the kernel. These flaws facilitate local privilege escalation to root through complex interactions with tools like Sudo and Postfix, alongside denial-of-service attacks via stack exhaustion and Kernel Address Space Layout Randomization (KASLR) bypasses via out-of-bounds reads.

Comments (20 posted)

Local-privilege escalation in snapd

Qualys has discovered a local-privilege escalation (LPE) vulnerability affecting Ubuntu Desktop 24.04 and later:

This flaw (CVE-2026-3888) allows an unprivileged local attacker to escalate privileges to full root access through the interaction of two standard system components: snap-confine and systemd-tmpfiles.

More details are available in the security advisory. Canonical has published updated packages as well as instructions for verifying if a system is vulnerable and how to upgrade if so.

Comments (2 posted)

Kernel development

Kernel release status

The current development kernel is 7.0-rc4, released on March 15. Linus said:

Then Thursday hit with the networking pull. And then on Friday everybody else decided to send in their work for the week, with a few more trickling in over the weekend. End result: what had for a short few days looked like a nice calm week turned into another "bigger than usual" release candidate.

To be fair, that "almost everything comes in at the end of the week" is 100% normal, and none of this is surprising. I was admittedly hoping that things would start to calm down, but that was not to be.

I no longer really believe that it was the one extra week we had last release cycle: I'm starting to suspect it's the psychological result of "hey, new major number", and people are just being a bit more active as a result.

This development cycle, as of -rc4, has brought in 12,891 non-merge changesets from 2,112 developers, 388 of whom are first-time kernel contributors; we would appear to be headed toward breaking the previous record for most developers (2,141) set by the 6.19 release. The history now looks like:

RCDateCommits
v7.0-rc1 2026-02-2212468 12468
v7.0-rc2 2026-03-01434 434
v7.0-rc3 2026-03-08537 537
v7.0-rc4 2026-03-15544 544

See the (subscriber-only) KSDB 7.0 page for a lot more details.

Stable updates: 6.19.7 and 6.18.17 were released on March 12, followed by 6.19.8, 6.18.18, and 6.12.77 one day later.

The 6.19.9 and 6.18.19 updates are in the review process; they are due on March 19.

Comments (none posted)

The Sashiko patch-review system

Roman Gushchin has announced the existence of an LLM-driven patch-review system named Sashiko. It automatically creates reviews for all patches sent to the linux-kernel mailing list (and some others).

In my measurement, Sashiko was able to find 53% of bugs based on a completely unfiltered set of 1,000 recent upstream issues using "Fixes:" tags (using Gemini 3.1 Pro). Some might say that 53% is not that impressive, but 100% of these issues were missed by human reviewers.

Sashiko is built on Chris Mason's review prompts (covered here in October 2025), but the implementation has evolved considerably.

Comments (29 posted)

Distributions

Debian Project Leader election underway

Kurt Roeckx has announced that Debian has moved to the campaigning period for the 2026 Debian Project Leader (DPL) election. This year there is only one candidate, Sruthi Chandran, so Debian voters will have a choice between Chandran as DPL or "None of the above". The campaign period will run through April 3, and the voting period will run from April 4 to April 17. Chandran has not yet posted a platform for the 2026 election, but her 2024 platform is available on the Debian wiki.

Comments (2 posted)

Fedora Asahi Remix 43 released

Fedora Asahi Remix 43 is now available:

This release incorporates all the exciting improvements brought by Fedora Linux 43. Notably, package management is significantly upgraded with RPM 6.0 and the new DNF5 backend for PackageKit for Plasma Discover and GNOME Software ahead of Fedora Linux 44. It also continues to provide extensive device support. This includes newly added support for the Mac Pro, microphones in M2 Pro/Max MacBooks, and 120Hz refresh rate for the built-in displays for MacBook Pro 14/16 models.

Comments (none posted)

Development

GIMP 3.2 released

After a year's worth of development since GIMP 3.0 was released, the team behind the open-source image editor has released GIMP 3.2. It comes as part of the plan to release GIMP more frequently, rather than wait six or seven years between releases. The release comes with lots of new features (as can be seen in more detail in the release notes), including 20 new brushes for the MyPaint Brush tool, an "overwrite" paint mode, new and upgraded file formats, UI improvements in a variety of places, such as the on-canvas text editor, and new non-destructive layers:
  • You can now use Link Layers to incorporate external image as part of your compositions, easily scaling, rotating, and transforming them without losing quality or sharpness. The link layer's content is updated when the source file is modified
  • The Path tool can now create Vector Layers, which lets you draw shapes with adjustable fill and stroke settings.

Comments (none posted)

Marknote 1.5 released

Version 1.5 of Marknote, a Markdown-based note-management application, has been released. Notable features in this release include Source Mode for working directly with Markdown instead of the WYSIWYG interface, internal wiki-style links for notes, as well as simpler management of notes and notebooks.

Comments (1 posted)

Development quotes of the week

The modern AI world is the fulfillment of the Stallmanite dream. We are transitioning from Software-as-a-Product, a black box we receive, to Software-as-a-Specification, a fluid intent that users with little to no programming skills can control. Critics may fret over the "slop" of AI-generated code, but they are missing the philosophical forest for the digital trees. The Free Software movement was never about the aesthetic purity of the code or a totem to the primacy of developers via copyright law; it was about the sovereignty of the user.

By democratizing the ability to write, refactor, and understand code, AI provides the technical enforcement of the freedoms that the GPL could only provide legally. The first liberation gave us the code; the second liberation gives us the mastery of it. The "tyranny of the vendor" is finally meeting its match, not in a courtroom, but in the prompt. The hack is complete.

Stefano Maffulli

Licenses aren't tools for social engineering. If you're trying to build a commercially and technically successful community, clever license terms aren't going to do that for you. You have to do the actual community-building work.
Josh Berkus

Comments (4 posted)

Miscellaneous

FSFE reports trouble with payment provider

The Free Software Foundation Europe (FSFE) is reporting that payment provider Nexi has terminated its contract without prior notice, which means that a number of FSFE supporters' recurring payments have been halted:

Over the past few months, our former payment provider Nexi S.p.A. ("Nexi") requested access to private data, which we understood to be specifically the usernames and passwords of our supporters. We have refused this request. All our attempts to clarify Nexi's request, or to understand how their need for such information was necessary and legal, were met with what we consider to be vague and unsatisfactory explanations relating to a general need for risk analysis.

[...] The decisions that Nexi has made are incomprehensible to us. Over the last months, as part of a security audit that Nexi claimed to be conducting, we have provided them with large amounts of the FSFE's financial documentation, which even included private information of our executive staff. We have answered all of their questions. But we have to draw a line when private companies like Nexi demand access to the sensitive and private data of our supporters.

According to the blog post, more than 450 supporters have been affected by this. The FSFE's donation pages have been updated with its new payment provider.

Comments (16 posted)

An investigation of the forces behind the age-verification bills

Reddit user "Ok_Lingonberry3296" has posted the results of an extensive investigation into the companies that are pushing US state legislatures to enact age-verification bills.

I've been pulling public records on the wave of "age verification" bills moving through US state legislatures. IRS 990 filings, Senate lobbying disclosures, state ethics databases, campaign finance records, corporate registries, WHOIS lookups, Wayback Machine archives. What started as curiosity about who was pushing these bills turned into documenting a coordinated influence operation that, from a privacy standpoint, is building surveillance infrastructure at the operating system level while the company behind it faces zero new requirements for its own platforms.

(See also this article for a look at the California law.)

Comments (46 posted)

Page editor: Daroc Alden
Next page: Announcements>>


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds