Brief items
Security
Akamai finds many systems with exposed CUPS vulnerability
Akamai released a report pointing out that the recently-reported CUPS vulnerability (original disclosure) could be used to drive distributed denial-of-service (DDoS) attacks as well. Even if an attacker cannot gain remote control over a computer, they can still cause it to fetch a URL of their choice — potentially getting free DDoS amplification.
The Akamai Security Intelligence and Response Team (SIRT) found that more than 198,000 devices are vulnerable to this attack vector and are accessible on the public internet; roughly 34% of those could be used for DDoS abuse (58,000+).
oath-toolkit: privilege escalation in pam_oath.so (SUSE Security Team Blog)
The SUSE Security Team Blog has a detailed report on its discovery of a privilege escalation in the oath-toolkit, which provides libraries and utilities for managing one-time password (OTP) authentication.
Fellow SUSE engineer Fabian Vogt approached our Security Team about the project's PAM module. A couple of years ago, the module gained a feature which allows placing the OTP state file (called usersfile) in the home directory of the to-be-authenticated user. Fabian noticed that the PAM module performs unsafe file operations in users' home directories. Since PAM stacks typically run as root, this can easily cause security issues.
Kernel development
Kernel release status
The current development kernel is 6.12-rc2, released on October 6. Linus said:
Anyway, this isn't one of the small rc2's. But looking at historical trends, being a bigger rc2 isn't _that_ unusual, and nothing in here looks all that odd. Yes, the diffstat may look a bit unusual, in that we had a global header renaming (asm/unaligned.h -> linux/unaligned.h) and we had a couple of reverts that stand out as spikes in the stats, but everything else looks nice and small.
Stable updates: 6.11.2, 6.10.13, and 6.6.54 were released on October 4.
The 6.11.3, 6.10.14, and 6.6.55 updates are in the review process; they are due on October 10.
Quotes of the week
This work is way more fun when we can work together, and the relationships I've built in this community through this collaboration around solving problems are my most cherished professional relationships.
Or we can keep doing this, randomly throwing mud at each other, pissing each other off, making ourselves into unhireable pariahs. I've made my decision, and honestly I think it's better.
— Josef Bacik
I try to make my merge commit messages be somewhat "cohesive", and so I often edit the pull request language to match a more standard layout and language. It's not a big deal, and often it's literally just about whitespace so that we don't have fifteen different indentation models and bullet syntaxes. I generally do it as I read through the text anyway, so it's not like it makes extra work for me.
But what *does* make extra work is when some maintainers use passive voice, and then I try to actively rewrite the explanation (or, admittedly, sometimes I just decide I don't care quite enough about trying to make the messages sound the same).
So I would ask maintainers to please use active voice, and preferably just imperative.
— Linus Torvalds
Distributions
OpenBSD 7.6 released
OpenBSD 7.6 has been released. Notable new features include work to improve suspend/resume on modern hardware, support for the arm64 Qualcomm Snapdragon X Elite laptops, as well as many improvements in hardware support and driver bug fixes.
With this release all files that existed in the first commit in the OpenBSD source repository have been updated, modified or replaced at some point in time, reaching OpenBSD of Theseus.
See the changelog for all changes between OpenBSD 7.5 and 7.6.
Distributions quote of the week
Apparently I'm a Lintian maintainer now. I had a quick look at Lintian and lintian.debian.org is referenced in multiple places.
It seems like actually fixing lintian.debian.org will be faster and more productive than going whack-a-mole and trying to retcon it ever existing.
— Louis-Philippe Véronneau comments on the lack of an actual lintian.debian.org system.
Development
Git 2.47.0 released
Version 2.47.0 of the Git source-code management system has been released. The changes include a long list of incremental improvements; see the announcement and this GitHub blog post for details.
Julia v1.11.0 has been released
The Julia project has released version 1.11.0. A separate blog post covers some of the highlights. The release includes a number of helpful features.
In previous Julia versions, there was no "programmatic way" of knowing if an unexported name was considered part of the public API or not. Instead, the guideline was basically that if it was not in the manual then it was not public which was a bit underwhelming. To remedy that, there is now a public keyword in Julia that can be used to indicate that an unexported name is part of the public API.
Python 3.13 released
Version 3.13 of the Python programming language has been released. The "What's New In Python 3.13" page has a summary of all the new features and changes. Highlights of the release include a basic JIT compiler, experimental support for free-threading, and much more. See the changelog for even more details.
RPM 4.20 released
Version 4.20 of the RPM Package Manager (RPM) has been released. Major changes in this release include a new plugin to prevent filesystem and network access by scriptlets, the BuildSystem directive for declaring the build system to be used by packaged software, and more. LWN covered the development of RPM 4.20 in September.
Development quote of the week
If you're still a user of Python 3.8, I don't blame you, it's a lovely version. But it's time to move on to newer, greater things. Whether it's typing generics in built-in collections, pattern matching, except*, low-impact monitoring, or a new pink REPL, I'm sure you'll find your favorite new feature in one of the versions we still support. So upgrade today!
Page editor: Daroc Alden