Linux Community News

The Project Zero blog has a three-part series describing a working, zero-click exploit for Pixel 9 devices. Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to be decoded before the message is opened by the user. One such feature is audio transcription. Incoming SMS and RCS audio attachments received by Google Messages are now automatically decoded with no user interaction. As a result, audio decoders are now in the 0-click attack surface of most Android phones. The blog entry does not question the wisdom of directly exposing audio decoders to external attackers, but it does provide a lot of detail showing how it can go wrong. The first part looks at compromising the codec; part two extends the exploit to the kernel, and part three looks at the implications: It is alarming that it took 139 days for a vulnerability exploitable in a 0-click context to get patched on any Android device, and it took Pixel 54 days longer. The vulnerability was public for 82 days before it was patched by Pixel.

Sjoerd Simons has published a blog post about running Debian on the OpenWrt One router hardware: With openwrt-one-debian, you can now install and run a full Debian system leveraging the OpenWrt One’s NVMe storage, enabling everything from custom services and containers to development tools and lightweight server workloads, all on open hardware. This project provides a rust-based flasher to install Debian on the OpenWrt One, opening the door to standard Debian tooling, packages, and workflows. For developers and power users, it transforms the OpenWrt One from a network appliance into a compact, general-purpose Linux system. See the GitHub repository for the code and latest build. LWN reviewed the device in November 2024, and covered Denver Gingerich’s talk at SCALE 22x about the making of the router in March 2025.

Version 14.0 of the Forgejo software forge has been released. Notable changes in this release include several database improvements, new options for approving actions execution from pull requests, a new file editor, and progress toward making Forgejo’s web UI work without JavaScript.

Al Viro does not often stray outside of the core virtual filesystem area; when he does, it is usually worthy of note. Recently, he wandered into memory management with this patch series to the slab allocator and some of its users. Kernel developers will often put considerable effort into small optimizations, but it is still interesting to look at just how much effort has gone toward the purpose of avoiding a single pointer dereference in some memory-allocation hot paths.

We have recently noticed that email from LWN.net seems to be blocked by MXroute. Unfortunately, the company also does not seem to have a way for non-customers to report problems in mail delivery, so we have no good way to get ourselves unblocked. As a result, readers who have subscribed to an LWN mailing list from a domain hosted with MXroute will probably not receive our mailings. We have not yet unsubscribed addresses that are being blocked by MXroute, but will soon if the problem persists. Please accept our apologies for the inconvenience; it is unfortunate that it is becoming so difficult to send legitimate email as a small business.

Security updates have been issued by Debian (chromium, gnupg2, and mongo-c-driver), Fedora (firefox, gpsd, linux-firmware, and seamonkey), Mageia (net-snmp), Oracle (kernel, podman, postgresql16, postgresql:13, postgresql:15, postgresql:16, and uek-kernel), Red Hat (libpq, net-snmp, and transfig), Slackware (libpng and mozilla), SUSE (avahi, bluez, capstone, curl, dpdk, firefox, firefox-esr, fluidsynth, glib2, kernel, kernel-devel, libmicrohttpd, libpcap, libpng16, libsoup, libsoup-3_0-0, libtasn1, libvirt, mcphost, openvswitch, ovmf, podman, poppler, python-tornado6, python311, qemu, rsync, and valkey), and Ubuntu (erlang, klibc, libpng1.6, and ruby-rack).

Inside this week’s LWN.net Weekly Edition: Front: SFC v. VIZIO; GPLv2 requirements; Debian and GTK 2; OpenZL; kernel scheduler QoS; Rust concurrent data access; Asciinema. Briefs: OpenSSL and Python; LSFMM+BPF 2026; Fedora elections; Gentoo retrospective; EU lawmaking; Git data model; Firefox 147; Radicle 1.6.0; Quotes; … Announcements: Newsletters, conferences, security updates, patches, and more.

Paul Kehrer and Alex Gaynor, maintainers of the Python cryptography module, have put out some strongly worded criticism of OpenSSL. It comes from a talk they gave at the OpenSSL conference in October 2025 (YouTube video). The post goes into a lot of detail about the problems with the OpenSSL code base and testing, which has led the cryptography team to reconsider using the library. “The mistakes we see in OpenSSL’s development have become so significant that we believe substantial changes are required — either to OpenSSL, or to our reliance on it.” They go further in the conclusion: First, we will no longer require OpenSSL implementations for new functionality. Where we deem it desirable, we will add new APIs that are only on LibreSSL/BoringSSL/AWS-LC. Concretely, we expect to add ML-KEM and ML-DSA APIs that are only available with LibreSSL/BoringSSL/AWS-LC, and not with OpenSSL. Second, we currently statically link a copy of OpenSSL in our wheels (binary artifacts). We are beginning the process of looking into what would be required to change our wheels to link against one of the OpenSSL forks. If we are able to successfully switch to one of OpenSSL’s forks for our binary wheels, we will begin considering the circumstances under which we would drop support for OpenSSL entirely.

Lossless data compression is an important tool for reducing the storage requirements of the world’s ever-growing data sets. Yann Collet developed the LZ4 algorithm and designed the Zstandard (or Zstd) algorithm; he came to the 2025 Open Source Summit Japan in Tokyo to talk about where data compression goes from here. It turns out that we have reached a point where general-purpose algorithms are only going to provide limited improvement; for significant increases in compression, while keeping computation costs within reason for data-center use, turning to format-specific techniques will be needed.

The Debian GNOME team would like to remove the GTK 2 graphics toolkit, which has been unmaintained upstream for more than five years, and ship Debian 14 (“forky”) without it. As one might expect, however, there are those who would like to find a way to keep it. Despite its age and declared obsolescence, quite a few Debian packages still depend on GTK 2. Many of those applications are unlikely to be updated, and users are not eager to give them up. Discussion about how to handle this is ongoing; it seems likely that Debian developers will find some way to continue supporting applications that require GTK 2, but users may have to look outside official Debian repositories.

Version 1.6.0 of the Radicle peer-to-peer, local-first code collaboration stack has been released. Notable changes in this release include support for systemd credentials, use of Rust’s clap crate for parsing command-line arguments, and more. LWN covered the project in March 2024.

Security updates have been issued by AlmaLinux (sssd), Debian (linux-6.1 and python-parsl), Fedora (chezmoi, complyctl, composer, and firefox), Oracle (kernel), Red Hat (buildah, libpq, podman, postgresql, postgresql16, postgresql:13, postgresql:15, and postgresql:16), SUSE (avahi, curl, ffmpeg-4, ffmpeg-7, firefox, istioctl, k6, kubelogin, libmicrohttpd, libpcap-devel, libpng16, libtasn1-6-32bit, matio, ovmf, python-tornado6, python311-Authlib, and teleport), and Ubuntu (angular.js, python-urllib3, and webkit2gtk).

Quality-of-service (QoS) mechanisms attempt to prioritize some processes (or network traffic, disk I/O, etc.) over others in order to meet a system’s performance goals. This is a difficult topic to handle in the world of Linux, where workloads, hardware, and user expectations vary wildly. Qais Yousef spoke at the 2025 Linux Plumbers Conference, alongside his collaborators John Stultz, Steven Rostedt, and Vincent Guittot, about their plans for introducing a high-level QoS API for Linux in a way that leaves end users in control of its configuration. The talk focused specifically on a QoS mechanism for the scheduler, to prioritize access to CPU resources differently for different kinds of processes. (slides; video)

Version 147.0 of the Firefox web browser has been released. Notable changes in this release include support for the XDG Base Directory specification, enabling local network access restrictions for users with enhanced tracking protection (ETP) set to “Strict”, and a fix that improves Firefox’s rendering with GNOME on fractionally scaled displays. Firefox 147 also includes a number of security fixes, including several sandbox-escape vulnerabilities.

Security updates have been issued by AlmaLinux (mariadb10.11, mariadb:10.11, mariadb:10.3, mariadb:10.5, and tar), Debian (net-snmp), Fedora (coturn, NetworkManager-l2tp, openssh, and tuxanci), Mageia (libtasn1), Oracle (buildah, cups, httpd, kernel, libpq, libsoup, libsoup3, mariadb:10.11, mariadb:10.3, openssl, and podman), SUSE (cpp-httplib, ImageMagick, libtasn1, python-cbor2, util-linux, valkey, and wget2), and Ubuntu (google-guest-agent, linux-iot, and python-urllib3).