Wednesday, May 27, 2026

F45 Change Proposal: Golang 1.27 (system-wide)

Wiki - https://fedoraproject.org/wiki/Changes/golang1.27
Discussion Thread - https://discussion.fedoraproject.org/t/f45-change-proposal-golang-1-27-system-wide/192438

This is a proposed Change for Fedora Linux. This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

== Summary ==
Update of Go (golang package) to the upcoming version 1.27 in Fedora 45.

== Owner ==
* Name: [[User:alexsaezm| Alejandro Sáez Morollón]]
* Email: asm@redhat.com

== Detailed Description ==
Update of Go (golang package) to the upcoming version 1.27 in Fedora 45. Go 1.27 is expected to be released in [https://tip.golang.org/doc/go1.27 August 2026]. A mass rebuild of all the dependent packages is required.

== Feedback ==
No feedback yet.

== Benefit to Fedora ==
Fedora users will receive the most current and recent Go release. Being close to upstream allows us to avoid security issues and provide more updated features. Consequently, Fedora will provide a reliable development platform for the Go language and projects written in it.

For a complete list of changes, see upstream change notes at https://tip.golang.org/doc/go1.27

== Scope ==
* Proposal owners: Rebase the Golang package in Fedora 45 and help resolve any issues found during the rebuild.
* Other developers: Fix potential issues with the help of the Golang package maintainers.
* Release engineering: [https://forge.fedoraproject.org/releng/tickets/issues #Releng issue number] Rebuild of dependent packages as part of planned mass-rebuild.
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with the Fedora Strategy: It helps maintain the quality of the project, even though it doesn't align directly with the current objectives.

== Upgrade/compatibility impact ==
No upgrade or compatibility impact.

== Early Testing (Optional) ==

== How To Test ==
# Install golang 1.27 from rawhide and use it to build your application(s)/package(s).
# Perform a scratch build against rawhide.
# Your application/package built using golang 1.27 should work as expected.

== User Experience ==
Users will have a newer version of Go, with new features described in the release notes and security fixes.

== Dependencies ==
<pre>
dnf4 repoquery -q --releasever=rawhide --disablerepo='*' --qf='%{name}' --enablerepo=fedora-source --enablerepo=updates-source --enablerepo=updates-testing-source --archlist=src --whatrequires 'golang'
dnf4 repoquery -q --releasever=rawhide --disablerepo='*' --qf='%{name}' --enablerepo=fedora-source --enablerepo=updates-source --enablerepo=updates-testing-source --archlist=src --whatrequires 'compiler(go-compiler)'
dnf4 repoquery -q --releasever=rawhide --disablerepo='*' --qf='%{name}' --enablerepo=fedora-source --enablerepo=updates-source --enablerepo=updates-testing-source --archlist=src --whatrequires 'go-rpm-macros'
</pre>
<pre>
Omitted due to the number of packages listed: ~900.
</pre>

== Contingency Plan ==
* Contingency mechanism: Revert to Go 1.26.X if significant issues are discovered
* Contingency deadline: Beta freeze
* Blocks release? No

== Documentation ==
https://tip.golang.org/doc/go1.27

== Release Notes ==

--
Aoife Moloney
Fedora Operations Architect
Fedora Project
Matrix: @amoloney:fedora.im
IRC: amoloney

--
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

F45 Change Proposal: RPM 6.1 (system-wide)

Wiki - https://fedoraproject.org/wiki/Changes/RPM-6.1
Discussion Thread - https://discussion.fedoraproject.org/t/f45-change-proposal-rpm-6-1-system-wide/192437

This is a proposed Change for Fedora Linux. This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

== Summary ==
Update RPM to the latest upstream 6.1 release.

== Owners ==
* Name: [[User:Pmatilai| Panu Matilainen]], [[User:Mdomonko|Michal Domonko]]
* Email: pmatilai@redhat.com, mdomonko@redhat.com

== Detailed Description ==
Update RPM to the upcoming 6.1 release for various improvements across the board. Some noteworthy items include bringing back NSS support for user/group lookups, new man pages, enhancements to the macro subsystem, and scriptlet running optimization on Linux.

== Feedback ==

== Benefit to Fedora ==
* The packaging community will appreciate various new features in this release:
** literal and one-shot macro modifiers for escape-correctness and performance
** fine-grained control over %global behavior through %define options
** rpmbuild short-circuit to %check stage
** the build scriptlet environment is exported to rpmbuild.env file in the build directory
* Restored NSS lookup improves usability in large organizations with central user/group management
* Separate keystore lock allows queries during transactions again

== Scope ==
* Proposal owners:
** Rebase RPM
** Address possible regressions with high priority
* Other developers:
** Test and report issues
* Release engineering: [https://forge.fedoraproject.org/releng/tickets/issues/13351 #13351]
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with the Fedora Strategy: N/A

== Upgrade/compatibility impact ==
There are no intentional incompatibilities introduced in this release.

== Early Testing (Optional) ==
Do you require 'QA Blueprint' support? N

== How To Test ==
Rpm receives a thorough and constant testing via every single package build, system installs and updates, but of particular interest in this release are
* Macro modifiers: https://rpm-software-management.github.io/rpm/man/rpm-macros.7
* Users who require NSS in their environment are encouraged to test the reintroduced support

== User Experience ==
* Restored NSS-based user/group lookups by default
* Separate keystore lock allows queries during transactions again
* Improved rpmkeys -Kv verification output
* Improved usability of rpm-plugin-syslog(8) with systemd journal
* New man pages covering dependency generators, scriptlets and more

== Dependencies ==
* rpm-sequoia >= 1.10.2 is required, but this is already in Fedora
* soname does not change, no requirement to rebuild dependencies

== Contingency Plan ==
* Contingency mechanism: Revert back to RPM 6.0
* Contingency deadline: Beta freeze
* Blocks release? No

== Documentation ==
* Upstream release notes: http://rpm.org/releases/6.1.0
* Upstream 6.1 man pages and other documentation: https://rpm-software-management.github.io/rpm/
* Upstream new stable release policy announcement: https://github.com/rpm-software-management/rpm/discussions/4193

== Release Notes ==

--
Aoife Moloney
Fedora Operations Architect
Fedora Project
Matrix: @amoloney:fedora.im
IRC: amoloney

F45 Change Proposal: Erlang 27 (self-contained)

Wiki - https://fedoraproject.org/wiki/Changes/Erlang_27
Discussion Thread - https://discussion.fedoraproject.org/t/f45-change-proposal-erlang-27-self-contained/192436

This is a proposed Change for Fedora Linux. This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

== Summary ==
Update Erlang/OTP to version 27.

== Owner ==
* Name: [[User:Peter|Peter Lemenkov]], [[SIGs/Erlang|Fedora Erlang SIG]]
* Email: lemenkov@gmail.com, erlang@lists.fedoraproject.org

== Previous Change History ==
* Attempted for Fedora 43 (FESCo issue: [https://pagure.io/fesco/issue/2809 #2809]) — withdrawn due to RabbitMQ not yet supporting Erlang 27.
* Retargeted to Fedora 44 (FESCo issue: [https://pagure.io/fesco/issue/3433 #3433]) — rejected/deferred, same reason.
* RabbitMQ 4.0.4 added full Erlang 27 support. The blocker no longer exists.

== Detailed Description ==
Upgrade Erlang to version 27 which brings a lot of changes. Just a few highlights [https://www.erlang.org/blog/highlights-otp-27/ from many]:
* Triple-Quoted strings
* Sigils
* The new <code>json</code> module
* Process labels
* New functionality in STDLIB
* New SSL client-side stapling support
* Lots of bugfixes

Aside from this, we plan to further improve quality of Erlang and related packages. These are shortcomings we want to address:
* Finish switching to rebar3 as a main build tool and deprecate rebar2. Note: the new declarative <code>BuildSystem: rebar3</code> directive is now available in F45+ via <code>erlang-srpm-macros ≥ 0.3.11</code>.
* Improve [https://fedoraproject.org/wiki/User:Peter/Erlang_Packaging_Guidelines Erlang Packaging Guidelines] and promote them as the official guideline.
* SELinux rules for main Erlang applications (Ejabberd, CouchDB, RabbitMQ) are still outdated or missing.

== Benefit to Fedora ==
Fedora users, both developers and end-users, will have visible benefits from using Fedora-provided packages. Namely:
* Improved scalability and robustness.
* Much easier developing and debugging.
* Unblocks ecosystem packages that require OTP 27 syntax (triple-quoted strings, new <code>-doc</code> attributes, <code>json</code> module, etc.).
* RabbitMQ 4.2.x and 4.3.x both fully support Erlang 27 — the previous blocker is resolved.

== Scope ==
* Proposal owners:
** Upgrade Erlang to version 27.
** Upgrade outdated packages:
*** {{package|ejabberd}}
*** {{package|rabbitmq-server}}
** Package GDB macros for easier coredump debugging (see also [https://bugzilla.redhat.com/show_bug.cgi?id=663253 this ticket]).
* Other developers: N/A
* Release engineering: No special action required. NIF-based packages will be rebuilt as part of the regular mass rebuild.
* Policies and guidelines:
** We should officially promote [https://fedoraproject.org/wiki/User:Peter/Erlang_Packaging_Guidelines Erlang Packaging Guidelines].
* Trademark approval: N/A (not needed for this Change)

== Upgrade/compatibility impact ==
N/A — Erlang 27 is backward compatible with code compiled on Erlang 26. Packages with Native Implemented Functions (NIFs) need to be rebuilt, which happens automatically during the mass rebuild.

== How To Test ==
Ensure that high-grade Erlang applications are still working:
{| class="wikitable"
|-
! '''Name''' !! '''Tested'''
|-
| {{package|ejabberd}} || No
|-
| {{package|elixir}} || No
|-
| {{package|rabbitmq-server}} || No
|}
* Collect feedback from volunteers regarding their experience with this Erlang/OTP version.

== User Experience ==
Users will get more robust, scalable, and fast Erlang applications. Developers will benefit from new language features (triple-quoted strings, sigils, the json module) without needing to install Erlang from external sources.

== Dependencies ==
The following packages must be rebuilt: NIF-libraries (happens automatically during mass rebuild).

== Contingency Plan ==
* Contingency mechanism: None necessary. Instead of falling back to the previous version we should fix existing packages in order to help the Community. We should also monitor upstream development process for potentially discovered issues and proactively apply patches (as we already did with [[Features/Erlang_R14|Erlang R14]], [[Features/Erlang_R15|Erlang R15]], [[Features/Erlang_R16|Erlang R16]], [[Changes/BetterErlangSupport|Erlang 17]], [[Changes/Erlang_18|Erlang 18]], [[Changes/Erlang_19|Erlang 19]], [[Changes/Erlang_20|Erlang 20]], [[Changes/Erlang_21|Erlang 21]], [[Changes/Erlang_22|Erlang 22]], [[Changes/Erlang_23|Erlang 23]], [[Changes/Erlang_24|Erlang 24]], and [[Changes/Erlang_25|Erlang 25]]). It should be noted that this change consists of independent or loosely coupled smaller changes. If we fail to deliver some changes in time, we should reschedule these exact changes to the future Fedora release while keeping already implemented ones.
* Contingency deadline: N/A
* Blocks release? No
* Blocks product? No

== Documentation ==
* [https://www.erlang.org/news/170 Erlang/OTP 27.0 release notes]
* [https://www.erlang.org/news/171 Erlang/OTP 27.1 release notes]
* [https://www.erlang.org/news/172 Erlang/OTP 27.2 release notes]
* [https://www.erlang.org/news/175 Erlang/OTP 27.3 release notes]

== Release Notes ==
Erlang/OTP 27.0 is available in Fedora 45.

--
Aoife Moloney
Fedora Operations Architect
Fedora Project
Matrix: @amoloney:fedora.im
IRC: amoloney

F45 Change Proposal: Adopt PURL Metadata (system-wide)

Wiki - https://fedoraproject.org/wiki/Changes/Adopt_PURL_Metadata
Discussion Thread - https://discussion.fedoraproject.org/t/f45-change-proposal-adopt-purl-metadata-system-wide/192435

This is a proposed Change for Fedora Linux. This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

== Summary ==
Package metadata will be enhanced with standardized identifiers based on the PURL (Package-URL) specification with the goal of simplifying the mapping between upstream projects and Fedora packages.

== Owner ==
* Name: [[User:Decathorpe| Fabio Valentini]]
* Email: decathorpe AT gmail DOT com

== Detailed Description ==
The Package-URL (PURL) standard provides a "standardized URL-based syntax that uniquely identifies software packages, independent of their ecosystem or distribution channel" ([https://github.com/package-url/purl-spec from the project README]). It is being adopted by many projects across the ecosystem - including the [https://cyclonedx.org/ CycloneDX] and SPDX SBOM formats, various software vulnerability databases, and the CVE Record Format ([https://github.com/CVEProject/cve-schema/releases/tag/v5.2.0 added as an optional field in version 5.2.0]).

By adding standardized identifiers to Fedora packages, it becomes easier to map upstream projects to packages - for example, to identify which packages are affected by a security vulnerability.

The PURL standard defines this URL scheme:

<code> scheme:type/namespace/name@version?qualifiers#subpath </code>

For many "types" of packages, RPM generators already add virtual "Provides" for packages (for example, <code>crate(libc) = 0.2.186</code> or <code>rubygem(kramdown) = 2.5.2</code>) - but this is a downstream-specific format.

The RPM generators for package ecosystems that are supported by the PURL specification will be extended to also add metadata in the PURL format (like <code>purl(pkg:cargo/libc@0.2.186)</code> or <code>purl(pkg:gem/kramdown@2.5.2)</code>). The next package rebuild after the necessary RPM generator changes land will include this new metadata.

This could then be extended to <code>bundled(...)</code> virtual Provides as well, which are currently even more heterogeneous since there's no standardized format for them in Fedora, and could potentially replace existing non-standard <code>bundled(...)</code> Provides in many cases.

The initial target of this Change is to start adding virtual Provides in PURL format for packages in the following language ecosystems:
* "cargo" (Rust crates)
* "cpan" (Perl packages)
* "cran" (R packages)
* "gem" (RubyGems)
* "hackage" (Haskell packages)
* "maven" (Java packages)
* "npm" (NodeJS / NPM packages)
* "opam" (OCaml packages)
* "pypi" (Python packages from PyPI)

Currently, the only supported PURL "type" for C/C++ projects appears to be "conan", which is not useful in this context, but new types are [https://github.com/package-url/purl-spec/issues?q=is%3Aissue%20state%3Aopen%20label%3A%22PURL%20type%20new%22 getting added to the spec regularly].

This will likely be an iterative process and the necessary changes might not happen for all language ecosystems in just one release cycle.

== Feedback ==
TBD

== Benefit to Fedora ==
This Change aims at making it easier and more reliable to identify which packages contain code from what projects. This allows for more reliable identification of packages affected by security vulnerabilities. Additionally, this metadata might be interesting for generating SBOMs for content included in (container) images.

== Scope ==
* Proposal owners: Implement adaptations for RPM generators to emit the new virtual Provides.
* Other developers: Review and apply changes to RPM generators and other packages, where necessary.
* Release engineering: [https://forge.fedoraproject.org/releng/tickets/issues/13347 #13347] This Change requires a mass rebuild for affected packages to get the new metadata.
* Policies and guidelines: Update Packaging Guidelines to recommend attaching metadata in PURL format to packages, where possible (to be determined if this also applies to <code>bundled(...)</code> Provides). FPC Ticket: https://forge.fedoraproject.org/packaging/guidelines/issues/1536
* Trademark approval: N/A (not needed for this Change)
* Alignment with the Fedora Strategy: N/A (not needed for this Change)

== Upgrade/compatibility impact ==
This Change only provides additional package metadata and should have no effect on upgrades or backwards compatibility.

== Early Testing (Optional) ==
N/A

Do you require 'QA Blueprint' support? N

== How To Test ==
Packages that are rebuilt after these changes land should have additional RPM Provides. This can be verified by running something like <code>dnf --provides perl-Errno</code> and looking for an entry in the <code>purl(...)</code> format.

== User Experience ==
No direct impact to user experience is expected. However, easier identification of packages that are affected by security vulnerabilities should enable fixes for these issues to happen more reliably (and potentially faster).

== Dependencies ==
'''Direct dependencies''':
* Packages that contain the RPM generator implementations

'''Indirect dependencies''':
* Everything.

== Contingency Plan ==
This is a purely additive and / or metadata-only Change. If the necessary changes are not finished by the mass rebuild date, they can still land at a later point in time, but will only affect a subset of packages. For best results, the changes should land before the Mass Rebuild, but this is not strictly necessary.
* Contingency mechanism: Changes do not need to be reverted. If changes are not complete before the mass rebuild, it might need to be documented that the Change will only be partially implemented for the targeted Fedora release, and that only the next release will benefit fully.
* Contingency deadline: Mass rebuild.
* Blocks release? No.

== Documentation ==
* [https://packageurl.org/ Package-URL Homepage]
* [https://github.com/package-url/purl-spec PURL specification]
* [https://github.com/package-url/purl-spec/tree/main/types List of valid package types]

== Release Notes ==

--
Aoife Moloney
Fedora Operations Architect
Fedora Project
Matrix: @amoloney:fedora.im
IRC: amoloney
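
The Provides-to-PURL mapping and the URL scheme quoted in the proposal above, worked through as an added example (this is not code from the proposal or from Fedora's RPM generators). The `crate` and `rubygem` pairings come from the proposal text; the `python3dist` and `npm` pairings, the advisory records, and the dotted-numeric version comparison are assumptions made for the illustration.

```python
import re
from typing import NamedTuple, Optional
from urllib.parse import quote, unquote

# Downstream Provides namespace -> PURL type.
PROVIDES_TO_PURL_TYPE = {
    "crate": "cargo",       # pairing shown in the proposal
    "rubygem": "gem",       # pairing shown in the proposal
    "python3dist": "pypi",  # assumption, not stated in the proposal
    "npm": "npm",           # assumption, not stated in the proposal
}
PROVIDES_RE = re.compile(r"^(?P<ns>[\w.+-]+)\((?P<name>[^()]+)\)\s*=\s*(?P<ver>\S+)$")


class Purl(NamedTuple):
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: dict
    subpath: Optional[str]

    def identity(self):  # match key: ignores version, qualifiers and subpath
        return (self.type, self.namespace, self.name)


def _rsplit_once(text, sep):
    head, found, tail = text.rpartition(sep)
    return (head, tail) if found else (text, None)


def parse_purl(text: str) -> Purl:
    """Parse scheme:type/namespace/name@version?qualifiers#subpath."""
    rest, subpath = _rsplit_once(text.strip(), "#")
    rest, query = _rsplit_once(rest, "?")
    scheme, sep, rest = rest.partition(":")
    if not sep or scheme.lower() != "pkg":
        raise ValueError(f"not a PURL: {text!r}")
    ptype, sep, rest = rest.strip("/").partition("/")
    if not sep or not ptype:
        raise ValueError(f"PURL needs a type and a name: {text!r}")
    head, version = _rsplit_once(rest, "@")
    if version is not None and "/" in version:
        head, version = rest, None  # unencoded '@' of an npm scope, not a version
    namespace, _, name = head.rpartition("/")
    name, ptype = unquote(name), ptype.lower()
    if not name:
        raise ValueError(f"PURL has no name: {text!r}")
    if ptype == "pypi":  # the spec normalises PyPI names
        name = name.lower().replace("_", "-")
    pairs = (p.partition("=") for p in (query or "").split("&"))
    qualifiers = {k.lower(): unquote(v) for k, _, v in pairs if k and v}
    namespace = "/".join(unquote(s) for s in namespace.split("/") if s) or None
    return Purl(ptype, namespace, name, unquote(version) if version else None,
                qualifiers, unquote(subpath).strip("/") if subpath else None)


def format_purl(p: Purl) -> str:
    """Render pkg:type/namespace/name@version (qualifiers and subpath omitted)."""
    path = [quote(s, safe="") for s in (p.namespace or "").split("/") if s]
    path.append(quote(p.name, safe=""))
    return f"pkg:{p.type}/" + "/".join(path) + (f"@{quote(p.version, safe='')}" if p.version else "")


def provides_to_purl(provide: str) -> Optional[Purl]:
    """Turn 'crate(libc) = 0.2.186' into a Purl; None for unmapped namespaces."""
    m = PROVIDES_RE.match(provide.strip())
    if not m or m["ns"] not in PROVIDES_TO_PURL_TYPE:
        return None
    ptype = PROVIDES_TO_PURL_TYPE[m["ns"]]
    safe = "/" if ptype == "npm" else ""  # keep the npm '@scope/name' separator
    return parse_purl(f"pkg:{ptype}/{quote(m['name'], safe=safe)}@{quote(m['ver'], safe='')}")


def version_key(v: str) -> tuple:
    # Simplification: dotted-numeric versions only; real ecosystems differ.
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version: {v!r}")
    return tuple(int(x) for x in v.split("."))


def find_affected(provides, advisories):
    """Return (purl, advisory id) for Provides older than an advisory's fix."""
    hits = []
    for p in filter(None, map(provides_to_purl, provides)):
        for adv in advisories:
            if (parse_purl(adv["purl"]).identity() == p.identity()
                    and version_key(p.version) < version_key(adv["fixed"])):
                hits.append((format_purl(p), adv["id"]))
    return hits


# Constructed sample data: not real package state and not real advisories.
SAMPLE_PROVIDES = ["crate(libc) = 0.2.186", "rubygem(kramdown) = 2.5.2",
                   "python3dist(flask-login) = 0.6.3", "bundled(zlib) = 1.3"]
SAMPLE_ADVISORIES = [{"id": "EXAMPLE-0001", "purl": "pkg:gem/kramdown", "fixed": "2.6.0"},
                     {"id": "EXAMPLE-0002", "purl": "pkg:cargo/libc", "fixed": "0.2.100"}]

if __name__ == "__main__":
    print(find_affected(SAMPLE_PROVIDES, SAMPLE_ADVISORIES))
```

The `libc` entry is not reported because 0.2.186 is compared numerically against 0.2.100, not as a string, and the `bundled(zlib)` Provide is skipped because it has no ecosystem to map to.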

Tuesday, May 26, 2026

Flock to Fedora 2026: Call for On-Site Volunteers

Hello everyone, 


Flock to Fedora 2026[1] is right around the corner—exciting! :) To help this community event run smoothly, we are asking if some in-person attendees would be willing to volunteer their time during it. The intake form[2] has more details about the kinds of volunteers we need. Our schedule for the event is live[3] and some tickets for the event[4] are still available. Attendance is capped, so if you plan to attend or are speaking and have not registered yet, secure your ticket soon!

This volunteer intake form will close on Tuesday, June 2, 2026. On behalf of the Flock organiser team, we really appreciate you giving your time to help make the event run successfully.



Kindest regards and many thanks,
Aoife, on behalf of the Flock organization team




--

Aoife Moloney

Fedora Operations Architect

Fedora Project

Matrix: @amoloney:fedora.im

IRC: amoloney



Monday, May 25, 2026


[USN-8301-1] SimpleEval vulnerability

==========================================================================
Ubuntu Security Notice USN-8301-1
May 25, 2026

simpleeval vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

SimpleEval could be made to run programs if it received specially crafted input.

Software Description:
- simpleeval: Python library for evaluating expressions

Details:

Byambadalai Sumiya discovered that SimpleEval did not properly restrict attribute access and callback handling inside a sandbox. An attacker could possibly use this issue to execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 26.04 LTS
  python3-simpleeval 1.0.3-1+deb13u1build0.26.04.1

Ubuntu 25.10
  python3-simpleeval 1.0.3-1+deb13u1build0.25.10.1

Ubuntu 24.04 LTS
  python3-simpleeval 0.9.12-1+deb12u1build0.24.04.1

Ubuntu 22.04 LTS
  python3-simpleeval 0.9.11-1ubuntu0.1~esm1
    Available with Ubuntu Pro

Ubuntu 20.04 LTS
  python3-simpleeval 0.9.10-1+deb11u1build0.20.04.1
    Available with Ubuntu Pro

Ubuntu 18.04 LTS
  python-simpleeval 0.9.5-1ubuntu0.1~esm1
    Available with Ubuntu Pro
  python3-simpleeval 0.9.5-1ubuntu0.1~esm1
    Available with Ubuntu Pro

Ubuntu 16.04 LTS
  python-simpleeval 0.8.7-1ubuntu0.1~esm1
    Available with Ubuntu Pro
  python3-simpleeval 0.8.7-1ubuntu0.1~esm1
    Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8301-1
  CVE-2026-32640

Package Information:
  https://launchpad.net/ubuntu/+source/simpleeval/1.0.3-1+deb13u1build0.26.04.1
  https://launchpad.net/ubuntu/+source/simpleeval/1.0.3-1+deb13u1build0.25.10.1
  https://launchpad.net/ubuntu/+source/simpleeval/0.9.12-1+deb12u1build0.24.04.1

[USN-8291-3] Linux kernel (Low Latency) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-8291-3
May 25, 2026

linux-lowlatency vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-lowlatency: Linux low latency kernel

Details:

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems:
- SMB network file system;
- Netfilter;
- io_uring subsystem;
(CVE-2024-35862, CVE-2024-50060, CVE-2026-23274, CVE-2026-23351)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04 LTS
  linux-image-5.15.0-178-lowlatency 5.15.0-178.188
  linux-image-5.15.0-178-lowlatency-64k 5.15.0-178.188
  linux-image-lowlatency 5.15.0.178.150
  linux-image-lowlatency-5.15 5.15.0.178.150
  linux-image-lowlatency-64k 5.15.0.178.150
  linux-image-lowlatency-64k-5.15 5.15.0.178.150

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References:
  https://ubuntu.com/security/notices/USN-8291-3
  https://ubuntu.com/security/notices/USN-8291-2
  https://ubuntu.com/security/notices/USN-8291-1
  CVE-2024-35862, CVE-2024-50060, CVE-2026-23274, CVE-2026-23351

Package Information:
  https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-178.188

[USN-8300-1] ngtcp2 vulnerability

==========================================================================
Ubuntu Security Notice USN-8300-1
May 25, 2026

ngtcp2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

ngtcp2 could be made to run programs as your login if it received specially crafted network traffic when qlog was enabled.

Software Description:
- ngtcp2: RFC9000 QUIC protocol implementation

Details:

Zou Dikai discovered that ngtcp2 serialized peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog was enabled, a remote attacker could possibly use this issue to execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 26.04 LTS
  libngtcp2-16 1.16.0-1ubuntu0.1
  libngtcp2-crypto-gnutls-dev 1.16.0-1ubuntu0.1
  libngtcp2-crypto-gnutls8 1.16.0-1ubuntu0.1
  libngtcp2-crypto-ossl-dev 1.16.0-1ubuntu0.1
  libngtcp2-crypto-ossl0 1.16.0-1ubuntu0.1
  libngtcp2-dev 1.16.0-1ubuntu0.1

Ubuntu 25.10
  libngtcp2-16 1.11.0-1+deb13u1build0.25.10.1
  libngtcp2-crypto-gnutls-dev 1.11.0-1+deb13u1build0.25.10.1
  libngtcp2-crypto-gnutls8 1.11.0-1+deb13u1build0.25.10.1
  libngtcp2-dev 1.11.0-1+deb13u1build0.25.10.1
  ngtcp2-client 1.11.0-1+deb13u1build0.25.10.1
  ngtcp2-server 1.11.0-1+deb13u1build0.25.10.1

Ubuntu 24.04 LTS
  libngtcp2-9 0.12.1+dfsg-1+deb12u1build0.24.04.1
  libngtcp2-crypto-gnutls-dev 0.12.1+dfsg-1+deb12u1build0.24.04.1
  libngtcp2-crypto-gnutls2 0.12.1+dfsg-1+deb12u1build0.24.04.1
  libngtcp2-dev 0.12.1+dfsg-1+deb12u1build0.24.04.1
  ngtcp2-client 0.12.1+dfsg-1+deb12u1build0.24.04.1
  ngtcp2-server 0.12.1+dfsg-1+deb12u1build0.24.04.1

Ubuntu 22.04 LTS
  libngtcp2-0 0.1.0+dfsg-1ubuntu0.1~esm1
    Available with Ubuntu Pro
  libngtcp2-crypto-gnutls-dev 0.1.0+dfsg-1ubuntu0.1~esm1
    Available with Ubuntu Pro
  libngtcp2-crypto-gnutls0 0.1.0+dfsg-1ubuntu0.1~esm1
    Available with Ubuntu Pro
  libngtcp2-dev 0.1.0+dfsg-1ubuntu0.1~esm1
    Available with Ubuntu Pro
  ngtcp2-client 0.1.0+dfsg-1ubuntu0.1~esm1
    Available with Ubuntu Pro
  ngtcp2-server 0.1.0+dfsg-1ubuntu0.1~esm1
    Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8300-1
  CVE-2026-40170

Package Information:
  https://launchpad.net/ubuntu/+source/ngtcp2/1.16.0-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/ngtcp2/1.11.0-1+deb13u1build0.25.10.1
  https://launchpad.net/ubuntu/+source/ngtcp2/0.12.1+dfsg-1+deb12u1build0.24.04.1

[USN-8299-1] Rclone vulnerabilities

==========================================================================
Ubuntu Security Notice USN-8299-1
May 25, 2026

rclone vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Rclone.

Software Description:
- rclone: rsync for commercial cloud storage

Details:

It was discovered that Rclone incorrectly handled authorization in the remote control API. An attacker could possibly use this issue to obtain sensitive information. (CVE-2026-41176)

It was discovered that Rclone incorrectly handled backend instantiation via the remote control API. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-41179)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 26.04 LTS
  rclone 1.60.1+dfsg-4ubuntu3.1

Ubuntu 25.10
  rclone 1.60.1+dfsg-4ubuntu2.1

Ubuntu 24.04 LTS
  rclone 1.60.1+dfsg-3ubuntu0.24.04.5

Ubuntu 22.04 LTS
  rclone 1.53.3-4ubuntu1.22.04.4

Ubuntu 20.04 LTS
  rclone 1.50.2-2ubuntu0.2+esm1
    Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8299-1
  CVE-2026-41176, CVE-2026-41179

Package Information:
  https://launchpad.net/ubuntu/+source/rclone/1.60.1+dfsg-4ubuntu3.1
  https://launchpad.net/ubuntu/+source/rclone/1.60.1+dfsg-4ubuntu2.1
  https://launchpad.net/ubuntu/+source/rclone/1.60.1+dfsg-3ubuntu0.24.04.5
  https://launchpad.net/ubuntu/+source/rclone/1.53.3-4ubuntu1.22.04.4

[arch-announce] Breaking changes for all users of `varnish`, which is renamed to `vinyl-cache`

The Varnish project has [renamed itself to Vinyl Cache][0]. We followed this rename with a [new `vinyl-cache` package][1].

This upgrade results in [breaking changes][2] and users are advised to study these changes and how they affect them before following the replacement. All references to "`varnish`" have been changed to "`vinyl`" in all binaries and directories.

At minimum, users will have to:

- rename `/etc/varnish` to `/etc/vinyl-cache`
- rename `/var/lib/varnish` to `/var/lib/vinyl-cache`
- fix up ownership of files inside `/var/lib/varnish`
  - user `varnish` becomes `vinyl`
  - group `varnish` becomes `vinyl`
  - user `varnishlog` becomes `vinyllog`
  - user `vcache` remains the same
- disable the old `varnish.service` and `varnishncsa.service` systemd units
- enable the new `vinyl-cache.service` and `vinylncsa.service` systemd units

Meanwhile, the `varnish` package has been dropped from `[extra]`. We're not currently planning to maintain a new `varnish` package as it's a different upstream project.

[0]: https://vinyl-cache.org/organization/on_vinyl_cache_and_varnish_cache.html#org-vinyl-varnish
[1]: https://gitlab.archlinux.org/archlinux/packaging/packages/vinyl-cache
[2]: https://vinyl-cache.org/docs/9.0/whats-new/upgrading-9.0.html

URL: https://archlinux.org/news/breaking-changes-for-all-users-of-varnish-which-is-renamed-to-vinyl-cache/
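The checklist in the announcement above, turned into a read-only audit. This is an added example, not part of the Arch announcement or the package; the function name and the optional root-prefix argument are assumptions, and it relies on `stat -c` as provided by GNU coreutils.

```shell
#!/bin/sh
# Added example: read-only audit of the migration steps in the announcement.
# Prints one line per step still outstanding and changes nothing on disk.
# ROOT is a hypothetical prefix argument (empty means the live system).
pending_vinyl_migration() {
    root="${1:-}"

    # Directories that still carry the old name.
    for pair in etc/varnish:etc/vinyl-cache var/lib/varnish:var/lib/vinyl-cache; do
        old="$root/${pair%%:*}"
        if [ -e "$old" ]; then
            echo "rename $old -> $root/${pair##*:}"
        fi
    done

    # State files still owned by the old accounts: varnish becomes vinyl
    # (user and group), varnishlog becomes vinyllog, vcache is unchanged.
    for dir in "$root/var/lib/varnish" "$root/var/lib/vinyl-cache"; do
        if [ -d "$dir" ]; then
            find "$dir" -exec stat -c '%U %G %n' {} + |
            while read -r user group path; do
                case "$user" in
                    varnish)    echo "chown vinyl $path" ;;
                    varnishlog) echo "chown vinyllog $path" ;;
                esac
                if [ "$group" = varnish ]; then
                    echo "chgrp vinyl $path"
                fi
            done
        fi
    done

    # `systemctl enable` records a unit as a symlink in a *.wants directory,
    # so an old unit name found there is still enabled. The replacement is
    # only suggested for units that were actually in use.
    units="$root/etc/systemd/system"
    for pair in varnish.service:vinyl-cache.service varnishncsa.service:vinylncsa.service; do
        old_unit="${pair%%:*}"
        new_unit="${pair##*:}"
        if [ -n "$(find "$units" -path "*.wants/$old_unit" 2>/dev/null)" ]; then
            echo "disable $old_unit"
            if [ -z "$(find "$units" -path "*.wants/$new_unit" 2>/dev/null)" ]; then
                echo "enable $new_unit"
            fi
        fi
    done
}

pending_vinyl_migration "${1:-}"
```

An empty result means none of the listed steps is outstanding under the given root.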

Friday, May 22, 2026

[USN-8280-2] Linux kernel (Azure) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-8280-2
May 22, 2026

linux-azure, linux-azure-5.4, linux-azure-fips vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-azure-fips: Linux kernel for Microsoft Azure Cloud systems with FIPS
- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems

Details:

It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
  - Cryptographic API;
  - Packet sockets;
  - TLS protocol;
(CVE-2026-31504, CVE-2026-31533, CVE-2026-43033, CVE-2026-43077,
CVE-2026-43078)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
  linux-image-5.4.0-1163-azure 5.4.0-1163.169
      Available with Ubuntu Pro
  linux-image-5.4.0-1163-azure-fips 5.4.0-1163.169+fips1
      Available with Ubuntu Pro
  linux-image-azure-5.4 5.4.0.1163.155
      Available with Ubuntu Pro
  linux-image-azure-fips 5.4.0.1163.99
      Available with Ubuntu Pro
  linux-image-azure-fips-5.4 5.4.0.1163.99
      Available with Ubuntu Pro
  linux-image-azure-lts-20.04 5.4.0.1163.155
      Available with Ubuntu Pro

Ubuntu 18.04 LTS
  linux-image-5.4.0-1163-azure 5.4.0-1163.169~18.04.1
      Available with Ubuntu Pro
  linux-image-azure 5.4.0.1163.169~18.04.1
      Available with Ubuntu Pro
  linux-image-azure-5.4 5.4.0.1163.169~18.04.1
      Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
  https://ubuntu.com/security/notices/USN-8280-2
  https://ubuntu.com/security/notices/USN-8280-1
  CVE-2026-31431, CVE-2026-31504, CVE-2026-31533, CVE-2026-43033,
  CVE-2026-43077, CVE-2026-43078