Tuesday, December 30, 2025

OpenBGPD 9.0 released

We have released OpenBGPD 9.0, which will be arriving in the
OpenBGPD directory of your local OpenBSD mirror soon.

This release includes the following changes to the previous release:

* Rewrite the Adj-RIB-Out handling to be more memory efficient
and faster. For large IXP route server deployments a reduction
in memory usage of more than 50% should be feasible.

* Process UPDATE messages in two phases: first update Adj-RIB-In,
Loc-RIB, and FIB, then process all the Adj-RIB-Out tables.
This significantly reduces the latency since updating all the
Adj-RIB-Out tables could take a fair amount of time.

* Introduce CH hash tables - a scalable hash map implementation
that boosts performance through improved cache locality.

* Introduce new metrics that track the amount of time spent in
various parts of the main event loop of the route decision engine.

* Fix various non-critical things uncovered by Coverity scanner.

OpenBGPD-portable is known to compile and run on FreeBSD and the
Linux distributions Alpine, Debian, Fedora, RHEL/CentOS and Ubuntu.
It is our hope that packagers take interest and help adapt OpenBGPD-portable
to more distributions.

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

Tuesday, December 23, 2025

F44 System-Wide Changes Submission Deadline is Today

Hi Folks,


If you are thinking of submitting a System Wide[1] change for Fedora Linux 44, today is the last day to submit. The deadline for Self Contained changes is January 13, 2026.


While your changes do not need to be complete by the submission deadlines, please bear in mind that all changes are required to be in a 'testable'[2] state by February 3, 2026, and 'complete' by February 17, 2026.


For a full list of key dates in this release cycle, please refer to our schedule[3].


Kind regards,

Allison


[1] https://docs.fedoraproject.org/en-US/program_management/changes_policy/#_change_categories

[2] https://docs.fedoraproject.org/en-US/program_management/changes_policy/#_change_process_milestones

[3] https://fedorapeople.org/groups/schedule/f-44/f-44-key-tasks.html


Saturday, December 20, 2025

Inactive packagers removed from the packager group

Hi all,

Today, 2025-12-20, we have removed inactive packagers
from the packager group.

This is in accordance with the FESCo policy on inactive packagers:
https://docs.fedoraproject.org/en-US/fesco/Policy_for_inactive_packagers/

If the removed user is 'main admin' for a package, this package
will be orphaned. If there are co-maintainers for the package,
one of them should take the role of 'main admin',
by clicking "✋ Take" on
`https://src.fedoraproject.org/rpms/<package>`.

Otherwise any packager may take the package while it's orphaned.
After 6 weeks, the package will be retired.
After another 8 weeks, a new review is needed to unretire it.
See https://docs.fedoraproject.org/en-US/fesco/Policy_for_orphan_and_retired_packages/
for more details.

More details available in
https://pagure.io/fedora-infrastructure/issue/12891

Packages that have been orphaned are:

flatpaks/libreoffice
rpms/bashmount
rpms/btrfs-progs
rpms/ccache
rpms/ceres-solver
rpms/cl-asdf
rpms/cockpit-composer
rpms/common-lisp-controller
rpms/cvsps
rpms/deco
rpms/deco-archive
rpms/et
rpms/fctxpd
rpms/geany
rpms/gecode
rpms/golang-github-alibabacloud-debug
rpms/golang-github-alibabacloud-tea
rpms/golang-github-aliyun-cli
rpms/golang-github-aliyun-credentials
rpms/golang-github-aliyun-ossutil
rpms/golang-github-alyu-configparser
rpms/golang-github-droundy-goopt
rpms/golang-github-dustinkirkland-petname
rpms/golang-github-gehirninc-crypt
rpms/golang-github-haproxytech-client-native
rpms/golang-github-haproxytech-config-parser
rpms/golang-github-haproxytech-logger
rpms/golang-github-lestrrat-apache-logformat
rpms/golang-github-lestrrat-envload
rpms/golang-github-lestrrat-strftime
rpms/golang-github-nathanaelle-syslog5424-2
rpms/golang-github-rodaine-hclencoder
rpms/golang-github-shulhan-bindata
rpms/ikona
rpms/java-jd-decompiler
rpms/libfaketime
rpms/libstatgrab
rpms/lxsplit
rpms/mingw-jansson
rpms/mingw-speexdsp
rpms/mingw-yaml-cpp
rpms/multimedia-menus
rpms/muse
rpms/nodejs-rhea
rpms/nodejs-underscore
rpms/openjdk-asmtools
rpms/perl-Alien-Packages
rpms/perl-Log-Any
rpms/perl-MooX-Log-Any
rpms/perl-MooX-Roles-Pluggable
rpms/perl-Net-Twitter
rpms/perl-Unix-Statgrab
rpms/perl-WWW-Shorten
rpms/phototonic
rpms/python3-gql
rpms/python-novaclient-os-networks
rpms/python-octaviaclient
rpms/python-pyvat
rpms/qclib
rpms/qt5-qtwebchannel
rpms/qt5-qtwebsockets
rpms/rcs
rpms/rubygem-bacon-colored_output
rpms/rubygem-codeclimate-test-reporter
rpms/rubygem-diffy
rpms/rubygem-generator_spec
rpms/rubygem-ipaddress
rpms/rubygem-minitest-around
rpms/rubygem-mixlib-cli
rpms/rubygem-mixlib-config
rpms/rubygem-mixlib-shellout
rpms/rubygem-nifti
rpms/rubygem-powerpack
rpms/rubygem-systemu
rpms/serafettin-cartoon-fonts
rpms/smaclient
rpms/systemd-bootchart
rpms/twirssi
rpms/uchardet
rpms/vera++
rpms/ws-commons-util
tests/scap-security-guide
tests/scap-workbench

[arch-announce] NVIDIA 590 driver drops Pascal support; main packages switch to Open Kernel Modules

With the update to driver version 590, the NVIDIA driver no longer supports Pascal (GTX 10xx) GPUs or older. We will replace the `nvidia` package with `nvidia-open`, `nvidia-dkms` with `nvidia-open-dkms`, and `nvidia-lts` with `nvidia-lts-open`.

**Impact:** Updating the NVIDIA packages on systems with Pascal, Maxwell, or older cards will fail to load the driver, which may result in a broken graphical environment.

**Intervention required for Pascal/older users:** Users with GTX 10xx series and older cards must switch to the legacy proprietary branch to maintain support:

* Uninstall the official `nvidia`, `nvidia-lts`, or `nvidia-dkms` packages.
* Install `nvidia-580xx-dkms` from the AUR.

Users with Turing (20xx and GTX 1650 series) and newer GPUs will automatically transition to the open kernel modules on upgrade and require no manual intervention.

URL: https://archlinux.org/news/nvidia-590-driver-drops-pascal-support-main-packages-switch-to-open-kernel-modules/

Friday, December 19, 2025

F44 Change Proposal: StopCreatingDefaultNetworkProfilesByAnaconda [SystemWide]

Wiki: https://fedoraproject.org/wiki/Changes/StopCreatingDefaultNetworkProfilesByAnaconda

Discussion Thread: https://discussion.fedoraproject.org/t/177637

**This is a proposed Change for Fedora Linux.**
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

== Summary ==
Traditionally the Anaconda installer used to create default network profiles (NetworkManager ifcfg files or keyfiles) on the installed system for each wired device. With the change only ... [truncated]

== Owner ==

* Name: [[User:rvykydal| Radek Vykydal]]
* Email: rvykydal@redhat.com


== Detailed Description ==
The reasons for the current behavior (creating default profiles for each wired network device) were in large part technical, imposed by the architecture of the installer network configuration module. The Anaconda default profiles were created at the initial stage of installation from NetworkManager connections where possible, either by dumping a connection (for example 'Wired Connection' created in initramfs) or by cloning a default connection ('Wired Connection 1' created after switchroot) with the connection id updated to the interface name. In cases where reusing the connection created by NM was not possible, Anaconda created a new connection on its own via the NetworkManager API. In some cases Anaconda also updated some values of the connections, such as addr-gen-mode.

Over the years there were requests from users to stop creating profiles for unconfigured devices: only the devices configured in the installer should have a persistent profile created on the installed system. The updates in the NetworkManager backend and its integration in the installer, together with improved CI coverage, now allow dropping the default connections and thereby also addressing several long-term issues:
* Bugs were reported about default connections being unexpectedly present on the installed system (https://bugzilla.redhat.com/show_bug.cgi?id=2031385#c8, https://bugzilla.redhat.com/show_bug.cgi?id=2115783, https://issues.redhat.com/browse/RHEL-100200). In some cases the profiles prevented proper activation of virtual connections configured by the user. The issues were usually addressed by updating the installer's already complex logic for managing the profiles. For port devices the installer recently stopped creating the profiles (https://github.com/rhinstaller/anaconda/pull/5703).
* On Live ISO installations (such as Fedora Workstation) the installer network configuration UI and the connection management had to be disabled because they conflicted with the GNOME configuration tools present in the environment. As part of the ongoing move towards the WebUI graphical user interface, the installer team aims to provide a UI that can seamlessly integrate with other tools, usable both in the Live ISO environment and in the installer image environment (for example the Server variant using Netinst ISO or DVD ISO), preferably reusing the Cockpit network configuration module. This requires dropping some parts of the installer's network connection management, with this change being an important step (see https://issues.redhat.com/browse/INSTALLER-3088).
* A significant part of installer users work around the current behavior by removing the default connections created by the installer in their custom kickstart '%post' scripts or other installation post-processing ([https://pagure.io/fedora-kickstarts/blob/f43/f/fedora-cloud-base.ks#_146 fedora-cloud-base.ks] for example).
* There was already a request from the NetworkManager side for the installer team to stop creating default profiles: https://github.com/rhinstaller/anaconda/pull/1588. The installer team has not yet been able to prioritize it.

== Feedback ==
The feedback we have received from the community over the past years asked for removal of the default Anaconda profiles, as pointed out in the **Detailed Description**.

On the other hand we may expect negative feedback triggered by potential need for adaptation to the new behavior.

== Benefit to Fedora ==
* Improved consistency - persistent profiles exist only for configured devices.
* Single point of truth for defaults - installer steps out of the business of creating default network profiles (name, id, binding) and even setting its default values.
* User perspective: no unexpected network configuration produced by installation. Workarounds for removing undesired profiles in post-installation steps are no longer needed.
* More flexibility for network configuration tooling choices in the installer environment (like LiveISO).
* Makes shared use of Cockpit network configuration module in installer WebUI for non-live ISO variants feasible.

== Scope ==
* Proposal owners: replace the DumpMissingConfigFiles API with API for just persisting initramfs configuration. The work is in advanced progress in https://github.com/rhinstaller/anaconda/pull/6787.
* Other developers: potentially adapt scripts and tools assuming existence of the persistent profiles for non-configured devices
* Release engineering: [https://pagure.io/releng/issues #Releng issue number]
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with the Fedora Strategy:

== Upgrade/compatibility impact ==
Upgrades impact: none, the change is applied only to newly installed systems.

Compatibility impact: automation tools used to post-process the network configuration of systems after installation might need adjustments if they work with network profiles without verifying their existence.

== Early Testing (Optional) ==
Do you require 'QA Blueprint' support? Y/N

== How To Test ==
The change can be tested by installing Fedora variants which are using installer environment iso (boot.iso, netinst or DVD, for example Fedora Server) on various installation scenarios with or without network configuration in installer:
* via boot options (for example 'ip=dhcp', 'ip=enp1s0:dhcp')
* via kickstart ('network' command)
* via text UI
* via Gtk UI
The devices not configured by any of these means should not have a persistent configuration profile on the installed system (in '/etc/NetworkManager/system-connections'). See also the examples in the **User Experience** section.
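One way to script the check described above, as an added example that is not part of the Change proposal or of Anaconda: it classifies a device as having a persistent profile, only an nm-generated in-memory profile, or none. The function names and the sample tree are constructed for illustration; on an installed system pass an empty root, as in `classify_iface "" enp0s22`.

```shell
#!/bin/sh
# Added example: audit NetworkManager keyfile profiles after installation.
# All function names are hypothetical; the sample tree is constructed.

# Print the value of KEY in [SECTION] of keyfile FILE (nothing if absent).
keyfile_get() {
    awk -v section="[$2]" -v key="$3" '
        /^\[/ { in_section = ($0 == section); next }
        in_section && index($0, key "=") == 1 {
            print substr($0, length(key) + 2); exit
        }
    ' "$1"
}

# True if keyfile FILE is bound to interface IFACE.
bound_to() {
    [ "$(keyfile_get "$1" connection interface-name)" = "$2" ]
}

# True if FILE carries the "[.nmmeta] nm-generated=true" marker that
# NetworkManager writes for profiles it generated itself.
is_nm_generated() {
    [ "$(keyfile_get "$1" .nmmeta nm-generated)" = "true" ]
}

# Classify IFACE under ROOT ("" for the running system):
#   persistent - a profile exists in ROOT/etc/NetworkManager/system-connections
#   generated  - only an nm-generated profile exists under ROOT/run/...
#   none       - no profile is bound to the interface
classify_iface() {
    c_root=$1; c_iface=$2
    for f in "$c_root"/etc/NetworkManager/system-connections/*.nmconnection; do
        [ -f "$f" ] || continue      # unmatched glob: no profiles present
        if bound_to "$f" "$c_iface"; then
            echo persistent; return 0
        fi
    done
    for f in "$c_root"/run/NetworkManager/system-connections/*.nmconnection; do
        [ -f "$f" ] || continue
        if bound_to "$f" "$c_iface" && is_nm_generated "$f"; then
            echo generated; return 0
        fi
    done
    echo none
}

# Build a constructed sample tree mirroring Example 1 (keyfiles abridged):
# "before" holds an installer-created profile, "after" only a generated one.
make_sample() {
    s_root=$(mktemp -d)
    mkdir -p "$s_root/before/etc/NetworkManager/system-connections" \
             "$s_root/after/etc/NetworkManager/system-connections" \
             "$s_root/after/run/NetworkManager/system-connections"
    printf '%s\n' '[connection]' 'id=enp0s22' 'type=ethernet' \
        'interface-name=enp0s22' '[ipv4]' 'method=auto' \
        > "$s_root/before/etc/NetworkManager/system-connections/enp0s22.nmconnection"
    printf '%s\n' '[connection]' 'id=Wired connection 1' 'type=ethernet' \
        'interface-name=enp0s22' '[ipv4]' 'method=auto' \
        '[.nmmeta]' 'nm-generated=true' \
        > "$s_root/after/run/NetworkManager/system-connections/Wired connection 1.nmconnection"
    echo "$s_root"
}

# Demo on the constructed tree.
sample=$(make_sample)
for state in before after; do
    printf '%s: enp0s22 -> %s\n' "$state" "$(classify_iface "$sample/$state" enp0s22)"
done
rm -rf "$sample"
```

Post-installation scripts that modify or delete a profile can use the same test first, so that they do nothing when the result is not `persistent`.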

== User Experience ==
**Example 1**: Fedora Server Network Installation, no network configuration during installation.

*Without the change* - state after installed system reboot:
    root@ibm-p8-kvm-03-guest-02:~# nmcli con
    NAME     UUID                                  TYPE      DEVICE
    enp0s22  2c4fb9f7-feab-3c4e-a4d5-549b34feab67  ethernet  enp0s22
    lo       eff6e9ee-ffe6-4cd8-8d91-a131d75ccdaf  loopback  lo
    root@ibm-p8-kvm-03-guest-02:~# ls /etc/NetworkManager/system-connections/
    enp0s22.nmconnection
    root@ibm-p8-kvm-03-guest-02:~# cat /etc/NetworkManager/system-connections/enp0s22.nmconnection
    [connection]
    id=enp0s22
    uuid=2c4fb9f7-feab-3c4e-a4d5-549b34feab67
    type=ethernet
    autoconnect-priority=-999
    interface-name=enp0s22
    timestamp=1765956677
    [ethernet]
    [ipv4]
    method=auto
    [ipv6]
    addr-gen-mode=eui64
    method=auto
    [proxy]

*With the change* - state after installed system reboot:
    root@ibm-p8-kvm-03-guest-02:~# nmcli con
    NAME                UUID                                  TYPE      DEVICE
    Wired connection 1  3500649e-c341-3a36-bb89-02e29d6f6f4f  ethernet  enp0s22
    lo                  4147084d-dedd-4513-aed2-bb8ecbe0b26e  loopback  lo
    root@ibm-p8-kvm-03-guest-02:~# ls /etc/NetworkManager/system-connections/
    root@ibm-p8-kvm-03-guest-02:~# ls /run/NetworkManager/system-connections/
     lo.nmconnection  'Wired connection 1.nmconnection'
    root@ibm-p8-kvm-03-guest-02:~# cat /run/NetworkManager/system-connections/Wired\ connection\ 1.nmconnection
    [connection]
    id=Wired connection 1
    uuid=3500649e-c341-3a36-bb89-02e29d6f6f4f
    type=ethernet
    autoconnect-priority=-999
    interface-name=enp0s22
    timestamp=1765959194
    [ethernet]
    [ipv4]
    method=auto
    [ipv6]
    addr-gen-mode=default
    method=auto
    [proxy]
    [.nmmeta]
    nm-generated=true

**Example 2**: Fedora Server DVD installation with network device unplugged during installation and plugged in before booting installed system. No network configuration during installation.

*Without the change* - state after installed system reboot:
    root@dhcp193:~# nmcli con
    NAME    UUID                                  TYPE      DEVICE
    lo      60c2b452-c923-44b7-b119-484f1fc119dc  loopback  lo
    enp1s0  f986e267-90bc-4e3a-bc89-d16ffa581246  ethernet  --
    root@dhcp193:~# ls /etc/NetworkManager/system-connections/
    enp1s0.nmconnection
    root@dhcp193:~# ls /run/NetworkManager/system-connections/
    lo.nmconnection
    root@dhcp193:~# cat /run/NetworkManager/system-connections/enp1s0.nmconnection
    [connection]
    id=enp1s0
    uuid=f986e267-90bc-4e3a-bc89-d16ffa581246
    type=ethernet
    autoconnect=false
    interface-name=enp1s0
    [ethernet]
    [ipv4]
    method=auto
    [ipv6]
    addr-gen-mode=eui64
    method=auto
    [proxy]

*With the change* - state after installed system reboot (is the same as in Example 1):
    root@dhcp193:~# nmcli con
    NAME                UUID                                  TYPE      DEVICE
    Wired connection 1  9196327c-a909-3cda-8733-06d6c77546f9  ethernet  enp1s0
    lo                  64f89f2c-85c8-40eb-92bf-b6712e3162d5  loopback  lo
    root@dhcp193:~# ls /etc/NetworkManager/system-connections/
    root@dhcp193:~# ls /run/NetworkManager/system-connections/
     lo.nmconnection  'Wired connection 1.nmconnection'
    root@dhcp193:~# cat /run/NetworkManager/system-connections/Wired\ connection\ 1.nmconnection
    [connection]
    id=Wired connection 1
    uuid=9196327c-a909-3cda-8733-06d6c77546f9
    type=ethernet
    autoconnect-priority=-999
    interface-name=enp1s0
    timestamp=1765961287
    [ethernet]
    [ipv4]
    method=auto
    [ipv6]
    addr-gen-mode=default
    method=auto
    [proxy]
    [.nmmeta]
    nm-generated=true

== Dependencies ==
It is possible that some Anaconda installer clients performing post-processing of the installed system, and expecting the Anaconda default profiles to exist (for their modification, removal, etc.), will need to adapt to the change.

Regarding system management / configuration tools, I think the risk that they assume the profiles exist on the installed system is reasonably small, and the tools should be able to handle their removal without issues.

== Contingency Plan ==
* Contingency mechanism: Reverting the change.
* Contingency deadline: Beta freeze
* Blocks release? No

== Documentation ==
I am not aware of the current behavior being documented anywhere other than in the [https://anaconda-installer.readthedocs.io/en/latest/autoapi/pyanaconda/modules/network/network_interface/index.html#pyanaconda.modules.network.network_interface.NetworkInterface.DumpMissingConfigFilesWithTask DumpMissingConfigFiles API].

The new behavior should be the one users would expect by default, so no explicit documentation is required.

The change of behavior will be documented in release notes.

== Release Notes ==

F44 Change Proposal: Java21RemovedEarlierThenScheduled [SelfContained]

Wiki: https://fedoraproject.org/wiki/Changes/Java21RemovedEarlierThenScheduled

Discussion Thread: https://discussion.fedoraproject.org/t/177636

**This is a proposed Change for Fedora Linux.**
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

== Summary ==

Remove java-21-openjdk already from F44, rather than F45 as was originally announced [[Changes/ThirdPartyLegacyJdks| here]] and [[Changes/Java25AndNoMoreSystemJdk#Detailed_Description| here]].

== Owner ==

* Name: [[User:jvanek| Jiri Vanek]]
* Email: jvanek@redhat.com

== Detailed Description ==

A short preliminary [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/FSRDMFKF6VK5HIBXLMO3I72H2WSIEWAX/#V4ZMJ5S5ZISVPF7RZICCTMW3RJOIYMEP discussion] happened in early December without any strong opposition but with several good ideas. Of the total Java stack (546 packages), only 26 require jdk21 for build:
* apache-commons-modeler-0:2.0.1-43.fc42.src
* apache-commons-text-0:1.10.0-8.fc42.src
* apache-sshd-1:2.11.0-2.fc41.src
* decentxml-0:1.4-36.fc41.src
* fop-0:2.9-9.fc41.src
* Java-WebSocket-0:1.6.0-4.fc43.src
* l10n-maven-plugin-0:1.1.0-2.fc43.src
* maven-archetype-0:3.2.1.0.8b3bdb6-14.fc41.src
* resteasy-0:3.0.26-32.fc42.src
* xmlgraphics-commons-0:2.11-1.fc43.src
* javapoet-0:1.7.0-27.fc43.src
* java-runtime-decompiler-0:10.0-6.fc43.src
* jol-0:0.17-10.fc43.src
* juniversalchardet-0:2.4.0-16.fc43.src
* plexus-velocity-0:2.2.1-2.fc43.src
* stringtemplate4-0:4.3.4-9.fc43.src
* xbean-0:4.24-8.fc43.src
* xbean-0:4.24-9.fc43.src
* icedtea-web-0:1.8.8-10.fc43.src
* ldapjdk-0:5.6.0-0.1.alpha1.fc43.3.src
* ldapjdk-0:5.6.0-1.fc43.src
* mecab-java-0:0.996-14.fc43.src
* openjdk-asmtools-0:9.0.0.b12.ea.eb1979669-0.fc43.src
* mecab-java-0:0.996-14.fc43.src
* fop-0:2.9-9.fc41.src
* nekohtml-0:1.9.22-29.fc42.src
* jedit-0:5.6.0-8.fc43.src
Of those, approx. 10 are FTBFS even with java-21-openjdk, and the rest seem to be OK to switch to java-25-openjdk. This part will be elaborated on.

Once those packages are resolved, jdk21 will be removed from rawhide and the [https://src.fedoraproject.org/rpms/adoptium-temurin-java-repository/blob/rawhide/f/adoptium-temurin-java-repository.spec#_54 adoptium-temurin-java-repository package] will obsolete jdk21 in f44, and will warn about jdk21 being deprecated in f43 and down.

== Feedback ==

For now the headless subpackage was rebuked as a priority to fix on the Temurin side. Others may pop up.

== Benefit to Fedora ==

The benefit to the distribution itself is controversial. A lot of development is focused on Eclipse Temurins, but we failed to prepare a proper 1:1 replacement in the past.

Main benefit will be the spared cycles of developers who will maintain one less jdk for one less cycle. Main focus of saved cycles should be the 1:1 compatibility of Temurins with our RPMs.

Note that a side benefit of this is that Temurin JDK RPMs will become more like Fedora RPMs, rather than "more like Debian" or similar.

== Scope ==

* Proposal owners:
** We will help to migrate remaining packages to jdk25
** we will deprecate and remove jdk21
** we should improve temurin rpms to fit more
* Other developers:
** No work is expected
* Release engineering:  N/A
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with the Fedora Strategy: ok, I think

== Upgrade/compatibility impact ==

Users who were used to having several system JDKs will have one system JDK (25) and one rolling future JDK, java-latest-openjdk (26 at that time), if applicable.

== Early Testing (Optional) ==

Do you require 'QA Blueprint' support? Y/N

== How To Test ==

todo

== User Experience ==

Change should be transparent to all users and power users.

Users will have latest JDK as soon as possible, as usual, and all Java packages should remain fully operational.

== Dependencies ==

* adoptium-temurin-java-repository as per schedule and description
* java-21-openjdk as per schedule and description
* remaining packages in javastack as per schedule and description

== Contingency Plan ==

* Return java-21-openjdk as it is
* Contingency deadline: beta freeze
* Blocks release? No

== Documentation ==

N/A for now

== Release Notes ==

F44 Change Proposal: SplitRubyBuild [SelfContained]

Wiki: https://fedoraproject.org/wiki/Changes/SplitRubyBuild

Discussion Thread: https://discussion.fedoraproject.org/t/177635

**This is a proposed Change for Fedora Linux.**
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

== Summary ==
The `ruby-build` package will be split into a main package and several subpackages (`ruby-build-jruby`, `ruby-build-truffleruby`, ...). This allows users to install only the build dependencies required for their specific Ruby implementation, significantly reducing the default installation size and dependency footprint.

== Owner ==
* Name: [[User:mikelo2| Mikel Olasagasti]]
* Email: mikel@olasagasti.info


== Detailed Description ==
=== Motivation ===
Currently, the `ruby-build` spec file utilizes a comprehensive list of `Recommends` to ensure all possible Ruby implementations can be built. This monolithic approach forces the package manager to pull in a massive dependency chain by default.

For example, a default installation of `ruby-build` (which is a 323 KiB package) currently results in a transaction of 146 packages, requiring 404 MiB of downloads and occupying 2 GiB of disk space.

<pre>
# dnf install ruby-build
Updating and loading repositories:
Repositories loaded.
Package                             Arch      Version                             Repository              Size
Installing:
 ruby-build                         x86_64    0:20251023-1.fc44                   rawhide            323.4 KiB
Installing dependencies:
 alsa-lib                           x86_64    0:1.2.15-4.fc44                     rawhide              1.5 MiB
 avahi-libs                         x86_64    0:0.9~rc2-6.fc43                    rawhide            171.6 KiB
 binutils                           x86_64    0:2.45.50-9.fc44                    rawhide             27.0 MiB
 clang-libs                         x86_64    0:21.1.7-1.fc44                     rawhide            114.9 MiB
 clang-resource-filesystem          x86_64    0:21.1.7-1.fc44                     rawhide             15.3 KiB
 cmake-filesystem                   x86_64    0:3.31.10-3.fc44                    rawhide              0.0   B
 cpp                                x86_64    0:15.2.1-5.fc44                     rawhide             38.0 MiB
 cups-filesystem                    noarch    1:2.4.16-4.fc44                     rawhide              0.0   B
 cups-libs                          x86_64    1:2.4.16-4.fc44                     rawhide            618.4 KiB
 dbus-libs                          x86_64    1:1.16.0-4.fc43                     rawhide            345.5 KiB
 ed                                 x86_64    0:1.22.3-1.fc44                     rawhide            148.9 KiB
 elfutils-debuginfod-client         x86_64    0:0.194-2.fc44                      rawhide             84.0 KiB
 expat                              x86_64    0:2.7.3-1.fc44                      rawhide            301.1 KiB
 gcc                                x86_64    0:15.2.1-5.fc44                     rawhide            111.9 MiB
 gcc-c++                            x86_64    0:15.2.1-5.fc44                     rawhide             41.4 MiB
 glibc-devel                        x86_64    0:2.42.9000-16.fc44                 rawhide              2.3 MiB
 groff-base                         x86_64    0:1.23.0-11.fc44                    rawhide              3.8 MiB
 info                               x86_64    0:7.2-7.fc44                        rawhide            357.9 KiB
 jansson                            x86_64    0:2.14-3.fc43                       rawhide             89.1 KiB
 javapackages-filesystem            noarch    0:6.4.1-4.fc44                      rawhide              2.0 KiB
 kernel-headers                     x86_64    0:6.19.0-0.rc1.15.fc44              rawhide              6.9 MiB
 libedit                            x86_64    0:3.1-57.20251016cvs.fc44           rawhide            240.2 KiB
 libedit-devel                      x86_64    0:3.1-57.20251016cvs.fc44           rawhide             59.4 KiB
 libmpc                             x86_64    0:1.3.1-8.fc43                      rawhide            160.6 KiB
 libpkgconf                         x86_64    0:2.3.0-3.fc43                      rawhide             78.1 KiB
 libstdc++-devel                    x86_64    0:15.2.1-5.fc44                     rawhide             37.2 MiB
 libxcrypt-devel                    x86_64    0:4.5.2-2.fc44                      rawhide             31.0 KiB
 libzstd-devel                      x86_64    0:1.5.7-3.fc44                      rawhide            217.6 KiB
 lksctp-tools                       x86_64    0:1.0.21-2.fc44                     rawhide            251.0 KiB
 llvm                               x86_64    0:21.1.7-1.fc44                     rawhide             89.3 MiB
 llvm-filesystem                    x86_64    0:21.1.7-1.fc44                     rawhide              0.0   B
 llvm-googletest                    x86_64    0:21.1.7-1.fc44                     rawhide              2.4 MiB
 llvm-libs                          x86_64    0:21.1.7-1.fc44                     rawhide            138.6 MiB
 llvm-static                        x86_64    0:21.1.7-1.fc44                     rawhide            377.5 MiB
 llvm-test                          x86_64    0:21.1.7-1.fc44                     rawhide              2.3 MiB
 make                               x86_64    1:4.4.1-11.fc43                     rawhide              1.8 MiB
 mpdecimal                          x86_64    0:4.0.1-2.fc43                      rawhide            217.2 KiB
 ncurses                            x86_64    0:6.5-8.20250614.fc44               rawhide            609.8 KiB
 ncurses-c++-libs                   x86_64    0:6.5-8.20250614.fc44               rawhide            153.6 KiB
 nspr                               x86_64    0:4.38.2-1.fc44                     rawhide            315.5 KiB
 nss                                x86_64    0:3.119.0-1.fc44                    rawhide              1.9 MiB
 nss-softokn                        x86_64    0:3.119.0-1.fc44                    rawhide              2.0 MiB
 nss-softokn-freebl                 x86_64    0:3.119.0-1.fc44                    rawhide            990.8 KiB
 nss-sysinit                        x86_64    0:3.119.0-1.fc44                    rawhide             18.1 KiB
 nss-util                           x86_64    0:3.119.0-1.fc44                    rawhide            204.8 KiB
 perl-AutoLoader                    noarch    0:5.74-520.fc43                     rawhide             20.6 KiB
 perl-B                             x86_64    0:1.89-520.fc43                     rawhide            501.3 KiB
 perl-Carp                          noarch    0:1.54-520.fc43                     rawhide             46.6 KiB
 perl-Class-Struct                  noarch    0:0.68-520.fc43                     rawhide             25.4 KiB
 perl-Data-Dumper                   x86_64    0:2.191-521.fc43                    rawhide            115.6 KiB
 perl-Digest                        noarch    0:1.20-520.fc43                     rawhide             35.3 KiB
 perl-Digest-MD5                    x86_64    0:2.59-520.fc43                     rawhide             59.7 KiB
 perl-DynaLoader                    x86_64    0:1.57-520.fc43                     rawhide             32.1 KiB
 perl-Encode                        x86_64    4:3.21-520.fc43                     rawhide              4.7 MiB
 perl-Errno                         x86_64    0:1.38-520.fc43                     rawhide              8.4 KiB
 perl-Exporter                      noarch    0:5.79-520.fc43                     rawhide             54.3 KiB
 perl-Fcntl                         x86_64    0:1.20-520.fc43                     rawhide             48.8 KiB
 perl-File-Basename                 noarch    0:2.86-520.fc43                     rawhide             14.0 KiB
 perl-File-Path                     noarch    0:2.18-521.fc44                     rawhide             63.5 KiB
 perl-File-Temp                     noarch    1:0.231.200-1.fc44                  rawhide            163.7 KiB
 perl-File-stat                     noarch    0:1.14-520.fc43                     rawhide             12.5 KiB
 perl-FileHandle                    noarch    0:2.05-520.fc43                     rawhide              9.4 KiB
 perl-Getopt-Long                   noarch    1:2.58-520.fc43                     rawhide            144.5 KiB
 perl-Getopt-Std                    noarch    0:1.14-520.fc43                     rawhide             11.2 KiB
 perl-HTTP-Tiny                     noarch    0:0.090-521.fc43                    rawhide            154.4 KiB
 perl-IO                            x86_64    0:1.55-520.fc43                     rawhide            147.4 KiB
 perl-IO-Socket-IP                  noarch    0:0.43-521.fc43                     rawhide            100.3 KiB
 perl-IO-Socket-SSL                 noarch    0:2.095-2.fc43                      rawhide            714.5 KiB
 perl-IPC-Open3                     noarch    0:1.24-520.fc43                     rawhide             27.7 KiB
 perl-MIME-Base32                   noarch    0:1.303-24.fc43                     rawhide             30.7 KiB
 perl-MIME-Base64                   x86_64    0:3.16-520.fc43                     rawhide             42.0 KiB
 perl-Net-SSLeay                    x86_64    0:1.94-11.fc43                      rawhide              1.3 MiB
 perl-POSIX                         x86_64    0:2.23-520.fc43                     rawhide            231.4 KiB
 perl-PathTools                     x86_64    0:3.94-520.fc43                     rawhide            180.0 KiB
 perl-Pod-Escapes                   noarch    1:1.07-520.fc43                     rawhide             24.9 KiB
 perl-Pod-Perldoc                   noarch    0:3.28.01-521.fc43                  rawhide            163.7 KiB
 perl-Pod-Simple                    noarch    1:3.47-3.fc43                       rawhide            565.3 KiB
 perl-Pod-Usage                     noarch    4:2.05-520.fc43                     rawhide             86.3 KiB
 perl-Scalar-List-Utils             x86_64    5:1.70-1.fc43                       rawhide            144.9 KiB
 perl-SelectSaver                   noarch    0:1.02-520.fc43                     rawhide              2.2 KiB
 perl-Socket                        x86_64    4:2.040-2.fc43                      rawhide            120.3 KiB
 perl-Storable                      x86_64    1:3.37-521.fc43                     rawhide            231.2 KiB
 perl-Symbol                        noarch    0:1.09-520.fc43                     rawhide              6.8 KiB
 perl-Term-ANSIColor                noarch    0:5.01-521.fc43                     rawhide             97.5 KiB

 perl-Term-Cap                      noarch    0:1.18-520.fc43                     rawhide             29.3 KiB

 perl-Text-ParseWords               noarch    0:3.31-520.fc43                     rawhide             13.6 KiB

 perl-Text-Tabs+Wrap                noarch    0:2024.001-520.fc43                 rawhide             22.6 KiB

 perl-Time-Local                    noarch    2:1.350-520.fc43                    rawhide             69.0 KiB

 perl-URI                           noarch    0:5.34-2.fc44                       rawhide            268.0 KiB

 perl-base                          noarch    0:2.27-520.fc43                     rawhide             12.6 KiB

 perl-constant                      noarch    0:1.33-521.fc43                     rawhide             26.2 KiB

 perl-if                            noarch    0:0.61.000-520.fc43                 rawhide              5.8 KiB

 perl-interpreter                   x86_64    4:5.42.0-520.fc43                   rawhide            118.6 KiB

 perl-libnet                        noarch    0:3.15-521.fc43                     rawhide            289.4 KiB

 perl-libs                          x86_64    4:5.42.0-520.fc43                   rawhide             11.5 MiB

 perl-locale                        noarch    0:1.13-520.fc43                     rawhide              6.1 KiB

 perl-mro                           x86_64    0:1.29-520.fc43                     rawhide             41.6 KiB

 perl-overload                      noarch    0:1.40-520.fc43                     rawhide             71.6 KiB

 perl-overloading                   noarch    0:0.02-520.fc43                     rawhide              4.9 KiB

 perl-parent                        noarch    1:0.244-520.fc43                    rawhide             10.3 KiB

 perl-podlators                     noarch    1:6.0.2-520.fc43                    rawhide            317.5 KiB

 perl-vars                          noarch    0:1.05-520.fc43                     rawhide              3.9 KiB

 pkgconf                            x86_64    0:2.3.0-3.fc43                      rawhide             88.5 KiB

 pkgconf-m4                         noarch    0:2.3.0-3.fc43                      rawhide             14.4 KiB

 pkgconf-pkg-config                 x86_64    0:2.3.0-3.fc43                      rawhide            989.0   B

 python-pip-wheel                   noarch    0:25.3-1.fc44                       rawhide              1.2 MiB

 python3                            x86_64    0:3.14.2-1.fc44                     rawhide             28.9 KiB

 python3-libs                       x86_64    0:3.14.2-1.fc44                     rawhide             43.1 MiB

 ruby-default-gems                  noarch    0:3.4.7-28.fc44                     rawhide             66.1 KiB

 ruby-libs                          x86_64    0:3.4.7-28.fc44                     rawhide             15.1 MiB

 rubygem-io-console                 x86_64    0:0.8.1-28.fc44                     rawhide             33.2 KiB

 rubygem-irb                        noarch    0:1.14.3-28.fc44                    rawhide            290.3 KiB

 rubygem-json                       x86_64    0:2.15.1-1.fc44                     rawhide            222.3 KiB

 rubygem-psych                      x86_64    0:5.2.2-28.fc44                     rawhide            132.6 KiB

 rubygem-rbs                        x86_64    0:3.8.0-28.fc44                     rawhide              5.0 MiB

 rubygem-rdoc                       noarch    0:6.14.2-201.fc44                   rawhide              1.9 MiB

 rubygems                           noarch    0:3.6.9-28.fc44                     rawhide              1.4 MiB

 rubypick                           noarch    0:1.1.1-23.fc43                     rawhide              4.4 KiB

 rust-std-static                    x86_64    0:1.92.0-1.fc44                     rawhide            165.6 MiB

 tzdata-java                        noarch    0:2025c-1.fc44                      rawhide            100.2 KiB

Installing weak dependencies:

 clang                              x86_64    0:21.1.7-1.fc44                     rawhide             65.5 MiB

 compiler-rt                        x86_64    0:21.1.7-1.fc44                     rawhide             41.0 MiB

 gdbm-devel                         x86_64    1:1.23-10.fc43                      rawhide             82.0 KiB

 java-25-openjdk-headless           x86_64    1:25.0.1.0.8-1.fc44                 rawhide            236.3 MiB

 libatomic                          x86_64    0:15.2.1-5.fc44                     rawhide             36.7 KiB

 libffi-devel                       x86_64    0:3.5.2-1.fc44                      rawhide             33.9 KiB

 libomp                             x86_64    0:21.1.7-1.fc44                     rawhide              2.8 MiB

 libomp-devel                       x86_64    0:21.1.7-1.fc44                     rawhide              1.5 MiB

 libyaml-devel                      x86_64    0:0.2.5-17.fc43                     rawhide              1.1 MiB

 llvm-devel                         x86_64    0:21.1.7-1.fc44                     rawhide             33.5 MiB

 ncurses-devel                      x86_64    0:6.5-8.20250614.fc44               rawhide            893.4 KiB

 openssl-devel                      x86_64    1:3.5.4-1.fc44                      rawhide              4.6 MiB

 patch                              x86_64    0:2.8-3.fc44                        rawhide            226.6 KiB

 perl-File-Compare                  noarch    0:1.100.800-520.fc43                rawhide              5.6 KiB

 perl-FindBin                       noarch    0:1.54-520.fc43                     rawhide              6.8 KiB

 perl-NDBM_File                     x86_64    0:1.18-520.fc43                     rawhide             28.5 KiB

 python-unversioned-command         noarch    0:3.14.2-1.fc44                     rawhide             23.0   B

 readline-devel                     x86_64    0:8.3-2.fc43                        rawhide            595.8 KiB

 ruby                               x86_64    0:3.4.7-28.fc44                     rawhide             85.5 KiB

 ruby-bundled-gems                  x86_64    0:3.4.7-28.fc44                     rawhide              2.2 MiB

 rubygem-bigdecimal                 x86_64    0:3.1.8-28.fc44                     rawhide            134.7 KiB

 rubygem-bundler                    noarch    0:2.6.9-28.fc44                     rawhide              1.5 MiB

 rubygem-rake                       noarch    0:13.3.0-101.fc43                   rawhide            134.1 KiB

 rust                               x86_64    0:1.92.0-1.fc44                     rawhide             93.5 MiB

 zlib-ng-compat-devel               x86_64    0:2.3.2-2.fc44                      rawhide            107.0 KiB

Transaction Summary:

 Installing:       146 packages

Total size of inbound packages is 404 MiB. Need to download 404 MiB.

After this operation, 2 GiB extra will be used (install 2 GiB, remove 0 B).

</pre>

This includes heavy dependencies like `java-headless`, `rust`, `llvm`, and `clang`, even if the user only intends to build a standard MRI Ruby version.

This is the content of the spec that pulls all those dependencies:

<pre>
# ruby-build can build various ruby interpreters from source, which in turn can
# require additional dependencies
Recommends:     bzip2
Recommends:     clang
Recommends:     gdbm-devel
Recommends:     java-headless
Recommends:     libffi-devel
Recommends:     libyaml-devel
Recommends:     llvm-devel
Recommends:     make
Recommends:     ncurses-devel
Recommends:     openssl-devel
Recommends:     patch
Recommends:     perl-File-Compare
Recommends:     perl-FindBin
Recommends:     readline-devel
Recommends:     ruby
Recommends:     rubygem-rake
Recommends:     rust
Recommends:     zlib-devel
</pre>

=== Proposed Solution ===
The `ruby-build` package works by providing a collection of build definition files (simple text files) located in `/usr/share/ruby-build`. Each file defines how to download and compile a specific version of a Ruby interpreter like `3.2.2`, `jruby-9.4.0.0` or `truffleruby-22.3`.

This proposal changes the packaging structure to split `ruby-build` into modular subpackages based on these definition types. Each subpackage will provide the necessary build dependencies for a specific subset of definition files, matched by naming patterns. This ensures that if a user only intends to build standard MRI Ruby, they are not forced to install the build chain for JRuby or TruffleRuby.

The new package structure will be as follows:
* **ruby-build (Main Package)**
** Would be a meta-package requiring `ruby-build-core` and recommending `ruby-build-ruby`.
* **ruby-build-core**
** Contains the core binary (`/usr/bin/ruby-build`) and the man page.
** All target subpackages require this package rather than the `ruby-build` meta-package, to avoid pulling in `ruby-build-ruby` and its dependencies as a recommended package.
* **ruby-build-ruby**
** Targets standard MRI/CRuby versions (definitions matching `^[0-9]*`).
** Requires: `gcc`, `perl-interpreter`, `perl(FindBin)`, `perl(lib)`, `perl(IPC::Cmd)`, `perl(File::Compare)`, `perl(File::Copy)`, `zlib-ng-compat-devel`, `libffi-devel`, `libyaml-devel`.
* **ruby-build-jruby**
** Targets JRuby versions (definitions matching `^jruby`).
** Requires: `java-latest-openjdk-headless`, `make`, `gcc-c++`.
* **ruby-build-mruby**
** Targets mruby versions (definitions matching `^mruby`).
** Requires: `ruby`, `rubygem-rake`.
* **ruby-build-picoruby**
** Targets PicoRuby versions (definitions matching `^pico`).
** Requires: `ruby`, `rubygem-rake`, `gcc`, `git-core`.
* **ruby-build-truffleruby**
** Targets TruffleRuby versions (definitions matching `^truffle`).
** Requires: `gcc`, `libyaml-devel`.
* **ruby-build-others**
** Targets less common implementations available via `rbenv install -L` (such as rbx, ree, etc.).
** Keeps the main dependency set clean.
* **ruby-build-all**
** Metapackage to install all subpackages
* **ruby-build-rbenv**
** Already exists
** Contains the ruby-build plugin for rbenv
The dependency lists are optimized for modern releases of these Ruby implementations.

== Feedback ==


== Benefit to Fedora ==
* Bloat Reduction: A default installation of `ruby-build` will drop from ~2 GiB to a few megabytes, respecting user resources.
* Modularity: Users and CI/CD systems can install exactly what they need without pulling in the entire Java ecosystem or Rust toolchain unnecessarily.
* Security: Reduces the attack surface on systems that do not need the JVM or legacy build tools.

== Scope ==
* Proposal owners: Change the spec to create the subpackages.
* Other developers: Nothing
* Release engineering: Nothing
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with the Fedora Strategy:

== Upgrade/compatibility impact ==
* The new package `ruby-build-ruby` would be installed and multiple dependencies could be removed from the system automatically as nothing else may depend on them.
* Users wanting to build a Ruby implementation other than CRuby would need to install the required subpackage to get the definitions.

== Early Testing (Optional) ==
Test package available in Copr at https://copr.fedorainfracloud.org/coprs/mikelo2/split-ruby-build/ and code at https://src.fedoraproject.org/fork/mikelo2/rpms/ruby-build/commits/split-rubybuild

== How To Test ==
1. Install the package:

   `dnf copr enable mikelo2/split-ruby-build`

   `dnf install ruby-build`
   *Verify that it does NOT pull in `java-headless` or `rust` by default.*
2. Test Standard Ruby:

   `dnf install rbenv`

   `rbenv install 3.4.8`
   *This should work out of the box (via `ruby-build-ruby`).*
3. Test JRuby (Optional):

   `rbenv install jruby-9.4.0.0`
   *This should fail initially.*
   `dnf install ruby-build-jruby`

   `rbenv install jruby-9.4.0.0`
   *This should now succeed.*
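
An added check for step 1, not part of the proposal or of ruby-build: it parses a dnf transaction listing in the format shown earlier and reports heavy toolchain packages in any section. The name patterns and the sample rows are assumptions built from packages this proposal names; `java-headless` resolves to a versioned package such as `java-25-openjdk-headless`, so an exact-name match would miss it.

```python
import re

UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}

# One package row of the transaction table: name, arch, epoch:version, repo, size.
ROW = re.compile(
    r"^\s+(?P<name>\S+)\s+(?P<arch>\S+)\s+(?P<evr>\S+)\s+(?P<repo>\S+)"
    r"\s+(?P<num>\d+(?:\.\d+)?)\s+(?P<unit>B|KiB|MiB|GiB)\s*$"
)

# Assumed patterns for the toolchains the proposal calls heavy
# (java-headless, rust, llvm, clang). They match resolved package names.
HEAVY = [re.compile(p) for p in (
    r"^java-.*headless$", r"^rust(-|$)", r"^llvm(-|$)", r"^clang(-|$)",
)]


def parse_transaction(text):
    """Return one dict (section, name, size in bytes) per package row."""
    rows, section = [], None
    for line in text.splitlines():
        if not line.strip():
            continue  # the listing may carry blank lines between rows
        if not line[0].isspace() and line.rstrip().endswith(":"):
            section = line.strip().rstrip(":")
            if section == "Transaction Summary":
                break  # counts and totals follow, not packages
            continue
        match = ROW.match(line)
        if match and section:
            size = round(float(match["num"]) * UNITS[match["unit"]])
            rows.append({"section": section, "name": match["name"], "size": size})
    return rows


def heavy_packages(text):
    """Rows whose package name matches one of the HEAVY patterns."""
    return [row for row in parse_transaction(text)
            if any(p.search(row["name"]) for p in HEAVY)]


def audit(text):
    """Return (ok, flagged rows, total flagged size in bytes)."""
    flagged = heavy_packages(text)
    return (not flagged, flagged, sum(row["size"] for row in flagged))


# Constructed sample: the ruby-build row is a placeholder, the other rows are
# copied from the listing in this proposal.
SAMPLE = """\
Installing:
 ruby-build                         noarch    0:0-0.example                       rawhide            100.0 KiB

Installing dependencies:
 perl-URI                           noarch    0:5.34-2.fc44                       rawhide            268.0 KiB
 pkgconf-pkg-config                 x86_64    0:2.3.0-3.fc43                      rawhide            989.0   B
 rust-std-static                    x86_64    0:1.92.0-1.fc44                     rawhide            165.6 MiB

Installing weak dependencies:
 clang                              x86_64    0:21.1.7-1.fc44                     rawhide             65.5 MiB
 java-25-openjdk-headless           x86_64    1:25.0.1.0.8-1.fc44                 rawhide            236.3 MiB
 patch                              x86_64    0:2.8-3.fc44                        rawhide            226.6 KiB
 rust                               x86_64    0:1.92.0-1.fc44                     rawhide             93.5 MiB

Transaction Summary:
 Installing:         8 packages
"""

if __name__ == "__main__":
    ok, flagged, size = audit(SAMPLE)
    for row in flagged:
        print(f"{row['section']}: {row['name']} ({row['size'] / 1024 ** 2:.1f} MiB)")
    print("PASS" if ok else f"FAIL: {size / 1024 ** 2:.1f} MiB of heavy toolchains")
```

Feed it the listing dnf prints before asking for confirmation; an empty result is the expected outcome for the split package.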

== User Experience ==
- Users will notice a significantly faster and smaller installation process for `ruby-build`.
- Advanced users may need to manually install specific subpackages (like `ruby-build-truffleruby`) if they are working with non-standard Ruby implementations, but the vast majority of users (MRI Ruby) will see no change in workflow, only in disk savings.

== Dependencies ==
N/A

== Contingency Plan ==
* Contingency mechanism: Revert the changes to the spec file to the monolithic dependency list
* Contingency deadline: Beta Freeze
* Blocks release? No

== Documentation ==
N/A (not a System Wide Change)

== Release Notes ==

F45 Change Proposal: ModernizeBootISO [SystemWide]

Wiki: https://fedoraproject.org/wiki/Changes/ModernizeBootISO

Discussion Thread: https://discussion.fedoraproject.org/t/177634

**This is a proposed Change for Fedora Linux.**
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

== Summary ==
We will switch over production of the boot.iso from using `lorax` to `image-builder`, modernizing the build of the deliverable while keeping functional parity.

== Owner ==
* Name: [[User:supakeen| Simon de Vlieger]], [[User:ngompa| Neal Gompa]]
* Email: cmdr@supakeen.com, ngompa13@gmail.com

== Detailed Description ==
Over the past few Fedora releases we have slowly been moving deliverable production over to new image build tooling. Package-based live media has moved onto `kiwi`. ostree- and bootc-based artifacts have moved onto `image-builder`, though some deliverables remain to be migrated in this area.

One of the important artifacts in Fedora is the boot.iso. This is the network installer that is shipped as the "Everything" network installer, or the "Server" network installer for Fedora Server edition.

This artifact is used in pungi and processed further into the dvd.iso (by embedding a compose's repositories into the boot.iso) and the Fedora Atomic installers (by embedding a compose's ostree commit into the boot.iso).

We would like to start producing the boot.iso with modern image build tooling.

`image-builder` is currently deployed in Fedora's Koji build system and can produce both the Everything and Fedora Server Edition boot.iso's. Thus for this effort we would like to switch over the pungi configuration to start using `image-builder` for these deliverables.

While `image-builder` definitions currently provide a boot.iso that is at parity we would like to also use this switch to address several concerns with the boot.iso media while keeping functional parity. This includes (less|no) usage of Lorax in the build process which might necessitate changes to packages and/or configuration (mostly in Anaconda).

Since the boot.iso media is used in many workflows both internal to Fedora and by users we have explicitly targeted Fedora 45 to give us enough time to discover any dragons that might appear.

We plan to switch over as early as possible after rawhide becomes Fedora 45 to give users and ourselves the maximum amount of time to find any regressions and address them.

Separately, any work on the Pungi side of things and the investigative work that will go into this will benefit other image build tooling such as `kiwi` to also be able to produce these deliverables in the future as these parts are shared. Having redundancy in our tooling (both `image-builder` and `kiwi` being able to build the same artifacts) is a great thing to have as it allows us to switch over the build backend when one or the other is having issues and reduces the risk of any complications affecting all deliverables.

== Feedback ==


== Benefit to Fedora ==
Changing the production of the boot.iso over to `image-builder` brings infrastructural benefits. It also allows users to easily build (customized) boot.iso's locally that match official Fedora deliverables and provides an easier way to produce derivatives and Fedora remixes that want to create boot.iso media using `image-builder` or `kiwi`.

Aside from this the process on how these deliverables are produced becomes more linear and simpler to understand.

== Scope ==
* Proposal owners: implement definitions (`image-builder`) and descriptions (`kiwi`) to build modernized boot.iso media. Update pungi configuration to make use of this (might imply changes to pungi itself as well).
* Other developers: None.
* Release engineering: https://forge.fedoraproject.org/releng/tickets/issues/13140
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with the Fedora Strategy:

== Upgrade/compatibility impact ==


== Early Testing (Optional) ==
Users can test the current state of these artifacts by installing `image-builder` and building the deliverables as they are now:

 $ sudo dnf install image-builder

 $ sudo image-builder build everything-network-installer

Note that several changes need to land upstream and thus these installers do not properly reflect the state that we want in Fedora, yet.

== How To Test ==
Once the pungi configuration for rawhide has been changed to produce these deliverables with `image-builder` OpenQA will start testing these automatically.

Users can also start testing after this point. The tests would involve the usual requirements and criteria for the boot.iso.

Once the new deliverables are testable an announcement will be made on the mailing list and discussion forum to get as many eyes on this as possible.

== User Experience ==
The user experience of using the boot.iso media should not change in any functional way.

== Dependencies ==
There are no dependencies on other changes. The owners of this proposal will likely need to perform work in pungi, the pungi configuration, and perhaps Anaconda.

We have explicitly targeted Fedora 45 to give us enough time to make these changes as they might have long(er) timeframes to land in Fedora.

If any critical changes are not able to land before Fedora 45 we will have the option to either pave over them in `image-builder` (for example, if configuration files need to be moved around, or directories need to be removed) or to trigger the contingency and defer to Fedora 46.

== Contingency Plan ==
* Contingency mechanism: Revert pungi configuration changes
* Contingency deadline: Beta Freeze
* Blocks release: Yes

== Documentation ==
Notes will be written and kept as the implementation progresses.

== Release Notes ==

[USN-7931-4] Linux kernel (Xilinx) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-7931-4
December 19, 2025

linux-xilinx vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-xilinx: Linux kernel for Xilinx systems

Details:

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Cryptographic API;
- Media drivers;
- Memory management;
- Appletalk network protocol;
- Netfilter;
(CVE-2025-37958, CVE-2025-38666, CVE-2025-39964, CVE-2025-39993,
CVE-2025-40018)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
linux-image-6.8.0-1021-xilinx 6.8.0-1021.22
linux-image-xilinx 6.8.0.1021.22
linux-image-xilinx-6.8 6.8.0.1021.22
linux-image-xilinx-zynqmp 6.8.0.1021.22

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-7931-4
https://ubuntu.com/security/notices/USN-7931-3
https://ubuntu.com/security/notices/USN-7931-2
https://ubuntu.com/security/notices/USN-7931-1
CVE-2025-37958, CVE-2025-38666, CVE-2025-39964, CVE-2025-39993,
CVE-2025-40018

Package Information:
https://launchpad.net/ubuntu/+source/linux-xilinx/6.8.0-1021.22

[USN-7921-2] Linux kernel (Real-time) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-7921-2
December 19, 2025

linux-realtime-6.14 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-realtime-6.14: Linux kernel for Real-time systems

Details:

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Cryptographic API;
- Media drivers;
- Netfilter;
- TLS protocol;
(CVE-2025-39946, CVE-2025-39964, CVE-2025-39993, CVE-2025-40018)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
linux-image-6.14.0-1017-realtime 6.14.0-1017.17~24.04.1
Available with Ubuntu Pro
linux-image-realtime-6.14 6.14.0-1017.17~24.04.1
Available with Ubuntu Pro
linux-image-realtime-hwe-24.04 6.14.0-1017.17~24.04.1
Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-7921-2
https://ubuntu.com/security/notices/USN-7921-1
CVE-2025-39946, CVE-2025-39964, CVE-2025-39993, CVE-2025-40018

Package Information:

https://launchpad.net/ubuntu/+source/linux-realtime-6.14/6.14.0-1017.17~24.04.1

[USN-7928-4] Linux kernel (Raspberry Pi) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-7928-4
December 19, 2025

linux-raspi vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-raspi: Linux kernel for Raspberry Pi systems

Details:

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Cryptographic API;
- Media drivers;
- Network drivers;
- AFS file system;
- F2FS file system;
- Tracing infrastructure;
- Netfilter;
(CVE-2022-49390, CVE-2024-47691, CVE-2024-50067, CVE-2024-53090,
CVE-2024-53218, CVE-2025-21855, CVE-2025-39964, CVE-2025-39993,
CVE-2025-40018)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
linux-image-5.15.0-1092-raspi 5.15.0-1092.95
linux-image-raspi 5.15.0.1092.90
linux-image-raspi-5.15 5.15.0.1092.90
linux-image-raspi-nolpae 5.15.0.1092.90

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-7928-4
https://ubuntu.com/security/notices/USN-7928-3
https://ubuntu.com/security/notices/USN-7928-2
https://ubuntu.com/security/notices/USN-7928-1
CVE-2022-49390, CVE-2024-47691, CVE-2024-50067, CVE-2024-53090,
CVE-2024-53218, CVE-2025-21855, CVE-2025-39964, CVE-2025-39993,
CVE-2025-40018

Package Information:
https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1092.95

[USN-7922-3] Linux kernel (Oracle) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-7922-3
December 19, 2025

linux-oracle-5.4 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-oracle-5.4: Linux kernel for Oracle Cloud systems

Details:

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Cryptographic API;
- ACPI drivers;
- InfiniBand drivers;
- Media drivers;
- Network drivers;
- Pin controllers subsystem;
- AFS file system;
- F2FS file system;
- Tracing infrastructure;
- Memory management;
- Appletalk network protocol;
- Netfilter;
(CVE-2022-49026, CVE-2022-49390, CVE-2024-47691, CVE-2024-49935,
CVE-2024-50067, CVE-2024-50095, CVE-2024-50196, CVE-2024-53090,
CVE-2024-53218, CVE-2025-21855, CVE-2025-37958, CVE-2025-38666,
CVE-2025-39964, CVE-2025-39993, CVE-2025-40018)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
linux-image-5.4.0-1151-oracle 5.4.0-1151.161~18.04.1
Available with Ubuntu Pro
linux-image-oracle 5.4.0.1151.161~18.04.1
Available with Ubuntu Pro
linux-image-oracle-5.4 5.4.0.1151.161~18.04.1
Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-7922-3
https://ubuntu.com/security/notices/USN-7922-2
https://ubuntu.com/security/notices/USN-7922-1
CVE-2022-49026, CVE-2022-49390, CVE-2024-47691, CVE-2024-49935,
CVE-2024-50067, CVE-2024-50095, CVE-2024-50196, CVE-2024-53090,
CVE-2024-53218, CVE-2025-21855, CVE-2025-37958, CVE-2025-38666,
CVE-2025-39964, CVE-2025-39993, CVE-2025-40018

Wednesday, December 17, 2025

Mass retirement of golang library leaves

Hi everyone,

As per Changes/GolangPackagesVendoredByDefault [1], all golang libraries
that are currently leaves (as defined in [2]) will be mass retired. This
will happen in the coming days. The full list of packages is available
at [3].

Note that golang libraries that current packages depend on will not be
retired as part of this process. However, non-leaf golang libraries may
still be retired as part of Orphaned Packages Process and FTI/FTBFS
processes, so this may affect your package(s) if you did not/do not take
action before these processes' respective deadlines.

Existing packages are recommended to migrate to the new vendored
dependency approach, and the updated Guidelines that mandate vendoring
apply to all new Golang application packages added to the distribution [4].

Thank you for your cooperation and let me know if you have any questions!

Happy holidays and happy new year,
Maxwell

[1] https://fedoraproject.org/wiki/Changes/GolangPackagesVendoredByDefault#Plan
[2] https://gitlab.com/fedora/sigs/go/package-data/-/blob/main/README.md
[3] https://gitlab.com/fedora/sigs/go/package-data/-/blob/f6aad6bb0b54760f2e7a4b71f719b78e773a9fe8/leaves
[4] https://docs.fedoraproject.org/en-US/packaging-guidelines/Golang

[USN-7940-1] Linux kernel (Azure FIPS) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-7940-1
December 17, 2025

linux-azure-fips vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-azure-fips: Linux kernel for Microsoft Azure Cloud systems with FIPS

Details:

Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered
that the Linux kernel contained insufficient branch predictor isolation
between a guest and a userspace hypervisor for certain processors. This
flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this
to expose sensitive information from the host OS. (CVE-2025-40300)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- ARM64 architecture;
- PowerPC architecture;
- x86 architecture;
- Cryptographic API;
- ACPI drivers;
- Ublk userspace block driver;
- Clock framework and drivers;
- EDAC drivers;
- GPU drivers;
- HSI subsystem;
- IIO subsystem;
- InfiniBand drivers;
- Media drivers;
- MemoryStick subsystem;
- Network drivers;
- NTB driver;
- PCI subsystem;
- Remote Processor subsystem;
- Thermal drivers;
- Virtio Host (VHOST) subsystem;
- 9P distributed file system;
- File systems infrastructure;
- JFS file system;
- Network file system (NFS) server daemon;
- NTFS3 file system;
- SMB network file system;
- Memory management;
- Bluetooth subsystem;
- RDMA verbs API;
- Kernel fork() syscall;
- Timer subsystem;
- Tracing infrastructure;
- Watch queue notification mechanism;
- Appletalk network protocol;
- Asynchronous Transfer Mode (ATM) subsystem;
- Networking core;
- IPv4 networking;
- IPv6 networking;
- Netfilter;
- Network traffic control;
- SCTP protocol;
- TLS protocol;
- SoC Audio for Freescale CPUs drivers;
(CVE-2023-53034, CVE-2024-58092, CVE-2025-21729, CVE-2025-22018,
CVE-2025-22019, CVE-2025-22020, CVE-2025-22021, CVE-2025-22025,
CVE-2025-22027, CVE-2025-22028, CVE-2025-22033, CVE-2025-22035,
CVE-2025-22036, CVE-2025-22038, CVE-2025-22039, CVE-2025-22040,
CVE-2025-22041, CVE-2025-22042, CVE-2025-22044, CVE-2025-22045,
CVE-2025-22047, CVE-2025-22050, CVE-2025-22053, CVE-2025-22054,
CVE-2025-22055, CVE-2025-22056, CVE-2025-22057, CVE-2025-22058,
CVE-2025-22060, CVE-2025-22062, CVE-2025-22063, CVE-2025-22064,
CVE-2025-22065, CVE-2025-22066, CVE-2025-22068, CVE-2025-22070,
CVE-2025-22071, CVE-2025-22072, CVE-2025-22073, CVE-2025-22075,
CVE-2025-22079, CVE-2025-22080, CVE-2025-22081, CVE-2025-22083,
CVE-2025-22086, CVE-2025-22089, CVE-2025-22090, CVE-2025-22095,
CVE-2025-22097, CVE-2025-23136, CVE-2025-23138, CVE-2025-37838,
CVE-2025-37937, CVE-2025-37958, CVE-2025-38118, CVE-2025-38152,
CVE-2025-38227, CVE-2025-38240, CVE-2025-38352, CVE-2025-38575,
CVE-2025-38616, CVE-2025-38637, CVE-2025-38666, CVE-2025-38678,
CVE-2025-39682, CVE-2025-39728, CVE-2025-39735, CVE-2025-39964,
CVE-2025-39993, CVE-2025-40018, CVE-2025-40114, CVE-2025-40157)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  linux-image-6.8.0-1044-azure-fips  6.8.0-1044.50+fips1
                                     Available with Ubuntu Pro
  linux-image-azure-fips             6.8.0-1044.50+fips1
                                     Available with Ubuntu Pro
  linux-image-azure-fips-6.8         6.8.0-1044.50+fips1
                                     Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-7940-1
CVE-2023-53034, CVE-2024-58092, CVE-2025-21729, CVE-2025-22018,
CVE-2025-22019, CVE-2025-22020, CVE-2025-22021, CVE-2025-22025,
CVE-2025-22027, CVE-2025-22028, CVE-2025-22033, CVE-2025-22035,
CVE-2025-22036, CVE-2025-22038, CVE-2025-22039, CVE-2025-22040,
CVE-2025-22041, CVE-2025-22042, CVE-2025-22044, CVE-2025-22045,
CVE-2025-22047, CVE-2025-22050, CVE-2025-22053, CVE-2025-22054,
CVE-2025-22055, CVE-2025-22056, CVE-2025-22057, CVE-2025-22058,
CVE-2025-22060, CVE-2025-22062, CVE-2025-22063, CVE-2025-22064,
CVE-2025-22065, CVE-2025-22066, CVE-2025-22068, CVE-2025-22070,
CVE-2025-22071, CVE-2025-22072, CVE-2025-22073, CVE-2025-22075,
CVE-2025-22079, CVE-2025-22080, CVE-2025-22081, CVE-2025-22083,
CVE-2025-22086, CVE-2025-22089, CVE-2025-22090, CVE-2025-22095,
CVE-2025-22097, CVE-2025-23136, CVE-2025-23138, CVE-2025-37838,
CVE-2025-37937, CVE-2025-37958, CVE-2025-38118, CVE-2025-38152,
CVE-2025-38227, CVE-2025-38240, CVE-2025-38352, CVE-2025-38575,
CVE-2025-38616, CVE-2025-38637, CVE-2025-38666, CVE-2025-38678,
CVE-2025-39682, CVE-2025-39728, CVE-2025-39735, CVE-2025-39964,
CVE-2025-39993, CVE-2025-40018, CVE-2025-40114, CVE-2025-40157,
CVE-2025-40300

Package Information:
https://launchpad.net/ubuntu/+source/linux-azure-fips/6.8.0-1044.50+fips1

Tuesday, December 16, 2025

FreeBSD Security Advisory FreeBSD-SA-25:12.rtsold

=============================================================================
FreeBSD-SA-25:12.rtsold Security Advisory
The FreeBSD Project

Topic:          Remote code execution via ND6 Router Advertisements

Category:       core
Module:         rtsold
Announced:      2025-12-16
Credits:        Kevin Day
Affects:        All supported versions of FreeBSD.
Corrected:      2025-12-16 23:39:32 UTC (stable/15, 15.0-STABLE)
                2025-12-16 23:43:01 UTC (releng/15.0, 15.0-RELEASE-p1)
                2025-12-16 23:45:05 UTC (stable/14, 14.3-STABLE)
                2025-12-16 23:43:25 UTC (releng/14.3, 14.3-RELEASE-p7)
                2025-12-16 23:44:10 UTC (stable/13, 13.4-STABLE)
                2025-12-16 23:43:33 UTC (releng/13.5, 13.5-RELEASE-p8)
CVE Name:       CVE-2025-14558

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

rtsold(8) and rtsol(8) are programs which process router advertisement
packets as part of the IPv6 stateless address autoconfiguration (SLAAC)
mechanism.

II. Problem Description

The rtsol(8) and rtsold(8) programs do not validate the domain search list
options provided in router advertisement messages; the option body is passed
to resolvconf(8) unmodified.

resolvconf(8) is a shell script which does not validate its input. A lack of
quoting meant that shell commands passed as input to resolvconf(8) may be
executed.
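
Added example, not part of the advisory and not the FreeBSD fix or code from rtsold(8) or resolvconf(8): one way to check search-list entries against hostname syntax before they are handed to a shell script. The function names, the acceptance policy and the sample inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; not code from rtsold(8), resolvconf(8) or the FreeBSD fix.
# Policy assumed here: a search-list entry is accepted only if it is a plain
# DNS name made of letter/digit/hyphen labels (1-63 bytes), 253 bytes at most.
LC_ALL=C; export LC_ALL        # make the bracket ranges below byte-exact

# Runs in a subshell "( ... )" so the IFS and noglob changes cannot leak out.
is_safe_search_domain() (
    name=${1%.}                          # tolerate one trailing root dot
    [ -n "$name" ] || exit 1
    [ "${#name}" -le 253 ] || exit 1
    case $name in
        *[!A-Za-z0-9.-]*) exit 1 ;;      # spaces, quotes, shell metacharacters
        .*|*..*|*.)       exit 1 ;;      # empty label
    esac
    IFS=.
    set -f                               # no globbing while splitting on dots
    for label in $name; do
        [ "${#label}" -le 63 ] || exit 1
        case $label in -*|*-) exit 1 ;; esac
    done
    exit 0
)

# Print the entries that pass, space separated; report how many were dropped
# without echoing untrusted bytes into the log.
filter_search_list() {
    kept=
    dropped=0
    for entry in "$@"; do
        if is_safe_search_domain "$entry"; then
            kept="${kept:+$kept }${entry%.}"
        else
            dropped=$((dropped + 1))
        fi
    done
    [ "$dropped" -eq 0 ] || echo "dropped $dropped invalid search domain(s)" >&2
    printf '%s\n' "$kept"
}

# Constructed sample input: two well-formed names and two malformed ones.
filter_search_list example.org 'bad;name.example' lab.example.net. '$(x).example'
```

Validation of this kind complements quoting in the consuming script; it does not replace it.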

III. Impact

Systems running rtsol(8) or rtsold(8) are vulnerable to remote code execution
from systems on the same network segment. In particular, router advertisement
messages are not routable and should be dropped by routers, so the attack does
not cross network boundaries.

IV. Workaround

No workaround is available. Users not using IPv6, and IPv6 users that do not
configure the system to accept router advertisement messages, are not affected.
A network interface listed by ifconfig(8) accepts router advertisement messages
if the string "ACCEPT_RTADV" is present in the nd6 option list.
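
Added example, not part of the advisory: a small filter that applies the check described above to ifconfig(8) output and prints the interfaces whose nd6 option list contains ACCEPT_RTADV. The function names and the sample ifconfig output are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: print the interfaces whose nd6 option list contains
# ACCEPT_RTADV. Reads ifconfig(8) output on stdin, so it also works on output
# saved from another host.  Typical use:  ifconfig | rtadv_interfaces
rtadv_interfaces() {
    awk '
        # An interface stanza starts in column 0, e.g. "em0: flags=8863<...>".
        /^[A-Za-z]/ { iface = $1; sub(/:$/, "", iface); next }
        # Option line, e.g. "nd6 options=23<PERFORMNUD,ACCEPT_RTADV,...>".
        $1 == "nd6" {
            lt = index($0, "<"); gt = index($0, ">")
            if (lt == 0 || gt <= lt) next
            n = split(substr($0, lt + 1, gt - lt - 1), opt, ",")
            # Compare whole tokens so a longer flag name can never match.
            for (i = 1; i <= n; i++)
                if (opt[i] == "ACCEPT_RTADV") { print iface; break }
        }
    '
}

# Exit status 0 if at least one interface on stdin accepts router advertisements.
accepts_rtadv() {
    [ -n "$(rtadv_interfaces)" ]
}

# Constructed sample of ifconfig output (not captured from a real host).
sample_ifconfig() {
    printf '%s\n' \
        'em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500' \
        '        inet6 fe80::1%em0 prefixlen 64 scopeid 0x1' \
        '        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>' \
        'em1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500' \
        '        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>' \
        'vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500' \
        '        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>' \
        'lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384' \
        '        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>'
}

sample_ifconfig | rtadv_interfaces
```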

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-25:12/rtsold.patch
# fetch https://security.FreeBSD.org/patches/SA-25:12/rtsold.patch.asc
# gpg --verify rtsold.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI. Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path      Hash            Revision
-------------------------------------------------------------------------
stable/15/       6759fbb1a553    stable/15-n281548
releng/15.0/     408f5c61821f    releng/15.0-n280998
stable/14/       26702912e857    stable/14-n273051
releng/14.3/     3c54b204bf86    releng/14.3-n271454
stable/13/       4fef5819cca9    stable/13-n259643
releng/13.5/     35cee6a90119    releng/13.5-n259186
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14558>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-25:12.rtsold.asc>

FreeBSD Security Advisory FreeBSD-SA-25:11.ipfw

=============================================================================
FreeBSD-SA-25:11.ipfw Security Advisory
The FreeBSD Project

Topic:          ipfw denial of service

Category:       core
Module:         ipfw
Announced:      2025-12-16
Affects:        FreeBSD 13 and 14
Corrected:      2025-11-04 00:52:54 UTC (stable/14, 14.3-STABLE)
                2025-12-16 23:43:24 UTC (releng/14.3, 14.3-RELEASE-p7)
                2025-11-04 00:52:12 UTC (stable/13, 13.5-STABLE)
                2025-12-16 23:43:32 UTC (releng/13.5, 13.5-RELEASE-p8)
CVE Name:       CVE-2025-14769

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

ipfw(4) is one of the firewalls provided in the FreeBSD base system. Its
`tcp-setmss` configuration directive allows the system administrator to lower
the Maximum Segment Size of a packet.

II. Problem Description

In some cases, the `tcp-setmss` handler may free the packet data and throw an
error without halting the rule processing engine. A subsequent rule can then
allow the traffic after the packet data is gone, resulting in a NULL pointer
dereference.

III. Impact

Maliciously crafted packets sent from a remote host may result in a Denial of
Service (DoS) if the `tcp-setmss` directive is used and a subsequent rule would
allow the traffic to pass.

IV. Workaround

No workaround is available, but systems that do not use ipfw(4) with the
`tcp-setmss` directive are not affected.

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 14.3]
# fetch https://security.FreeBSD.org/patches/SA-25:11/ipfw-14.patch
# fetch https://security.FreeBSD.org/patches/SA-25:11/ipfw-14.patch.asc
# gpg --verify ipfw-14.patch.asc

[FreeBSD 13.5]
# fetch https://security.FreeBSD.org/patches/SA-25:11/ipfw-13.patch
# fetch https://security.FreeBSD.org/patches/SA-25:11/ipfw-13.patch.asc
# gpg --verify ipfw-13.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path      Hash            Revision
-------------------------------------------------------------------------
stable/14/       deb684f9d1d6    stable/14-n272799
releng/14.3/     c0cb68169beb    releng/14.3-n271453
stable/13/       94360584542a    stable/13-n259534
releng/13.5/     60026b06366f    releng/13.5-n259185
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284606>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14769>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-25:11.ipfw.asc>

FreeBSD Errata Notice FreeBSD-EN-25:20.vmm

=============================================================================
FreeBSD-EN-25:20.vmm Errata Notice
The FreeBSD Project

Topic:          bhyve(8) PCI passthru regression

Category:       core
Module:         vmm
Announced:      2025-12-16
Affects:        FreeBSD 15.0
Corrected:      2025-12-15 15:47:23 UTC (stable/15, 15.0-STABLE)
                2025-12-16 23:43:00 UTC (releng/15.0, 15.0-RELEASE-p1)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I. Background

vmm(4) is a kernel module which provides an interface to hardware
virtualization capabilities. It is the kernel-side counterpart to bhyve(8).

PCI passthru is a feature of bhyve(8) on amd64 which allows a PCIe device, such
as a network interface or GPU, to be effectively detached from the host system
and passed directly into a guest virtual machine, allowing the guest to control
the physical hardware.

II. Problem Description

Some refactoring of the vmm(4) code introduced a regression in the portion
of the module which creates IOMMU mappings of guest memory.

III. Impact

The bug could cause PCI passthrough to not work as expected.

IV. Workaround

No workaround is available. Users not using bhyve(8) with PCI passthrough are
unaffected.

V. Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r now

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-25:20/vmm.patch
# fetch https://security.FreeBSD.org/patches/EN-25:20/vmm.patch.asc
# gpg --verify vmm.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path      Hash            Revision
-------------------------------------------------------------------------
stable/15/       4f7436bf297b    stable/15-n281529
releng/15.0/     04e9f1aab83a    releng/15.0-n280997
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290920>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:20.vmm.asc>