Security and Fake Security
-
LWN ☛ The mystery of the Mailman 2 CVEs
Many eyebrows were raised recently when three vulnerabilities were announced that allegedly impact GNU Mailman 2.1, since many folks assumed that it was no longer being supported. That's not quite the case. Even though version 3 of the GNU Mailman mailing-list manager has been available since 2015, and version 2 was declared (mostly) end of life (EOL) in 2020, there are still plenty of users and projects using version 2.1.x. There is, as it turns out, a big difference between mostly EOL and actually EOL. For example: WebPros, the company behind the cPanel server and web-site-management platform, still maintains a port of Mailman 2.1.x to Python 3 for its customers and was quick to respond to reports of vulnerabilities. However, the company and the upstream Mailman project dispute that the CVEs are valid.
-
Canonical/Ubuntu Family
-
Ubuntu ☛ CRA compliance: Things IoT manufacturers can no longer do under the CRA (and what to do instead)
In this blog, I’ll give you a thorough overview of common IoT manufacturer and PDE developer practices that need immediate attention, and how to change or improve these practices so that your work and PDEs can keep their place on the EU market with full CRA compliance.
-
PC Perspective ☛ Memory-Safe Sudo-rs To Become Default In Ubuntu 25.10 [Ed: This isn't about safety and likely the exact opposite [1, 2]]
Ubuntu has a fairly large announcement that, while it may not be terribly exciting for many, will help many security specialists sleep better at night. The current Sudo command is vulnerable to several privilege escalation vulnerabilities, stemming from its C and C++ roots. Certain processes can be abused to trigger things like dangling pointers and use-after-free errors which hackers can take advantage of, and Sudo as it exists now does not enforce single ownership. All in all, moving to Sudo-rs is a good step forward in securing one of the major causes of crashes and unauthorized access to Linux based devices.
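The "single ownership" claim in the excerpt above is the one concrete technical point on this page, so here is what it means in practice. The following is an added illustration written for this roundup, not code from sudo-rs, Canonical, or the Trifecta Tech Foundation: a heap-held secret (the kind of thing sudo reads from the terminal) with a single owner, a borrowing reader, a consuming verifier, and a Drop implementation that zeroises the buffer exactly once. The `Secret`, `verify_and_consume` and `demo` names, and the "hunter2" sample value, are assumptions made up for the example; the C pattern in the comment is the generic free-then-use bug class the excerpt refers to, not a specific sudo issue.

```rust
// Added example (not sudo-rs code): how single ownership rules out the
// free-then-use pattern. In C the equivalent bug looks like:
//
//     free(pw);            /* memory released */
//     check(pw->buf);      /* dangling pointer, use-after-free */
//
// In safe Rust the second line cannot be written: once a value is moved,
// the compiler refuses any later use of the old binding (error E0382).
use std::cell::Cell;
use std::rc::Rc;

/// A heap-allocated secret with exactly one owner. The `drops` counter is
/// only there to let the demo prove that Drop ran once and only once.
struct Secret {
    bytes: Vec<u8>,
    drops: Rc<Cell<u32>>,
}

impl Secret {
    fn new(value: &str, drops: Rc<Cell<u32>>) -> Secret {
        Secret { bytes: value.as_bytes().to_vec(), drops }
    }
}

impl Drop for Secret {
    /// Runs automatically when the single owner goes out of scope or the
    /// value is consumed. Zeroises the buffer so the secret does not linger
    /// in freed memory. (Real code would use a volatile/zeroize crate so the
    /// optimiser cannot elide the writes; plain stores suffice for the demo.)
    fn drop(&mut self) {
        for b in self.bytes.iter_mut() {
            *b = 0;
        }
        self.drops.set(self.drops.get() + 1);
    }
}

/// Borrow: read-only access, ownership stays with the caller.
fn length_via_borrow(s: &Secret) -> usize {
    s.bytes.len()
}

/// Move: takes ownership, so the caller's binding is dead afterwards and the
/// secret is dropped (zeroised) when this function returns.
fn verify_and_consume(s: Secret, expected: &[u8]) -> bool {
    s.bytes.as_slice() == expected
} // `s` dropped here, exactly once

/// Returns (verification result, length seen via borrow, number of drops).
pub fn demo() -> (bool, usize, u32) {
    let drops = Rc::new(Cell::new(0));
    let secret = Secret::new("hunter2", Rc::clone(&drops)); // constructed sample

    let n = length_via_borrow(&secret); // borrow: `secret` still usable
    let ok = verify_and_consume(secret, b"hunter2"); // move: ownership gone

    // let again = length_via_borrow(&secret); // compile error E0382:
    //                                          // borrow of moved value

    (ok, n, drops.get())
}

fn main() {
    let (ok, n, d) = demo();
    println!("verified={ok} length={n} drops={d}");
}
```

The point the excerpt gestures at is the last two lines of `demo`: the dangling reference is rejected at compile time rather than found by a fuzzer or an attacker, and the zeroising destructor is tied to ownership, so it cannot run twice (double free) or zero times (leak). What ownership does not do is make new logic correct; a permission check written wrongly in Rust is still wrong.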
-
Web Pro News ☛ Memory-Safe Sudo-rs To Become Default In Ubuntu 25.10 [Ed: New code won't be secure, no matter if it's in Rust or not; the main thing they change at Canonical is 1) the licence (letting code become more proprietary). 2) hosting shifts to the NSA's top partner (PRISM's initiator), Microsoft. Canonical is rapidly losing credibility and it did the same to GNU.]
Canonical is making a major change to Ubuntu, starting with the upcoming Ubuntu 25.10, replacing GNU Coreutils with the Rust-based uutils.
Coreutils has been a core component of most Linux distributions since the beginning, providing many of the most common command-line utilities, including chmod, dir, install, ls, cp, mkdir, mv, and more. Canonical’s Jon Seager announced in March the company’s intention to replace Coreutils with uutils.
-
Update
One more on this:
-
Ubuntu 25.10 Will Default to Rust-Powered sudo-rs
Canonical has announced that the upcoming Ubuntu 25.10 (Questing Quokka) release, scheduled for early October, will be the first major Linux distribution to replace the C‑based sudo implementation with sudo‑rs, a Rust‑based reimplementation developed by the Trifecta Tech Foundation.