Achtung – heute mit erhöhter Verbosity! Neben unserem einjährigem Jubiläum wollen auch zahlreiche kritische Linux-CVEs ausführlich besprochen werden. Vor allem PackageKit, Copy Fail, DirtyFrag, Fragnesia und ssh-keysign-pwn sorgten in den letzten Wochen für reichlich Trubel. Glücklicherweise gibt es mit Ubuntu 26.04 und Fedora 44 auch erfreuliche Neuerscheinungen. Proxmox VE 9.2 und Proxmox Backup Server 4.2 sind erschienen und auch von der Red Hat Summit 2026 gibt es einige interessante Neuerungen. Das allgemeine Vertrauen in GitHub sinkt weiter, in der Diskussion um Altersverifikation gibt es eine positive Entwicklung.

Intro

• Erster SpamAssassin-Commit (GitHub): https://github.com/apache/spamassassin/commit/ba0548fa2d1fce1051d6303e2d425340f8f4d2f7
• Als Festplatten noch riesig waren: Die Quantum Bigfoot wird 30 Jahre alt (c’t Magazin): https://www.heise.de/news/Als-Festplatten-noch-riesig-waren-Die-Quantum-Bigfoot-wird-30-Jahre-alt-11278133.html
• Linux mascot Tux the penguin hits 30 years old (Tom’s Hardware): https://www.tomshardware.com/software/linux/linux-mascot-tux-the-penguin-hits-30-years-old-linus-torvalds-outlined-the-design-of-the-slightly-overweight-penguin-on-may-9-1996

Feedback und Ankündigungen

• GitHub – evilsocket/opensnitch: OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch. (GitHub): https://github.com/evilsocket/opensnitch
• Feedback von Jonas: https://mastodon.art/@jfml/116481272348259534

Ein Jahr Urlaub im Userspace

• HedgeDoc – Ideas grow better together (HedgeDoc – Ideas grow better together): https://hedgedoc.org/
• Studio Link – Professionelle Audio-Over-IP Verbindungen (studio-link.de): https://studio-link.de/
• REAPER | Audio Production Without Limits (www.reaper.fm): https://www.reaper.fm/
• Ultraschall – HighEnd Podcasting für alle (Ultraschall): https://ultraschall.fm/
• 🎙️ MacWhisper (goodsnooze.gumroad.com): https://goodsnooze.gumroad.com/l/macwhisper
• Urlaub im Userspace · OP3: The Open Podcast Prefix Project (op3.dev): https://op3.dev/show/3cbe1652-7e27-44cb-9e60-2f82ef9fd2ab
• E007 – FrOSCon 2025 und ein Jubiläum (Urlaub im Userspace): E007 – FrOSCon 2025 und ein Jubiläum (Urlaub im Userspace): https://user.space/e007-froscon-2025-und-ein-jubilaeum/
• E009 – Interview mit Zendis (Urlaub im Userspace): https://user.space/e009-interview-mit-zendis/
• E011 – 30 Jahre MySQL (Urlaub im Userspace): https://user.space/e011-30-jahre-mysql/
• Auphonic (auphonic.com): https://auphonic.com/
• Readeck: Home (Readeck): Readeck: Home (Readeck): https://readeck.org/
• readeck (PyPI): https://pypi.org/project/readeck/

Follow-Up

• A Linux Hardware Maker is Convincing Colorado to Leave Open Source Alone (It’s FOSS): https://itsfoss.com/news/colorado-age-attestation-bill-open-source-exemption/
• Debian Project Leader Elections 2026 (www.debian.org): https://www.debian.org/vote/2026/vote_001

Aufreger des Monats

• Valve Releases Steam Controller CAD Files Under Creative Commons License (digitalfoundry): https://www.digitalfoundry.net/news/2026/05/valve-releases-steam-controller-cad-files-under-creative-commons-license
• Steam Controller funktioniert jetzt ohne Steam (Notebookcheck): https://www.notebookcheck.com/Steam-Controller-funktioniert-jetzt-ohne-Steam.1298689.0.html
• FSFE warnt: NHS sollte quelloffenen Code nicht depublizieren (Security): https://www.heise.de/news/FSFE-warnt-NHS-sollte-quelloffenen-Code-nicht-depublizieren-11283406.html
• NHS England (GitHub): https://github.com/nhsengland
• Ghostty Is Leaving GitHub (Mitchell Hashimoto): https://mitchellh.com/writing/ghostty-leaving-github
• I know this is ridiculously dramatic, but its the truth: I actually cried writin… | Hacker News (news.ycombinator.com): https://news.ycombinator.com/item?id=47939809
• tangled · tightly-knit social coding (Tangled): https://tangled.org/
• Radicle: the sovereign forge (radicle.dev): https://radicle.dev/

PackageKit-CVE

• Golem (www.golem.de): https://www.golem.de/news/fast-12-jahre-unentdeckt-telekom-deckt-gefaehrliche-root-luecke-in-linux-auf-2604-207963.html
• „Pack2TheRoot“: Sicherheitslücke betrifft mehrere Linux-Distributionen (Security): https://www.heise.de/news/Pack2TheRoot-Sicherheitsluecke-betrifft-mehrere-Linux-Distributionen-11272897.html
• deploy-copyfail-mitigation.playbook.yml (Gist): deploy-copyfail-mitigation.playbook.yml (Gist): https://gist.github.com/mschmitt/d2b0a19034e3247428d5c31091ba7bef

Red Hat Summit-News

• Red Hat Enterprise Linux 10.2 and 9.8 are here: The intelligent evolution of enterprise Linux (www.redhat.com): https://www.redhat.com/en/blog/rhel-102-and-98-intelligent-evolution-enterprise-linux
• Release Notes for Red Hat Enterprise Linux 9.8: (Red Hat Documentation): https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/9.8_release_notes/index
• Release Notes for Red Hat Enterprise Linux 10.2: (Red Hat Documentation): https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/10.2_release_notes/index
• Red Hat Summit Newsroom (www.redhat.com): https://www.redhat.com/en/about/red-hat-summit-newsroom
• Fedora Hummingbird Linux: Neue Container-basierte Distribution (iX Magazin): https://www.heise.de/news/Fedora-Hummingbird-Linux-Neue-Container-basierte-Distribution-11295489.html
• Fedora Hummingbird: Taking the Hummingbird model to the full operating system – Fedora Magazine (Fedora Magazine): https://fedoramagazine.org/fedora-hummingbird-linux-taking-the-hummingbird-model-to-the-full-os/
• Project Hummingbird: Project Hummingbird (Project Hummingbird): https://hummingbird-project.io/
• Red Hat Hardened Images: Red Hat Hardened Images (Hardened Images): https://images.redhat.com/
• Project Bluefin: Bluefin (projectbluefin.io): https://projectbluefin.io/
• E002 – Red Hat Summit 2025 (Urlaub im Userspace): https://user.space/e002-red-hat-summit-2025/
• Red Hat baut Ansible zur Steuerzentrale für KI-Agenten um (iX Magazin): https://www.heise.de/news/Red-Hat-baut-Ansible-zur-Steuerzentrale-fuer-KI-Agenten-um-11293057.html

Zahlreiche Linux-CVEs

• KI Fail, Copy Fail, S/MIME Fail (Passwort – der Podcast von heise security): KI Fail, Copy Fail, S/MIME Fail (Passwort – der Podcast von heise security): https://passwort.podigee.io/57-ki-fail-copy-fail-s-mime-fail
• Copy Fail: 732 Bytes to Root on Linux – Xint (xint.io): https://xint.io/blog/copy-fail-linux-distributions
• deploy-copyfail-mitigation.playbook.yml (Gist): deploy-copyfail-mitigation.playbook.yml (Gist): https://gist.github.com/mschmitt/d2b0a19034e3247428d5c31091ba7bef
• SUSE responds to the copy.fail vulnerability (www.suse.com): https://www.suse.com/c/suse-responds-to-the-copy-fail-vulnerability/
• „Copy Fail“: Linux-root in allen großen Distributionen mit 732 Byte Python (Security): https://www.heise.de/news/Copy-Fail-Linux-root-in-allen-grossen-Distributionen-mit-732-Byte-Python-11277590.html
• Golem (www.golem.de): https://www.golem.de/news/copy-fail-und-die-ki-forscher-patzen-bei-offenlegung-von-linux-luecke-2605-208331.html
• cve-details (access.redhat.com): https://access.redhat.com/security/cve/cve-2026-46300
• GitHub – V4bel/dirtyfrag (GitHub): https://github.com/V4bel/dirtyfrag
• GitHub – V4bel/dirtyfrag (GitHub): Meme collection about dirtyfrag · Issue #38 · V4bel/dirtyfrag (GitHub): https://github.com/V4bel/dirtyfrag/issues/38
• „Dirty Frag“: Linux-Lücken verschaffen root-Rechte (Security): https://www.heise.de/news/Dirty-Frag-Linux-Luecken-verschaffen-root-Rechte-11286691.html
• Golem (www.golem.de): https://www.golem.de/news/dirty-frag-weitere-root-luecke-gefaehrdet-unzaehlige-linux-systeme-2605-208467.html
• Will Dormann (@wdormann@infosec.exchange) (Infosec Exchange): https://infosec.exchange/@wdormann/116556727281568564
• KI Fail, Copy Fail, S/MIME Fail (Passwort – der Podcast von heise security): KI Fail, Copy Fail, S/MIME Fail (Passwort – der Podcast von heise security): https://passwort.podigee.io/57-ki-fail-copy-fail-s-mime-fail
• Yet another Dirty Frag type vulnerability: Fragnesia (LWN.net): https://lwn.net/Articles/1072647/
• Fragnesia Made Public As Latest Linux Local Privilege Escalation Vulnerability (www.phoronix.com): https://www.phoronix.com/news/Linux-Fragnesia
• GitHub – 0xdeadbeefnetwork/ssh-keysign-pwn: Steal SSH host private keys and /etc/shadow via the ptrace_may_access mm-NULL bypass + pidfd_getfd. Pre-31e62c2ebbfd kernels. (GitHub): https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn/
• NVD – CVE-2026-31431 (nvd.nist.gov): https://nvd.nist.gov/vuln/detail/CVE-2026-31431
• Linux 7.0.8 Released & LTS Kernels Updated For ssh-keysign-pwn (www.phoronix.com): https://www.phoronix.com/news/Linux-7.0.8-Released

Proxmox 9.2 und Proxmox Backup Server 4.2

• Proxmox Virtual Environment 9.2 available! (Proxmox Support Forum): https://forum.proxmox.com/threads/proxmox-virtual-environment-9-2-available.183741/
• High Availability (pve.proxmox.com): https://pve.proxmox.com/pve-docs/chapter-ha-manager.html#ha_manager_crs
• Proxmox Backup Server 4.2 released! (Proxmox Support Forum): https://forum.proxmox.com/threads/proxmox-backup-server-4-2-released.183130/
• Erste Testuser für BackupPilot gesucht (Proxmox Support Forum): https://forum.proxmox.com/threads/erste-testuser-für-backuppilot-gesucht.183740/
• Proxmox und Kasm Technologies gehen eine Partnerschaft ein, um sichere Open-Source-VDI- und webbasierte Arbeitsumgebungen anzubieten (Proxmox): https://www.proxmox.com/de/ueber-uns/details-unternehmen/pressemitteilungen/kasm-de
• Proxmox erweitert Storage-Optionen für Enterprise-Kunden mit nativer StorPool Integration (Proxmox): https://www.proxmox.com/de/ueber-uns/details-unternehmen/pressemitteilungen/storpool-de

ProFTPD-CVE

• ProFTPD: Codeschmuggel durch mod_sql möglich (Security): https://www.heise.de/news/ProFTPD-Codeschmuggel-durch-mod-sql-moeglich-11277942.html

Fedora 44

• Linux-Distribution Fedora 44: KDE Plasma und Wayland im Fokus (c’t Magazin): https://www.heise.de/news/Linux-Distribution-Fedora-44-KDE-Plasma-und-Wayland-im-Fokus-11274348.html
• Releases/44/ChangeSet – Fedora Project Wiki (fedoraproject.org): https://fedoraproject.org/wiki/Releases/44/ChangeSet
• E016 – Newsupdate 03/2026: Diskussion um Altersverifikation, Motorola und GrapheneOS, GNOME 50, Snap- und AppArmor-Sicherheitslücken (Urlaub im Userspace): https://user.space/e016-newsupdate-03-2026-diskussion-um-altersverifikation-motorola-und-grapheneos-gnome-50-snap-und-apparmor-sicherheitsluecken/
• E015 – Newsupdate 02/2026: GnuPG-Lücke, Linux 6.19, IPFire DBL, KDE Plasma 6.6, GNOME 50 Beta (Urlaub im Userspace): https://user.space/e015-newsupdate-02-2026-gnupg-lucke-linux-6-19-ipfire-dbl-kde-plasma-6-6-gnome-50-beta

Ubuntu 26.04

• Ubuntu 26.04 (“Resolute Raccoon”) LTS released (Ubuntu Community Hub): https://discourse.ubuntu.com/t/ubuntu-26-04-resolute-raccoon-lts-released/80833
• Update concerning DDoS attack on Canonical and Ubuntu (Ubuntu Discourse): https://discourse.ubuntu.com/t/update-concerning-ddos-attack-on-canonical-and-ubuntu/81482
• Taggart :ifin: (@mttaggart@infosec.exchange) (Infosec Exchange): https://infosec.exchange/@mttaggart/116518022621367937
• Ubuntu Core 26 Released With Live Kernel Patching, Better OTA Updates (www.phoronix.com): https://www.phoronix.com/news/Ubuntu-Core-26
• Ubuntu integriert lokale KI (iX Magazin): https://www.heise.de/news/Ubuntu-integriert-lokale-KI-11276449.html
• ntpd-rs – it’s about time (Ubuntu Discourse): https://discourse.ubuntu.com/t/ntpd-rs-its-about-time/79154
• Golem (www.golem.de): https://www.golem.de/news/linux-ubuntu-setzt-jetzt-mehr-ram-voraus-als-windows-11-2604-207275.html
• The future of AI in Ubuntu (LWN.net): https://lwn.net/Articles/1069944/
• Ubuntu’s “AI Kill Switch” Is Achieved By Removing Snaps, Initially Opt-In (www.phoronix.com): https://www.phoronix.com/news/Ubuntu-AI-Kill-Switch-Opt-In

Patch-Management-News

• Release notes for Uyuni Server (www.uyuni-project.org): https://www.uyuni-project.org/doc/2026.04/release-notes-uyuni-server.html#_version_2026_04
• Refreshed images for Uyuni 2026.04: Ready for deployment (openSUSE Mailing Lists): https://lists.opensuse.org/archives/list/announce@lists.uyuni-project.org/thread/TSFY5KNTFAK2QT6NGUHOQUAT7M4IY376/
• Again refreshed images for Uyuni 2026.04: Ready for deployment (openSUSE Mailing Lists): https://lists.opensuse.org/archives/list/announce@lists.uyuni-project.org/thread/4KN5QG6FBQADEG4QE334KOWPY2UWC4QE/
• Upgrade to 2026.04 fails during upgrade of DB-Container (DB susemanager doesn’t exist) · Issue #11855 · uyuni-project/uyuni (GitHub): https://github.com/uyuni-project/uyuni/issues/11855
• Foreman :: Manual (theforeman.org): https://theforeman.org/manuals/3.19/index.html#Headlinefeatures
• Foreman 5.0 Schedule and Planning (TheForeman): https://community.theforeman.org/t/foreman-5-0-schedule-and-planning/46514
• E010 – Newsupdate 10/2025: Ubuntu 25.10, Python 3.14, Qualcomm kauft Arduino, openSUSE Leap 16, Unruhe bei RubyGems und Framework (Urlaub im Userspace): https://user.space/e010-newsupdate-10-2025-ubuntu-25-10-python-3-14-qualcomm-kauft-arduino-opensuse-leap-16-unruhe-bei-rubygems-und-framework/
• Accelerate innovation and govern integrity with Red Hat Satellite 6.19 (www.redhat.com): https://www.redhat.com/en/blog/accelerate-innovation-and-govern-integrity-red-hat-satellite-619
• Release notes for Red Hat Satellite 6.19 (Red Hat Documentation): https://docs.redhat.com/en/documentation/red_hat_satellite/6.19/html-single/release_notes/index
• orcharhino 7.8 Release Notes (orcharhino): https://orcharhino.com/en/resources/release-notes/orcharhino-7-8/
• 26.04 LTS release notes (Landscape): https://documentation.ubuntu.com/landscape/reference/release-notes/26-04-lts-release-notes/

TEAM PCP strikes again

• TeamPCP-Linked Supply Chain Attack Hits SAP CAP and Cloud MT… (Socket): https://socket.dev/blog/sap-cap-npm-packages-supply-chain-attack
• npm-Wurm Shai-Hulud: Angriff der Klone (Security): https://www.heise.de/news/npm-Wurm-Shai-Hulud-Angriff-der-Klone-11299094.html

Kurznews

• Nach jahrelanger Blockade: Quelloffenes HDMI 2.1 kommt endlich für Linux (heise online): https://www.heise.de/news/Quelloffenes-HDMI-2-1-kommt-endlich-fuer-Linux-11280232.html
• Sovereign Tech Fund invests in KDE (LWN.net): https://lwn.net/Articles/1072565/
• Mastodon: Förderung für Arbeit an verschlüsselten Direktnachrichten und mehr (heise online): https://www.heise.de/news/Mastodon-Foerderung-fuer-Arbeit-an-verschluesselten-Direktnachrichten-und-mehr-11267063.html
• OpenBSD 7.9 (www.openbsd.org): https://www.openbsd.org/79.html
• OpenBSD 7.9 Released With Support For Up To 255 x86_64 CPU Cores, WiFi 6 (www.phoronix.com): https://www.phoronix.com/news/OpenBSD-7.9-Released
• Golem (www.golem.de): https://www.golem.de/news/magnesium-lenovo-aendert-seit-2006-bestehende-konstruktion-des-thinkpad-2604-208203.html

Veranstaltungstipps

• FrOSCon (@FrOSCon@bonn.social) (Bonn.social): https://bonn.social/@FrOSCon/116560295928133582
• Free and Open Source Software Conference (FrOSCon) (betterplace.org): https://www.betterplace.org/de/projects/175478
• E007 – FrOSCon 2025 und ein Jubiläum (Urlaub im Userspace): E007 – FrOSCon 2025 und ein Jubiläum (Urlaub im Userspace): https://user.space/e007-froscon-2025-und-ein-jubilaeum/
  24. Gulaschprogrammiernacht – Entropia (entropia.de): https://entropia.de/GPN24
• openSUSE Conference 2026 (openSUSE Events): https://events.opensuse.org/conferences/oSC26

Tool- und Medientipps

• Unsere Tooltipps: Tooltipps – Urlaub im Userspace (user.space): https://user.space/tooltipps/
• Git-Repository unserer Tooltipps: tooltipps (Codeberg.org): https://codeberg.org/userspace-podcast/tooltipps
• The Virtual OS Museum (The Virtual OS Museum): https://virtualosmuseum.org/
• Auferstanden aus Ruinen (Wartungsfenster): https://wartungsfenster.podigee.io/79-auferstanden-aus-ruinen
• Readeck: Home (Readeck): Readeck: Home (Readeck): https://readeck.org/
• GitHub – jdx/mise: dev tools, env vars, task runner (GitHub): https://github.com/jdx/mise
• GitHub – cedricp/ddt4all: OBD tool (GitHub): https://github.com/cedricp/ddt4all
• Jan Böhmermann – “Trau Dich, fahr elektrisch!” (YouTube): https://www.youtube.com/watch?v=aoFl60t8xr0