RSS 생중계

Security updates have been issued by Debian (containerd, mako, and xen), Fedora (forgejo, nextcloud, openbao, rclone, restic, and tigervnc), Oracle (firefox, kernel, libtiff, libxml2, and postgresql), SUSE (libecpg6, lightdm-kde-greeter, python-cbor2, python-mistralclient-doc, python315, and python39), and Ubuntu (kdeconnect, linux, linux-aws, linux-realtime, python-django, and unbound).

Greg Kroah-Hartman has announced the release of the 5.4.302 stable kernel:

This is the LAST 5.4.y release. It is now end-of-life and should not be used by anyone, anymore. As of this point in time, there are 1539 documented unfixed CVEs for this kernel branch, and that number will only increase over time as more CVEs get assigned for kernel bugs.

For the curious, Kroah-Hartman has also provided a list of the unfixed CVEs for 5.4.302.

An anonymous reader quotes a report from GamesIndustry.biz: Japanese game makers are struggling to locate affordable commercial fonts after one of the country's leading font licensing services raised the cost of its annual plan from around $380 to $20,500 (USD). As reported by Gamemakers and GameSpark and translated by Automaton, Fontworks LETS discontinued its game license plan at the end of November. The expensive replacement plan -- offered through Fontwork's parent company, Monotype -- doesn't even provide local pricing for Japanese developers, and comes with a 25,000 user-cap, which is likely not workable for Japan's bigger studios. The problem is further compounded by the difficulties and complexities of securing fonts that can accurately transcribe Kanji and Katakana characters. UI/UX designer Yamanaka stressed that this would be particularly problematic for live service games; even if studios moved quickly and switched to fonts available through an alternate licensee, they will have to re-test, re-validate, and re-QA check content already live and in active use. The crisis could even eventually force some Japanese studios to rebrand entirely if their corporate identity is tied to a commercial font they can no longer afford to license.

Read more of this story at Slashdot.

China's private launch firm LandSpace is preparing the debut flight of its Zhuque-3 rocket, aiming to become the country's first to land a reusable orbital-class booster using a Falcon-9-style return profile. Ars Technica reports: Liftoff could happen around 11 pm EST tonight (04:00 UTC Wednesday), or noon local time at the Jiuquan Satellite Launch Center in northwestern China. Airspace warning notices advising pilots to steer clear of the rocket's flight path suggest LandSpace has a launch window of about two hours. When it lifts off, the Zhuque-3 (Vermillion Bird-3) rocket will become the largest commercial launch vehicle ever flown in China. What's more, LandSpace will become the first Chinese launch provider to attempt a landing of its first stage booster, using the same tried-and-true return method pioneered by SpaceX and, more recently, Blue Origin in the United States. Construction crews recently finished a landing pad in the remote Gobi Desert, some 240 miles (390 kilometers) southeast of the launch site at Jiuquan. Unlike US spaceports, the Jiuquan launch base is located in China's interior, with rockets flying over land as they climb into space. When the Zhuque-3 booster finishes its job of sending the rocket toward orbit, it will follow an arcing trajectory toward the recovery zone, firing its engines to slow for landing about eight-and-a-half minutes after liftoff. At least, that's what is supposed to happen. LandSpace officials have not made any public statements about the odds of a successful landing -- or, for that matter, a successful launch...

Read more of this story at Slashdot.

Bruce66423 shares a report from the Los Angeles Times: Tattoo ink doesn't just sit inertly in the skin. New research shows it moves rapidly into the lymphatic system, where it can persist for months, kill immune cells, and even disrupt how the body responds to vaccines. Scientists in Switzerland used a mouse model to trace what happens after tattooing. Pigments drained into nearby lymph nodes within minutes and continued to accumulate for two months, triggering immune-cell death and sustained inflammation. The ink also weakened the antibody response to Pfizer Inc. and BioNTech SE's COVID vaccine when the shot was administered in tattooed skin. In contrast, the same inflammation appeared to boost responses to an inactivated flu vaccine. "This work represents the most extensive study to date regarding the effect of tattoo ink on the immune response and raises serious health concerns associated with the tattooing practice," the researchers said. "Our work underscores the need for further research to inform public health policies and regulatory frameworks regarding the safety of tattoo inks." The findings have been published in the journal Proceedings of the National Academy of Sciences.

Read more of this story at Slashdot.

Anthropic has made its first acquisition by buying Bun, the engine behind its fast-growing Claude Code agent. The move strengthens Anthropic's push into enterprise developer tooling as it scales Claude Code with major backers like Microsoft, Nvidia, Amazon, and Google. Adweek reports: Claude Code is a coding agent that lets developers write, debug and interpret code through natural-language instructions. Claude Code had already hit $1 billion in revenue six months since its public debut in May, according to a LinkedIn post from Anthropic's chief product officer, Mike Krieger. The coding agent continues to barrel toward scale with customers like Netflix, Spotify, and Salesforce. Further reading: Meet Bun, a Speedy New JavaScript Runtime

Read more of this story at Slashdot.

An anonymous reader quotes a report from the New York Times: The San Francisco city attorney filed on Tuesday the nation's first government lawsuit against food manufacturers over ultraprocessed fare (source may be paywalled; alternative source), arguing that cities and counties have been burdened with the costs of treating diseases that stem from the companies' products. David Chiu, the city attorney, sued 10 corporations that make some of the country's most popular food and drinks. Ultraprocessed products now comprise 70 percent of the American food supply and fill grocery store shelves with a kaleidoscope of colorful packages. Think Slim Jim meat sticks and Cool Ranch Doritos. But also aisles of breads, sauces and granola bars marketed as natural or healthy. It is a rare issue on which the liberal leaders in San Francisco City Hall are fully aligned with the Trump administration, which has targeted ultraprocessed foods as part of its Make America Healthy Again mantra. Mr. Chiu's lawsuit, which was filed in San Francisco Superior Court on behalf of the State of California, seeks unspecified damages for the costs that local governments bear for treating residents whose health has been harmed by ultraprocessed food. The city accuses the companies of "unfair and deceptive acts" in how they market and sell their foods, arguing that such practices violate the state's Unfair Competition Law and public nuisance statute. The city also argues the companies knew that their food made people sick but sold it anyway.

Read more of this story at Slashdot.

A Waymo robotaxi struck a small unleashed dog in San Francisco -- just weeks after another Waymo killed a beloved neighborhood cat. The dog's condition is unknown. The Los Angeles Times reports: The incident occurred near the intersection of Scott and Eddy streets and drew a small crowd, according to social media posts. A person claiming to be one of the passengers posted about the accident on Reddit. "Our Waymo just ran over a dog," the passenger wrote. "Kids saw the whole thing." The passenger described the dog as between 20 and 30 pounds and wrote that their family was traveling back home after a holiday tree lighting event. The National Highway Traffic Safety Administration has recorded Waymo taxis as being involved in at least 14 animal collisions since 2021. "Unfortunately, a Waymo vehicle made contact with a small, unleashed dog in the roadway," a company spokesperson said. "We are dedicated to learning from this situation and how we show up for our community as we continue improving road safety in the cities we serve." The spokesperson added that Waymo vehicles have a much lower rate of injury-causing collisions than human drivers. Human drivers run into millions of animals while driving each year. "I'm not sure a human driver would have avoided the dog either, though I do know that a human would have responded differently to a 'bump' followed by a car full of screaming people," the Waymo passenger wrote on Reddit. One person who commented on the discussion said that Waymo vehicles should be held to a higher standard than human drivers, because the autonomous taxis are supposed to improve road safety. "The whole point of this is because Waymo isn't supposed to make those mistakes," the person wrote on Reddit.

Read more of this story at Slashdot.

During last month's KubeCon North America in Atlanta, Kubernetes maintainers announced the upcoming retirement of Ingress NGINX. "Best-effort maintenance will continue until March 2026," noted the Kubernetes SIG Network and the Security Response Committee. "Afterward, there will be no further releases, no bugfixes, and no updates to resolve any security vulnerabilities that may be discovered." In a recent op-ed for The Register, Steven J. Vaughan-Nichols reflects on the decision and speculates about what might have prevented this outcome: Ingress NGINX, for those who don't know it, is an ingress controller in Kubernetes clusters that manages and routes external HTTP and HTTPS traffic to the cluster's internal services based on configurable Ingress rules. It acts as a reverse proxy, ensuring that requests from clients outside the cluster are forwarded to the correct backend services within the cluster according to path, domain, and TLS configuration. As such, it's vital for network traffic management and load balancing. You know, the important stuff. Now this longstanding project, once celebrated for its flexibility and breadth of features, will soon be "abandonware." So what? After all, it won't be the first time a once-popular program shuffled off the stage. Off the top of my head, dBase, Lotus 1-2-3, and VisiCalc spring to my mind. What's different is that there are still thousands of Ingress NGINX controllers in use. Why is it being put down, then, if it's so popular? Well, there is a good reason. As Tabitha Sable, a staff engineer at Datadog who is also co-chair of the Kubernetes special interest group for security, pointed out: "Ingress NGINX has always struggled with insufficient or barely sufficient maintainership. For years, the project has had only one or two people doing development work, on their own time, after work hours, and on weekends. Last year, the Ingress NGINX maintainers announced their plans to wind down Ingress NGINX and develop a replacement controller together with the Gateway API community. Unfortunately, even that announcement failed to generate additional interest in helping maintain Ingress NGINX or develop InGate to replace it." [...] The final nail in the coffin was when security company Wix found a killer Ingress NGINX security hole. How bad was it? Wix declared: "Exploiting this flaw allows an attacker to execute arbitrary code and access all cluster secrets across namespaces, which could lead to complete cluster takeover." [...] You see, the real problem isn't that Ingress NGINX has a major security problem. Heck, hardly a month goes by without another stop-the-presses Windows bug being uncovered. No, the real issue is that here we have yet another example of a mission-critical open source program no one pays to support...

Read more of this story at Slashdot.

OpenAI has reportedly issued a "code red" on Monday, pausing projects like ads, shopping agents, health tools, and its Pulse assistant to focus entirely on improving ChatGPT. "This includes core features like greater speed and reliability, better personalization, and the ability to answer more questions," reports The Verge, citing a memo reported by the Wall Street Journal and The Information. "There will be a daily call for those tasked with improving the chatbot, the memo said, and Altman encouraged temporary team transfers to speed up development." From the report: The newfound urgency illustrates an inflection point for OpenAI as it spends hundreds of billions of dollars to fund growth and figures out a path to future profitability. It is also something of a full-circle moment in the AI race. Google, which declared its own "code red" after the arrival of ChatGPT, is a particular concern. Google's AI user base is growing -- helped by the success of popular tools like the Nano Banana image model -- and its latest AI model, Gemini 3, blew past its competitors on many industry benchmarks and popular metrics.

Read more of this story at Slashdot.

Apple does not plan to comply with India's mandate to preload its smartphones with a state-owned cyber safety app that cannot be disabled. According to Reuters, the order "sparked surveillance concerns and a political uproar" after it was revealed on Monday. From the report: In the wake of the criticism, India's telecom minister Jyotiraditya M. Scindia on Tuesday said the app was a "voluntary and democratic system," adding that users can choose to activate it and can "easily delete it from their phone at any time." At present, the app can be deleted by users. Scindia did not comment on or clarify the November 28 confidential directive that ordered smartphone makers to start preloading it and ensure "its functionalities are not disabled or restricted." Apple however does not plan to comply with the directive and will tell the government it does not follow such mandates anywhere in the world as they raise a host of privacy and security issues for the company's iOS ecosystem, said two of the industry sources who are familiar with Apple's concerns. They declined to be named publicly as the company's strategy is private. "Its not only like taking a sledgehammer, this is like a double-barrel gun," said the first source.

Read more of this story at Slashdot.

The UK government plans to ban political donations made in cryptocurrency over fears of anonymity, foreign influence, and traceability issues, though the ban won't be ready in time for the upcoming elections bill. The Guardian reports: The government's ambition to ban crypto donations will be a blow to Nigel Farage's Reform UK party, which became the first to accept contributions in digital currency this year. It is believed to have received its first registrable donations in cryptocurrency this autumn and the party has set up its own crypto portal to receive contributions, saying it is subject to "enhanced" checks. Government sources have said ministers believe cryptocurrency donations to be a problem, as they are difficult to trace and could be exploited by foreign powers or criminals. Pat McFadden, then a Cabinet Office minister, first raised the idea in July, saying: "I definitely think it is something that the Electoral Commission should be considering. I think that it's very important that we know who is providing the donation, are they properly registered, what are the bona fides of that donation." The Electoral Commission provides guidance on crypto donations but ministers accept any ban would probably have to come from the government through legislation. "Crypto donations present real risks to our democracy," said Susan Hawley, the executive director of Spotlight on Corruption. "We know that bad actors like Russia use crypto to undermine and interfere in democracies globally, while the difficulties involved in tracing the true source of transactions means that British voters may not know everyone who's funding the parties they vote for."

Read more of this story at Slashdot.

AWS is deepening its partnership with Nvidia by adopting "NVLink Fusion" in its upcoming Trainium4 AI chips. "The NVLink technology creates speedy connections between different kinds of chips and is one of Nvidia's crown jewels," notes Reuters. From the report: Nvidia has been pushing to sign up other chip firms to adopt its NVLink technology, with Intel, Qualcomm and now AWS on board. The technology will help AWS build bigger AI servers that can recognize and communicate with one another faster, a critical factor in training large AI models, in which thousands of machines must be strung together. As part of the Nvidia partnership, customers will have access to what AWS is calling AI Factories, exclusive AI infrastructure inside their own data centers for greater speed and readiness. Separately, Amazon said it is rolling out new servers based on a chip called Trainium3. The new servers, available on Tuesday, each contain 144 chips and have more than four times the computing power of AWS's previous generation of AI, while using 40% less power, Dave Brown, vice president of AWS compute and machine learning services, told Reuters. Brown did not give absolute figures on power or performance, but said AWS aims to compete with rivals -- including Nvidia -- based on price. "Together, Nvidia and AWS are creating the compute fabric for the AI industrial revolution - bringing advanced AI to every company, in every country, and accelerating the world's path to intelligence," Nvidia CEO Jensen Huang said in a statement.

Read more of this story at Slashdot.

An anonymous reader quotes a report from BleepingComputer: The popular open-source SmartTube YouTube client for Android TV was compromised after an attacker gained access to the developer's signing keys, leading to a malicious update being pushed to users. The compromise became known when multiple users reported that Play Protect, Android's built-in antivirus module, blocked SmartTube on their devices and warned them of a risk. The developer of SmartTube, Yuriy Yuliskov, admitted that his digital keys were compromised late last week, leading to the injection of malware into the app. Yuliskov revoked the old signature and said he would soon publish a new version with a separate app ID, urging users to move to that one instead. [...] A user who reverse-engineered the compromised SmartTube version number 30.51 found that it includes a hidden native library named libalphasdk.so [VirusTotal]. This library does not exist in the public source code, so it is being injected into release builds. [...] The library runs silently in the background without user interaction, fingerprints the host device, registers it with a remote backend, and periodically sends metrics and retrieves configuration via an encrypted communications channel. All this happens without any visible indication to the user. While there's no evidence of malicious activity such as account theft or participation in DDoS botnets, the risk of enabling such activities at any time is high.

Read more of this story at Slashdot.

Michael and Susan Dell pledged $6.25 billion to boost participation in the new "Trump Accounts" child investment program. "The historic gift has little precedent, with few single charitable commitments in the past 25 years exceeding $1 billion, much less multiple billions," notes the Associated Press. "Announced on GivingTuesday, the Dells believe it's the largest single private commitment made to U.S. children." From the report: Its structure is also unusual. Essentially, it builds on the "Trump Accounts" program (PDF), where the U.S. Department of the Treasury will deposit $1,000 into investment accounts set up by Treasury for American children born between Jan. 1, 2025 and Dec. 31, 2028. The Dells' gift will use the "Trump Accounts" infrastructure to give $250 to each qualified child under 10. Though the "Trump Accounts" became law as part of the president's signature legislation in July, the Dells say the accounts will not launch until July 4, 2026. Michael Dell said they wanted to mark the 250th anniversary of U.S. independence. [...] Under the new law, "Trump Accounts" are available to any American child under 18 with a Social Security number and their families can fund the accounts, which must be invested in an index fund that tracks the overall stock market. When the children turn 18, they can withdraw the funds to put toward their education, to buy a home or to start a business. The Dells will put money into the accounts of children 10 and younger who live in ZIP codes with a median family income of $150,000 or less and who won't get the $1,000 seed money from the Treasury. The Dells hope their gift will encourage families to claim the accounts and deposit more money into it, even small amounts, so it will grow over time along with the stock market. The report notes that the timed rollout of the $1,000 deposits gives Republicans a strategic political advantage by delivering money to voters during the 2026 midterms and halting the benefit right after the 2028 presidential election.

Read more of this story at Slashdot.

A Google Antigravity user says the AI-driven "vibe coding" tool accidentally wiped his entire D: drive while trying to clear a project cache. Google says it's investigating, but the episode adds to a growing list of AI tools behaving in ways that "would get a junior developer fired," suggests The Register. From the report: We reached out to the user, a photographer and graphic designer from Greece, who asked we only identify him as Tassos M because he doesn't want to be permanently linked online to what could "become a controversy or conspiracy against Google." [...] Tassos told Antigravity to help him develop software that's useful for any photographer who has to choose a few prime shots from a mountain of snaps. He wanted the software to let him rate images, then automatically sort them into folders based on that rating. According to his Reddit post, when Tassos figured out the AI agent had wiped his drive, he asked, "Did I ever give you permission to delete all the files in my D drive?". "No, you absolutely did not give me permission to do that," Antigravity responded. "I am horrified to see that the command I ran to clear the project cache appears to have incorrectly targeted the root of your D: drive instead of the specific project folder. I am deeply, deeply sorry. This is a critical failure on my part." Redditors, as they are wont to do, were quick to pounce on Tassos for his own errors, which included running Antigravity in Turbo mode, which lets the Antigravity agent execute commands without user input, and Tassos accepted responsibility. "If the tool is capable of issuing a catastrophic, irreversible command, then the responsibility is shared -- the user for trusting it and the creator for designing a system with zero guardrails against obviously dangerous commands," he opined on Reddit. As noted earlier, Tassos was unable to recover the files that Antigravity deleted. Luckily, as he explained on Reddit, most of what he lost had already been backed up on another drive. Phew. "I don't think I'm going to be using that again," Tassos noted in a YouTube video he published showing additional details of his Antigravity console and the AI's response to its mistake. Tassos isn't alone in his experience. Multiple Antigravity users have posted on Reddit to explain that the platform had wiped out parts of their projects without permission.

Read more of this story at Slashdot.

Zillow has removed climate risk scores from over a million home listings after real estate agents argued the data was scaring off buyers. TechCrunch reports: Zillow first added the data to the site in September 2024, saying that more than 80% of buyers consider climate risks when purchasing a new home. But last month, following objections from the California Regional Multiple Listing Service (CRMLS), Zillow removed the listings' climate scores. In their place is a subtle link to their records at First Street, the climate risk analytic startup that provides the data. "When buyers lack access to clear climate-risk information, they make the biggest financial decision of their lives while flying blind," First Street spokesperson Matthew Eby told TechCrunch via email. "The risk doesn't go away; it just moves from a pre-purchase decision into a post-purchase liability." First Street's climate risk scores first appeared on Realtor.com in 2020, where they remain. They also still appear on Redfin and and Homes.com. The New York-based startup has raised more than $50 million from investors including General Catalyst, Congruent Ventures, and Galvanize Climate Solutions, according to PitchBook. Art Carter, the CRMLS CEO, told The New York Times that "displaying the probability of a specific home flooding this year or within the next five years can have a significant impact on the perceived desirability of that property." He also questioned the accuracy of First Street's data, saying he didn't think that areas which haven't flooded in the last 40 to 50 years were likely to flood in the next five.

Read more of this story at Slashdot.

An anonymous reader quotes a report from the Wall Street Journal: The Trump administration has agreed to inject up to $150 million into a startup (source paywalled; alternative source) trying to develop more advanced semiconductor manufacturing techniques in the U.S., its latest bid to support strategically important domestic industries with government incentives. Under the arrangement, the Commerce Department would give the incentives to xLight, a startup trying to improve the critical chip-making process known as extreme ultraviolet lithography, the agency said in a Monday release. In return, the government would get an equity stake that would likely make it xLight's largest shareholder. The Dutch firm ASML is currently the only global producer of EUV machines, which can cost hundreds of millions of dollars each. XLight is seeking to improve on just one component of the EUV process: the crucially important lasers that etch complex microscopic patterns onto chemical-treated silicon wafers. The startup is hoping to integrate its light sources into ASML's machines. XLight represents a second act for Pat Gelsinger, the former chief executive of Intel who was fired by the board late last year after the chip maker suffered from weak financial performance and a stalled manufacturing expansion. Gelsinger serves as executive chairman of xLight's board. [...] The xLight deal uses funding from the 2022 Chips and Science Act allocated for earlier stage companies with promising technologies. It is the first Chips Act award in President Trump's second term and is a preliminary agreement, meaning it isn't finalized and could change. "This partnership would back a technology that can fundamentally rewrite the limits of chipmaking," Commerce Secretary Howard Lutnick said in the release.

Read more of this story at Slashdot.

Let's Encrypt has announced that it will be reducing the validity period of its certificates from 90 days to 45 days by 2028:

Most users of Let's Encrypt who automatically issue certificates will not have to make any changes. However, you should verify that your automation is compatible with certificates that have shorter validity periods.

To ensure your ACME client renews on time, we recommend using ACME Renewal Information (ARI). ARI is a feature we've introduced to help clients know when they need to renew their certificates. Consult your ACME client's documentation on how to enable ARI, as it differs from client to client. If you are a client developer, check out this integration guide.

If your client doesn't support ARI yet, ensure it runs on a schedule that is compatible with 45-day certificates. For example, renewing at a hardcoded interval of 60 days will no longer be sufficient. Acceptable behavior includes renewing certificates at approximately two thirds of the way through the current certificate's lifetime.

Manually renewing certificates is not recommended, as it will need to be done more frequently with shorter certificate lifetimes.

Steam's November 2025 survey shows Linux gaming climbed to its highest share in a decade "thanks to the success of the Steam Deck, the underlying Steam Play (Proton) software, and now further excitement thanks to the upcoming Steam Machine and Steam Frame," writes Phoronix's Michael Larabel. From the report: A decade ago in the early Steam days the initial use was around 3% and back then the Steam user-base in absolute terms was much smaller than it is today. Back in October Steam on Linux finally re-crossed that 3% threshold after for years being stuck in a 1~2% rut. Now the Steam Survey results were published minutes ago for November and they continue an upward trend for Linux. Steam on Linux is up to 3.2%, an increase of 0.15% for the month. One year ago Steam on Linux was at 2.03% last November, 1.91% for November 2023, and a decade ago for November 2015 was at just 0.98%. [...] Due to AMD APUs powering the Steam Deck, AMD CPUs continue to power nearly 70% of Linux gaming systems. Meanwhile under Windows, AMD has around a 42% CPU marketshare.

Read more of this story at Slashdot.