• Milestone

This is bug-fix release for 1.29.0.

Feature highlights✨:

• Accept .txt import of feed URLs in additional to e.g. OPML
• New CLI for automatic periodic SQLite export with retention
• More feed info: last received date, publication date

Bug fixes highlights 🐛:

• Fix cookies with some browsers
• Fix search in shared user queries with empty results

UI highlights 🖼:

• Improve Web browsers compatibility

This release has been made by @Alkarex, @Frenzie, @IEEE-754, @Inverle, @McFev, @ciro-mota, @cweiske, @polybjorn and newcomer @mzl2233

Full changelog:

• Features
  • Accept .txt import of feed URLs in additional to e.g. OPML #8818, #8837
  • New CLI for automatic periodic SQLite export with retention #8819
  • More feed info: last received date, publication date #8799
• Bug fixing
  • Fix cookies with some browsers #8867
  • Fix search in shared user queries with empty results #8863
  • Fix XML errors with loading invalid OPML in lib_opml library #8652, #8853,
    lib_opml#48, lib_opml#51
  • Fix ensure maximum number of feeds also with Dynamic OPML #8832
  • Fix click mark as read #8817
• UI
  • Improve browser compatibility to keep mobile navigation at the bottom #8833
  • Improve support of older/simpler Web browsers/engines such as SeaMonkey #8810,
    #8811, #8813,
  • Improve Swage theme #8842
  • Rename Nord theme to Nord #8805
  • Replace GIF spinner by CSS spinner #8804, #8812
  • Various UI and style improvements: #8800, #8816,
• I18n
  • Improve Brazilian Portuguese #8846
  • Improve Dutch #8868
  • Improve German #8840
  • Improve Polish #8854
  • Improve Russian #8861
  • Improve Traditional Chinese #8849
• Misc.
  • Update dev dependencies #8858, #8864

I was getting “<XF86AudioPlay> is undefined” in the status bar of Emacs displayed every 2-3 seconds. Nowhere else I noticed any misbehavior or problems, and also couldn’t find any related log entries. It didn’t stop, though didn’t want to reboot my system to see whether that would fix the problem, but it was driving me nuts.

Now, as a starting point I adjusted my sway configuration, to react to the XF86AudioPlay key press event:

bindsym XF86AudioPlay exec playerctl play-pause

After reloading sway, my music player started to play for 2-3 seconds, stopped playing, started again, etc. It wasn’t a Emacs bug, but something indeed seemed to send the XF86AudioPlay key event every 2-3 seconds. It wasn’t my USB keyboard or any stuck key on it, as verified also by unplugging it. So which device was causing this?

libinput from libinput-tools to the rescue:

% sudo libinput debug-events
[...]
-event12  KEYBOARD_KEY                 +0.000s  KEY_PLAYPAUSE (164) pressed
 event12  KEYBOARD_KEY                 +0.000s  KEY_PLAYPAUSE (164) released
 event12  KEYBOARD_KEY                 +2.887s  KEY_PLAYPAUSE (164) pressed
 event12  KEYBOARD_KEY                 +2.887s  KEY_PLAYPAUSE (164) released
 event12  KEYBOARD_KEY                 +5.773s  KEY_PLAYPAUSE (164) pressed
 event12  KEYBOARD_KEY                 +5.774s  KEY_PLAYPAUSE (164) released
[...]

The `event12` device was sending this event, what’s behind this?

% sudo udevadm info /dev/input/event12
P: /devices/pci0000:00/0000:00:1f.3/skl_hda_dsp_generic/sound/card0/input17/event12
M: event12
R: 12
J: c13:76
U: input
D: c 13:76
N: input/event12
L: 0
S: input/by-path/pci-0000:00:1f.3-platform-skl_hda_dsp_generic-event
E: DEVPATH=/devices/pci0000:00/0000:00:1f.3/skl_hda_dsp_generic/sound/card0/input17/event12
E: DEVNAME=/dev/input/event12
E: MAJOR=13
E: MINOR=76
E: SUBSYSTEM=input
E: USEC_INITIALIZED=12468722
E: ID_INPUT=1
E: ID_INPUT_KEY=1
E: ID_INPUT_SWITCH=1
E: ID_PATH=pci-0000:00:1f.3-platform-skl_hda_dsp_generic
E: ID_PATH_TAG=pci-0000_00_1f_3-platform-skl_hda_dsp_generic
E: XKBMODEL=pc105
E: XKBLAYOUT=us
E: XKBOPTIONS=lv3:ralt_switch,compose:rctrl
E: BACKSPACE=guess
E: LIBINPUT_DEVICE_GROUP=0/0/0:ALSA
E: DEVLINKS=/dev/input/by-path/pci-0000:00:1f.3-platform-skl_hda_dsp_generic-event
E: TAGS=:power-switch:
E: CURRENT_TAGS=:power-switch:

% sudo udevadm info -a /dev/input/event12 | grep -iE 'kernels|drivers|name'
    KERNELS=="input17"
    DRIVERS==""
    ATTRS{name}=="sof-hda-dsp Headphone"
    KERNELS=="card0"
    DRIVERS==""
    KERNELS=="skl_hda_dsp_generic"
    DRIVERS=="skl_hda_dsp_generic"
    KERNELS=="0000:00:1f.3"
    DRIVERS=="sof-audio-pci-intel-tgl"
    KERNELS=="pci0000:00"
    DRIVERS==""

Behind this event12 is sof-hda-dsp Headphone, and evtest confirms that:

% sudo evtest
No device specified, trying to scan all of /dev/input/event*
Available devices:
/dev/input/event0:      AT Translated Set 2 keyboard
/dev/input/event1:      Sleep Button
/dev/input/event10:     ThinkPad Extra Buttons
/dev/input/event11:     sof-hda-dsp Mic
/dev/input/event12:     sof-hda-dsp Headphone
/dev/input/event13:     sof-hda-dsp HDMI/DP,pcm=3
/dev/input/event14:     sof-hda-dsp HDMI/DP,pcm=4
/dev/input/event15:     sof-hda-dsp HDMI/DP,pcm=5
/dev/input/event16:     Yubico YubiKey OTP+FIDO+CCID
/dev/input/event17:     Apple Inc. Magic Keyboard with Numeric Keypad
/dev/input/event18:     Apple Inc. Magic Keyboard with Numeric Keypad
[...]
Select the device event number [0-24]: ^C

We can even get further information:

% sudo evtest /dev/input/event12
Input driver version is 1.0.1
Input device ID: bus 0x0 vendor 0x0 product 0x0 version 0x0
Input device name: "sof-hda-dsp Headphone"
Supported events:
  Event type 0 (EV_SYN)
  Event type 1 (EV_KEY)
    Event code 114 (KEY_VOLUMEDOWN)
    Event code 115 (KEY_VOLUMEUP)
    Event code 164 (KEY_PLAYPAUSE)
    Event code 582 (KEY_VOICECOMMAND)
  Event type 5 (EV_SW)
    Event code 2 (SW_HEADPHONE_INSERT) state 0
Properties:
Testing ... (interrupt to exit)
Event: time 1779295060.175766, type 5 (EV_SW), code 2 (SW_HEADPHONE_INSERT), value 1
Event: time 1779295060.175766, -------------- SYN_REPORT ------------
Event: time 1779295061.951168, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295061.951168, -------------- SYN_REPORT ------------
Event: time 1779295061.951194, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295061.951194, -------------- SYN_REPORT ------------
Event: time 1779295064.548671, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295064.548671, -------------- SYN_REPORT ------------
Event: time 1779295064.548689, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295064.548689, -------------- SYN_REPORT ------------
Event: time 1779295067.437172, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295067.437172, -------------- SYN_REPORT ------------
Event: time 1779295067.437187, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295067.437187, -------------- SYN_REPORT ------------
Event: time 1779295070.323775, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295070.323775, -------------- SYN_REPORT ------------
Event: time 1779295070.323790, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295070.323790, -------------- SYN_REPORT ------------
Event: time 1779295073.200350, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295073.200350, -------------- SYN_REPORT ------------
Event: time 1779295073.200373, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295073.200373, -------------- SYN_REPORT ------------
Event: time 1779295076.076228, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295076.076228, -------------- SYN_REPORT ------------
Event: time 1779295076.076250, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295076.076250, -------------- SYN_REPORT ------------
Event: time 1779295078.961740, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295078.961740, -------------- SYN_REPORT ------------
Event: time 1779295078.961754, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295078.961754, -------------- SYN_REPORT ------------
Event: time 1779295081.850156, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295081.850156, -------------- SYN_REPORT ------------
Event: time 1779295081.850175, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295081.850175, -------------- SYN_REPORT ------------
Event: time 1779295083.306612, type 5 (EV_SW), code 2 (SW_HEADPHONE_INSERT), value 0
Event: time 1779295083.306612, -------------- SYN_REPORT ------------

So when I plug in my headphone (see the `SW_HEADPHONE_INSERT` event), the unexpected behavior starts, unplugging stops the problem.
Good! But what was totally unexpected for me: my headphone, being a Beyerdynamic DT-990 Pro, does not have any keys. 8-)

As it turned out, the headphone jack seemed to have been not entirely clean. The analog side of the jack triggers a behavior within the audio codec, where it seems to interpret the fluctuating impedance as a play button of the headset, being pressed, again and again.

I cleaned the jack of my headphone and my XF86AudioPlay problem is gone, case closed.

The DistroWatch news feed is brought to you by TUXEDO COMPUTERS. Red Hat, Inc. has announced the availability of Red Hat Enterprise Linux (RHEL) 10.2 and 9.8, updated builds in RHEL's current and legacy branches: "Red Hat Enterprise Linux (RHEL) 10.2 and 9.8 are here, evolving the operating system from a foundation to a powerful engine for critical applications,....

Following the series of various Linux exploits of the last three weeks, the bug of today is PinTheft [CVE-2026-43494] which is local root privilege escalations.

The vulnerability can be mitigated by unloading and blocking rds modules, linux-vulnerability-mitigation as of 20260519-1 (uploaded to sid, trixie-fastforward-backports and people.debian.org/~daniel) does that automatically for you.

Updates:

• default Debian kernels (bullseye, bookworm, trixie, and testing/unstable, experimental) are not directly affected because autoloading of the rds modules is disabled by rds-Disable-auto-loading-as-mitigation-against-local.patch

• Added references to CVE-2026-43494

In 2025, Apple prevented over $2.2 billion in potentially fraudulent transactions, adding to a total of more than $11.2 billion in the past six years.

5.46.1 (2026-05-20)

🔥 Bug fix

• FK violation publishing self-relation parent & child in one release (#26147)
• move session-manager jwt check from register to bootstrap (#25412)
• admin: remove year 2041 limit on date/datetime pickers (#26209)
• content-manager: fix getMainField context for component list/edit configure views (#25509, #26124)
• database: respect nested sort in populate for join-table relations (#26361)
• graphql: inherit publication state for i18n localizations (#22163)
• migrations: guard inverseJoinColumn access in discard-drafts migration (#26331)
• review-workflows: add assignee and review stage to list view filters (#26171)
• review-workflows: message when single stage (#26229)
• upgrade: use pnpm install when project prefers pnpm (#26246)
• upgrade: align scoped @strapi packages in devDependencies (#26248)

⚙️ Chore

• sonarcloud security review (#25949)
• deps: bump ip-address from 10.1.0 to 10.2.0 (#26222)
• deps: bump @protobufjs/utf8 from 1.1.0 to 1.1.1 (#26311)
• deps: bump axios from 1.15.1 to 1.15.2 (#26177)
• deps: bump fast-xml-builder from 1.1.4 to 1.2.0 (#26253)
• deps: bump fast-uri from 3.0.1 to 3.1.2 (#26254)
• eslint: migrate .eslintrc + .eslintignore to .eslintrc.cjs (#26216)

🚨 Security

• deps: upgrade multiple dependencies (#26326)

❤️ Thank You

• Adrien L @Adzouz
• Andrei L @unrevised6419
• Ben Irvin
• Garrett Heaver @garrettheaver
• jmichalec-vl
• Maksim Zhukau @MaksZhukov
• Simen @Eventyret
• Simon Norris @cache-your-dreams
• Westley Marchment

[0.16.6] - 2026-05-20

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• Added 58 new DNS provider integrations (see dns-update crate for details).
• DNS updater: Log DNS record types and values.
• Sieve: Allow User Sieve scripts to access orcpt.
• MTA: Log when messages are rejected or discarded by the spam classifier.

Changed

• Bump JMAP File Storage to draft-ietf-jmap-filenode-14.
• Accept password hashes with $ or { prefixes as secure secrets.

Fixed

• DAV: acl-principal-prop-set REPORT enforced the wrong privilege.
• JMAP: Thread/get did not filter by per-mailbox ACLs on shared accounts.
• IMAP: UID FETCH N:* could miss messages moved into a SELECTed mailbox by another connection.
• DNS updater:
  • Skip v=spf1 a -all records for apex domains.
  • RFC2136 TSIG: regression related to multiplexer.
  • Route53: Chunk TXT records when they exceed 255 characters.
• ACME:
  • Update defaultCertificateId when renewing a certificate that is currently set as default.
  • Perform DNS-01 authorizations sequentially to avoid race conditions in some DNS providers.
• Allow internal TLDs and special characters in e-mail addresses.
• Websocket: Perform case insensitive matching during upgrade.
• LDAP: Synchronize accounts when expanding mailing list recipients.
• Sieve: replace action adds an extra From header.
• ACL: Orphaned ACL entries for deleted accounts cause JMAP session errors.

---

Check binary attestation here

The Stable channel has been updated to 148.0.7778.178/179 for Windows/Mac  and 148.0.7778.178 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 16 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[N/A][504551032] Critical CVE-2026-9111: Use after free in WebRTC. Reported by Google on 2026-04-20

[N/A][503551154] Critical CVE-2026-9110: Inappropriate implementation in UI. Reported by Google on 2026-04-20

[$11000][489791425] High CVE-2026-9112: Use after free in GPU. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-05

[$3000][489585044] High CVE-2026-9113: Out of bounds read in GPU. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-04

[N/A][495798630] High CVE-2026-9114: Use after free in QUIC. Reported by Google on 2026-03-24

[N/A][495999481] High CVE-2026-9115: Insufficient policy enforcement in Service Worker. Reported by Google on 2026-03-25

[N/A][497436273] High CVE-2026-9116: Insufficient policy enforcement in ServiceWorker. Reported by Google on 2026-03-29

[N/A][497542537] High CVE-2026-9117: Type Confusion in GFX. Reported by Google on 2026-04-01

[N/A][498702233] High CVE-2026-9118: Use after free in XR. Reported by Google on 2026-04-14

[N/A][502661101] High CVE-2026-9119: Heap buffer overflow in WebRTC. Reported by Google on 2026-04-17

[N/A][504620824] High CVE-2026-9120: Use after free in WebRTC. Reported by Google on 2026-04-20

[N/A][496280532] Medium CVE-2026-9126: Use after free in DOM. Reported by Google on 2026-03-25

[TBD][488064108] Medium CVE-2026-9121: Out of bounds read in GPU. Reported by David Korczynski (Adalogics)  on 2026-02-26

[TBD][489579953] Medium CVE-2026-9122: Out of bounds read in GPU. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-04

[N/A][495988507] Medium CVE-2026-9123: Heap buffer overflow in Chromecast. Reported by Google on 2026-03-25

[N/A][496375695] Medium CVE-2026-9124: Insufficient validation of untrusted input in Input. Reported by Google on 2026-03-29

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.

Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

Srinivas Sista

Google Chrome