Bugfix Release
Power Profiles (tlp-pd)
- Fix Polkit Authentication Bypass in Profiles Daemon in Version 1.9.0 (CVE-2025-67859)
- Version 1.8.0 and older are not affected
- Ensure that all processes that change the power profile or the daemon's log level are authenticated, either by a desktop user session or as root
- Limit the number of stacked profile holds (tlpctl launch) to 16
- Make profile hold cookies unpredictable, to prevent unrelated users from releasing an active profile hold
Check out the full changelog for a remaining fix!
For information regarding packaging, please refer to https://linrunner.de/tlp/developers/packaging.html.