The6.4.9,6.1.44,5.15.125,5.10.189,5.4.252,4.19.290, and4.14.321stable kernel updates have all been released; they are dominated by fixesfor the latest round ofspeculative-execution vulnerabilities.Do note the warning attached to each of these releases:
Security updates have been issued by Debian (libhtmlcleaner-java and thunderbird), Red Hat (dbus, kernel, kernel-rt, kpatch-patch, and thunderbird), Scientific Linux (thunderbird), SUSE (chromium, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly, kernel-firmware, libqt5-qtbase, libqt5-qtsvg, librsvg, pcre2, perl-Net-Netmask, qt6-base, and thunderbird), and Ubuntu (firefox).
The Linux Containers project hasannounced the addition ofIncus, which is a fork of LXD5.16 started by Aleksa Sarai. Incus was created in response to Canonical's removal of LXD from LinuxContainers.
Return-orientedprogramming (ROP) has, for some years now, been a valuable tool forthose who would subvert a system's security. It is thus not surprisingthat a lot of effort has gone into thwarting ROP attacks, which depend oncorrupting the call stack with a carefully chosen set of return addresses,at both the hardware and software levels. One result of this work isshadow stacks, which can detect corruption of the call stack, allowing theoperating system to react accordingly. The 64-bit Arm implementation ofshadow stacks is called "guarded control stack" (GCS); patches implementingsupport for this feature are currently under discussion.
Security updates have been issued by Debian (burp, chromium, ghostscript, openimageio, pdfcrack, python-werkzeug, thunderbird, and webkit2gtk), Fedora (amanda, libopenmpt, llhttp, samba, seamonkey, and xen), Red Hat (thunderbird), Slackware (mozilla and samba), and SUSE (perl-Net-Netmask, python-Django1, trytond, and virtualbox).
Bram Moolenaar, the creator of the vim editor, passedaway on August3. "Bram dedicated a large part of his life toVIM and he was very proud of the VIM community that you are all partof." He will be missed.
The big kernel lock (BKL) is a distant memory now but, for years, it wasone of the more intractable problems faced by the kernel developmentcommunity. The end of the BKL does not mean that the kernel is withoutproblematic locks, however. In recent times, some attention has been paidto the software-interrupt (or "bottom half") lock, which can create latencyproblems, especially on realtime systems. Frederic Weisbecker is taking anew tack in his campaign to cut this lock down to size, with an approachbased on how the BKL was eventually removed.
Security updates have been issued by CentOS (bind and kernel), Debian (cjose, firefox-esr, ntpsec, and python-django), Fedora (chromium, firefox, librsvg2, and webkitgtk), Red Hat (firefox), Scientific Linux (firefox and openssh), SUSE (go1.20, ImageMagick, javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags, kernel, openssl-1_1, pipewire, python-pip, and xtrans), and Ubuntu (cargo, rust-cargo, cpio, poppler, and xmltooling).
The kernel community has never had a smooth relationship with the purveyorsof proprietary kernel modules. Developers tend to strongly dislike thosemodules, which cannot be debugged or fixed by anybody other than theircreator, and many see them as a violation of the kernel's license and theircopyrights on the code. Nonetheless, proprietary modules are tolerated,within bounds. A recent patch from Christoph Hellwig suggests that thosebounds are about to be tightened slightly, in a somewhat surprising way.
Security updates have been issued by Debian (linux-5.10), Red Hat (.NET 6.0 and iperf3), Slackware (openssl), SUSE (kernel, mariadb, poppler, and python-Django), and Ubuntu (gst-plugins-base1.0, gst-plugins-good1.0, maradns, openjdk-20, and vim).
The Python global interpreter lock (GIL) has long been a barrier toincreasing the performance of programs by using multiple threads-the GILserializes access to the interpreter's virtual machine such that only one threadcan be executing Python code at any given time. There are other mechanismsto provide concurrency for the language, but the specter of the GIL-and its reality aswell-have often been cited as a major negative for Python. Back in October2021, Sam Gross introduceda proof-of-concept, no-GIL version of thelanguage. It was met with a lot of excitement at the time, butseemed to languish to a certain extent for more than a year; now, the PythonSteering Council has announced its intent to accept theno-GIL feature. It will still be some time before it lands in areleased Python version-and there is the possibility that it all has to berolled back at some point-but there are several companies backing theeffort, which gives it all a good chance to succeed.
Google's Project Zero has spent some time studying the Arm memory taggingextension (MTE), support for which wasmerged into the 5.10 kernel, and postedthe results:
The Asahi Linux project, which isworking to create a Linux distribution for Apple hardware, has announcedthat its new "flagship" distribution will be based on Fedora Linux.
Security updates have been issued by Debian (bouncycastle), Fedora (firefox), Red Hat (cjose, curl, iperf3, kernel, kernel-rt, kpatch-patch, libeconf, libxml2, mod_auth_openidc:2.3, openssh, and python-requests), SUSE (firefox, jtidy, libredwg, openssl, salt, SUSE Manager Client Tools, and SUSE Manager Salt Bundle), and Ubuntu (firefox).
Kernel testing is a perennial topic at Linux-related conferences and the KernelCI project is one of the larger testingplayers. It does its own testing but also coordinates with various othertesting systems and aggregates their results. At the2023 EmbeddedOpen Source Summit (EOSS), KernelCI developer Nikolai Kondrashov gave apresentation on the testing framework, its database, and how others can getinvolved in the project. He also had some thoughts on where KernelCI isfalling short of its goals and potential, along with some ideas of ways toimprove it.
Version 2.38 ofthe GNU C Library has been released. This release consists mostly ofrelatively small changes, including improved support for working withbinary integer constants, some new printf() formatting options,libmvec support for 64-bit Arm systems, the strlcpy() andstrlcat() string functions, and more. See the release notesfor the details.
Security updates have been issued by Debian (tiff), Fedora (curl), Red Hat (bind, ghostscript, iperf3, java-1.8.0-ibm, nodejs, nodejs:18, openssh, postgresql:15, and samba), Scientific Linux (iperf3), Slackware (mozilla and seamonkey), SUSE (compat-openssl098, gnuplot, guava, openssl-1_0_0, pipewire, python-requests, qemu, samba, and xmltooling), and Ubuntu (librsvg, openjdk-8, openjdk-lts, openjdk-17, openssh, rabbitmq-server, and webkit2gtk).
Version 29.1 of the Emacs editor has been released. There is a long listof changes, including integration with the Tree-sitterincremental parsing library, the ability to access SQLite databases, "pure GTK" display support (which enables Wayland support), and a lot more; see theNEWS file for all the details.
Version 3.2 of the GNU COBOL compiler is out. "The amount of featuresare too much to note, but you can skip over the attached NEWS file toinvestigate them." These new features include improved support forCOBOL dialects, performance improvements, better GDB debugging support, andmore.
It is well understood that concurrency makes programming problems harder;the high level of concurrency inherent in kernel development is one of thereasons why kernel work can be challenging. Things can get even worse,though, if concurrent access happens in places where the code is notexpecting it. The long story accompanying thisshort patch from Christian Brauner is illustrative of the kind ofproblem that can arise when assumptions about concurrency prove to beincorrect.
The Python Steering Council has announcedits intent to accept PEP703 (Making the Global Interpreter Lock Optional in CPython), withinitial support possibly showing up in the 3.13 release. There are stillsome details to work out, though.
For those who are interested in the gory details of how the StackRot vulnerability works, Ruihan Li hasposted a detailedwriteup of the bug and how it can be exploited.
One of the longstanding strengths of Linux, and a key to its early success,is its ability to interoperate with other systems. That interoperabilityincludes filesystems; Linux supports a wide range of filesystem types,allowing it to mount filesystems created by many other operating systems.Some of those filesystem implementations, though, are better maintainedthan others; developers at both the kernel and distribution levels arecurrently considering, again, how to minimize the security risks presentedby the others.
Systemd 254 has been released. As usual, there is a long list of changes,including a new list-paths command for systemctl, theability to send POSIX signals to services, a "soft reboot" feature thatrestarts user space while leaving the kernel in place, improved support for"confidentialvirtual machines", and a lot more.The announcement also notes the support for split-/usr systemswill be removed in the next release, and support for version-one controlgroups and for SystemV service scripts will be deleted in the nearfuture as well.
The fchmodat()system call on Linux hides a little secret: it does not actually implementall of the functionality that the man page claims (and that POSIXcalls for). As a result, C libraries have to do a bit of a complicatedworkaround to provide the API that applications expect. That situationlooks likely to change with the 6.6 kernel, though, as the result of this patchseries posted by Alexey Gladkov.
The 6.4.7, 6.1.42, 5.15.123, 5.10.188, and 5.4.251 stable kernels have been released. Asusual, they all contain lots of important fixes; users of those seriesshould upgrade.
The U-Boot"universal boot loader" is used extensively in the embedded-Linux world.At the 2023 EmbeddedOpen Source Summit (EOSS), Simon Glass gave a presentation (slides,YouTube video) onthe status of the project, with a focus on new features added over the lastseveral years. He also wanted to talk about complexity in the firmwareworld, which he believes is increasing, and how U-Boot can help manage thatcomplexity. The talk was something of a grab bag of ideas and changesthroughout the increasingly large footprint of the project.
The extensible scheduler class enables thecreation of CPU schedulers in BPF. After the fourthversion of this series was greeted with relative silence, Tejun Heo asked aboutthe status of this work:
There was something of a space theme that pervaded the Embedded LinuxConference (ELC) portion of the 2023 EmbeddedOpen Source Summit (EOSS), which is an umbrella event for varioussub-conferences related to embedded open-source development. That maypartly be because one of the organizers of EOSS (and ELC), Tim Bird,described himself as "a bit of a space junkie"; he made that observationduring a panel session that he led on embedded Linux in space. Bird andfour panelists discussed various aspects of the use of Linux inspace-related systems, including where it has been used, thecharacteristics and challenges of aerospace deployments, certification ofLinux for aerospace use, and more.
Security updates have been issued by Debian (python-git and renderdoc), Red Hat (edk2, kernel, kernel-rt, and kpatch-patch), Slackware (kernel), SUSE (firefox, libcap, openssh, openssl-1_1, python39, and zabbix), and Ubuntu (cinder, ironic, nova, python-glance-store, python-os-brick, frr, graphite-web, and openssh).
Greg Kroah-Hartman has released six new stable kernels to address the Zenbleed vulnerability for AMD processors: 6.4.6, 6.1.41,5.15.122, 5.10.187, 5.4.250, and 4.19.289. "All AMD processor users of the[...] kernel series who have not updated their microcode to the latest version, must upgrade."
Tavis Ormandy reports on a vulnerability that he has found in "all Zen 2 class processors"from AMD. (Wayback Machine link as the original site is overloaded.) It canallow local attackers to recover data used in string operations; "If you remove the first word from the string 'hello world',what should the result be? This is the story of how we discovered that theanswer could be your root password!" The report has lots of details,including an exploit; AMD has released a microcodeupdate to address the problem.
The kernel's address-space layout randomization is intended to make lifeharder for attackers by changing the placement of kernel text and data ateach boot. With this randomization, an attacker cannot know ahead of timewhere a vulnerable target will be found on any given system. There aretechniques, though, that can be effective without knowing precisely where agiven object is stored. As a way of hardening systems against suchattacks, the kernel will be gaining yet another form of randomization.
Version1.3 of the Inkscape drawing editor has been released. "With version1.3 of Inkscape, you'll find improved performance, several new features,and a solid set of improvements to a few existing ones". Changesinclude a new shape-builder tool, a "document resources" dialog for themanagement of drawings, a new pattern editor, and more.
Security updates have been issued by Debian (webkit2gtk), Fedora (curl, dotnet6.0, dotnet7.0, ghostscript, kernel-headers, kernel-tools, libopenmpt, openssh, and samba), Mageia (virtualbox), Red Hat (java-1.8.0-openjdk and java-11-openjdk), and Scientific Linux (java-1.8.0-openjdk and java-11-openjdk).
Linus has released 6.5-rc3 for testing."Things continue to look pretty normal - there's nothing here that wouldseem to stand out, with both the commit counts and the diffs looking prettymuch normal for rc3".Meanwhile, Greg Kroah-Hartman has released the large6.4.5,6.1.40, and5.15.121stable updates; each contains another set of important fixes.
LWN.net