LWN.net

Security researcher RyotaKhas shared a series of vulnerabilities that all have to do with how Gitinterfaces with externalcredential managers. In short, while Git guards against newline characters(\n) being injected into a repository's URL, some programming languagesalso treat carriage return characters (\r) as being newlines. Adding acarriage return to a repository's URL can cause Git and the credential managerto disagree on how the URL should be parsed, ultimately resulting in Gitcredentials being sent to the wrong host. Malicious repositories could includeGit submodules with malformed URLs, triggering the bug. Only password-based authenticationwith an external credential manager isvulnerable to this attack; SSH-based authentication remains secure. The Git projecthas chosen to consider this a vulnerability in Git, given the large amount ofexternal software affected. The project has fixed the bug on its end byreleasing updates for all supported versions that bancarriage returns in URLs entirely.Affected software includes GitHub Desktop, Git LFS, and possibly other Git utilities:

Earthstar is a privacy-oriented,offline-first, LGPL-licensed database intended to support distributedapplications. Unlike other distributed storage libraries, itfocuses on providing mutable data with human-meaningful names and modificationtimes, which gives it an interface similar to many non-distributedkey-value databases.Now, the developers are looking at switching to a new synchronizationprotocol - one that is general enough that it might see wider adoption.

Ubuntu will be moving its "official realtime communicationschannels" from IRC to Matrix, beginning March1,2025, followinga discussionon the ubuntu-devel mailing list.

Security updates have been issued by AlmaLinux (bzip2, gimp:2.8, keepalived, mariadb:10.11, mariadb:10.5, python-jinja2, and redis), Debian (iperf3, libtar, and pdns-recursor), Fedora (abseil-cpp, dotnet8.0, dotnet9.0, golang, libsoup3, and vaultwarden), Oracle (gimp:2.8, iperf3, keepalived, kernel, redis:7, and unbound), Red Hat (libsoup), SUSE (amazon-ssm-agent, go1.22, go1.23, iperf, java-21-openjdk, nginx, openvpn, and python311-asteval), and Ubuntu (kernel, libmicrodns, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-azure, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-azure, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-lowlatency, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle-6.8, linux-raspi, linux, linux-azure, linux-gcp, linux-oem-6.11, linux-raspi, linux-realtime, linux, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-oem-6.8, rsync, and tcpreplay).

This year's edition of the Free and OpenSource Software Developers' European Meeting (FOSDEM) begins onFebruary1 in Brussels. The event is widely regarded as one ofthe most important open-source conferences. One of the reasons thatFOSDEM is held in high esteem by the community is its non-commercialnature. It does accept sponsors, butsponsorships come with few perks and no "pay-for-play" speakingslots. Thus, the scheduling of a keynote by JackDorsey-primarily known for his role in co-founding Twitter, andcurrently CEO and chairman of FOSDEM sponsor Block,Inc.-raised eyebrows and led to plans for a protest. Thekeynote has since been removed from the schedule, but there are stilla number of lingering questions.

Security updates have been issued by Debian (git and openjpeg2), Mageia (virtualbox), SUSE (podman), and Ubuntu (clamav, frr, libreoffice, linux-xilinx-zynqmp, and quagga).

The DistroWatchJanuary 27 edition includes this interesting tidbit:

The Go language is designed to make iteasy for developers to import otherGo packages and compile everything into a static binaryfor simple distribution. Unfortunately, this complicates things forthose who package Go programs for Linux distributions, such as Fedora,that have guidelines which require dependencies to be packagedseparately. Fedora's Go special interestgroup (SIG) is asking for relief and a loosening of the bundlingguidelines to allow Go packagers to bundle dependencies into thepackages that need them, otherwise known as vendoring. So far, theparticipants in the discussion have seemed largely in favor of theidea.

Security updates have been issued by AlmaLinux (git-lfs, java-17-openjdk, java-21-openjdk, kernel, and python-jinja2), Debian (git and git-lfs), Fedora (buildah, chromium, containers-common, freeipa, glibc, golang, mediawiki, pam-u2f, podman, and rsync), Mageia (glibc, iperf, openssl, phpmyadmin, and poppler), Oracle (firefox, git-lfs, grafana, java-17-openjdk, java-21-openjdk, kernel, python-jinja2, and redis:6), and SUSE (chromium, go1.22-1.22.11-1.1, go1.23-1.23.5-1.1, go1.24-1.24rc2-1.1, java-11-openjdk, kernel, libopenssl-3-devel, libQt6Bluetooth6, nodejs18, nodejs20, python311-azure-storage-blob, qt6-connectivity, and ruby3.4-rubygem-nokogiri-1.18.2-1.1).

Last year, LWN examined the changes lined up forRust's 2024 edition. Now, with the editionready to be stabilized in February,it's time to look back at the edition process and see what wassuccessfully adopted, which new changes were added, and what still remains towork on. A surprising amount of new work was proposed, implemented, andstabilized during the year.

Security updates have been issued by Debian (chromium and python-django), Fedora (git-lfs and pam-u2f), Mageia (golang), Red Hat (java-11-openjdk with Extended Lifecycle Support, java-17-openjdk, and java-21-openjdk), SUSE (cheat, dante, docker-stable, grafana, and kernel), and Ubuntu (cacti, cyrus-imapd, HTMLDOC, and PCL).

Greg Kroah-Hartman has released the 6.12.11, 6.6.74, 6.1.127, and 5.15.177 stable kernels. They all containimportant fixes, as is the usual case.

A "uretprobe" is a dynamic, user-space tracepoint injected by the kernelinto a running process; this documenttersely describes their use. Among other things, uretprobes are used bythe perf utility to time function calls. The 6.11 kernel saw asignificant change to uretprobes that improved their performance, but thatchange is also creating trouble for some users. The best way to solve theproblem is not entirely clear.

As of this writing, just over 4,300 non-merge changesets have been pulledinto the mainline repository for the 6.14 release. Many of the pullrequests this time around include remarks saying that activity has beenrelatively low this time around, presumably due to the holidays. So those4,300 changesets are probably closer to the merge-window halfway point thanusual. Much of the work merged thus far looks more like incrementalimprovements than major new initiatives, but there still have been a numberof interesting changes in the mix.

Security updates have been issued by AlmaLinux (redis:6), Debian (frr and git-lfs), Fedora (SDL2_sound and webkit2gtk4.0), Gentoo (firefox, GPL Ghostscript, libgsf, libuv, PHP, Qt, QtWebEngine, and Yubico pam-u2f), Mageia (chromium-browser-stable), SUSE (helmfile, nvidia-modprobe, qt6-webengine, ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1, ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1, ruby3.4-rubygem-actiontext-8.0-8.0.1-1.1, ruby3.4-rubygem-actionview-8.0-8.0.1-1.1, ruby3.4-rubygem-activejob-8.0-8.0.1-1.1, ruby3.4-rubygem-activerecord-8.0-8.0.1-1.1, ruby3.4-rubygem-activestorage-8.0-8.0.1-1.1, ruby3.4-rubygem-rails-8.0-8.0.1-1.1, and ruby3.4-rubygem-railties-8.0-8.0.1-1.1), and Ubuntu (bluez, openjpeg2, and python-django).

Inside this week's LWN.net Weekly Edition:

The FreeBSD Foundationhas announced that it has undertaken a project to deliver zero-trustbuilds commissioned by the Sovereign Tech Agency (STA).

The proposal to add a more general facility for string formatting toPython, which we looked at in August 2024,has changed a great deal since, so it merits another look. Thechanges take multiple forms: a new title for PEP750 ("Template Strings"), a different mechanism for creating and using templates,a new Template type to hold them, and several additional authors for the PEP.Meanwhile, one controversial part of the original proposal, lazy evaluationof the interpolated values, has been changed so that it requires anexplicit opt-in (via lambda);template strings are a generalization of f-strings and lazy evaluation was seen by someas a potentially confusing departure from their behavior.

The computer mouse is a wonderful invention, but for the past fewmonths I've been working to use mine as little as possible forproductivity and ergonomic reasons. It should not be surprising thatthere are quite a few open-source applications, utilities, andconfiguration options that are either designed to or incidentallyassist in creating a keyboard-driven desktop. This includes tiling windowmanagement with PaperWM, the Vimium browser extension, Input Remapper, and more.

The Vox Pupuli project hasannounced the first release of OpenVox, a"soft-fork" of the Puppetautomation framework. The intention to fork was announcedin December2024.

Version10.0 of the Wine Windows compatibility layer is out. "This releaserepresents a year of development effort and over 6,000 individualchanges". Those changes include full support for the Arm64ECarchitecture, better high-DPI display support, Wayland enabled by default,and more.

Security updates have been issued by Debian (snapcast), Fedora (python-jinja2), Mageia (rsync), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, gh, kernel, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, nvidia-open-driver-G06-signed, and pam_u2f), and Ubuntu (linux-oem-6.11 and vim).

On January14, Nick Taitannounced the discovery of six vulnerabilities inrsync, the popular file-synchronization tool. While software vulnerabilities arenot uncommon, themost serious one he announced allows for remote code executionon servers that run rsyncd - and possibly other configurations.The bug itself is fairly simple, but this event provides a nice opportunity todig into it, show why it is so serious, and consider waysthe open-source community can prevent such mistakes in thefuture.

The series of singleton stable kernel updates continues with 6.6.73, which reverts three changes that werecausing problems for users of the overlayfs filesystem.

Security updates have been issued by AlmaLinux (grafana), Debian (libebml, poco, redis, sympa, tiff, and ucf), Fedora (rsync), Mageia (dcmtk, git, proftpd, and raptor2), Red Hat (grafana, iperf3, kernel, microcode_ctl, and redis), SUSE (chromium, dhcp, git, libqt5-qtwebkit, and pam_u2f), and Ubuntu (python3.10, python3.8 and python3.12).

The 6.13 development cycle ended on January19 with the releaseof the 6.13 kernel. This cycle was, on its surface, one of the slowest wehave seen in some time; the LWN merge-window summaries (part1, part2) and the KernelNewbies 6.13 pagecan be consulted for a refresher on all it contains. Here, instead, wewill take our usual look at where all of those changes came from.

Version3.2.0 of the Dilloweb browser has been released about a month after its 25thanniversary. Notable new features in 3.2.0 include SVG support formath formulas, optional support for WebP images, and more.

Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, ipa, and NetworkManager), Debian (389-ds-base, busybox, libreoffice, rsync, ruby2.7, tomcat10, and tryton-server), Fedora (chromium and stb), Mageia (openafs and vim), Oracle (.NET 8.0 and .NET 9.0), SUSE (amazon-ssm-agent, chromedriver, git, golang-github-prometheus-prometheus, govulncheck-vulndb, grafana, hplip, pam_u2f, perl-Compress-Raw-Zlib, perl-IO-Compress, redis, redis7, rsync, and velociraptor), and Ubuntu (libpodofo and linux-xilinx-zynqmp).

Linus has releasedthe 6.13 kernel. "So nothing horrible or unexpected happened lastweek, so I've tagged and pushed out the final 6.13 release."Significant features in this release includethe lazy preemption model for CPUscheduling, Arm64 GuardedControl Stack support,the PIDFD_GET_INFO() operation,multi-grainfile timestamps,beginning atomic write support for the ext4and XFS filesystems,the setxattrat(), getxattrat(), listxattrat(),and removexattrat() system calls,privatestacks for BPF programs,anew mechanism for adding guard pages to a memory mapping,the removal of the reiserfs filesystem,and more. See the LWN merge-window summaries (part1, part2) and the KernelNewbies 6.13 pagefor more information.

Version 16.1 of the GDB debugger is out. There are a lot of changes,including watchpoints for tagged data pointers, a new script to print thestack trace of a running process, better Intel Processor Trace support, andmore.

Greg Kroah-Hartman has released the 6.1.126 stable kernel to fix buildfailures with the 6.1.125 stablerelease.

A reminder has gone out that the deadline for proposals for the 2025 LinuxStorage, Filesystem, Memory Management and BPF Summit is February1;anybody wanting to attend will need to make themselves known before then.The reminder also says that there will be no remote participation option(or live streams) this year.

The idea of adding None-aware operators to Python has sprung up onceagain. These would make traversing structures with None values in themeasier, by short-circuiting lookups when a None is encountered. Almostexactly a year ago, LWN covered the previous attempt to bringthe operators to Python, but there have been periodic discussions stretching back to2015 and possibly before. This time Noah Kim has taken up the cause. After some debate, heeventually settled on redrafting the existing PEP to have a more limited scope,which might finally see it move past the cycle of debate, resurrection, and abandonment thatit has been stuck in for most of the last decade.

The6.12.10,6.6.72, and6.1.125 stable kernels have been released onthe expected schedule.

Security updates have been issued by Debian (rsync and tomcat9), Fedora (chromium, mingw-python-jinja2, redict, and valkey), Gentoo (GIMP and pip), Oracle (.NET, fence-agents, ipa, kernel, python-virtualenv, raptor2, and rsync), Red Hat (.NET 8.0 and .NET 9.0), SUSE (apache2-mod_jk, git, git-lfs, kernel, python-Django, thunderbird, and xen), and Ubuntu (audacity, bcel, dotnet8, dotnet9, gimp-dds, harfbuzz, libxml2, poppler, rsync, and tqdm).

The kernel is, on its face, a single large development project, butinternally it is better viewed as 100 or so semi-independent projects allcrammed into one big tent. Within those projects, there is a fair amountof latitude about how changes are managed, and some subsystems are usingthat freedom in the search for more efficient ways of working. In the end,though, all of these sub-projects have to work together and interface withkernel-wide efforts, including the stable-release and CVE-assignmentprocesses. For some time, there has been friction between the directrendering (DRM, or graphics) subsystem and the stable maintainers; thatfriction recently burst into view in a way that shows some of thelimitations of how the kernel community manages patches.

Security updates have been issued by AlmaLinux (fence-agents, raptor2, and rsync), Debian (chromium), Fedora (rsync and seamonkey), Mageia (openjpeg2), Red Hat (tuned), Slackware (git), SUSE (dcmtk, dnsmasq, govulncheck-vulndb, libQtWebKit4, libraptor-devel, opera, python311-Pillow, python311-translate-toolkit, rsync, and SDL2_sound-devel), and Ubuntu (linux-raspi-5.4, neomutt, and python2.7).

Inside this week's LWN.net Weekly Edition:

The Ghostty terminal emulatorproject has generated a surprising amount of interest, even beforecode was released to the public. This is in part due to the highprofile of its creator, HashiCorp founderMitchell Hashimoto. Its development was conducted behind closed doorsfor beta testing, until version1.0 was releasedon December 26 under the MITlicense. While far from finished, Ghostty is ready for day-to-dayuse and might be of interest to those who spend significant amounts oftime at the command line.

Version11.0.0 of the libvirt virtualizationAPI has been released. Notable changes in this release includethe ability to export virtiofs filesystems inread-only mode, the addition of support for vlan tagging and trunkingof network interfaces with the network, qemu, and lxc drivers, as wellas a number of bug fixes.

We have just now received word of the passingof Helen Borrie, a longtime contributor to the Firebird relationaldatabase project.

Linux Mint version22.1, a long-term-support (LTS) release with support until 2029, is nowavailable. Notable changes in this release include a transition to Aptkit for backgroundpackage management tasks, Captain to installDebian packages, and a new default theme with improved Waylandcompatibility. See the release notes forknown issues.

Nick Taitannounced on theoss-security mailing list thatrsync, the widely used file transfer program, had a number of serious vulnerabilities.Users can mitigate all six vulnerabilities by upgrading toversion 3.4.0, which was released on January 14. While all users should upgrade, servers that use rsyncd areespecially impacted:

Security updates have been issued by Arch Linux (rsync), Debian (rsync), Fedora (perl-Net-OAuth and redis), Red Hat (ipa, raptor2, rsync, and tuned), Slackware (rsync), SUSE (apache2-mod_jk, git, kernel, rclone, rsync, and webkit2gtk3), and Ubuntu (git, linux-azure-5.4, pdns, pdns-recursor, python-django, rlottie, and rsync).

The Mastodon project has announcedthat founder Eugen Rochko will be transferring "key Mastodonecosystem and platform components (including name and copyrights,among other assets)" to a new non-profit organization:

TuxFamily is aFrench free-software-hosting service that has been in operation since1999. It is a non-profit that accepts "any projectreleased under a free license", whether that is a software licenseor a free-content license, such as CC-BY-SA. It is also,unfortunately, slowly dying due to hardware failures and lack ofinterest. For example, the site's download servers are currentlyoffline with no plan to restore them.

The ptrace()system call allows a suitably privileged process to modify another in alarge number of ways. Among other things, ptrace() can interceptsystem calls and make changes to them, but such operations can be fiddlyand architecture-dependent. This patch series fromDmitry Levin seeks to improve that situation by adding a newptrace() operation to make changes to another process's systemcalls in an architecture-independent manner.

Security updates have been issued by AlmaLinux (kernel, NetworkManager, and thunderbird), Fedora (golang-github-aws-sdk-2, golang-github-aws-smithy, golang-github-ncw-swift-2, rclone, and thunderbird), Mageia (ceph, firefox, and thunderbird), Oracle (kernel, NetworkManager, and thunderbird), Red Hat (fence-agents and raptor2), SUSE (dpdk, firefox, frr, grafana, operator-sdk, perl-Module-ScanDeps, proftpd, python311-mistune, redis, thunderbird, valkey, and yq), and Ubuntu (hplip and webkit2gtk).

Hans de Goede has posted anupdate about his work to support IPU6 cameras on Fedora andsubmitting fixes upstream.

Chimera Linux is a new distributiondesigned to be "simple, transparent, and easy to pick up". Thedistribution is built from scratch, andrecently announced its first beta release. While the documentation andinstallation process are both a bit rough, the project already provides ausable desktop with plenty of useful software - one built primarily ontools adopted from BSD.