Security updates have been issued by Debian (sogo), Fedora (libvirt), Gentoo (polkit), Mageia (binutils, freeradius, guile1.8, kernel, kernel-linus, libgrss, mediawiki, mosquitto, php-phpmailer, and webmin), openSUSE (bluez and jdom2), Oracle (kernel and xstream), Scientific Linux (xstream), and SUSE (kernel and python-pip).
The 5.14 merge window closed with the 5.14-rc1 release on July 11. By that time, some 12,981 non-merge changesets had been pulled into the mainline repository; nearly 8,000 of those arrived after the first LWN 5.14 merge-window summary was written. This merge window has thus seen fewer commits than its predecessor, which saw 14,231 changesets before the 5.13-rc1 release. That said, there is still a lot of interesting work that has found its way into the kernel this time around.
Version 4.3 of the Solus "home computing" distribution has been released. "This release delivers new desktop environment updates, software stacks, and hardware enablement."
The 5.12.16, 5.10.49, 5.4.131, 4.19.197, 4.14.239, 4.9.275, and 4.4.275 stable kernels have been released. Each contains a relatively small set of important fixes.
The Tor project, which provides tools for internet privacy and anonymity, has announced a rewrite of the Tor protocols in Rust, called Arti. It is not ready for prime time, yet, but based on a grant from Zcash Open Major Grants (ZOMG), significant work is ongoing; the plan is "to try bring Arti to a production-quality client implementation over the next year and a half". The C implementation is not going away anytime soon, but the idea is that Arti will eventually supplant it. The project sees a number of benefits from using Rust, including:
Computing devices are wonderful; they surely must be, since so many of us have so many of them. The proliferation of computers leads directly to a familiar problem, though: the files we want are always on the wrong machine. One solution is synchronization services that keep a set of files up to date across a multitude of machines; a number of companies have created successful commercial offerings based on such services. Some of us, though, are stubbornly resistant to the idea of placing our data in the hands of corporations and their proprietary systems. For those of us who would rather stay in control of our data, systems like Syncthing offer a possible solution.
Security updates have been issued by Debian (apache2 and scilab), Fedora (chromium and perl-Mojolicious), Gentoo (inspircd, redis, and wireshark), and Mageia (fluidsynth, glib2.0, gnome-shell, grub2, gupnp, hivex, libupnp, redis, and zstd).
While it has often been said that there is no such thing as bad publicity, the new owners of the Audacity audio-editor project may beg to differ. The project has only recently weathered the controversies around its acquisition by the Muse Group, proposed telemetry features, and imposition of a new license agreement on its contributors. Now, the posting of a new privacy policy has set off a new round of criticism, with some accusing the project of planning to ship spyware. The situation with Audacity is not remotely as bad as it has been portrayed, but it is a lesson on what can happen when a project loses the trust of its user community.
Security updates have been issued by CentOS (linuxptp), Fedora (kernel and php), Gentoo (bladeenc, blktrace, jinja, mechanize, privoxy, and rclone), Oracle (linuxptp, ruby:2.6, and ruby:2.7), Red Hat (kernel and kpatch-patch), SUSE (kubevirt), and Ubuntu (avahi).
On July 4, the Rust for Linux project posted another version of its patch set adding support for the language to the kernel. It would seem that the project feels that it is ready to be considered for merging into the mainline. Perhaps a bigger question lingers, though: is the kernel development community ready for Rust? That part still seems to be up in the air.
Sasha Levin has released stable kernels 5.13.1, 5.12.15, 5.10.48, and 5.4.130. They all contain a small set of important fixes and users should upgrade.
Security updates have been issued by Fedora (glibc), Gentoo (doas, firefox, glib, schismtracker, and tpm2-tss), Mageia (httpcomponents-client), openSUSE (virtualbox), Red Hat (linuxptp), Scientific Linux (linuxptp), and Ubuntu (libuv1 and php7.2, php7.4).
A discussion on the python-ideas mailing list touched on a number of interesting topics, from the problems with misspelled attribute names through the design of security-sensitive interfaces and to the use of the __slots__ attribute of objects. The latter may not be all that well-known (or well-documented), but could potentially fix the problem at hand, though not in a backward-compatible way. The conversation revolves around the ssl module in the standard library, which has been targeted for upgrades, more than once, over the years—with luck, the maintainers may find time for some upgrades relatively soon.
The Virtuozzo team has announced the release of VzLinux 8.4, its fork of RHEL. "Thanks for noticing that we are fixing bugs so quickly (24 hours) and that you think VzLinux is stable and enterprise ready. To those who have asked if we will be following a similar path as CentOS, shifting its focus to Stream, the answer is: there are no plans for us to go this route, VzLinux will remain free to download, use and distribute." See the release notes for details.
Security updates have been issued by Arch Linux (python-django), Debian (libuv1, libxstream-java, and php7.3), Fedora (rabbitmq-server), Gentoo (glibc, google-chrome, libxml2, and postsrsd), openSUSE (libqt5-qtwebengine and roundcubemail), SUSE (python-rsa), and Ubuntu (djvulibre).
The addition of system calls to the Linux kernel is a routine affair; it happens during almost every merge window. The removal of system calls, instead, is much more uncommon. That appears likely to happen soon, though, as discussions proceed on the removal of bdflush(). Read on for a look at the purpose and history of this obscure system call and to learn whether you will miss it (you won't).
Security updates have been issued by Arch Linux (electron11, electron12, istio, jenkins, libtpms, mediawiki, mruby, opera, puppet, and python-fastapi), Debian (djvulibre and openexr), Fedora (dovecot, libtpms, nginx, and php-league-flysystem), Gentoo (corosync, freeimage, graphviz, and libqb), Mageia (busybox, file-roller, live, networkmanager, and php), openSUSE (clamav-database, lua53, and roundcubemail), Oracle (389-ds:1.4, kernel, libxml2, python38:3.8 and python38-devel:3.8, and ruby:2.5), and SUSE (crmsh, djvulibre, python-py, and python-rsa).
Version 3.6 of the Darktable raw photo editor has been released. "The darktable team is proud to announce our second summer feature release, darktable 3.6. Merry (summer) Christmas! This is the first of two releases this year and, from here on, we intend to issue two new feature releases each year, around the summer and winter solstices." The list of new features is long, including a new color-balance module, a "censorize" module for partial pixelization of images, a new demosaic algorithm, and more.
As of this writing, just under 5,000 non-merge changesets have been pulled into the mainline repository for the 5.14 development cycle. That is less than half of the patches that have been queued up in linux-next, so it is fair to say that this merge window is getting off to a bit of a slow start. Nonetheless, a fair number of significant changes have been merged.
Security updates have been issued by Fedora (ansible and seamonkey), openSUSE (go1.15 and opera), Oracle (kernel and microcode_ctl), and Red Hat (go-toolset-1.15 and go-toolset-1.15-golang).
The core scheduling feature has been under discussion for over three years. For those who need it, the wait is over at last; core scheduling was merged for the 5.14 kernel release. Now that this work has reached a (presumably) final form, a look at why this feature makes sense and how it works is warranted. Core scheduling is not for everybody, but it may prove to be quite useful for some user communities.
Security updates have been issued by Debian (htmldoc, ipmitool, and node-bl), Fedora (libgcrypt and libtpms), Mageia (dhcp, glibc, p7zip, sqlite3, systemd, and thunar), openSUSE (arpwatch, go1.15, and kernel), SUSE (curl, dbus-1, go1.15, and qemu), and Ubuntu (xorg-server).
A new project from Mozilla, which is meant to help researchers collect browsing data, but only with the informed consent of the browser user, is taking a lot of heat, perhaps in part because the company can never seem to do anything right, at least in the eyes of some. Mozilla Rally was announced on June 25 as a joint venture between the company and researchers at Princeton University "to enable crowdsourced science for public good". The idea is that users can volunteer to give academic studies access to the same kinds of browser data that is being tracked in some browsers today. Whether the privacy safeguards are strong enough—and if there is sufficient reason for users to sign up—remains to be seen.
Stable kernels 5.12.14, 5.10.47, 5.4.129, 4.19.196, 4.14.238, 4.9.274, and 4.4.274 have been released. They all contain important fixes and users should upgrade.
Security updates have been issued by Debian (fluidsynth), Fedora (libgcrypt and tpm2-tools), Mageia (nettle, nginx, openvpn, and re2c), openSUSE (kernel, roundcubemail, and tor), Oracle (edk2, lz4, and rpm), Red Hat (389-ds:1.4, edk2, fwupd, kernel, kernel-rt, libxml2, lz4, python38:3.8 and python38-devel:3.8, rpm, ruby:2.5, ruby:2.6, and ruby:2.7), and SUSE (kernel and lua53).
Over at the Project Zero blog, Felix Wilhelm posted a lengthy account of a vulnerability he found in the Linux kernel's KVM (Kernel-based virtual machine) subsystem:
Embedded devices need regular software updates in order to even be minimally safe on today's internet. Products that have reached their "end of life", thus are no longer being updated, are essentially ticking time bombs—it is only a matter of time before they are vulnerable to attack. That situation played out in June for owners of Western Digital (WD) My Book Live network-attached storage (NAS) devices; what was meant to be a disk for home users accessible via the internet turned into a black hole when a remote command-execution flaw was used to delete all of the data stored there. Or so it seemed at first.
Security updates have been issued by Debian (klibc and libjdom2-java), Mageia (bash, glibc, gnutls, java-openjdk, kernel, kernel-linus, leptonica, libgcrypt, openjpeg2, tor, and trousers), openSUSE (bouncycastle, chromium, go1.16, and kernel), Oracle (docker-engine docker-cli and qemu), Red Hat (kpatch-patch), and SUSE (arpwatch, go1.16, kernel, libsolv, microcode_ctl, and python-urllib3, python-requests).
The KernelCI continuous-integration project held its first hackfest recently. Developers from the KernelCI team, Google, and Collabora worked to improve many different aspects of KernelCI testing capabilities. There are plans for more hackfests.
As expected, the 5.13 development cycle turned out to be a busy one, with 16,030 non-merge changesets being pulled into the mainline over a period of nine weeks. The 5.13 release happened on June 27, meaning that it must be time for our traditional look at the provenance of the code that was merged for this kernel.
Security updates have been issued by Debian (bluez, intel-microcode, tiff, and xmlbeans), Fedora (openssh and php-phpmailer6), openSUSE (freeradius-server, java-1_8_0-openjdk, live555, openexr, roundcubemail, tor, and tpm2.0-tools), SUSE (bouncycastle and zziplib), and Ubuntu (linux-kvm and thunderbird).
Over on the Mozilla blog, the company has announced a new platform, Mozilla Rally, that "puts users in control of their data and empowers them to contribute their browsing data to crowdfund projects for a better Internet and a better society". Rally comes out of work that Mozilla did with Professor Jonathan Mayer's research group at Princeton University.
The mmap() system call creates a mapping for a range of virtual addresses; it has a long list of options controlling just how that mapping should work. Ming Lin is proposing the addition of yet another option, called MAP_NOSIGBUS, which changes the kernel's response when a process accesses an unmapped address. What this option does is relatively easy to understand; why it is useful takes a bit more explanation.
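To make the behavior that MAP_NOSIGBUS is meant to change concrete, here is an added example (editor's code, not from the patch set or from LWN) showing what the kernel does today: a file-backed mapping may be larger than the file, and touching a page of the mapping that lies beyond the end of the file delivers SIGBUS rather than a zero-filled page. The probe_mapping() helper and its return convention are the editor's; the proposed MAP_NOSIGBUS flag is deliberately not used, since it is not in released headers. The temporary file is constructed by the program itself.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Jump target and record of the fault signal delivered during the probe. */
static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_signo;

static void fault_handler(int signo)
{
    fault_signo = signo;
    siglongjmp(fault_env, 1);   /* unwind out of the faulting access */
}

/*
 * Editor's helper (hypothetical name): create a temp file of file_pages pages,
 * map map_pages pages of it MAP_SHARED, then write one byte into touch_page.
 * Returns 0 if the access succeeded, the signal number if a fault signal was
 * delivered (SIGBUS is what the kernel sends for pages past end-of-file),
 * or -1 on a setup error.
 */
int probe_mapping(size_t file_pages, size_t map_pages, size_t touch_page)
{
    long page = sysconf(_SC_PAGESIZE);
    char path[] = "/tmp/nosigbus-demo-XXXXXX";   /* constructed temp file */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                                 /* keep only the descriptor */
    if (ftruncate(fd, (off_t)(file_pages * page)) != 0) {
        close(fd);
        return -1;
    }

    /* Mapping more than the file holds is allowed; only the access faults. */
    char *p = mmap(NULL, map_pages * page, PROT_READ | PROT_WRITE,
                   MAP_SHARED, fd, 0);
    close(fd);
    if (p == MAP_FAILED)
        return -1;

    struct sigaction sa, old_bus, old_segv;
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = fault_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGBUS, &sa, &old_bus);
    sigaction(SIGSEGV, &sa, &old_segv);

    int result;
    fault_signo = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile char *target = p + touch_page * page;
        *target = 'x';                            /* the probe access */
        result = 0;
    } else {
        result = fault_signo;                     /* landed here via the handler */
    }

    sigaction(SIGBUS, &old_bus, NULL);
    sigaction(SIGSEGV, &old_segv, NULL);
    munmap(p, map_pages * page);
    return result;
}

int main(void)
{
    int inside = probe_mapping(1, 2, 0);   /* page 0 is backed by the file */
    int beyond = probe_mapping(1, 2, 1);   /* page 1 lies past end-of-file */
    printf("inside file: %s\n", inside == 0 ? "ok" : "fault");
    printf("beyond eof : %s\n", beyond == SIGBUS ? "SIGBUS" : "other");
    return 0;
}
```

The second probe is the case the proposal targets: under current semantics a process that shares such a mapping with another party that later shrinks the file can be killed by SIGBUS at any access, and the only defenses are a signal handler like the one above or never touching pages whose backing it cannot verify.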
Security updates have been issued by Arch Linux (chromium, dovecot, exiv2, helm, keycloak, libslirp, matrix-appservice-irc, nginx-mainline, opera, pigeonhole, tor, tpm2-tools, and vivaldi), Debian (libgcrypt20), Fedora (pdfbox), Mageia (graphicsmagick, matio, and samba and ldb), openSUSE (dovecot23, gupnp, libgcrypt, live555, and ovmf), SUSE (gupnp, libgcrypt, openexr, and ovmf), and Ubuntu (ceph and rabbitmq-server).
It has been well over three years now since the Spectre hardware vulnerabilities were disclosed, but Spectre is truly a gift that keeps on giving. Writing correct and secure code is hard enough when the hardware behaves in predictable ways; the problem gets far worse when processors can do random and crazy things. For an illustration of the challenges involved, one need look no further than the BPF vulnerability described in this advisory, which was fixed in the 5.13-rc7 release.
There is an ongoing effort to "modernize" the kernel-development process; so far, the focus has been on providing better tools that can streamline the usual email-based workflow. But that "email-based" part has proven to be problematic for some potential contributors, especially those who might want to simply submit a small bug fix and are not interested in getting set up with that workflow. The project-hosting "forge" sites, like GitHub and GitLab, provide a nearly frictionless path for these kinds of one-off contributions, but they do not mesh well—at all, really—with most of mainline kernel development. There is some ongoing work that may change all of that, however.
At the behest of the Linux Foundation, a security-oriented review of the kernel project's release-signing and key-management practices was done; the report from this work has now been published.