Greg Kroah-Hartman has announced the release of the 5.5.8, 5.4.24, and 4.19.108 stable kernels. There are fixes throughout the tree, as usual; users should upgrade.
Like many larger free-software projects, openSUSE has an elected board that is charged with handling various non-technical tasks: organizing events, dealing with conduct issues, managing the project's money, etc. Sitting on such a board is usually a relatively low-profile activity; development communities tend to pay more attention to technical contributions than other types of service. Every now and then, though, board-related issues burst into prominence; that is the case now in the openSUSE project, which will be holding a special election after the abrupt resignation of one-third of its board.
KubeCon + CloudNativeCon Europe 2020, which was originally scheduled for March 30-April 2 in Amsterdam, has been postponed until July or August due to COVID-19 concerns. In addition, KubeCon + CloudNativeCon China 2020, scheduled for July in Shanghai, has been canceled "due to the uncertainty around travel to China and our ability to assemble the speakers, sponsors, and attendees necessary for a successful event". It seems likely that these are not the last conferences that will be affected in our communities.
Security updates have been issued by CentOS (http-parser and xerces-c), Debian (tomcat7), Fedora (opensmtpd), openSUSE (openfortivpn and permissions), Red Hat (http-parser, openstack-octavia, python-waitress, and sudo), Slackware (ppp), and SUSE (kernel).
By most accounts, the freedesktop.org (fd.o) GitLab instance has been a roaring success; lots of projects are using it, including Mesa, Linux kernel graphics drivers, NetworkManager, PipeWire, and many others. In addition, a great deal of continuous-integration (CI) testing is being done on a variety of projects under the fd.o umbrella. That success has come at a price, however. A recent message from the X.Org Foundation, which merged with fd.o in 2019, has made it clear that the current situation is untenable from a financial perspective. Given its current resources, X.Org cannot continue covering those costs beyond another few months.
Sam Hartman has announced that he will not run for a second term as Debian Project Leader at this time. "TL;DR: Overall, being DPL has been incredibly rewarding. I have enjoyed working with you all, and have enjoyed the opportunity to contribute to the Debian Project. I hope to be DPL again some year, but 2020 is the wrong year for me and for the project. So I will not nominate myself this year, but hope to do so some future year."
Security updates have been issued by Debian (libzypp), Fedora (opensmtpd and thunderbird), openSUSE (nodejs8), Red Hat (http-parser, kpatch-patch, and xerces-c), SUSE (cloud-init, compat-openssl098, kernel, postgresql96, python, and yast2-rmt), and Ubuntu (python-django and rake).
Handling time zones is a pretty messy affair overall, but language runtimes may have even bigger problems. As a recent discussion on the Python discussion forum shows, there are considerations beyond those that an operating system or distribution needs to handle. Adding support for the IANA time zone database to the Python standard library, which would allow using names like "America/Mazatlan" to designate time zones, is more complicated than one might think—especially for a language trying to support multiple platforms.
Security updates have been issued by Debian (linux-4.9, proftpd-dfsg, rrdtool, and zsh), Fedora (kernel), openSUSE (cacti, cacti-spine, mariadb, and ppp), Red Hat (kernel, qemu-kvm, qemu-kvm-ma, and ruby), Slackware (seamonkey), SUSE (kernel, libpng16, ovmf, python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer, and python36), and Ubuntu (libpam-radius-auth, OpenSMTPD, and ppp).
The kernel development process is based on trust at many levels — trust in developers, but also in the infrastructure that supports the community. In some cases, that trust may not be entirely deserved; most of us have long since learned not to trust much of anything that shows up in email, for example, but developers still generally trust that emailed patches will be what they appear to be. In his ongoing effort to bring more security to kernel development, Konstantin Ryabitsev has proposed a patch attestation scheme that could help subsystem maintainers verify the provenance of the patches showing up in their mailboxes.
The 5.6-rc4 kernel prepatch has been released. "Fairly reasonably sized rc4, and the diffstat looks nice and flat too (which basically means 'lots of small changes') except for a netfilter ipset fix that ended up being somewhat big and involved due to locking changes."
The Netdev 0x14 conference, scheduled to begin March 17 in Vancouver, has been postponed due to coronavirus concerns; it has been tentatively rescheduled for June 16 to 19 at the same location.
One of the basic rules of kernel-module development is that modules can only access symbols (functions and data structures) that have been explicitly exported. Even then, many symbols are restricted so that only modules with a GPL-compatible license can access them. It turns out, though, that there is a readily available workaround that makes it easy for a module to access any symbol it wants. That workaround seems likely to be removed soon despite some possible inconvenience for some out-of-tree users; the reason why that is happening turns out to be relatively interesting.
Security updates have been issued by CentOS (java-1.7.0-openjdk and ppp), Debian (libimobiledevice, libusbmuxd, and pure-ftpd), Fedora (caddy, firejail, golang-github-gorilla-websocket, golang-vitess, hugo, mingw-libpng, php, and proftpd), openSUSE (chromium, enigmail, ipmitool, libsolv, libzypp, zypper, weechat, and yast2-rmt), Oracle (java-1.7.0-openjdk and ppp), Red Hat (java-1.7.0-openjdk and ppp), Scientific Linux (java-1.7.0-openjdk and ppp), and SUSE (java-1_8_0-ibm, kernel, mariadb, mariadb-100, openssl, php5, python, rsyslog, and texlive-filesystem).
This patch from Johannes Weiner seemed like a straightforward way to improve memory-reclaim performance; without it, the virtual filesystem layer throws away memory that the memory-management subsystem thinks is still worth keeping. But that patch quickly ran afoul of a feature (or "misfeature" depending on who one asks) from the distant past, one which goes by the name of "high memory". Now, more than 20 years after its addition, high memory may be brought down low, as developers consider whether it should be deprecated and eventually removed from the kernel altogether.
Security updates have been issued by CentOS (kernel, ksh, python-pillow, and thunderbird), Debian (opensmtpd, proftpd-dfsg, and rake), Fedora (NetworkManager-ssh), openSUSE (chromium), and SUSE (libexif, mariadb, ovmf, python3, and squid).
The "kernel runtime security instrumentation" (KRSI) patch set has been making the rounds over the past few months; the idea is to use the Linux security module (LSM) hooks as a way to detect, and potentially deflect, active attacks against a running system. It does so by allowing BPF programs to be attached to the LSM hooks. That has caused some concern in the past about exposing the security hooks as external kernel APIs, which makes them potentially subject to the "don't break user space" edict. But there has been no real objection to the goals of KRSI. The fourth version of the patch set was posted by KP Singh on February 20; the concerns raised this time are about its impact on the LSM infrastructure.
Security updates have been issued by Debian (python-pysaml2), Mageia (clamav, graphicsmagick, opencontainers-runc, squid, and xmlsec1), Oracle (kernel, ksh, python-pillow, systemd, and thunderbird), Red Hat (rh-nodejs12-nodejs), Scientific Linux (ksh, python-pillow, and thunderbird), and SUSE (nodejs6, openssl, ppp, and squid).
BPF has exploded within the Linux world over the last few years, growing from its networking roots into the go-to tool for running custom in-kernel programs. Its role seems to expand with every kernel release into diverse areas such as security and device control. But none of that is the focus of a relatively new book from Brendan Gregg, BPF Performance Tools; it looks, instead, at how BPF provides visibility into the guts of the kernel. Finding performance bottlenecks of various sorts on (generally large) production systems is an area where BPF and the tool set that has grown up around it can excel; Gregg's book describes that landscape in great depth.
Version 19 of the Arch-based Manjaro distribution is out. "The Xfce edition remains our flagship offering and has received the attention it deserves. Only a few can claim to offer such a polished, integrated and leading-edge Xfce experience. With this release we ship Xfce 4.14 and have mostly focused on polishing the user experience with the desktop and window manager. Also we have switched to a new theme called Matcha. A new feature Display-Profiles allows you to store one or more profiles for your preferred display configuration. We also have implemented auto-application of profiles when new displays are connected."
The Free Software Foundation has announced that it is planning to launch a public code hosting and collaboration platform later this year. "We plan on contributing improvements upstream for the new forge software we choose, to boost its score on [GNU ethical repository] criteria. Our tech team is small for the size of the network we maintain, and we don't have any full-time developers who work for the FSF, so we are limited in the amount of time we can spend on the software we choose. We'll communicate with the upstream developers to request improvements and help clarify any questions related to the ethical repository criteria."
Security updates have been issued by Debian (curl and otrs2), Fedora (NetworkManager-ssh and python-psutil), Mageia (ipmitool, libgd, libxml2_2, nextcloud, radare2, and upx), openSUSE (inn and sudo), Oracle (kernel, ksh, python-pillow, and thunderbird), Red Hat (curl, kernel, nodejs:10, nodejs:12, procps-ng, rh-nodejs10-nodejs, ruby, and systemd), SUSE (dpdk, firefox, java-1_7_1-ibm, java-1_8_0-ibm, libexif, libvpx, nodejs10, nodejs8, openssl1, pdsh, slurm_18_08, python-azure-agent, python3, and webkit2gtk3), and Ubuntu (libapache2-mod-auth-mellon, libpam-radius-auth, and rsync).
Filesystems, by design, hide a lot of complexity from users. At times, though, those users need to be able to look inside the black box and extract information about what is going on within a filesystem. Answering this need is David Howells, the creator of a number of filesystem-oriented system calls; in this patch set he tries to add three more, one of which we have seen before and two of which are new.
The 5.6-rc3 kernel prepatch is out for testing. Linus says: "Fairly normal rc3 as far as I can tell. We've seen bigger, but we've seen smaller ones too. Maybe this is slightly on the low side of average at this time, which would make sense since this was a smaller merge window. Anyway, too much noise in the signal to be sure either way."
Security updates have been issued by Debian (libpam-radius-auth, pillow, ppp, proftpd-dfsg, and python-pysaml2), Fedora (firefox, glib2, hiredis, http-parser, libuv, mingw-openjpeg2, nghttp2, nodejs, openjpeg2, python-pillow, skopeo, and webkit2gtk3), Mageia (patch, postgresql, and systemd), Red Hat (ksh, nodejs:10, openjpeg2, python-pillow, systemd, and thunderbird), and SUSE (java-1_7_1-ibm, libsolv, libzypp, zypper, pdsh, slurm_18_08, and php53).
The perf_event_open() system call is a complicated beast, requiring a fair amount of study to master. This call also has some interesting security implications: it can be used to obtain a lot of information about the running system, and the complexity of the underlying implementation has made it more than usually prone to unpleasant bugs. In current kernels, the security controls around perf_event_open() are simple, though: if you have the CAP_SYS_ADMIN capability, perf_event_open() is available to you (though the system administrator can make it available without any privilege at all). Some current work to create a new capability for the perf events subsystem would seem to make sense, raising the question of why adding new capabilities isn't done more often.
Security updates have been issued by CentOS (openjpeg2), Debian (cloud-init, jackson-databind, and python-reportlab), Red Hat (ksh, python-pillow, systemd, and thunderbird), Slackware (proftpd), SUSE (java-1_7_0-ibm, nodejs10, and nodejs12), and Ubuntu (ppp and squid, squid3).
To a great extent, memory management is based on making predictions: which pages of memory will a given process need in the near future? Unfortunately, it turns out that predictions are hard, especially when they are about future events. In the absence of useful information sent back from the future, memory-management subsystems are forced to rely on observations of recent behavior and an assumption that said behavior is likely to continue. The kernel's memory-management decisions are opaque to user space, though, and often result in less-than-optimal performance. A pair of patch sets from SeongJae Park tries to make memory-usage patterns visible to user space, and to let user space change memory-management decisions in response.
Security updates have been issued by Debian (netty and netty-3.9), Fedora (ceph, dovecot, poppler, and webkit2gtk3), openSUSE (inn and rmt-server), Oracle (openjpeg2), Red Hat (rabbitmq-server), Scientific Linux (openjpeg2), SUSE (dnsmasq, rsyslog, and slurm), and Ubuntu (php7.0).
At this point, most of the kernel work to avoid the year-2038 apocalypse has been completed. Said apocalypse could occur when time counted in seconds since 1970 overflows a 32-bit signed value (i.e. time_t). Work in the GNU C Library (glibc) and other C libraries is well underway as well. But the "fun" is just beginning for distributions, especially those that support 32-bit architectures, as a recent Debian discussion reveals. One of the questions is: how much effort should be made to support 32-bit architectures as they fade from use and 2038 draws nearer?
The Linux Foundation's Core Infrastructure Initiative and Harvard University's Lab for Innovation Science have teamed up on a census of the most critical open-source components in today's production applications. The report [PDF], titled "Vulnerabilities in the core", identified more than 200 projects and details 20 of them. More information can be found in the press release and, of course, the report. "This Census II analysis and report represent important steps towards understanding and addressing structural and security complexities in the modern day supply chain where open source is pervasive, but not always understood. Census II identifies the most commonly used free and open source software (FOSS) components in production applications and begins to examine them for potential vulnerabilities, which can inform actions to sustain the long-term security and health of FOSS. Census I (2015) identified which software packages in the Debian Linux distribution were the most critical to the kernel's operation and security."
The idea behind kernel address-space layout randomization (KASLR) is to make it harder for attackers to find code and data of interest to use in their attacks by loading the kernel at a random location. But a single random offset is used for the placement of the kernel text, which presents a weakness: if the offset can be determined for anything within the kernel, the addresses of other parts of the kernel are readily calculable. A new "finer-grained" KASLR patch set seeks to remedy that weakness for the text section of the kernel by randomly reordering the functions within the kernel code at boot time.
A bit belatedly, Kees Cook looks at some security-relevant changes in Linux 5.4 in a blog post. He lists a small handful of changes, including: "After something on the order of 8 years, Linux can now draw a bright line between 'ring 0' (kernel memory) and 'uid 0' (highest privilege level in userspace). The 'kernel lockdown' feature, which has been an out-of-tree patch series in most Linux distros for almost as many years, attempts to enumerate all the intentional ways (i.e. interfaces not flaws) userspace might be able to read or modify kernel memory (or execute in kernel space), and disable them. While Matthew Garrett made the internal details fine-grained controllable, the basic lockdown LSM can be set to either disabled, 'integrity' (kernel memory can be read but not written), or 'confidentiality' (no kernel memory reads or writes). Beyond closing the many holes between userspace and the kernel, if new interfaces are added to the kernel that might violate kernel integrity or confidentiality, now there is a place to put the access control to make everyone happy and there doesn't need to be a rehashing of the age old fight between 'but root has full kernel access' vs 'not in some system configurations'."
Security updates have been issued by Arch Linux (systemd and thunderbird), Debian (clamav, libgd2, php7.3, spamassassin, and webkit2gtk), Fedora (kernel, kernel-headers, and sway), Mageia (firefox, kernel-linus, mutt, python-pillow, sphinx, thunderbird, and webkit2), openSUSE (firefox, nextcloud, and thunderbird), Oracle (firefox and ksh), Red Hat (curl, java-1.7.0-openjdk, kernel, and ruby), Scientific Linux (firefox and ksh), SUSE (sudo and xen), and Ubuntu (clamav, php5, php7.0, php7.2, php7.3, postgresql-10, postgresql-11, and webkit2gtk).
The idea of an ID-shifting virtual filesystem that would remap user and group IDs before passing requests through to an underlying real filesystem has been around for a few years but has never made it into the mainline. Implementations have taken the form of shiftfs and shifting bind mounts. Now there is yet another approach to the problem under consideration; this one involves a theoretically simpler approach that makes almost no changes to the kernel's filesystem layer at all.
Security updates have been issued by Debian (evince, postgresql-9.4, and thunderbird), Fedora (ksh and libxml2), openSUSE (hostapd and nextcloud), Red Hat (chromium-browser, firefox, flash-plugin, and ksh), and SUSE (firefox and thunderbird).
The NetBSD 9.0 release is out. "This is the seventeenth major release of the NetBSD operating system and brings significant improvements in terms of hardware support, quality assurance, security, along with new features and hundreds of bug fixes." Significant new features include Arm64 support, better virtualization support, kernel address-space layout randomization, and more; see the release notes for details.
The 5.6-rc2 kernel prepatch is out for testing. Linus says: "More than half the rc2 patch is actually Documentation updates, because the kvm docs got turned into RST. Another notable chunk is just tooling updates, which is about 50/50 perf updates (much of it due to header file syncing) and - again - kvm".
OpenSSH 8.2 is out. This release removes support for the ssh-rsa key algorithm, which may disrupt connectivity to older servers; see the announcement for a way to check whether a given server can handle newer, more secure algorithms. Also new in this release is support for FIDO/U2F hardware tokens.
Back in November 2019, Mike Rapoport made the case that there is too much address-space sharing in Linux systems. This sharing can be convenient and good for performance, but in an era of advanced attacks and hardware vulnerabilities it also facilitates security problems. At that time, he proposed a number of possible changes in general terms; he has now come back with a patch implementing a couple of address-space isolation options for the memfd mechanism. This work demonstrates the sort of features we may be seeing, but some of the hard work has been left for the future.
Security updates have been issued by Debian (debian-security-support, postgresql-11, and postgresql-9.6), Fedora (cutter-re, firefox, php-horde-Horde-Data, radare2, and texlive-base), openSUSE (docker-runc), Oracle (kernel), Red Hat (sudo), and Ubuntu (firefox).