Link: https://lwn.net/
Feed: http://lwn.net/headlines/rss
Updated: 2025-04-03 22:15
Security updates for Monday
Security updates have been issued by AlmaLinux (go-toolset:rhel8 and linux-firmware), Arch Linux (oath-toolkit), Debian (e2fsprogs, firefox-esr, libgsf, mediawiki, and oath-toolkit), Fedora (aws, chromium, firefox, p7zip, pgadmin4, python-gcsfs, unbound, webkitgtk, znc, znc-clientbuffer, and znc-push), Mageia (ghostscript and rootcerts nss firefox firefox-l10n), Oracle (kernel, oVirt 4.4 ovirt-engine, and thunderbird), SUSE (chromedriver, chromium, cups-filters, ffmpeg-7, frr, Mesa, openssl-3, openvpn, pcp, and redis), and Ubuntu (firefox and ruby-webrick).
Kernel prepatch 6.12-rc2
Linus has released 6.12-rc2 for testing.
Akamai finds many systems with exposed CUPS vulnerability
Akamai released a report pointing out that the recently-reported CUPS vulnerability (original disclosure) could be used to drive distributed denial-of-service (DDoS) attacks as well. Even if an attacker cannot gain remote control over a computer, they can still cause it to fetch a URL of their choice - potentially getting free DDoS amplification.
[$] Smart pointers for the kernel
Rust has a plethora of smart-pointer types, including reference-counted pointers, which have special support in the compiler to make them easier to use. The Rust-for-Linux project would like to reap those same benefits for its smart pointers, which need to be written by hand to conform to the Linux kernel memory model. Xiangfei Ding presented at Kangrejos about the work to enable custom smart pointers to function the same as built-in smart pointers.
Three Friday kernel updates
The 6.11.2, 6.10.13, and 6.6.54 stable kernels have been released. They contain important fixes, and upgrading is, as always, recommended.
oath-toolkit: privilege escalation in pam_oath.so (SUSE Security Team Blog)
The SUSE Security Team Blog has a detailed report on its discovery of a privilege escalation in the oath-toolkit, which provides libraries and utilities for managing one-time password (OTP) authentication.
Security updates for Friday
Security updates have been issued by AlmaLinux (firefox, golang, linux-firmware, and thunderbird), Debian (kernel and zabbix), Fedora (firefox, pgadmin4, and php), Mageia (chromium-browser-stable, cjson, hostapd and wpa_supplicant, and openjpeg2), Oracle (firefox, flatpak, and go-toolset:ol8), Red Hat (cups-filters, firefox, grafana, linux-firmware, python3, python3.11, and python3.9), SUSE (expat, firefox, libpcap, and opensc), and Ubuntu (freeradius, imagemagick, and unzip).
[$] Coping with complex cameras
Cameras were never the simplest of devices for Linux to support; they have a wide range of operating parameters and can generate high rates of data. In recent years, though, they have become increasingly complex, stressing the ability of the kernel's media subsystem to manage them. At the 2024 Linux Plumbers Conference, developers from that subsystem and beyond gathered to discuss the state of affairs and how complex camera devices should be supported in the future.
Security updates for Thursday
Security updates have been issued by AlmaLinux (cups-filters), Debian (chromium and php8.2), Fedora (firefox), Oracle (cups-filters, flatpak, kernel, krb5, oVirt 4.5 ovirt-engine, and python-urllib3), Red Hat (cups-filters, firefox, go-toolset:rhel8, golang, and thunderbird), SUSE (postgresql16), and Ubuntu (gnome-shell and linux-azure-fde-5.15).
[$] LWN.net Weekly Edition for October 3, 2024
The LWN.net Weekly Edition for October 3, 2024 is available.
[$] Inkscape 1.4 coming soon
The open-source vector-graphics editor, Inkscape, is expected to release version 1.4 in October. The release represents an evolutionary step for the program, which brings new features, user-interface improvements, new and improved file-format support, and important changes to the code base. The changes in this release should improve the user experience for both casual and professional designers, and make Inkscape more compatible with proprietary vector-graphics software, including Adobe Illustrator and Affinity Designer.
[$] BTF, Rust, and the kernel toolchain
BPF Type Format (BTF), BPF's debugging information format, has undergone rapid evolution to match the evolving needs of BPF programs. Jose Marchesi spoke at Kangrejos about some of that work - and how it could impact Rust, specifically. He discussed debug information, kernel-specific relocations, and the planned changes to kernel stack unwinding. Each of these will require some amount of work to fully support in Rust, but preliminary signs look promising.
Manjaro 24.1 released
Version 24.1 of the Arch-based Manjaro distribution is now available with the 6.10 Linux kernel, GNOME 46.5, KDE Plasma 6.1, and KDE Gear 24.08:
Security updates for Wednesday
Security updates have been issued by AlmaLinux (grafana), Fedora (cjson and php), Oracle (389-ds-base, freeradius, grafana, kernel, and krb5), Slackware (cryfs, cups, and mozilla), SUSE (OpenIPMI, openssl-3, openvpn, thunderbird, and tomcat), and Ubuntu (cups, cups-filters, knot-resolver, linux-raspi, linux-raspi-5.4, orc, php7.4, php8.1, php8.3, python-asyncssh, ruby-devise-two-factor, and vim).
FFmpeg 7.1 released
Version 7.1 of the FFmpeg audio/video toolkit has been released. Important changes in this release include the VVC decoder reaching stable status, and inclusion of support for MV-HEVC decoding (which is generated by recent phones and VR headsets), as well as support for Vulkan encoding with H264 and HEVC. See the announcement and changelog for full details.
Firefox 131.0 released
Version 131.0 of the Firefox browser has been released. Changes include the ability to temporarily grant permissions to sites and a preview that pops up when hovering over tabs.
[$] An update on gccrs development
One concern that has often been expressed about the Rust language is that there is only one compiler for it. That makes it hard to say what the standard version of the language is and restricts the architectures that can be targeted by Rust code to those that the available compiler supports. Adding a Rust frontend to GCC would do much to address those concerns; at the 2024 GNU Tools Cauldron, Pierre-Emmanuel Patry gave an update on the state of that work and what its objectives are.
Security updates for Tuesday
Security updates have been issued by Debian (debian-security-support, nghttp2, and sqlite3), Oracle (cups-filters, kernel, and osbuild-composer), SUSE (openssl-3), and Ubuntu (bubblewrap, flatpak and python2.7, python3.5).
[$] Coccinelle for Rust
Tathagata Roy has been working to make the Coccinelle tool that is used (among other things) to automate the refactoring of C code work on Rust code as well. Roy gave a presentation at Kangrejos about that work, including the creative approaches necessary to work with Rust's more complicated control flow and syntax.
[$] The rest of the 6.12 merge window
Linus Torvalds released 6.12-rc1 and closed the 6.12 merge window on September 29; at that point, 11,260 non-merge change sets had been pulled into the mainline for the 6.12 release. That is the lowest number of merge-window changes since 5.17-rc1 in January 2022, which brought in 11,068 changesets. Nonetheless, 6.12 brings a number of interesting changes, many of which were included in the roughly 4,500 changes merged since the summary of the first half of the 6.12 merge window was written.
[$] The WordPress mess
WordPress is the world's most popular open source blogging and content management platform. In its 20 plus years of existence, WordPress has been something of a poster child for open source, similar to Linux and Firefox. It introduced the concept of open source to millions of bloggers, small business owners, and others who have deployed WordPress to support their web publishing needs. Unfortunately, it is now in the spotlight due to an increasingly ugly dispute between two companies, Automattic and WP Engine, that has spilled over into the WordPress community.
Four new stable kernels
The 6.11.1, 6.10.12, 6.6.53, and 6.1.112 stable kernels have been released. Each contains important fixes and users of those series should upgrade.
Tcl/Tk 9.0 released
The most recent major release of the Tcl/Tk language and graphical-user-interface toolkit, Tcl/Tk 9.0, has been released, a mere 27 years after the 8.0 major release in 1997. There have been plenty of releases in the interim, though, as can be seen in the Tcl chronology. The 9.0 release brings 64-bit data values, better Unicode support, the ability to use zip files as filesystems, a switch to use epoll() or kqueue() where they are available, SVG support in Tk, access to notifications and other desktop-platform services in Tk, and lots more. For more information, see the release notes for Tcl and Tk that can be downloaded as Markdown files from the announcement page. (Thanks to Matt Bradley.)
Security updates for Monday
Security updates have been issued by AlmaLinux (cups-filters, net-snmp, and osbuild-composer), Debian (booth, cups, cups-filters, python-asyncssh, ruby-httparty, ruby-loofah, ruby-rails-html-sanitizer, tryton-server, unbound, and wireshark), Fedora (chromium, cjson, cups, cups-browsed, libcupsfilters, and libppd), Gentoo (Apache HTTPD, Docker, HashiCorp Consul, IcedTea, nginx, tmux, and yt-dlp), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, & java-latest-openjdk and libreoffice), Red Hat (git-lfs, grafana, and osbuild-composer), and SUSE (chromedriver, chromium, coredns, json-java-20240303, kernel, libmozjs-128-0, maven-archetype, python3, python312, and quagga).
Arch Linux getting support from Valve
The Arch Linux project has announced that Valve will be helping the distribution with a couple of important initiatives:
Kernel prepatch 6.12-rc1
Linus has released 6.12-rc1 and closed the merge window for this release.
Górny: The perils of transition to 64-bit time_t
Michał Górny describes the challenges involved in transitioning Gentoo to year-2038-safe time representations:
[$] Debian changes OpenSSH packaging
In the wake of the XZ backdoor, the Debian project has revisited some of the patches included in its OpenSSH packages to improve security. The outcome of this is that the project will be splitting out support for Kerberos key exchange into a separate set of packages, though not until after the Debian 13 ("trixie") release expected next year. The impact on Debian users should be minimal, but it is an interesting look into the changes Linux distributions make to upstream software as well as some of the long-term consequences of those choices.
Security updates for Friday
Security updates have been issued by Debian (chromium and trafficserver), Fedora (chromium), Mageia (apache-mod_jk, gnome-shell, kernel, kmod-xtables-addons, and kmod-virtualbox, kernel-linus, and python3), Oracle (container-tools:ol8, dovecot, emacs, expat, firefox, git-lfs, gtk3, kernel, nano, net-snmp, osbuild-composer, python3, python3.11, python3.12, ruby:3.3, and virt:ol and virt-devel:rhel), Slackware (boost), SUSE (kernel), and Ubuntu (configobj, cups, cups-browsed, cups-filters, libcupsfilters, and libppd).
Remote exploit of CUPS
Security researcher Simone Margaritelli has reported a new vulnerability in CUPS, the software that many Linux systems use to manage printers and print jobs. Margaritelli describes the impact of the attack by saying:
[$] Getting PCI driver abstractions upstream
Danilo Krummrich gave a talk at Kangrejos 2024 focusing on the question of how the Rust-for-Linux project could improve at getting device and driver abstractions upstream. As a case study, he used some of his recent work that attempts to make it possible to write a PCI driver entirely in Rust. There wasn't time to go into as much detail as he would have liked, but he did demonstrate that it is possible to interface with the kernel's module loader in a way that is much harder to screw up than the current standard approach in C.
PostgreSQL 17 released
Version 17 of the PostgreSQL database has been released.
Uniting for Internet Freedom: Tor Project & Tails Join Forces (Torblog)
The online-privacy-focused Tor project has announced that it has "joined forces and merged operations" with the Tails OS Linux distribution.
[$] Sched_ext at LPC 2024
The extensible scheduler class (sched_ext) enables the implementation of CPU schedulers as a set of BPF programs loaded from user space; it first hit the mailing lists in late 2022. Sched_ext has engendered its share of controversy since, but is currently slated to be part of the 6.12 kernel release. At the 2024 Linux Plumbers Conference, the growing sched_ext community held one of its first public gatherings; sched_ext would appear to have launched a new burst of creativity in scheduler design.
Security updates for Thursday
Security updates have been issued by AlmaLinux (container-tools:rhel8, dovecot, emacs, expat, git-lfs, go-toolset:rhel8, golang, grafana, grafana-pcp, gtk3, kernel, kernel-rt, nano, python3, python3.11, python3.12, and virt:rhel and virt-devel:rhel), Debian (mediawiki and puredata), Fedora (chisel), Mageia (glib2.0, gtk+2.0 and gtk+3.0, and python-astropy), Red Hat (git-lfs, grafana, grafana-pcp, kernel, and kernel-rt), SUSE (kubernetes1.24, kubernetes1.25, kubernetes1.26, kubernetes1.27, kubernetes1.28, opensc, and python36), and Ubuntu (apparmor, apr, ca-certificates, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-raspi, openjpeg2, ruby-rack, and tomcat8, tomcat9).
Eliminating Memory Safety Vulnerabilities at the Source (Google Security Blog)
Here's a post on the Google Security Blog on how switching to a memory-safe language can quickly reduce vulnerabilities in a project, even if a large body of older code persists.
[$] LWN.net Weekly Edition for September 26, 2024
The LWN.net Weekly Edition for September 26, 2024 is available.
Vanilla OS 2 - future plans, updates, and next release
The Vanilla OS project has published a blog post to answer questions that users have raised since the release of Vanilla OS 2. The post has information about the update strategy for the distribution, an enterprise version with support, and plans for an experimental version called Vanilla OS Vision.
[$] What the Nova GPU driver needs
In March, Danilo Krummrich announced the new Nova GPU driver - a successor to Nouveau for controlling NVIDIA GPUs. At Kangrejos 2024, Krummrich gave a presentation about what it is, why it's needed, and where it's going next. Hearing about the needs of the driver provoked extended discussion on related topics, including what level of safety is reasonable to expect from drivers, given that they must interact with the hardware.
[$] Linus and Dirk on succession, Rust, and more
The "Linus and Dirk show" has been a fixture at Open Source Summit for as long as the conference has existed; it started back when the conference was called LinuxCon. Since Linus Torvalds famously does not like to give talks, as he said during this year's edition at Open Source Summit Europe (OSSEU) in Vienna, Austria, he and Dirk Hohndel have been sitting down for an informal chat on a wide range of topics as a keynote session. That way, Torvalds does not need to prepare, but also does not know what topics will be brought up, which makes it "so much more fun for one of us", Hohndel said with a grin. The topics this time ranged from the just-released 6.11 kernel and the upcoming Linux 6.12, through Rust for the kernel, to the recurring topic of succession and the graying of Linux maintainers.
Security updates for Wednesday
Security updates have been issued by Debian (booth), Gentoo (Xpdf), Oracle (go-toolset:ol8, golang, grafana, grafana-pcp, kernel, libnbd, openssl, pcp, and ruby:3.3), Red Hat (container-tools:rhel8, go-toolset:rhel8, golang, kernel, and kernel-rt), SUSE (apr, cargo-audit, chromium, obs-service-cargo, python311, python36, quagga, traefik, and xen), and Ubuntu (intel-microcode, linux-azure-fde-5.15, and puma).
[$] KDE sets its goals through 2026
Almost a decade ago KDE e.V., the non-profit organization that supports KDE, started a process for selecting goals to help the community unite behind a common vision for where the project should go in the near future. KDE recently wrapped up its 2022-2024 cycle and announced the goals for 2024-2026 at Akademy on September 7, in Würzburg, Germany. This time around, KDE will be looking to streamline its application-development experience, improve support for input devices, and bring in new contributors.
HarfBuzz 10.0.0 released
Version 10.0.0 of the HarfBuzz text-shaping engine has been released. Notable changes in this release include Unicode 16.0.0 support, adding Cairo script as an output format for hb-view, and a number of bug fixes.
[$] Committing to Rust in the kernel
The project to enable the writing of kernel code in Rust has been underway for several years, and each kernel release includes more Rust code. Even so, some developers have expressed frustration at the time it takes to get new functionality merged, and an air of uncertainty still hangs over the project. At the 2024 Maintainers Summit, Miguel Ojeda led a discussion on the status of Rust in the kernel and whether the time had come to stop considering it an experimental project. There were not answers to all of the questions, but it seems clear that Rust in the kernel will continue steaming ahead.
Security updates for Tuesday
Security updates have been issued by Gentoo (GCC, Hunspell, Tor, and ZNC), SUSE (apr-devel, cargo-c, chromedriver, firefox, kernel, libecpg6, libmfx, onefetch, postgresql12, postgresql13, postgresql14, postgresql15, postgresql16, python310-azure-identity, python39, qemu, rage-encryption, stgit, and system-user-zabbix), and Ubuntu (kernel, linux-ibm-5.15, linux-oracle-5.15, linux-xilinx-zynqmp, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-raspi, and py7zr).
Hy 1.0.0 released
Version 1.0.0 of Hy, a Lisp dialect that is embedded in Python, has been released after nearly 12 years in development. This is the first stable release of the project:
[$] Resources for learning Rust for kernel development
Dirk Behme led a second session, back-to-back with his session on error handling at Kangrejos 2024, discussing providing better guidance for users of the kernel's Rust abstractions. Just after that, Carlos Bilbao and Miguel Ojeda had their own time slot dedicated to collecting resources that could be of use to someone trying to come up to speed on kernel development in Rust. The attendees provided a lot of guidance in both sessions, and discussed what they could do to make things easier for people coming from non-Rust backgrounds.
Security updates for Monday
Security updates have been issued by AlmaLinux (expat, fence-agents, firefox, libnbd, openssl, pcp, ruby:3.3, and thunderbird), Debian (ruby-saml), Fedora (aardvark-dns, chromium, expat, jupyterlab, less, openssl, python-jupyterlab-server, python-notebook, python3-docs, and python3.12), Gentoo (calibre, curl, Emacs, org-mode, Exo, file, GPL Ghostscript, gst-plugins-good, liblouis, Mbed TLS, OpenVPN, Oracle VirtualBox, PJSIP, Portage, PostgreSQL, pypy, pypy3, Rust, Slurm, stb, VLC, and Xen), SUSE (container-suseconnect, ffmpeg-4, kernel, libpcap, python3, python310, python36, and wpa_supplicant), and Ubuntu (firefox, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-azure, and linux-ibm-5.15, linux-oracle-5.15).
[$] Tools for kernel developers
Konstantin Ryabitsev started a session on development tooling at the 2024 Maintainers Summit by saying that he does not want to be a "wrecking ball". If a given workflow is working for people, he does not want to try to force any sort of change. That said, he has ideas for how he can continue his work on providing better tooling for the development community.
pcp: pmcd network daemon review (SUSE Security Team Blog)
The SUSE Security Team Blog has a detailed review of the Performance Co-Pilot (PCP) 6.2.1 release: