LWN.net

ZDNet reportsthat two more malicious modules have been removed from the Python PackageIndex. "The two libraries were created by the same developer and mimicked other more popular libraries -- using a technique called typosquatting to register similarly-looking names.The first is 'python3-dateutil,' which imitated the popular 'dateutil'library. The second is 'jeIlyfish' (the first L is an I), which mimickedthe 'jellyfish' library." The latter of the two had been in PyPIfor nearly a year.

Firefox 71 is available. New features include improvements to the Lockwiseintegrated password manager and native MP3 decoding. The releasenotes have more details.

Security updates have been issued by Arch Linux (intel-ucode and libtiff), Debian (exiv2), Oracle (SDL), Red Hat (kernel, patch, and python-jinja2), and Ubuntu (graphicsmagick, linux, linux-aws, linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-hwe, linux-kvm, linux-oem-osp1, linux-oracle, linux-oracle-5.0, linux-raspi2, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-gcp, linux-gcp-5.3, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-lts-xenial, linux-aws, and sqlite3).

Mark Wielaard has posted asummary of the discussion thus far on the governance of the GNUproject. "The mentoring and apprenticeship discussion focused on theGNU maintainers as being the core of the GNU project. But as was pointedout there are also webmasters, translators, infrastructure maintainers(partially paid FSF staff and volunteers), education and conferenceorganizers, etc. All these people are GNU stakeholders. And how we organizegovernance of the GNU project should also involve them."

The 5.5 merge window got underway immediately after the release of the 5.4 kernel onNovember 24. The first week has been quite busy despite the USThanksgiving holiday landing in the middle of it. Read on for a summary ofwhat the first 6,300 changesets brought for the next major kernel release.

Security updates have been issued by Debian (389-ds-base, asterisk, file, nss, proftpd-dfsg, ssvnc, and tnef), Fedora (chromium, djvulibre, freeradius, ImageMagick, jhead, kernel, phpMyAdmin, python-pillow, and rubygem-rmagick), Mageia (bzip2, chromium-browser-stable, curl, dbus, djvulibre, glib2.0, glibc, gnupg2, httpie, libreoffice, libssh2, mosquitto, nginx, python-sqlalchemy, unbound, and zipios++), openSUSE (bluez, clamav, cpio, freerdp, openafs, phpMyAdmin, strongswan, and webkit2gtk3), Red Hat (samba and SDL), Scientific Linux (389-ds-base), and SUSE (haproxy, python-Django, and tightvnc).

Version 7.4.0 of the PHP language has been released. New features includetypedproperties,arrowfunctions,weakreferences, and more; see the release announcementand migrationguide for more information.

The5.4.1,5.3.14,4.19.87,4.14.157,4.9.204, and4.4.204stable kernels have all been released; they contain a relatively large setof important fixes and updates. For good measure,4.9.205 and4.4.205followed a full 30 seconds later with one problematic patch reverted.

On the Redox site, creator Jeremy Soller gives an update on the Unix-like operating system written in Rust. It is running on a System76 Galaga Pro laptop: "This particular hardware has full support for the keyboard, touchpad, storage, and ethernet, making it easy to use with Redox." Meanwhile, he and the other Redox developers have been focusing on making it self-hosting: "Building Redox OS on Redox OS has always been one of the highest priorities of the project. Rustc seems to be only a few months of work away, after which I can begin to improve the system while running on it permanently, at least on one machine. With Redox OS being a microkernel, it is possible that even the driver level could be recompiled and respawned without downtime, making it incredibly fast to develop for. With this in place, I would work more efficiently on porting more software and tackling more hardware support issues, such as filling in the USB stack and adding graphics drivers.But, more importantly than what I will be able to do, is the contributions by others that will be unlocked by having a fully self-hosted, microkernel Operating System written in Rust, Redox OS."

Security updates have been issued by Debian (libvpx and vino), Fedora (grub2 and nss), and SUSE (cloud-init, libarchive, libtomcrypt, ncurses, and ucode-intel).

Security updates have been issued by Debian (haproxy and libvorbis), Fedora (mod_auth_mellon and xen), Oracle (389-ds-base, kernel, and tcpdump), SUSE (bsdtar, java-11-openjdk, java-1_7_0-openjdk, and libxml2), and Ubuntu (nss and python-psutil).

Security updates have been issued by Debian (bsdiff, libvpx, tiff, and xmlrpc-epi), Fedora (freeimage, imapfilter, kernel, mingw-freeimage, and thunderbird), openSUSE (cups and djvulibre), Oracle (SDL), SUSE (ardana-db, ardana-keystone, ardana-neutron, ardana-nova, crowbar-core, crowbar-openstack, crowbar-ui, openstack-barbican, openstack-heat-templates, openstack-keystone, openstack-neutron, openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova, openstack-octavia, openstack-sahara, python-psutil, release-notes-suse-openstack-cloud, freerdp, mailman, and slurm), and Ubuntu (ruby2.3, ruby2.5).

The Linux kernel scheduler is a complicated beastand a lot of effort goes into improving it during every kernel releasecycle. The 5.4 kernel release includes a few improvements to the existingSCHED_IDLE scheduling policy that can help users improve thescheduling latency of their high-priority (interactive) tasks if they usethe SCHED_IDLE policy for the lowest-priority (background)tasks. Read on for a description of this work contributed by Viresh Kumar.

Security updates have been issued by Debian (libxdmcp, nss, php-imagick, and ruby2.1), openSUSE (java-11-openjdk), Red Hat (389-ds-base, kernel, kernel-rt, python-jinja2, qemu-kvm-ma, and tcpdump), SUSE (bluez, clamav, cpio, cups, gcc9, libpng16, libssh2_org, mailman, sqlite3, squid, strongswan, tiff, and webkit2gtk3), and Ubuntu (redmine).

Stable kernels 5.3.13, 4.19.86, 4.14.156, 4.9.203, and 4.4.203 have been released. They all containimportant fixes and users should upgrade.

Security updates have been issued by Debian (chromium, enigmail, isc-dhcp, libice, libofx, and pam-python), Fedora (chromium, ghostscript, mingw-cfitsio, mingw-gdal, mingw-libidn2, and rsyslog), Gentoo (adobe-flash, chromium, expat, and firefox), openSUSE (apache2-mod_perl, haproxy, java-11-openjdk, and ncurses), Oracle (ghostscript, kernel, php:7.2, php:7.3, and sudo), Red Hat (chromium-browser, python27-python, and SDL), and Ubuntu (dpdk and libvpx).

Linus has released the 5.4 kernel."Not a lot happened this last week, which is just how I likeit". Significant features in this release includethe haltpollCPU governor,the iocost (formerly io.weight) I/Ocontroller,the EROFS filesystem,an implementation of the exFAT filesystemthat may yet be superseded by a better version,the fs-verity file integrity mechanism,support for the BPFcompile once, run everywhere mechanism,the dm-clonedevice mapper target,the virtiofsfilesystem,kernel lockdown support (at last),kernel symbol namespaces, and a newrandom-number generator meant to solve theearly-boot entropy problem.See the KernelNewbies 5.4page for a lot more details.

When virtiowas merged in Linux v2.6.24, its author, Rusty Russell, described the goal as being for "common drivers to be efficiently usedacross most virtual I/O mechanisms". Today, much progress has been made toward that goal, with virtiosupported by multiple hypervisors and guest drivers shipped by many operatingsystems. But these applications of virtio are implemented in software, whereasMichael Tsirkin's "VirtIOwithout the Virt" talk at KVM Forum 2019 laid out howto implement virtio in hardware.

Security updates have been issued by Fedora (dpdk, mingw-djvulibre, mingw-hunspell, mingw-ilmbase, mingw-OpenEXR, php-symfony, php-symfony3, and rsyslog), openSUSE (chromium and squid), SUSE (aspell, cups, djvulibre, and dpdk), and Ubuntu (djvulibre).

Over on the Project Zero blog, Maddie Stone has a lengthy post about a zero-day exploit that was found and fixed in the Android Binder interprocess communication mechanism. The post details the search for the problem, which was apparently being used in the wild, its fix, and how it can be exploited. This is all part of an effort to "make zero-day hard"; one of the steps the project is taking is to disseminate more information on these bugs. "Complete detailed analysis of the 0-days from the point of view of bug hunters and exploit developers and share it back with the community. Transparency and collaboration are key. We want to share detailed root cause analysis to inform developers and defenders on how to prevent these types of bugs in the future and improve detection. We hope that by publishing details about the exploit and its methodology, this can inform threat intelligence and incident responders. Overall, we want to make information that’s often kept in silos accessible to all."

Fedora's Modularityinitiative has been no stranger to controversy since its inception in 2016. Among other things, therewere enough problems with the original design that Modularity went back to the drawing board in early 2018.Modularity has since been integrated with both the Fedora and Red HatEnterprise Linux (RHEL) distributions, but the controversy continues, withsome developers asking whether it's time for yet another redesign — or toabandon the idea altogether. Over the last month or so, several lengthy,detailed, and heated threads have explored this issue; read on for youreditor's attempt to integrate what was said.

Greg Kroah-Hartman has announced the release of the 5.3.12, 4.19.85, and 4.14.155 stable kernels. As usual, theycontain fixes throughout the kernel tree; users of those series should upgrade.

Security updates have been issued by Fedora (oniguruma and thunderbird-enigmail), openSUSE (chromium, ghostscript, and slurm), Oracle (kernel), Red Hat (kpatch-patch), Slackware (bind), SUSE (python-ecdsa), and Ubuntu (bind9 and mariadb).

The LWN.net Weekly Edition for November 21, 2019 is available.

The idea of stacking (or chaining) Linuxsecurity modules (LSMs) goes back 15 years (at least) at this point; progresshas definitely been made along the way, especially in the last decade or so. It has been possible tostack "minor" LSMs with one major LSM (e.g. SELinux, Smack, or AppArmor) forsome time, but mixing, say, SELinux and AppArmor in the same system has not been possible. Combining major security solutions may notseem like a truly important feature, but there is a use case where it ispretty clearly needed: containers. Longtime LSM stacker (and Smackmaintainer) Casey Schauflergave a presentation at the 2019Linux Security Summit Europe to report on the status and plans forallowing arbitrary LSM stacking.

Security updates have been issued by Debian (redmine), Fedora (libidn2), Mageia (clamav, ghostscript, kernel, kernel-linus, libexif, libjpeg, mariadb, microcode, and systemd), and openSUSE (libjpeg-turbo).

A key tenet in KVM is to reuse as much Linux infrastructure as possibleand focus specifically on processor virtualization. Back in 2007, thismeant a smaller code base and less friction with the other kernelsubsystems, especially when compared with other virtualization technologiessuch as Xen. This led to KVM being merged into the mainline with relativeease. A talk at this year's KVM Forum looks at ways to better protectguests, perhaps by moving away from that tenet.

SystemTap 4.2 is out. This release features "support for generatingbacktraces of different contexts; improved backtrace tapset to include filenames and line numbers; eBPF support extensions including raw tracepointaccess, prometheus exporter, procfs probes and improved loopingstructures".

The 13th KVMForum virtualization conference took place in Lyon, France in October2019. One might think that development may have finished on the KernelVirtual Machine (KVM) module that was merged in Linux 2.6.20 in 2007, butthis year's conference underscored the amount of work still being done,particularly on side-channel attack mitigation, I/O device assignment withVFIO and mdev, footprint reduction with micro virtual machines (VMs), andwith the ability to run VMs nested within VMs. Many talks also involved the virtual machinemonitor (VMM) user-space programs that use the KVM kernel module—of whichQEMU is the most widely used.

Security updates have been issued by Debian (python-psutil, slurm-llnl, symfony, and thunderbird), Fedora (gd and ghostscript), and SUSE (ceph, haproxy, java-11-openjdk, and ncurses).

The arm64 architecture is found at the core of many, if not most, mobiledevices; that means that arm64 devices are destined to be the target ofattackers worldwide. That has led to a high level of interest intechnologies that can harden these systems. There are currently severalsuch technologies, based in both hardware and software, that are beingreadied for the arm64 kernel; read on for a survey on what iscoming.

Stable kernels 4.9.202 and 4.4.202 have been released. They both containimportant fixes and users should upgrade.

Security updates have been issued by Debian (angular.js, libapache2-mod-auth-openidc, mosquitto, postgresql-common, and thunderbird), Fedora (chromium, djvulibre, freetds, ghostscript, java-1.8.0-openjdk-aarch32, samba, thunderbird-enigmail, wpa_supplicant, and xen), openSUSE (go1.12, ImageMagick, and ucode-intel), Oracle (ghostscript and kernel), Red Hat (libcomps and sudo), Slackware (kernel), SUSE (microcode_ctl, slurm, and ucode-intel), and Ubuntu (mysql-5.7, mysql-8.0 and python-ecdsa).

As expected, 5.4-rc8 was released onNovember 17 rather than the final 5.4 release."I'm not entirely sure we need an rc8, because last week was prettycalm despite the Intel hw workarounds landing. So I considered justmaking a final 5.4 and be done with it, but decided that there's noreal downside to just doing the rc8 after having a release cycle thattook a while to calm down."

One of the many responsibilities of the operating system is to helpprocesses keep secrets from each other. Operating systems often fail inthis regard, sometimes due to factors — such as hardware bugs and user-spacevulnerabilities — that are beyond their direct control. It is thusunsurprising that there is an increasing level of interest in ways toimprove the ability to keep data secret, perhaps even from the operatingsystem itself. The MAP_EXCLUSIVEpatch set from Mike Rapoport is one example of the work that is being donein this area; it also shows that the development community has not yetreally begun to figure out how this type of feature should work.

Security updates have been issued by CentOS (kernel), Debian (ghostscript, mesa, and postgresql-common), Fedora (chromium, php-robrichards-xmlseclibs, php-robrichards-xmlseclibs3, samba, scap-security-guide, and wpa_supplicant), Mageia (cpio, fribidi, libapreq2, python-numpy, webkit2, and zeromq), openSUSE (ImageMagick, kernel, libtomcrypt, qemu, ucode-intel, and xen), Oracle (kernel), Red Hat (ghostscript, kernel, and kernel-rt), Scientific Linux (ghostscript and kernel), SUSE (bash, enigmail, ghostscript, ImageMagick, kernel, libjpeg-turbo, openconnect, and squid), and Ubuntu (ghostscript, imagemagick, and postgresql-common).

Kees Cook catchesup with the security improvements in the 5.3 kernel."In recent exploits, one of the steps for making the attacker’s lifeeasier is to disable CPU protections like Supervisor Mode Access (andExecute) Prevention (SMAP and SMEP) by finding a way to write to CPUcontrol registers to disable these features. For example, CR4 controls SMAPand SMEP, where disabling those would let an attacker access and executeuserspace memory from kernel code again, opening up the attack to muchgreater flexibility. CR0 controls Write Protect (WP), which when disabledwould allow an attacker to write to read-only memory like the kernel codeitself. Attacks have been using the kernel’s CR4 and CR0 writing functionsto make these changes (since it’s easier to gain that level of executecontrol), but now the kernel will attempt to 'pin' sensitive bits in CR4and CR0 to avoid them getting disabled. This forces attacks to do more workto enact such register changes going forward."

The Yocto Project recentlyannounced its 3.0 release, maintaining the spring/fall cadence it has followed for thepast nine years. As well as the expected updates, it contains new thinking ongetting the best of two worlds: source builds and prebuilt binaries. Thisfits well into a landscape where reproducibility and software traceability,all the way through to device updates, are increasingly important to handlecomplex security issues.

Security updates have been issued by Arch Linux (kernel, linux-lts, and linux-zen), CentOS (kernel, sudo, and thunderbird), Debian (linux-4.9), Fedora (samba), openSUSE (apache2-mod_auth_openidc, kernel, qemu, rsyslog, and ucode-intel), Oracle (kernel), Red Hat (kernel and kernel-rt), Scientific Linux (kernel), SUSE (kernel and microcode_ctl), and Ubuntu (kernel, libjpeg-turbo, linux, linux-hwe, linux-oem, linux, linux-hwe, linux-oem-osp1, and qemu).

The LWN.net Weekly Edition for November 14, 2019 is available.

Digging into the email that provides the cornerstone of Linux kerneldevelopment is an endeavor that has become more popular over the last fewyears. There are some practical reasons for analyzing thekernel mailing lists and for correlating that information with the patchesthat actually reach the mainline, including tracking the path thatpatches take—or don't take. Three researchers reported on some effortsthey have made on kernel email analysis at the 2019Embedded Linux Conference Europe (ELCE), held in late October in Lyon, France.

The Bytecode Alliance is anindustry partnership with the aim of forging WebAssembly’s outside-the-browserfuture by collaborating on implementing standards and proposing newones. The newlyformed alliance has "a vision of a WebAssembly ecosystem that issecure by default, fixing cracks in today’s softwarefoundations". The alliance is currently working on a standaloneWebAssembly runtime, two use-case specific runtimes, runtime components,and language tooling.

This year saw the second edition of the AutomatedTesting Summit (ATS) and the first that was open to all. Last year's ATS was an invitation-onlygathering of around 35 developers (that was described in an LWN article),while this year's event attractedaround 50 attendees; both were held in conjunction with theEmbedded Linux Conference Europe (ELCE), in Edinburgh, Scotland for 2018and in Lyon, France this year. The basic problem has not changed—morecollaboration is needed between the different kernel testing systems—butthe starting points have been identified and work is progressing, albeitslowly. Part of the problem, of course, is that all of these testingefforts have their own constituencies and customers, who must be kept upand running, even while any of this collaborative development is going on.

Security updates have been issued by Debian (dpdk, intel-microcode, kernel, libssh2, qemu, and webkit2gtk), Fedora (apache-commons-beanutils, bluez, iwd, kernel, kernel-headers, kernel-tools, libell, and microcode_ctl), openSUSE (gdb), Oracle (kernel), Red Hat (kernel and kernel-rt), SUSE (dhcp, evolution, kernel, libcaca, python, python-xdg, qemu, sysstat, ucode-intel, and xen), and Ubuntu (dpdk, intel-microcode, kernel, linux, linux-aws, linux-kvm, linux, linux-lts-trusty, linux-azure, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-kvm, linux-oem-osp1, linux-oracle, linux-raspi2, linux-lts-xenial, linux-aws, linux-raspi2, and webkit2gtk).

A set of patches has just been pushed into the mainline repository (andstable updates) for yetanother set of hardware vulnerabilities. "TSX async abort" (or TAA)exposes information through the usual side channels by way of internalbuffers used with the transactional memory (TSX) instructions. Mitigationis done by disabling TSX or by clearing the relevant buffers when switchingbetween kernel and user mode. Given that this is not the first problemwith TSX, disabling it entirely is recommended; a microcode update may beneeded to do so, though. This commit containsdocumentation on this vulnerability and its mitigation.There are also fixes for another vulnerability:it seems that accessing a memory address immediately after the size of thepage containing it was changed (from a regular to a huge page, forexample) can cause the processor to lock up. This behavior is consideredundesirable by many. The vulnerability onlyexists for pages marked as executable; the mitigation is to force allexecutable pages to be the regular, 4K page size.

Stable kernels 5.3.11, 4.19.84, 4.14.154, 4.9.201, and 4.4.201 have been released. They all containimportant fixes and users should upgrade.

Security updates have been issued by Fedora (community-mysql, crun, java-latest-openjdk, and mupdf), openSUSE (libssh2_org), and SUSE (go1.12, libseccomp, and tar).

Many community-based Linux distributions have made the decision to switchto systemd, and most of those decisions were accompanied by lengthy,sometimes acrimonious mailing-list discussions. No distribution had aharder time of it than Debian, though, where arguments raged through muchof 2013 before the Debian Technical Committee decided on systemd in early 2014. Thereafter,it is fair to say,appetite for renewing the init-system discussion has been low. Now,though, the topic has returned to the fore andit would appear that the project is heading toward a new generalresolution to decide at what level init systems other than systemd shouldbe supported.

The Free Software Foundation's Respects Your Freedom program provides acertification for hardware that supports your freedom. A new website listing certified products has beenlaunched. "In 2012, when we announced the first certification,we hosted information about the program and retailers as a simple page onthe Free Software Foundation (FSF) Web site. With only one retailer sellingone device, this was certainly satisfactory. As the program grew, we addedeach new device chronologically to that page, highlighting the newestcertifications. We are now in a place where eight different retailers havegained nearly fifty certifications [...]. With so many devices available, across so many different device categories, it was getting more difficult for users to find what they were looking for in just a plain chronological list."

Stable kernels 5.3.10, 4.19.83, 4.14.153, 4.9.200, and 4.4.200 have been released.They all contain important fixes and users should upgrade.