LWN.net

Security updates have been issued by Debian (poppler), Fedora (koji and libofx), Gentoo (adobe-flash), Oracle (kernel), Red Hat (qemu-kvm-rhev and sensu), and Scientific Linux (firefox).

The LWN.net Weekly Edition for April 12, 2018 is available.

A "simple" utility to make a system beep is hardly the first place one wouldcheck for security flaws, but the strange case of the "Holey Beep"should perhaps lead to some rethinking. A Debian advisory for the beep utility, which was followedby another for Debian LTS, led to aseemingly satirical site publicizingthe bug (and giving it the "Holey Beep" name). But that site also exploitsa new flaw in the GNUpatch program—and the increased scrutiny on beep hasled to more problems being found.

The Python Package Index (PyPI) isthe principal repository of libraries for the Python programming language,serving more than 170 million downloads each week. Fifteen years after PyPIlaunched, a new edition is in beta at pypi.org, with features like bettersearch, a refreshed layout, and Markdown README files(and with some old features removed, like viewing GPG package signatures). StartingApril 16, users visiting the site or running pip install willbe seamlessly redirected to the new site. Two weeks after that, the legacy site isexpected to be shut down and the team will turn toward newfeatures; in the meantime, it is worth a look at what the new PyPI bringsto the table.

Security updates have been issued by Debian (pcs), Fedora (drupal7), openSUSE (git and mercurial), Red Hat (firefox and qemu-kvm-rhev), SUSE (libvirt and xen), and Ubuntu (patch).

Car manufacturers, like most companies, navigate a narrow lane between thebenefits of using free and open-source software and the perceived or realimportance of hiding their trade secrets. Many are usingfree software in some of the myriad software components that make up amodern car, and even work in consortia to develop free software. At therecent LibrePlanetconference, free-software advocate Jeremiah Foster covered progress in theautomotive sector and made an impassioned case for more free software in theirembedded systems.Subscribers can read on for a report on the talk by guest author Andy Oram.

Red Hat has announcedthe general availability of Red Hat Enterprise Linux 7.5. This versionfeatures enhanced hybrid cloud security and compliance, improved storageperformance and efficiency, simplified management, and production-readyLinux containers. RHEL 7.5 is available for x86, IBM Power, IBM z Systems, and 64-bit Arm. This release also brings support for single-host KVM virtualization and Open Container Initiative (OCI)-formatted runtime environment and base image to IBM z Systems.

The 3.18.104 kernel has been released witha single bugfix. If you had build errors in 3.18.103 then this update isfor you, otherwise there is no need to upgrade.

Security updates have been issued by CentOS (libvorbis and thunderbird), Debian (pjproject), Fedora (compat-openssl10, java-1.8.0-openjdk-aarch32, libid3tag, python-pip, python3, and python3-docs), Gentoo (ZendFramework), Oracle (thunderbird), Red Hat (ansible, gcc, glibc, golang, kernel, kernel-alt, kernel-rt, krb5, kubernetes, libvncserver, libvorbis, ntp, openssh, openssl, pcs, policycoreutils, qemu-kvm, and xdg-user-dirs), SUSE (openssl and openssl1), and Ubuntu (python-crypto, ubuntu-release-upgrader, and wayland).

Jim Gettys refutesthe claim that the early designers of Internet software were notconcerned about security. "Government export controls crippledInternet security and the design of Internet protocols from the verybeginning: we continue to pay the price to this day".

Several security vulnerabilities were found in Etherpad and version1.6.4 has been released with fixes. The vulnerabilities includearbitrary code execution and information disclosure. Site admins are urgedto update Etherpad to 1.6.4 as soon as possible.

Security updates have been issued by Arch Linux (openssl and zziplib), Debian (ldap-account-manager, ming, python-crypto, sam2p, sdl-image1.2, and squirrelmail), Fedora (bchunk, koji, libidn, librelp, nodejs, and php), Gentoo (curl, dhcp, libvirt, mailx, poppler, qemu, and spice-vdagent), Mageia (389-ds-base, aubio, cfitsio, libvncserver, nmap, and ntp), openSUSE (GraphicsMagick, ImageMagick, spice-gtk, and wireshark), Oracle (kubernetes), Slackware (patch), and SUSE (apache2 and openssl).

The Linux network stack does not lack for features; it also performs wellenough for most uses. At the highest network speeds, though, any overheadat all is too much; that has driven the most demanding users towardspecialized, user-space networking implementations that can outperform thekernel for highly constrained tasks. The express data path (XDP)development effort is an attempt to win those users back, with some apparentsuccess so far. With the posting of the AF_XDP patch set by Björn Töpel,another piece of the XDP puzzle is coming into focus.

The4.16.1,4.15.16,4.14.33,4.9.93,4.4.127, and3.18.103stable kernels have all been released; each contains a fairly long list ofimportant fixes.

As the 4.17 merge window opened, it seemedpossible that the kernel lockdown patch set could be merged at last.That was before the linux-kernel mailing list got its hands on the issue.What resulted was not one of the kernel community's finest moments. But itdid result in a couple of evident conclusions: kernel lockdown will almostcertainly not bemerged for 4.17, but something that looks very much like it is highlylikely to be accepted in a subsequent merge window.

Security updates have been issued by Debian (sharutils), Fedora (firefox, httpd, and mod_http2), openSUSE (docker-distribution, graphite2, libidn, and postgresql94), Oracle (libvorbis and thunderbird), Red Hat (libvorbis, python-paramiko, and thunderbird), Scientific Linux (libvorbis and thunderbird), SUSE (apache2), and Ubuntu (firefox, linux-lts-xenial, linux-aws, and ruby1.9.1, ruby2.0, ruby2.3).

As of this writing, 5,392 non-merge changesets have been pulled into themainline repository for the 4.17 release. The 4.17 merge window is thusoff to a good start, but it is far from complete. The changes pulled thusfar cover a wide part of the core kernel as well as the networking, driver,and filesystem subsystems.

Security updates have been issued by Arch Linux (drupal), Debian (openjdk-7), Fedora (exempi, gd, and tomcat), SUSE (python-paramiko), and Ubuntu (kernel, libvncserver, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-lts-trusty, and linux-raspi2).

The LWN.net Weekly Edition for April 5, 2018 is available.

It has been known for quite some time that Python 2 will reach its endof life in 2020—after being extended by five years from its original 2015expiry. After that, there will be no support, bug fixes, or security patches forPython 2, at least from the Python Software Foundation and the coredevelopers. Some distributions will need to continue to support the finalPython 2 release, however, since their support windows extend pastthat date; the enterprise and long-term support distributions willlikely be supporting it well into the 2020s and possibly beyond. But evenshorter-support-cycle distributions need to consider their plan for asweeping change of this sort—in less than two years.

Security updates have been issued by Debian (apache2, ldap-account-manager, and openjdk-7), Fedora (libuv and nodejs), Gentoo (glibc and libxslt), Mageia (acpica-tools, openssl, and php), SUSE (clamav, coreutils, and libvirt), and Ubuntu (kernel, libraw, linux-hwe, linux-gcp, linux-oem, and python-crypto).

The Linux Foundation and Nitrokey have announceda program whereby anybody who appears in the kernel's MAINTAINERS file orwho has a kernel.org email address can obtain a free Nitrokey Start crypto card. Theintent, of course, is that kernel developers will use these devices tosafeguard their GnuPG keys and, as a result, improve the security of thekernel development process as a whole. "A digital smartcard tokenlike Nitrokey Start contains a cryptographic chip that is capable ofstoring private keys and performing crypto operations directly on the tokenitself. Because the key contents never leave the device, the operatingsystem of the computer into which the token is plugged in is not able toretrieve the private keys themselves, therefore significantly limiting theways in which the keys can be leaked or stolen."See this LWN article for a look at crypto cards.

One of the trickiest aspects to concurrency in the kernel is waiting for aspecific event to take place. There is a wide variety of possible events,including a process exiting, the last reference to a data structure goingaway, a device completing an operation, or a timeout occurring.Waiting is surprisingly hard to get right — race conditions abound to trapthe unwary — so the kernel hasaccumulated a large set of wait_event_*() macros to make the task easier. Anattempt to add a new one, though, has led to the generalization of specifictypes of waits for 4.17.

Many large institutions, especially government agencies, would like todistribute their software—including the software of the vendors with whomthey contract—as free software. They have a variety of reasons, rangingfrom the hope that opening the code will boost its use, all the way toa mature understanding of the importance of community, transparency, andfreedom. There are special steps institutions can take to help ensure success,some stemming from best practices performed by many free-software projectsand others specific to large organizations. At the 2018 LibrePlanet conference,Cecilia Donnelly laid out nine principles for the successful creation and maintenance of a software project under thesecircumstances.

Security updates have been issued by Debian (beep and jruby), Fedora (libvncserver), and Ubuntu (openjdk-7 and openjdk-8).

Version 2.17.0 of the Git source-code management system is out. Itincludes a long list of relatively minor tweaks. "Since Git 1.7.9,'git merge' defaulted to --no-ff (i.e. even when the side branch beingmerged is a descendant of the current commit, create a merge commit insteadof fast-forwarding) when merging a tag object. This was appropriatedefault for integrators who pull signed tags from their downstreamcontributors, but caused an unnecessary merges when used by downstreamcontributors who habitually 'catch up' their topic branches with taggedreleases from the upstream. Update 'git merge' to default to --no-ff onlywhen merging a tag object that does *not* sit at its usual place inrefs/tags/ hierarchy, and allow fast-forwarding otherwise, to mitigate theproblem."

The GnuCash 3.0 release is out. "The headline item for this release is that GnuCash now uses the Gtk+-3.0Toolkit and the WebKit2Gtk API. This change was forced on us by some majorLinux distributions dropping support for the WebKit1 API." Thisrelease also includes some new reports, a rewritten CSV importer, andmore. LWN looked at GnuCash from abusiness-accounting point of view in August 2017.

The OpenBSD 6.3 release is out. "The release was scheduled for April15, but since all the components are ready ahead of schedule it is beingreleased now." This release includes mitigation for the Meltdownvulnerability but not for Spectre on x86.

The UEFI secure boot mechanism is intended to protect the system againstpersistent malware threats — unpleasant bits of software attached to theoperating system or bootloader that will survive a reboot. While Linuxhas supported secure boot for some time, proponents have long said thatthis support is incomplete in that it is still possible for the root userto corrupt the system in a number of ways. Patches that attempt toclose this hole have been circulating for years, but they have beencontroversial at best. This story may finally come to a close, though, ifLinus Torvalds accepts the "kernel lockdown" patch series during the 4.17merge window.

Security updates have been issued by Debian (dovecot, irssi, libevt, libvncserver, mercurial, mosquitto, openssl, python-django, remctl, rubygems, and zsh), Fedora (acpica-tools, dovecot, firefox, ImageMagick, mariadb, mosquitto, openssl, python-paramiko, rubygem-rmagick, and thunderbird), Mageia (flash-player-plugin and squirrelmail), Slackware (php), and Ubuntu (dovecot).

Linus has released the 4.16 kernel, asexpected. "We had a number of fixes and cleanups elsewhere, but noneof it made me go 'uhhuh, better let this soak for another week'".Some of the headline changes in this release include initial support forthe Jailhousehypervisor, the usercopy whitelistinghardening patches, some improvements to the deadline scheduler and, ofcourse, a lot of Meltdown and Spectre mitigation work.

The stable kernel update machine continues to generate releases:4.15.15,4.14.32,4.9.92, and4.4.126 are now available with another setof important fixes.

Terminals have a special place in computing history, surviving alongwith the command line in the face of the rising ubiquity of graphicalinterfaces. Terminal emulators have replacedhardwareterminals, which themselves were upgrades from punched cards and toggle-switch inputs. Modern distributions now ship with asurprising variety of terminal emulators. While some people may behappy with the default terminal provided by their desktop environment,others take great pride at using exotic software for running theirfavorite shell or text editor. But as we'll see in this two-part series,not all terminals are created equal: they vary wildly in terms of functionality, size, andperformance.

Security updates have been issued by Debian (memcached, openssl, openssl1.0, php5, thunderbird, and xerces-c), Fedora (python-notebook, slf4j, and unboundid-ldapsdk), Mageia (kernel, libvirt, mailman, and net-snmp), openSUSE (aubio, cacti, cacti-spine, firefox, krb5, LibVNCServer, links, memcached, and tomcat), Slackware (ruby), SUSE (kernel and python-paramiko), and Ubuntu (intel-microcode).

The kernel development community has consistently resisted adding anyformal notion of what a "container" is to the kernel. While the neededbuilding blocks (namespaces, control groups, etc.) are provided, it is upto user space to assemble the pieces into the sort of containerimplementation it needs. This approach maximizes flexibility and makes itpossible to implement a number of different container abstractions, but italso can make it hard to associate events in the kernel with the containerthat caused them. Audit container IDs are an attempt to fix that problemfor one specific use case; they have not been universally well received inthe past, but work on this mechanism continues regardless.

The Rust team has announcedthe release of Rust 1.25.0. "The last few releases have beenrelatively minor, but Rust 1.25 contains a bunch of stuff! The first one isstraightforward: we’ve upgraded to LLVM 6from LLVM 4. This has a number of effects, a major one being a step closerto AVR support." See the releasenotes for details.

Greg Kroah-Hartman has announced the release of the 4.15.14, 4.14.31, 4.9.91, and 4.4.125 stable kernels. As usual, theycontain a wide array of fixes throughout the kernel tree; users shouldupgrade.

Security updates have been issued by Debian (drupal7, graphicsmagick, libdatetime-timezone-perl, thunderbird, and tzdata), Fedora (gd, libtiff, mozjs52, and nmap), Gentoo (thunderbird), Red Hat (openstack-tripleo-common, openstack-tripleo-heat-templates and sensu), SUSE (kernel, libvirt, and memcached), and Ubuntu (icu, librelp, openssl, and thunderbird).

The LWN.net Weekly Edition for March 29, 2018 is available.

It has only been a few years since DNF replaced Yum as the default Fedorapackage-management tool; that was done for Fedora 22 in 2015, thoughDNF had been available for several earlier Fedora releases. Since thattime, DNF development has proceeded; it started a move from Python/C to all C in2016 and has made multiple releases over the years. From an outsider'sperspective, no major changes seem necessary, which makes the announcementof DNF 3, and a move to C++, a bit surprising to some.

We may need Tor, "the onion router",more than we ever imagined. Authoritarian states are blocking more and more websites and snoopingon their populations online—even routine tracking of our onlineactivities can reveal information that can be used to underminedemocracy. Thus, there was strong interest in the "State of the Onion"panel at the 2018 LibrePlanet conference, wherefour contributors to the Tor project presented a progress update covering thepast few years.Subscribers can read on for a report on the panel by guest author Andy Oram.

The Drupal security team has sent out a "highly critical"alert: "A remote code execution vulnerability exists withinmultiple subsystems of Drupal 7.x and 8.x. This potentially allowsattackers to exploit multiple attack vectors on a Drupal site, which couldresult in the site being completely compromised." This seems worthavoiding; updating to the current version is the way to do that. There isan FAQ pagewith a little more information.

Per Bothner has released DomTerm 1.0. Since DomTerm was coveredhere in January 2016, many features have been added or enhanced. (Seethis articleon opensource.com.)DomTerm is a mostly-xterm-compatible terminal emulator, but the output canbe graphics, rich text, and other html, so it is suitable as a REPL for aprogram like gnuplot. Other major features include screen/tmux-style tiling and detachablesessions, readline-style input editing (integrated with mouse andclipboard), and opening an editor when clicking an error message.

The security-focused distribution Qubes OS has releasedversion 4.0. "This release delivers on the features we promised inour announcementof Qubes 4.0-rc1, with some course corrections along the way, such asthe switch from HVM to PVH for most VMs in response to Meltdownand Spectre. For more details, please see the full Release Notes."

Many people have seen music visualizations before, whether in a musicplayer on their computer, at a live concert, or possibly on a home stereosystem. Those visualizations may have been generated using the open-sourcemusic-visualization software library that is part of projectM.Software-based abstract visualizers first appeared along with early MP3 music players as asort of nifty thing to watch along with listening to your MP3s. One ofthe most powerful and innovative of these was a plugin for Winamp known asMilkDrop, which wasdeveloped by a Nullsoft (and later NVIDIA) employee named Ryan Geiss. The plugin wasextensible by using visualizationequation scripts (also known as "presets").Subscribers can read on for a look at projectM by guest author (andprojectM maintainer) Mischa Spiegelmock.

Security updates have been issued by CentOS (slf4j), Debian (firefox-esr, mupdf, net-snmp, and samba), Fedora (apache-commons-compress, calibre, chromium, glpi, kernel, libvncserver, libvorbis, mozjs52, ntp, slurm, sqlite, and wireshark), openSUSE (librelp), SUSE (librelp, LibVNCServer, and qemu), and Ubuntu (firefox and zsh).

Kernel developers go to some lengths to mark read-only data so that it canbe protected by the system's memory-management unit.Memory that cannot be changed cannot be altered by an attacker to corrupt thesystem. But the kernel's mechanisms for managing read-only memory do notwork for memory that must be initialized after the initial system bootstraphas completed. A patch set from Igor Stoppaseeks to change that situation by creating a new API just forlate-initialized read-only data.

Kubernetes 1.10 has been released. "This newest version stabilizes features in 3 key areas, including storage, security, and networking. Notable additions in this release include the introduction of external kubectl credential providers (alpha), the ability to switch DNS service to CoreDNS at install time (beta), and the move of Container Storage Interface (CSI) and persistent local volumes to beta."

Techdirt reportsthat the US Court of Appeals for the Federal Circuit (CAFC) has resurrectedOracle's copyright claim against Google for its use of the Java APIs inAndroid. "Honestly, the most concerning part of the whole thing ishow much of a mess CAFC has made of the whole process. The court ruledcorrectly originally that APIs are not subject to copyright. CAFC threwthat out and ordered the court to have a jury determine the fair usequestion. The jury found it to be fair use, and even though CAFC hadordered the issue be heard by a jury, it now says 'meh, we disagree withthe jury.' That's... bizarre."

Security updates have been issued by Debian (firefox-esr, irssi, and librelp), Gentoo (busybox and plib), Mageia (exempi and jupyter-notebook), openSUSE (clamav, dhcp, nginx, python-Django, python3-Django, and thunderbird), Oracle (slf4j), Red Hat (slf4j), Scientific Linux (slf4j), Slackware (firefox), SUSE (librelp), and Ubuntu (screen-resolution-extra).