Security updates have been issued by Arch Linux (firefox and python-django), Debian (dnsmasq, firefox-esr, imagemagick, and linux-4.9), Fedora (haproxy), openSUSE (bitcoin, firefox, and texlive), SUSE (openslp), and Ubuntu (apache2).
At the 2018 X.Org DevelopersConference (XDC) in A Coruña, Spain, Daniel Stone gave an update on thestatus of freedesktop.org,which serves multiple projects as a hosting site for code, mailing lists,specifications, and more. As its name would imply, it started out with a focus on freedesktops and cross-desktop interoperability, but it lost that focus—alongwith its focus in general—along the way. He recapped the journey of fd.o (as it is often known) and unveiledsome idea of where it may be headed in the future.
Security updates have been issued by Fedora (elfutils), Gentoo (firefox), Red Hat (instack-undercloud, openstack-tripleo-heat-templates and openstack-nova), Slackware (mozilla), SUSE (ghostscript, ImageMagick, kernel, mgetty, qemu, and unzip), and Ubuntu (firefox, haproxy, kernel, liblouis, and webkit2gtk).
Back in the halcyon days of the previous century, those with a technicalinclination often became overly acquainted with modems—not just the strange sounds theymade when connecting, but the ATcommands that were used to control them. While the AT command set isstill in use (notably for GSM networks), it is generallyhidden these days. But some security researchers have found that Android phonesoften make AT commands available via their USB ports, which is somethingthat can potentially be exploited by rogue USB devices of various sorts.
One of the most common tasks carried out by device drivers is settingup DMA operations for data transfers between main memory and the device. Often,data read into memory from one device will be immediately written, unchanged,to another device. Common examples include carrying the image between thecamera and screen on a mobile phone, or downloading files to be saved on adisk. Those transfers have an impact on the CPU even if it does not use thedata directly, due to higher memory use and effects likecache trashing. There are cases where it is possible to avoid usage of thesystem memory completely, though. A patch set (posted by Logan Gunthorpe withcontributions by Christoph Hellwig and Steve Wise)has been in the works for some time that addresses this case for PCIdevices using peer-to-peer (P2P) transfers, with a focus on offering anoffload option for the NVMe fabrics target subsystem.
The Linux Security Module (LSM) subsystem allows securitymodules to hook into many low-level operations within the kernel; modulescan use those hooks to examine each requested operation and decide whetherit should be allowed to proceed or not. In theory, just about everylow-level operation is covered by an LSM hook; in practice, there are somegaps. A discussion regarding one of those gaps — low-levelioctl() operations on XFS filesystems — has revealed a thornyproblem and a significant difference of opinion on what the correctsolution is.
Security updates have been issued by Arch Linux (lib32-libxml2, libxml2, mosquitto, and ntp), Debian (kernel and strongswan), Fedora (firefox), openSUSE (zsh), Oracle (kernel), Red Hat (ceph-iscsi-cli), SUSE (openssl-1_0_0), and Ubuntu (kernel, linux, linux-aws, linux-gcp, linux-kvm, linux-oem, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-hwe, linux-gcp, linux-lts-trusty, linux-lts-xenial, linux-aws, and strongswan).
Version1.0 of the Stratis storage-management system (covered here in May) has been released."After two years of development, Stratis 1.0 has stabilized itson-disk metadata format and command-line interface, and is ready for morewidespread testing and evaluation by potential users." See the FAQ for moreinformation.
Security updates have been issued by Arch Linux (mediawiki), CentOS (389-ds-base, firefox, flatpak, kernel, mod_perl, nss, spice and spice-gtk, and spice-gtk and spice-server), Debian (389-ds-base, ghostscript, mosquitto, and python3.5), Fedora (ca-certificates, firefox, glusterfs, kernel-headers, kernel-tools, libxkbcommon, udisks2, and zchunk), Mageia (firefox), openSUSE (gd, gnutls, mgetty, openssl, and yast2-smt), Oracle (firefox and kernel), Scientific Linux (firefox), SUSE (libX11 and openssl-1_1), and Ubuntu (bind9 and ghostscript).
The 4.19-rc6 kernel prepatch is out."As always, please go test and report any problems. It all 'justworks' on my systems, and I have not heard of any major outstanding issuesas of this point in time."
One of the key aspects of hardening the user-space side of an operatingsystem is to provide mechanisms for restricting which parts of thefilesystem hierarchy a given process can access. Linux has a number ofmechanisms of varying capability and complexity for this purpose, but otherkernels have taken a different approach. Over the last few months, OpenBSDhas inaugurated a new system call named unveil() for thistype of hardening that differs significantly from the mechanisms found inLinux.
Nuitka is a compilerfor the Python 2.7 and 3.7 languages; version 0.6.0 isnow available. "This release adds massive improvements for optimization and a couple of bug fixes.It also indicates reaching the mile stone of doing actual type inference,even if only very limited." At this point, the claim is that allPython language features have been implemented, so the focus is shiftingtoward optimization.
Security updates have been issued by Debian (libxml2 and python2.7), Fedora (hylafax+, lcms2, libbson, moodle, mozilla-noscript, visualboyadvance-m, and yum-utils), openSUSE (dom4j and php7), Oracle (firefox), Red Hat (firefox and qemu-kvm-rhev), SUSE (gnutls, kernel, openssl, smt, smt, yast2-smt, xorg-x11-libX11, and yast2-smt), and Ubuntu (mutt).
Security updates have been issued by Debian (asterisk, otrs2, and strongswan), Fedora (kernel-headers, moodle, ntp, visualboyadvance-m, and yaml-cpp), Mageia (rsyslog), openSUSE (ant, libzypp, zypper, shadow, and tiff), Oracle (389-ds-base, flatpak, kernel, nss, and openssl), Red Hat (rh-perl524-mod_perl and rh-perl526-mod_perl), Scientific Linux (389-ds-base, flatpak, kernel, and nss), SUSE (firefox, gd, glibc, kernel, mgetty, php7, and wireshark), and Ubuntu (udisks2).
The BBC talkedwith Linus Torvalds about recent events. "Will everybody behappy? No. People who don't like my blunt behaviour even when I'm not beingactively nasty about it will just see that as 'look, nothing changed'. I'mtrying to get rid of my outbursts, and be more polite about things, buttechnically wrong is still technically wrong, and I won't start acceptingbad code just to make people feel better about themselves."
The kernel address sanitizer (KASAN) is akernel debugging tool meant to catch incorrect use of kernel pointers. Itis an effective tool, if the number of KASAN-based bug reports showing upon the mailing lists is any indication. The downside of KASAN is asignificant increase in the amount of memory used by a running system. Thesoftware-tag-basedmode proposed by Andrey Konovalov has the potential to address thatproblem, but it brings some limitations of its own.
For anybody who has been concerned by the talk from a few outsiders aboutrevoking GPL licensing, thisnew section in the Software Freedom Conservancy's copyleft guide isworth a read.Thus, anyone downstream of the contributor (which is anyone using thecontributor’s code), has an irrevocable license from the contributor. Acontributor may claim to revoke their grant, and subsequently sue forcopyright infringement, but a court would likely find the revocation wasineffective and the downstream user had a valid license defense to a claimof infringement.Nevertheless, for purposes of argument, we will assume that for some reasonthe GPLv2 is not enforceable against the contributor, or that theirrevocable license can be revoked. In that case, the application ofpromissory estoppel will likely mean that the contributor still cannotenforce their copyright against downstream users.
The dust has begun to settle after the abrupt decisions by Linus Torvaldsto take a break from kernel maintainership and to adopt a code of conductfor the community as a whole. Unsurprisingly, the development community,most of which was not consulted prior to the adoption of this code, has alot of questions about it and a number of concerns. While many of theanswers to those questions will be a while in coming, a few things arebeginning to come into focus.
Jann Horn describesCVE-2018-17182, a locally exploitable memory-management bug in thekernel, in great detail. "Fundamentally, this bug can be triggeredby any process that can run for a sufficiently long time to overflow thereference counter (about an hour if MAP_FIXED is usable) and has theability to use mmap()/munmap() (to manage memory mappings) and clone() (tocreate a thread). These syscalls do not require any privileges, and theyare often permitted even in seccomp-sandboxed contexts, such as the Chromerenderer sandbox (mmap, munmap, clone), the sandbox of the main gVisor hostcomponent, and Docker's seccomp policy."
When last we looked at the WireGuard VPN code and its progresstoward mainline inclusion, said progress was impeded by disagreements aboutthe new "Zinc"cryptographic library that is added by the WireGuard patches. Since thatAugust look, several more versions of WireGuard and Zinc have been posted; it would seem that Zinc is gettingcloser to being accepted. Once that happens, the networking developers arepoised to review that portion of the code, which likely will leadto WireGuard in the kernel some time in the next development cycle or two.
Stable kernels 4.18.10, 4.14.72, 4.9.129, 4.4.158, and 3.18.123 have been released. They all containimportant fixes throughout the tree and users should upgrade.
Security updates have been issued by Debian (python2.7 and python3.4), openSUSE (php5-smarty3), Oracle (389-ds-base, flatpak, kernel, and nss), Red Hat (389-ds-base, chromium-browser, flatpak, kernel, kernel-alt, kernel-rt, nss, and qemu-kvm-ma), and SUSE (ant, dom4j, kernel, and wireshark).
Security updates have been issued by Arch Linux (strongswan and zsh), Debian (dom4j and polarssl), openSUSE (apache2, gd, gnutls, GraphicsMagick, nodejs8, php7, and shadow), Oracle (mod_perl), Red Hat (mod_perl), Scientific Linux (mod_perl), SUSE (ant, gd, gnutls, java-1_8_0-ibm, libXcursor, mgetty, pam_pkcs11, php7, python-paramiko, shadow, and tiff), and Ubuntu (strongswan).
The 4.19-rc5 kernel prepatch has beenreleased by Greg Kroah-Hartman. "As almost everyone knows, it's beenan 'interesting' week from a social point-of-view. But from the technicalside, -rc5 looks totally normal."
The kernel's namespace abstraction allowsdifferent groups of processes to have different views of the system. Thisfeature is most often used with containers; it allows each container tohave its own view of the set of running processes, the network environment,the filesystem hierarchy, and more. One aspect of the system that remainsuniversal, though, is the concept of the system time. The recently postedtimenamespace patch set (from Dmitry Safonov with a lot of work by AndreiVagin) seeks to change that.
The Ubuntu blog has announced the release of version 1.0.0 of the Mir display server. "Whether for building a device or for writing a shell for the desktop, Mir can give you a graphics stack that is fast, light, and secure. The Mir graphical stack works across different graphics platforms and driver models and is easy to integrate into your kiosk, digital signage, or purpose built graphical solution. It was first conceived over 6 years ago as part of an initiative by Canonical to unify the graphical environment across all devices, including desktop, TV, and mobile devices and continues to be developed with new features and modern standards."
Security updates have been issued by Debian (hylafax, sympa, and texlive-bin), Fedora (curl and gitolite3), Mageia (bouncycastle, ghostscript, and libx11), openSUSE (webkit2gtk3), Oracle (spice and spice-gtk and spice-gtk and spice-server), Red Hat (rubygem-smart_proxy_dynflow, spice and spice-gtk, and spice-gtk and spice-server), Scientific Linux (spice and spice-gtk and spice-gtk and spice-server), and SUSE (ImageMagick, kernel, liblouis, openslp, and python-paramiko).
Security updates have been issued by Debian (glusterfs, php5, reportbug, and suricata), openSUSE (chromium and exempi), Red Hat (openstack-rabbitmq-container), SUSE (couchdb, crowbar, crowbar-core, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui, gdm, OpenStack, pango, and webkit2gtk3), and Ubuntu (bind9, lcms, lcms2, and lcms2).
A story in The New Yorker magazine may help explain some of the timing of the recent upheavals in kernel-land. Longtime followers of kernel development will find the article to be a mixed bag—over the top in spots, fairly accurate elsewhere. "Torvalds’s decision to step aside came after The New Yorker asked him a series of questions about his conduct for a story on complaints about his abusive behavior discouraging women from working as Linux-kernel programmers. In a response to The New Yorker, Torvalds said, 'I am very proud of the Linux code that I invented and the impact it has had on the world. I am not, however, always proud of my inability to communicate well with others—this is a lifelong struggle for me. To anyone whose feelings I have hurt, I am deeply sorry.'"
Android's ProjectTreble is meant as a way to reduce the fragmentation in the Androidecosystem. It also makes porting Android 8 ("Oreo"—the first versionto mandate Treble) more difficult, according to Fedor Tcymbal. Hedescribed the project and what it means for silicon and device vendors in atalk atOpenSource Summit North America 2018 in Vancouver, Canada.
Facebook runs a lot of programs and it tries to pack as many as it can ontoeach machine. That means running close to—and sometimes beyond—theresource limits on any given machine. How the system reacts when, for example,memory is exhausted, makes a big difference in Facebook getting its workdone. Tejun Heo came to 2018 Open Source Summit North America to describe the resource controlwork that has been done by the team he works on at Facebook.
Version 7.0.0 of the LLVM compiler suite is out."It is the result of the community's workover the past six months, including: function multiversioning in Clangwith the 'target' attribute for ELF-based x86/x86_64 targets, improvedPCH support in clang-cl, preliminary DWARF v5 support, basic supportfor OpenMP 4.5 offloading to NVPTX, OpenCL C++ support, MSan, X-Rayand libFuzzer support for FreeBSD, early UBSan, X-Ray and libFuzzersupport for OpenBSD, UBSan checks for implicit conversions, manylong-tail compatibility issues fixed in lld which is now productionready for ELF, COFF and MinGW, new tools llvm-exegesis, llvm-mca anddiagtool".The list of new featuresis long; see theoverall release notes,theClang release notes,theClang tools release notes, and theLLD linker release notes for more information.
A couple of surprising things happened in the kernel community onSeptember 16: Linus Torvalds announcedthat he was taking a break from kernel development to focus on improvinghis own behavior, and the longstanding "code of conflict" was replacedwith a code of conduct based on the ContributorCovenant. Those two things did not quite come packaged as a set, butthey are clearly not unrelated. It is atime of change for the kernel project; there will be challenges to overcomebut, in the end, less may change than many expect or fear.
Security updates have been issued by Fedora (ghostscript, icu, nspr, nss, nss-softokn, nss-util, and okular), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, OpenStack Platform, openstack-neutron, and openstack-nova), and Ubuntu (clamav and php5, php7.0, php7.2).
The PostgreSQL community has, after an extended discussion, announced theadoption of a codeof conduct "which is intended toensure that PostgreSQL remains an open and enjoyable project for anyone tojoin and participate in".
Versity Software has announced that it has released ScoutFS under GPLv2. "ScoutFS is the first GPL archiving file system ever released, creating aninherently safer and more user friendly option for storing archival datawhere accessibility over very large time scales, and the removal of vendorspecific risk is a key consideration."
SpamAssassin 3.4.2 is out, the first release from this spam-filteringproject since 3.4.1 came out in April 2015. It fixes some remotelyexploitable security issues, so SpamAssassin users probably want toupdate in the near future. "The exploit has been seen in the wild but not believe to have beenpurposefully part of a Denial of Service attempt. We are concerned thatthere may be attempts to abuse the vulnerability in the future. Therefore, we strongly recommend all users of these versions upgrade toApache SpamAssassin 3.4.2 as soon as possible."
Behavioral changes can make desktop users grumpy; that is doubly true forchanges that arrive without notice and possibly risk data loss. Such asituation recently arose in the Fedora 29 development branch in theform of a new "suspend-then-hibernate" feature. This feature will almostcertainly be turned off before Fedora 29 reaches an official release,but the discussion and finger-pointing it inspired reveal somesignificant differences of opinion about how this kind of change should bemanaged.
Linus has released 4.19-rc4 and made a setof announcements that should really be read in their entirety."I actually think that 4.19 is looking fairly good,things have gotten to the 'calm' period of the release cycle, and I'vetalked to Greg to ask him if he'd mind finishing up 4.19 for me, sothat I can take a break, and try to at least fix my own behavior."
Linux Journal covers the new Academy Software Foundation (ASWF), which is a project aimed at open-source collaboration in movie-making software that was started by theAcademy of Motion Picture Arts and Sciences (AMPAS) and the Linux Foundation. "Still at the early stages, the ASWF has yet to develop any of its own projects, but there is interest in having them host a number of very popular projects, such as Industrial Light & Magic’s OpenEXR HDR image file format, color management solution OpenColorIO, and OPenVDB, which is used for working with those hard-to-handle objects like clouds and fluids.Along with promoting cooperation on the development of a more robust set of tools for the industry, one of the goals of the organization moving forward is to put out a shared licensing template that they hope will help smooth the tensions over licensing. It follows that with the growth of projects, navigating the politics over usage rights is bound to be a tricky task."
LWN.net