LWN.net


Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2026-01-31 09:00
[$] A proposed API for full-memory encryption
Hardware memory encryption is, or will soon be, available on multiple generic CPUs. In its absence, data is stored — and passes between the memory chips and the processor — in the clear. Attackers may be able to access it by using hardware probes or by directly accessing the chips, which is especially problematic with persistent memory. One new memory-encryption offering is Intel's Multi-Key Total Memory Encryption (MKTME) [PDF]; AMD's equivalent is called Secure Encrypted Virtualization (SEV). The implementation of support for this feature is in progress for the Linux kernel. Recently, Alison Schofield proposed a user-space API for MKTME, provoking a long discussion on how memory encryption should be exposed to the user, if at all.
Security updates for Friday
Security updates have been issued by Debian (drupal7), Fedora (electrum and perl-Email-Address), Mageia (gthumb), openSUSE (gitolite, kernel, krb5, libunwind, LibVNCServer, live555, mutt, wget, and zeromq), SUSE (krb5, mariadb, nodejs4, nodejs8, soundtouch, and zeromq), and Ubuntu (irssi).
[$] Defending against page-cache attacks
The kernel's page cache works to improve performance by minimizing disk I/O and increasing the sharing of physical memory. But, like other performance-enhancing techniques that involve resources shared across security boundaries, the page cache can be abused as a way to extract information that should be kept secret. A recent paper [PDF] by Daniel Gruss and colleagues showed how the page cache can be targeted for a number of different attacks, leading to an abrupt change in how the mincore() system call works at the end of the 5.0 merge window. But subsequent discussion has made it clear that mincore() is just the tip of the iceberg; it is unclear what will really need to be done to protect a system against page-cache attacks or what the performance cost might be.
Stable kernel updates
Stable kernels 4.20.3, 4.19.16, 4.14.94, 4.9.151, and 4.4.171 have been released. They all contain important fixes and users should upgrade.
Security updates for Thursday
Security updates have been issued by CentOS (libvncserver), Debian (sssd), Fedora (kernel and kernel-headers), Red Hat (ansible, openvswitch, pyOpenSSL, python-django, and redis), and Ubuntu (policykit-1).
[$] LWN.net Weekly Edition for January 17, 2019
The LWN.net Weekly Edition for January 17, 2019 is available.
[$] Adiantum: encryption for the low end
Low-end devices bound for developing countries, such as those running the Android Go edition, lack encryption support because the hardware doesn't provide any cryptographic acceleration. That means users in developing countries have no protection for the data on their phones. Google would like to change that situation. The company worked on adding the Speck cipher to the kernel, but decided against using it because of opposition due to Speck's origins at the US National Security Agency (NSA). As a replacement, the Adiantum encryption mode was developed; it has been merged for Linux 5.0.
Security updates for Wednesday
Security updates have been issued by Debian (systemd and wireshark), Fedora (openssh, php-horde-Horde-Form, and unrtf), Mageia (aria2, libvncserver, x11vnc, and nss), Oracle (kernel and libvncserver), Scientific Linux (libvncserver), SUSE (kernel, soundtouch, webkit2gtk3, and wget), and Ubuntu (libcaca and policykit-1).
[$] Ringing in a new asynchronous I/O API
While the kernel has had support for asynchronous I/O (AIO) since the 2.5 development cycle, it has also had people complaining about AIO for about that long. The current interface is seen as difficult to use and inefficient; additionally, some types of I/O are better supported than others. That situation may be about to change with the introduction of a proposed new interface from Jens Axboe called "io_uring". As might be expected from the name, io_uring introduces just what the kernel needed more than anything else: yet another ring buffer.
Google Summer of Code mentor projects sought
It is that time of year again: Google is looking for mentor projects for the 2019 Summer of Code. "GSoC is a global program that draws university student developers from around the world to contribute to open source. Each student spends three months working on a coding project, with the support of volunteer mentors, for participating open source organizations from late May to August. Last year 1,264 students worked with 206 open source organizations." The application deadline is February 6.
[$] Fedora, UUIDs, and user tracking
"User tracking" is generally contentious in free-software communities—even if the "tracking" is not really intended to do so. It is often distributions that have the most interest in counting their users, but Linux users tend to be more privacy conscious than users of more mainstream desktop operating systems. The Fedora project recently discussed how to count its users and ways to preserve their privacy while doing so.
Security updates for Tuesday
Security updates have been issued by Arch Linux (irssi and systemd), CentOS (systemd), Debian (xen and zeromq3), Fedora (gnutls, kernel, kernel-headers, kernel-tools, and nbdkit), Oracle (libvncserver and systemd), Red Hat (libvncserver), and Ubuntu (haproxy, libarchive, and php-pear).
An ancient OpenSSH vulnerability
An advisory from Harry Sintonen describes several vulnerabilities in the scp clients shipped with OpenSSH, PuTTY, and others. "Many scp clients fail to verify if the objects returned by the scp server match those it asked for. This issue dates back to 1983 and rcp, on which scp is based. A separate flaw in the client allows the target directory attributes to be changed arbitrarily. Finally, two vulnerabilities in clients may allow server to spoof the client output." The outcome is that a hostile (or compromised) server can overwrite arbitrary files on the client side. There do not yet appear to be patches available to address these problems.
Security updates for Monday
Security updates have been issued by Arch Linux (python-django and python2-django), Debian (sqlite3, systemd, and vlc), Fedora (mingw-nettle and polkit), Mageia (graphicsmagick, python-django, spice-vdagent, and to), openSUSE (aria2, discount, gpg2, GraphicsMagick, gthumb, haproxy, irssi, java-1_7_0-openjdk, java-1_8_0-openjdk, libgit2, LibVNCServer, and sssd), Red Hat (systemd), Scientific Linux (systemd), Slackware (irssi and zsh), SUSE (LibVNCServer and sssd), and Ubuntu (gnome-bluetooth and systemd).
Kernel prepatch 5.0-rc2
The second 5.0 prepatch is out for testing. "So the merge window had somewhat unusual timing with the holidays, and I was afraid that would affect stragglers in rc2, but honestly, that doesn't seem to have happened much. rc2 looks pretty normal."
Another set of stable kernel updates
The stable-kernel machine has churned out another set of releases: 4.20.2, 4.19.15, 4.14.93, 4.9.150, 4.4.170, and 3.18.132 have all been released with a large set of important fixes.
[$] Approaching the kernel year-2038 end game
In January 2038, the 32-bit time_t value used on many Unix-like systems will run out of bits and be unable to represent the current time. This may seem like a distant problem, but, as Tom Scott recently observed, the year-2038 apocalypse is now closer to the present than the year-2000 problem. The fact that systems being deployed now will still be operating in 2038 adds urgency to the issue as well. The good news is that work has been underway for years to prepare Linux for this date, so there should be no need to call developers out of retirement in 2037 in a last-minute panic. Some of the final steps in this transition for the core kernel have been posted, and seem likely to be merged for 5.1.
Metasploit 5.0 released
Version 5.0 of the Metasploit penetration-testing framework is out. "Metasploit 5.0 offers a new data service, introduces fresh evasion capabilities, supports multiple languages, and builds upon the Framework's ever-growing repository of world-class offensive security content. We're able to continue innovating and expanding in no small part thanks to the many open source users and developers who make it a priority to share their knowledge with the community. You have our gratitude."
Security updates for Friday
Security updates have been issued by Arch Linux (systemd and wireshark-cli), Debian (libsndfile and tmpreaper), Fedora (beep, electrum, gnutls, haproxy, krb5, mupdf, php-horde-Horde-Image, python-django, and wget), Mageia (libarchive and terminology), openSUSE (libraw, polkit, and singularity), SUSE (haproxy, java-1_8_0-openjdk, LibVNCServer, and webkit2gtk3), and Ubuntu (exiv2, gnupg2, and webkit2gtk).
[$] A slow start to OpenSUSE's board election
What if you announced a board election and nobody ran? That is the quandary the openSUSE project faced as recently as January 4, when the nomination deadline loomed and no candidates for the three open seats had come forward. The situation has since changed, and openSUSE members will have a wide slate of candidates to choose from. But the seeming reticence to come forward may well be a reflection of some unresolved tensions that exploded into a flame war several months ago.
A set of systemd-journald exploits
Qualys has sent out a security advisory describing three stack-overrun vulnerabilities in systemd-journald. "We developed an exploit for CVE-2018-16865 and CVE-2018-16866 that obtains a local root shell in 10 minutes on i386 and 70 minutes on amd64, on average. We will publish our exploit in the near future. To the best of our knowledge, all systemd-based Linux distributions are vulnerable, but SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29 are not exploitable because their user space is compiled with GCC's -fstack-clash-protection."
Security updates for Thursday
Security updates have been issued by Debian (libcaca), Fedora (beep and libgxps), Mageia (krb5, live, ffmpeg, mplayer, vlc, and mbedtls), SUSE (helm-mirror, java-1_7_0-openjdk, and systemd), and Ubuntu (nss and python-django).
[$] LWN.net Weekly Edition for January 10, 2019
The LWN.net Weekly Edition for January 10, 2019 is available.
[$] What should be in the Python standard library?
Python has always touted itself as a "batteries included" language; its standard library contains lots of useful modules, often more than enough to solve many types of problems quickly. From time to time, though, some have started to rethink that philosophy, to reduce or restructure the standard library, for a variety of reasons. A discussion at the end of November on the python-dev mailing list revived that debate to some extent.
A set of stable kernel updates
The 4.20.1, 4.19.14, 4.14.92, and 4.9.149 stable kernels have been released; each contains a relatively large set of important fixes.
Security updates for Wednesday
Security updates have been issued by Arch Linux (elfutils, polkit, and tar), Debian (python-django and ruby-loofah), and Mageia (ansible, avidemux, coreutils, discount, nettle, openafs, opensc, and qtbase5).
[$] A new free-software forge: sr.ht
Many projects have adopted the "GitHub style" of development over the last few years, though, of course, there are some high-profile exceptions that still use patches and mailing lists. Many projects are leery of putting all of their project metadata into a proprietary service, with limited means of usefully retrieving it should that be necessary, which is why GitLab (which is at least "open core") has been gaining some traction. A recently announced effort looks to kind of bridge the gap; Drew DeVault's sr.ht ("the hacker's forge") combines elements of both styles of development in a "100% free and open source software forge". It looks to be an ambitious project, but it may also suffer from a lack of "social network" effects, which is part of what sustains GitHub as the forge of choice today, it seems.
Bash 5.0 released
Version 5.0 of the Bash shell has been released. "The most notable new features are several new shell variables: BASH_ARGV0, EPOCHSECONDS, and EPOCHREALTIME. The `history' builtin can remove ranges of history entries and understands negative arguments as offsets from the end of the history list. There is an option to allow local variables to inherit the value of a variable with the same name at a preceding scope. There is a new shell option that, when enabled, causes the shell to attempt to expand associative array subscripts only once (this is an issue when they are used in arithmetic expressions). The `globasciiranges' shell option is now enabled by default; it can be set to off by default at configuration time."
Security updates for Tuesday
Security updates have been issued by Debian (libav), Fedora (krb5), Red Hat (source-to-image), and SUSE (gpg2, libgit2, and libsoup).
Neary: How Should I Run My Community Elections?
On the Red Hat community blog, Dave Neary writes about community governance and, in particular, how to choose who gets a vote, who can run, and how to decide a winner when electing a leader or council. He summarizes a number of different options that he has encountered with an eye toward avoiding the deep rat-hole conversations that picking a way to run elections can engender. "Defining the activity metric and minimum bar for what qualifies as participation can become contentious, mainly because where you draw the line will be arbitrary, and will omit people who you want to include, or include people who you want to omit. For example, if you set the bar at the minimum contribution level of one commit to the project, you omit all whose contributions are significant but not code related. The typical fear is ballot stuffing or cohort effects — where large companies will dominate the representative bodies by having a large voting bloc, or where friends of candidates (or people with a certain agenda) will pass the low bar to become voters just to vote for their candidate."
[$] The rest of the 5.0 merge window
Linus Torvalds released 5.0-rc1 on January 6, closing the merge window for this development cycle and confirming that the next release will indeed be called "5.0". At that point, 10,843 non-merge change sets had been pulled into the mainline, about 2,100 since last week's summary was written. Those 2,100 patches included a number of significant changes, though, including some new system-call semantics that may yet prove to create problems for existing user-space code.
Security updates for Monday
Security updates have been issued by CentOS (keepalived), Debian (python-django), Fedora (tcpreplay), Mageia (apache-commons-compress, aubio, dcraw, freerdp, imagemagick, ldb, talloc, samba, libao, libextractor, libgxps, libpgf, openjpeg2, pdns, pdns-recursor, php-phpmailer, plexus-archiver, units, wget, and xmlrpc), Oracle (keepalived and kernel), and SUSE (polkit and xen).
Kernel prepatch 5.0-rc1
Linus has released the 5.0-rc1 kernel prepatch and closed the merge window for this development cycle. "The numbering change is not indicative of anything special. If you want to have an official reason, it's that I ran out of fingers and toes to count on, so 4.21 became 5.0."
[$] Pressure stall monitors
One of the useful features added during the 4.20 development cycle was the availability of pressure-stall information, which provides visibility into how resource-constrained the system is. Interest in using this information has spread beyond the data-center environment where it was first implemented, but it turns out that there are some shortcomings in the current interface that affect other use cases. Suren Baghdasaryan has posted a patch set aimed at making pressure-stall information more useful for the Android use case — and, most likely, for many other use cases as well.
Security updates for Friday
Security updates have been issued by Fedora (wget), Oracle (kernel), Red Hat (keepalived), Scientific Linux (keepalived), and SUSE (GraphicsMagick and mailman).
[$] A setback for fs-verity
The fs-verity mechanism, created to protect files on Android devices from hostile modification by attackers, seemed to be on track for inclusion into the mainline kernel during the current merge window when the patch set was posted at the beginning of November. Indeed, it wasn't until mid-December that some other developers started to raise objections. The resulting conversation has revealed a deep difference of opinion regarding what makes a good filesystem-related API and may have implications for how similar features are implemented in the future.
Security updates for Thursday
Security updates have been issued by Debian (jasper, libdatetime-timezone-perl, qtbase-opensource-src, thunderbird, and tzdata), Red Hat (rh-perl524-perl), and SUSE (libraw, polkit, and xen).
LWN emails bouncing due to dnsbl.njabl.org
There are currently a number of sites bouncing emails from LWN.net due to an alleged listing in the dnsbl.njabl.org blacklist. The only problem is that this blacklist has been offline since 2013. That domain has been taken over by somebody else; checking web content at that address is not recommended as it is, to put it lightly, non-technical. If you are not getting expected email from LWN, you might want to look into whether your local setup is still trying to use that old, discontinued blacklist.
Cuni: PyPy for low-latency systems
Antonio Cuni writes about recent work to support running Python code with low latency requirements under PyPy. "As we said, the total cost of memory management is less on PyPy than on CPython, and it's one of the reasons why PyPy is so fast. However, one big disadvantage is that while on CPython the cost of memory management is spread all over the execution of the program, on PyPy it is concentrated into GC runs, causing observable pauses which interrupt the execution of the user program. To avoid excessively long pauses, the PyPy GC has been using an incremental strategy since 2013. The GC runs as a series of 'steps', letting the user program to progress between each step."
[$] LWN.net Weekly Edition for January 3, 2019
The LWN.net Weekly Edition for January 3, 2019 is available.
[$] Some unreliable predictions for 2019
The January 3 LWN.net Weekly Edition will be our first for 2019, marking our return after an all-too-short holiday period. Years ago, we made the ill-considered decision to post some predictions at the beginning of the year and, like many mistakes, that decision has persisted and become an annual tradition. We fully expect 2019 to be an event-filled year, with both ups and downs; read on for some wild guesses as to what some of those events may look like.
[$] Migrating the Internet Archive to Kubernetes
The Internet Archive (IA) has been around for over 20 years now; many will know it for its Wayback Machine, which is an archive of old versions of web pages, but IA is much more than just that. Tracey Jaquith said that she and her IA colleague David Van Duzer would relate a "love/hate, long adventure story—mostly love" about the migration of parts of IA to Kubernetes. It is an ongoing process, but they learned a lot along the way, so they wanted to share some of that with attendees of KubeCon + CloudNativeCon North America 2018.
Mourning Shaohua Li
The linux-kernel mailing list carries the sad news that Shaohua Li, a talented contributor to much of the core kernel and the maintainer of the MD RAID subsystem, passed away over the holidays. Thank you for your work, Shaohua, you will certainly be missed.
[$] Bose and Kubernetes
Dylan O'Mahony, the cloud architecture manager for Bose, opened a presentation at KubeCon + CloudNativeCon North America 2018 by noting that many attendees may be wondering why a "50-year-old audio company" would be part of a presentation on Kubernetes. It turns out that Bose was looking for ways to support its smart-speaker products and found the existing solutions to be lacking. Bose partnered with Connected, "a product development company from Toronto", to use Kubernetes as part of that solution, so O'Mahony and David Doyle from Connected were at the conference to describe the prototype that they built.
Security updates for Wednesday
Security updates have been issued by Debian (thunderbird), Fedora (terminology), openSUSE (GraphicsMagick), and Red Hat (rh-perl526-perl).
[$] The Firecracker virtual machine monitor
Cloud computing services that run customer code in short-lived processes are often called "serverless". But under the hood, virtual machines (VMs) are usually launched to run that isolated code on demand. The boot times for these VMs can be slow. This is the cause of noticeable start-up latency in a serverless platform like Amazon Web Services (AWS) Lambda. To address the start-up latency, AWS developed Firecracker, a lightweight virtual machine monitor (VMM), which it recently released as open-source software. Firecracker emulates a minimal device model to launch Linux guest VMs more quickly. It's an interesting exploration of improving security and hardware utilization by using a minimal VMM built with almost no legacy emulation.
Security updates for the new year
Security updates have been issued by Mageia (graphicsmagick, poppler, python, and python-lxml) and openSUSE (GraphicsMagick).
[$] What's coming in the next kernel release (part 1)
When the 4.20 kernel was released on December 23, Linus Torvalds indicated that he would try to keep to the normal merge window schedule despite the presence of the holidays in the middle of it. Thus far, he seems to be trying to live up to that; just over 8,700 changesets have been merged for the next release, which seems likely to be called 5.0. A number of long-awaited features are finally landing in the kernel with this release.
Lawrence Roberts, Who Helped Design Internet’s Precursor, Dies at 81 (New York Times)
The New York Times reports the death of Dr. Lawrence G. Roberts, who was heavily involved in Arpanet. "Dr. Roberts was considered the decisive force behind packet switching, the technology that breaks data into discrete bundles that are then sent along various paths around a network and reassembled at their destination. He decided to use packet switching as the underlying technology of the Arpanet; it remains central to the function of the internet." (Thanks to Paul Wise.)
Security updates for Monday
Security updates have been issued by Arch Linux (go, go-pie, and webkit2gtk), Debian (c3p0, debian-security-support, libextractor, and tar), Fedora (electron-cash, leptonica, LibRaw, mingw-leptonica, mingw-openjpeg2, mingw-poppler, nettle, openjpeg2, php-pear, sqlite, and vcftools), Gentoo (GKSu and rust), Mageia (keepalived and libtiff), openSUSE (containerd, docker, go, go, GraphicsMagick, libraw, mozilla-nspr and mozilla-nss, netatalk, polkit, wireshark, and xen), and SUSE (containerd, docker, go, libqt5-qtbase, mailman, wireshark, and xen).