Security updates have been issued by Debian (qemu and xen), Mageia (libxkbcommon, sleuthkit, and wireshark), openSUSE (apache-pdfbox, dovecot22, and php7), SUSE (enigmail, kernel, nodejs4, and php7), and Ubuntu (firefox and transfig).
The Harvard Business School's "Working Knowledge" site has anarticle arguing that it can pay for companies to allow their developersto contribute back to the projects whose software they use."And that presents an interesting dilemma for firms that rely heavilyon open source. Should they allow employees on company time to make updatesand edits to the software for community use that could be used bycompetitors? New research by Assistant Professor Frank Nagle, a member ofthe Strategy Unit at Harvard Business School, shows that paying employeesto contribute to such software boosts the company’s productivity from usingthe software by as much as 100 percent, when compared with free-ridingcompetitors."
Network packet headers contain a great deal of information, but thekernel often only needs a subset of that information to be able to performfiltering or associate any given packet with a flow. The piece of code thatfollows the different layers of packet encapsulation to find the importantdata is called a flow dissector. In current Linux kernels, the flowdissectoris written in C. A patch set has beenproposed recently to implement it in BPF with the clear goal of improvingsecurity, flexibility, and maybe even performance.
Security updates have been issued by Debian (curl, gdm3, git-annex, lcms2, and sympa), Fedora (discount, dolphin-emu, gd, obs-build, osc, tcpflow, and yara), openSUSE (wireshark), Slackware (curl, firefox, ghostscript, and thunderbird), SUSE (apache-pdfbox, curl, dovecot22, and libvirt), and Ubuntu (libtirpc).
Security and convenience rarely go hand-in-hand, but if your job (or life)requires extraordinary care against potentially targeted attacks, thesecurity side of that tradeoff may win out. If so, running a system likeQubes OS on your desktop or CopperheadOS on your phone might make sense,which is just what Konstantin Ryabitsev, Linux Foundation (LF) director of ITsecurity, has done. He reported on the experience in a talk[YouTube video] entitled "Life Behind the Tinfoil Curtain" at the 2018LinuxSecurity Summit North America.
The Spectre variant 2 vulnerability allows the speculative execution ofincorrect (in an attacker-controllable way) indirect branch predictions,resulting in the ability to exfiltrate information via side channels. The kernel hasbeen reasonably well protected against this variant since shortly after itsdisclosure in January. It is, however, possible for user-space processesto use Spectre v2 to attack each other; thus far, the mainline kernel hasoffered relatively little protection against such attacks. A recent proposalfrom Jiri Kosina may change that situation, but there are still somedisagreements around the details.
The GNOME Project has announced the release of GNOME 3.30"AlmerÃa". "This release brings automatic updates in Software, moregames, and a new Podcasts application. Improvements to core GNOMEapplications include a refined location and search bar in Files, a[Thunderbolt] panel in Settings, support for remoting using RDP in Boxes, andmany more." The release notescontain more information.
GopherCon is the majorconference for the Go language, attendedby 1600 dedicated "gophers", as the members of its community like to callthemselves. Held for the last five years in Denver, it attracts programmers,open-source contributors, and technical managers from all over NorthAmerica and the world. GopherCon's highly-technical program is an intensemix of Go internals and programming tutorials, a few of which we willexplore in this article.Subscribers can read on for a report from GopherCon by guest author JoshBerkus.
Mozilla has released Firefox 62.0, with several new features. The FirefoxHome (default New Tab) allows users to display up to 4 rows of top sites,Pocket stories, and highlights; for those using containers there is menuoption to reopen a tab in a different container; Firefox 63 will remove alltrust for Symantec-issued certificates, and it is optional in Firefox62; FreeBSD support for WebAuthn was added; and more. See the releasenotes for details.
Greg Kroah-Hartman has released stable kernels 4.18.6, 4.14.68, 4.9.125, 4.4.154, and 3.18.121. They all contain important fixes andusers should upgrade.
Part 1 of this series introduced the Julia project's goals anddevelopment process, along withthe language syntax, including the basics of control flow, datatypes, and, in more detail, how to work with arrays. In this part, user-defined functions and the central concept of multiple dispatch are described. It will also survey Julia'smodule and package system, cover some syntax features, show how to makeplots, and briefly dip into macros and distributed computing.
Security updates have been issued by openSUSE (ImageMagick, libressl, postgresql10, spice, and spice-gtk), Red Hat (collectd, kernel, Red Hat Gluster Storage, Red Hat Virtualization, RHGS WA, rhvm-appliance, and samba), and SUSE (crowbar, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, kernel, spice, and spice-gtk).
It is common for kernel code to generate unique integers for identifiers.When one plugs in a flash drive, it will show up as/dev/sdN; that N (a letter derived from anumber) must be generated in thekernel, and it should not already be in use for another drive or unpleasantthings will happen. One might think that generating such numbers would notbe a difficult task, but that turns out not to be the case, especially insituations where many numbers must be tracked. The IDA (for "IDallocator", perhaps) API exists to handle this specialized task. In pastkernels, it has managed to make the process of getting an unused numbersurprisingly complex; the 4.19 kernel has a new IDA API that simplifies thingsconsiderably.
The annual Maintainer and Kernel Summits will be held in Vancouver, BC onNovember 12 to 15, in conjunction with the Linux Plumbers Conference.The program committee is looking for topics for both summits; read on fordetails on how to submit ideas and, perhaps, get an invitation to theMaintainer Summit.
The 4.19-rc2 kernel prepatch is out fortesting."As usual, the rc2 release is pretty small. People are taking abreather after the merge window, and it takes a bit of time for bugreports to start coming in and get identified."
Linux Mint Debian Edition v3 "Cindy" has been released, featuring theCinnamon desktop. LMDE 3 is based on Debian 9 "stretch". "There are no point releases in LMDE. Other than bug fixes and security fixes Debian base packages stay the same, but Mint and desktop components are updated continuously. When ready, newly developed features get directly into LMDE, whereas they are staged for inclusion on the next upcoming Linux Mint point release."The release notes provideadditional information.
Security updates have been issued by Debian (389-ds-base, bind9, and squirrelmail), Fedora (dolphin-emu), openSUSE (libX11), SUSE (cobbler, GraphicsMagick, ImageMagick, liblouis, postgresql10, qemu, and spice), and Ubuntu (libx11).
Google has announcedthe existence of a new cryptographic library called "Tink"."Tink aims to provide cryptographic APIs that are secure, easy to usecorrectly, and hard(er) to misuse. Tink is built on top of existinglibraries such as BoringSSL and Java Cryptography Architecture, butincludes countermeasures to many weaknesses in these libraries, which werediscovered by Project Wycheproof, another project from our team."
The developers of the Android system have, among their many goals, the wishto better protect Android devices against persistent compromise. It is badif a device is taken over by an attacker; it's worse if it remainscompromised even after a reboot. Numerous mechanisms for ensuring theintegrity of installed system files have been proposed and implementedover the years. But it seems there is always room for one more; to fillthat space, the fs-veritymechanism is being proposed as a way to protect individual files frommalicious modification.
Security updates have been issued by Debian (libx11), Fedora (bouncycastle, libxkbcommon, libzypp, nodejs, ntp, openssh, tomcat, xen, and zypper), Red Hat (ansible, kernel, and opendaylight), and SUSE (apache2, cobbler, ImageMagick, libtirpc, libzypp, zypper, and qemu).
Many services, from web hosting and video streaming to cloud storage,need to move data to and from storage. They also often require that each per-clientI/O flow be guaranteed a non-zero amount of bandwidth and a bounded latency. Anexpensive way to provide these guarantees is to over-provisionstorage resources, keeping each resource underutilized, and thushave plenty of bandwidth available for the few I/O flows dispatched toeach medium. Alternatively one can use an I/O controller. Linux providestwo mechanisms designed to throttle some I/O streams to allow others tomeet their bandwidth and latency requirements. These mechanisms work, butthey come at a cost: a loss of as much as 80% of total available I/Obandwidth. I have run some tests to demonstrate this problem; someupcoming improvements to the bfq I/Oscheduler promise to improve the situation considerably.
At the North America edition of the 2018Linux Security Summit (LSS NA), which was held in late August in Vancouver,Canada, Kees Cook gave a presentation on some of the dangers that come withprograms written in C. In particular, of course, the Linux kernel ismostly written in C, which means that the security of our systems rests ona somewhat dangerous foundation. But there are things that can be done tohelp firm things up by "Making C Less Dangerous" as the titleof his talk suggested.
Version 3.1 of the Bison parser generator has been released."It introducesnew features such as typed midrule actions, brings improvements in thediagnostics, fixes several bugs and portability issues, improves theexamples, and more".
Security updates have been issued by CentOS (bind and postgresql), Debian (linux-4.9 and tomcat8), Red Hat (java-1.7.1-ibm and java-1.8.0-ibm), Slackware (kernel), SUSE (kernel and openssl1), and Ubuntu (linux-azure, linux-oem, linux-gcp and poppler).
Julia is a young computer languageaimed at serving the needs of scientists, engineers, and otherpractitioners of numerically intensive programming. It was first publiclyreleased in 2012. After an intense period of language development, version1.0 was released onAugust 8. The 1.0 release promises years of languagestability; users can be confident that developments in the 1.x series willnot break their code. This is the first part of a two-part article introducing the world of Julia. This part will introduce enough of the language syntax and constructs to allow you to begin to write simple programs. The following installment will acquaint you with the additional pieces needed to create real projects, and to make use of Julia's ecosystem.
The Netdev 0x12 networkingconference was held in mid-July. The conference team has provided a brief introduction. Participants at the eventhave put together a set of reports of the talks that were held during theconference; tutorials and workshops were held on Day 1, Day 2 includes eleven talks, includingthe keynote by Van Jacobson, while Day 3 coversanother ten topics.
Security updates have been issued by Debian (ruby2.1 and twitter-bootstrap3), Fedora (freeipa), openSUSE (libreoffice), Oracle (bind), Red Hat (bind), Scientific Linux (bind), SUSE (graffana, kafka, logstash, monasca-installer and libreoffice), and Ubuntu (intel-microcode and libgd2).
Security updates have been issued by Debian (dropbear, libextractor, and libgit2), Fedora (chromium, obs-build, and osc), openSUSE (GraphicsMagick, ImageMagick, kbuild, virtualbox, libgit2, nextcloud, and phpMyAdmin), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, rh-postgresql10-postgresql, and rh-postgresql96-postgresql), and SUSE (gdm, openssh, openssl, python, and xen).
By the time Linus Torvalds released4.19-rc1 and closed the merge window for this development cycle, 12,317 non-mergechangesets had found their way into the mainline; about 4,800 of thoselanded after last week's summary waswritten. As tends to be the case late in the merge window, many of those changes were fixes for the biggerpatches that went in early, but there were also a number of new featuresadded.
Linus has released 4.19-rc1 and closed themerge window for this development cycle. "This was a fairlyfrustrating merge window, partly because 4.19 looks to be a pretty bigrelease (no single reason), and partly just due to random noise. We had theL1TF hw vulnerability disclosure early in the merge window, which justadded the usual frustration due to having patches that weren't public. Thatjust shows just how good all our infrastructure for linux-next and variousautomated testing systems have become, in how painful it is when it'slacking."
OpenSSH 7.8 is out. It includes a fix for the usernameenumeration vulnerability; additionally, the default format for theprivate key file has changed, support for running ssh setuid roothas been removed, a couple of new signature algorithms have been added, andmore.
Here's aguide to picking a kernel release from Greg Kroah-Hartman. "The best solution for almost all Linux users is to just use the kernel from your favorite Linux distribution. Personally, I prefer the community based Linux distributions that constantly roll along with the latest updated kernel and it is supported by that developer community. Distributions in this category are Fedora, openSUSE, Arch, Gentoo, CoreOS, and others.All of these distributions use the latest stable upstream kernel release and make sure that any needed bugfixes are applied on a regular basis. That is the one of the most solid and best kernel that you can use when it comes to having the latest fixes (remember all fixes are security fixes) in it."
In 2017, the KDE community decided on threegoalsto concentrate on for the next few years. One of them was streamlining the onboarding of newcontributors (the others were improving usability and privacy).During Akademy, the yearly KDEconference that was held in Vienna in August, Neofytos Kolokotronis shared the statusof theonboarding goal, the work done during the last year, and further plans.While it is a complicated process in a project as big and diverse as KDE,numerous improvements have been already made.
Five new stable kernels have been released: 4.18.5, 4.17.19, 4.14.67, 4.9.124, and 4.4.152. As usual, they contain importantfixes and users should upgrade. "Note, this is the LAST 4.17.ykernel to be released, it is now end-of-life. [Please] move to 4.18.y at this time."
Security updates have been issued by Fedora (kernel-headers), Mageia (bind, cgit, dpkg, sssd, and thunderbird), openSUSE (libXcursor and python-Django), Oracle (postgresql), Red Hat (postgresql), Scientific Linux (postgresql), SUSE (libreoffice, openssl, and xen), and Ubuntu (kernel, linux, linux-aws, linux-gcp, linux-kvm, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-hwe, linux-lts-xenial, linux-aws, and spice, spice-protocol).
Bruce Perens looksat the license agreement for Intel's latest CPU microcode update anddoes not like what he sees. "So, lots of people are interested inthe speed penalty incurred in the microcode fixes, and Intel has nowattempted to gag anyone who would collect information for reporting aboutthose penalties, through a restriction in their license. Bad move."Update: Intel has since taken out the objectionable terms.
Security updates have been issued by Debian (kernel and tomcat-native), Fedora (axis, CuraEngine-lulzbot, nodejs, python-uranium-lulzbot, and sleuthkit), Gentoo (chromium, lxc, networkmanager-vpnc, and webkit-gtk), openSUSE (ceph), Red Hat (openstack-keystone), SUSE (ceph, podofo, and xen), and Ubuntu (mozjs52 and pango1.0).
The "Commons Clause", which is acondition that can be added to an open-source license, has been around fora few months, but its adoption by RedisLabs has some parts of the community in something of an uproar. At itscore, using the clause is meant to ensure that those who are "selling" Redismodules (or simply selling access to them in the cloud) are prohibited fromdoing so—at least without a separate, presumably costly, license from Redis Labs. The clause effectively triesto implement a "no commercial use" restriction, though it is a bit morecomplicated than that. No commercial use licenses are not new—the "open core" businessmodel is a more recent cousin, for example—but they have generally runaground on a simple question: "what is commercial use?"
On his blog, Daniel Vetter answers an often-asked question about why the direct rendering manager (DRM) does not have a 2D API (and won't in the future): "3D has it easy: There’s OpenGL and Vulkan and DirectX that require a certain feature set. And huge market forces that make sure if you use these features like a game would, rendering is fast.Aside: This means the 2D engine in a browser actually needs to work like a 3D action game, or the GPU will crawl. The [impedance] mismatch compared to traditional 2D rendering designs is huge.On the 2D side there’s no such thing: Every blitter engine is its own bespoke thing, with its own features, limitations and performance characteristics. There’s also no standard benchmarks that would drive common performance characteristics - today blitters are [needed] mostly in small systems, with very specific use cases. Anything big enough to run more generic workloads will have a 3D rendering block anyway. These systems still have blitters, but mostly just to help move data in and out of VRAM for the 3D engine to consume."
Greg Kroah-Hartman has announced the release of five new stable kernels: 4.18.4, 4.17.18, 4.14.66, 4.9.123, and 4.4.151. As usual, they contain importantfixes, so users of those series should upgrade.
Security updates have been issued by Debian (openssh and otrs2), Fedora (gifsicle, lighttpd, quazip, and samba), Red Hat (openstack-keystone), Scientific Linux (mutt), Slackware (libX11), SUSE (gtk2, ImageMagick, libcgroup, and libgit2), and Ubuntu (base-files).
<p>Side-channel attacks are a reasonably well-known technique to exfiltrateinformation across security boundaries. Until relatively recently,concerns about these types of attacks were mostly confined to cryptographicoperations, where the target was to extract secrets by observing some sidechannel. But with the advent of Spectre, speculative execution provides anew way to exploit side channels. A new Linux SecurityModule (LSM) is meant to help determine where a side channelmight provide secrets to an attacker, so that aspeculative-execution barrier operation can be performed.
Security updates have been issued by CentOS (mariadb, mutt, and qemu-kvm), Debian (clamav and libcgroup), Fedora (libldb, samba, and soundtouch), Oracle (mutt), Red Hat (mutt), SUSE (ImageMagick), and Ubuntu (apt, linux-lts-trusty, openjdk-lts, and wpa).
LWN.net