LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2026-01-29 16:45
Stable kernel updates
Stable kernels 4.19.7, 4.14.86, and 4.9.143 have been released, with the usual set of important fixes throughout the tree.
Security updates for Wednesday
Security updates have been issued by Debian (suricata), Fedora (cobbler), Oracle (ghostscript), Red Hat (ansible), and Scientific Linux (ghostscript and ruby).
Critical Kubernetes privilege escalation disclosed
A critical flaw in the Kubernetes container orchestration system has been announced. It will allow any user to compromise a Kubernetes cluster by way of exploiting any aggregated API server that is deployed for it. This affects all Kubernetes versions 1.0 to 1.12, but is only fixed in the supported versions (in 1.10.11, 1.11.5, and 1.12.3). "With a specially crafted request, users that are authorized to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection. [...] In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation. [...] There is no simple way to detect whether this vulnerability has been used. Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log. The requests do appear in the kubelet or aggregated API server logs, but are indistinguishable from correctly authorized and proxied requests via the Kubernetes API server." Kubernetes users should obviously update as soon as possible.
[$] Unexpected fallout from /usr merge in Debian
Back in 2011, Harald Hoyer and Kay Sievers came up with a proposal for Fedora to merge much of the operating system into /usr; former top-level directories, /bin, /lib, and /sbin, would then become symbolic links pointing into the corresponding subdirectories of /usr. Left out of the merge would be things like configuration files in /etc, data in /var, and user home directories. This change was aimed at features like atomic upgrades and easy snapshots. The switch to a merged /usr was successful for Fedora 17; many other distributions (Arch, OpenSUSE, Mageia, just to name a few) have followed suit. More recently, Debian has been working toward a merged /usr, but it ran into some surprising problems that are unique to the distribution.
Security updates for Tuesday
Security updates have been issued by Fedora (glibc, qemu, and tmux), Mageia (messagelib), Oracle (ghostscript), Red Hat (ghostscript, OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, OpenShift Container Platform 3.2, OpenShift Container Platform 3.3, OpenShift Container Platform 3.4, OpenShift Container Platform 3.5, OpenShift Container Platform 3.6, and OpenShift Container Platform 3.8), Slackware (mozilla), and Ubuntu (linux, linux-gcp, linux-kvm, linux-raspi2, linux-hwe, linux-gcp, perl, and poppler).
[$] Bounded loops in BPF programs
The BPF verifier is charged with ensuring that any given BPF program is safe for the kernel to load and run. Programs that fail to terminate are clearly unsafe, as they present an opportunity for denial-of-service attacks. In current kernels, the verifier uses a heavy-handed technique to block such programs: it disallows any program containing loops. This works, but at the cost of disallowing a wide range of useful programs; if the verifier could determine whether any given loop would terminate within a bounded time, this restriction could be lifted. John Fastabend presented a plan for doing so during the BPF microconference at the 2018 Linux Plumbers Conference.
CentOS Linux 7.6 (1810) released
CentOS has released CentOS Linux 7.6 (1810). "Updates released since the upstream release are all posted, across all architectures. We strongly recommend every user apply all updates, including the content released today, on your existing CentOS Linux 7 machine by just running 'yum update'." See the release notes for more information.
Security updates for Monday
Security updates have been issued by Debian (nsis, openssl, poppler, and tiff), Fedora (dnsdist, drupal7, kernel, kernel-headers, kernel-tools, net-snmp, perl, php-Smarty2, and samba), Gentoo (connman, nagios-core, php, and webkit-gtk), Mageia (apache-mod_perl, kdeconnect-kde, and python-requests), Red Hat (rh-postgresql10-postgresql), and SUSE (kernel).
Kernel prepatch 4.20-rc5
The 4.20-rc5 kernel prepatch is out; among other things, it contains the STIBP changes described in this article. Linus is also thinking about release timing: "So my current suggestion is that we plan on a Christmas release, everybody gets their pull requests for the next merge window done *before* the holidays, and then we see what happens. I think we all want to have a calm holiday season without either the stress of a merge window _or_ the stress of prepping for one."
A set of weekend stable kernel updates
The 4.19.6, 4.14.85, 4.9.142, 4.4.166, and 3.18.128 stable kernels have all been released; each contains another large set of important fixes.
Fedora 27 has reached its end of life
As of today, Fedora 27 will not be getting any more updates, including security updates. Users should be planning to upgrade more or less immediately. "Fedora 28 will continue to receive updates until 4 weeks after the release of Fedora 30. The maintenance schedule of Fedora releases is documented on the Fedora Project wiki. The Fedora Project wiki also contains instructions on how to upgrade from a previous release of Fedora to a version receiving updates."
[$] Binary portability for BPF programs
The BPF virtual machine is the same on all architectures where it is supported; architecture-specific code takes care of translating BPF to something the local processor can understand. So one might be tempted to think that BPF programs would be portable across architectures but, in many cases, that turns out not to be true. During the BPF microconference at the Linux Plumbers Conference, Alexei Starovoitov (assisted by Yonghong Song, who has done much of the work described) explained the problem and the work that has been done toward "compile once, run everywhere" BPF.
Security updates for Friday
Security updates have been issued by Debian (libarchive, perl, and qemu), Fedora (glibc, glusterfs, links, and moodle), Gentoo (libsndfile and postgresql), openSUSE (openssh, rubygem-loofah, and tiff), Oracle (ruby), Red Hat (ruby), and Ubuntu (libssh and linux-aws).
SFC: Appeal Moving Forward in GPL Compliance Suit Against VMware
The Software Freedom Conservancy reports that the first hearing in the appeal of the GPL enforcement lawsuit against VMware has been held in Germany. "The hearing yesterday was a tiny step in a long process toward resolving this issue, and, as we understand the situation, nothing is yet decided."
Go 2, here we come (Go Blog)
The Go Blog looks forward to version 2 of the Go language. "A major difference between Go 1 and Go 2 is who is going to influence the design and how decisions are made. Go 1 was a small team effort with modest outside influence; Go 2 will be much more community-driven. After almost 10 years of exposure, we have learned a lot about the language and libraries that we didn’t know in the beginning, and that was only possible through feedback from the Go community."
[$] Taming STIBP
The Spectre class of hardware vulnerabilities was apparently so-named because it can be expected to haunt us for some time. One aspect of that haunting can be seen in the fact that, nearly one year after Spectre was disclosed, the kernel is still unable to prevent one user-space process from attacking another in some situations. An attempt to provide that protection using a new x86 microcode feature called STIBP has run into trouble once its performance impact was understood; now a more nuanced approach may succeed in providing protection where it is needed without slowing down everybody else.
Security updates for Thursday
Security updates have been issued by Gentoo (openssl and rpm), Mageia (icecast and yaml-cpp), Oracle (kernel and sos-collector), Red Hat (rh-ruby23-ruby, rh-ruby24-ruby, and rh-ruby25-ruby), Slackware (samba), SUSE (tomcat6), and Ubuntu (ghostscript).
[$] LWN.net Weekly Edition for November 29, 2018
The LWN.net Weekly Edition for November 29, 2018 is available.
[$] event-stream, npm, and trust
Malware inserted into a popular npm package has put some users at risk of losing Bitcoin, which is certainly worrisome. More concerning, though, is the implications of how the malware got into the package—and how the package got distributed. This is not the first time we have seen package-distribution channels exploited, nor will it be the last, but the underlying problem requires more than a technical solution. It is, fundamentally, a social problem: trust.
Security updates for Wednesday
Security updates have been issued by Arch Linux (powerdns-recursor and samba), Debian (ghostscript), Fedora (community-mysql, flatpak, gettext, git, php-PHPMailer, php-phpmailer6, and wireshark), Oracle (kernel and NetworkManager), Scientific Linux (ghostscript, kernel, NetworkManager, and sos-collector), SUSE (dpdk, java-1_7_1-ibm, kernel, python-oslo.cache, python-oslo.concurrency, python-oslo.db, python-oslo.log, python-oslo.messaging, python-oslo.middleware, python-oslo.serialization, python-oslo.service, python-oslo.utils, python-oslo.versionedobjects, python-oslo.vmware, python-oslotest, qemu, rubygem-loofah, tiff, tomcat, and util-linux), and Ubuntu (git, openjdk-8, openjdk-lts, samba, systemd, and webkit2gtk).
[$] Filesystems and case-insensitivity
A recurring topic in filesystem-developer circles is on handling case-insensitive file names. Filesystems for other operating systems do so but, by and large, Linux filesystems do not. In the Kernel Summit track of the 2018 Linux Plumbers Conference (LPC), Gabriel Krisman Bertazi described his plans for making Linux filesystems encoding-aware as part of an effort to make ext4, and possibly other filesystems, interoperable with case-insensitivity in Android, Windows, and macOS.
A set of stable kernels
Greg Kroah-Hartman has released stable kernels 4.19.5, 4.14.84, 4.9.141, 4.4.165, and 3.18.127. They all contain important fixes and users should upgrade.
Security updates for Tuesday
Security updates have been issued by Debian (gnuplot and samba), Fedora (flatpak, kernel-headers, kernel-tools, mariadb-connector-c, php-PHPMailer, php-phpmailer6, and xml-security-c), Gentoo (binutils, libav, mupdf, spice-gtk, strongswan, and tablib), Mageia (libpng(12), mariadb, and openssl), Oracle (ghostscript), Red Hat (.NET Core, ghostscript, java-1.7.1-ibm, kernel, kernel-alt, kernel-rt, NetworkManager, rh-nginx112-nginx, rh-nginx114-nginx, and sos-collector), Scientific Linux (389-ds-base, binutils, curl and nss-pem, fuse, git, glibc, glusterfs, GNOME, gnutls, jasper, java-1.7.0-openjdk, java-11-openjdk, kernel, krb5, libcdio, libkdcraw, libmspack, libreoffice, libvirt, openssl, ovmf, python, python-paramiko, samba, setup, sssd, thunderbird, wget, wpa_supplicant, X.org X11, xerces-c, xorg-x11-server, zsh, and zziplib), SUSE (dom4j, glib2, java-1_7_0-ibm, java-1_7_1-ibm, openssh, postgresql94, procps, qemu, and tiff), and Ubuntu (samba).
[$] Updates on the KernelCI project
The kernelci.org project develops and operates a distributed testing infrastructure for the kernel. It continuously builds, boots, and tests multiple kernel trees on various types of boards. Kevin Hilman and Gustavo Padovan led a session in the Testing & Fuzzing microconference at the 2018 Linux Plumbers Conference (LPC) to describe the project, its goals, and its future.
[$] Toward a kernel maintainer's guide
"Who's on Team Xmas Tree?" asked Dan Williams at the beginning of his talk in the Kernel Summit track of the 2018 Linux Plumbers Conference. He was referring to a rule for the ordering of local variable declarations within functions that is enforced by a minority of kernel subsystem maintainers — one of many examples of "local customs" that can surprise developers when they submit patches to subsystems where they are not accustomed to working. Documenting these varying practices is a small part of Williams's project to create a kernel maintainer's manual, but it seems to be where the effort is likely to start.
Security updates for Monday
Security updates have been issued by Debian (gnuplot5, icecast2, liblivemedia, otrs2, phpbb3, roundcube, squid3, and xml-security-c), Fedora (kio-extras, tmux, and xen), Gentoo (asterisk, chromium, exiv2, ghostscript-gpl, and thunderbird), openSUSE (libwpd, openssl, openssl-1_1, postgresql10, and SDL2_image), Red Hat (chromium-browser, rh-mysql57-mysql, rh-nginx110-nginx, and rh-nginx18-nginx), SUSE (exiv2, libgcrypt, rpm, and tiff), and Ubuntu (firefox and qemu).
Kernel prepatch 4.20-rc4
Linus has released the 4.20-rc4 kernel prepatch. "Nothing looks particularly odd or scary, although we do have some known stuff still pending."
Stable kernel updates
Greg Kroah-Hartman has released a number of stable kernels over the last few days, 3.18.126 on November 22, and, on November 23: 4.19.4, 4.14.83, and 4.9.139. Two problems were reported for 4.9.139, which quickly led to the release of 4.9.140. As usual, these kernels contain important fixes; users of those series should upgrade.
Security updates for Friday
Security updates have been issued by Arch Linux (flashplugin, lib32-libtiff, and webkit2gtk), Debian (libphp-phpmailer and openjdk-7), Mageia (flash-player-plugin, Ghostscript, and poppler), openSUSE (chromium and virtualbox), and SUSE (java-1_8_0-ibm, libwpd, openssl, openssl-1_1, realtime-kernel, salt, and SDL_image).
Security updates for (US) Thanksgiving Day
Security updates have been issued by Debian (ceph, openssl, and pixman), Fedora (kernel-headers, kernel-tools, libconfuse, python-urllib3, and xen), Mageia (gettext and roundcubemail), openSUSE (GraphicsMagick and libwpd), Oracle (thunderbird), Slackware (openssl), and Ubuntu (libapache2-mod-perl2).
Stable kernel updates
Stable kernels 4.19.3, 4.18.20, 4.14.82, 4.9.138, and 4.4.164 have been released with the usual set of important fixes. This is the last 4.18.y kernel release and users should upgrade to 4.19.y.
Security updates for Wednesday
Security updates have been issued by Arch Linux (libtiff), CentOS (java-1.7.0-openjdk, spice-server, and thunderbird), Debian (jasper, liblivemedia, ruby-i18n, and ruby-rack), Fedora (curl, elfutils, firefox, kde-connect, kio-extras, libarchive, poppler, and webkit2gtk3), openSUSE (chromium, GraphicsMagick, kernel, libmatroska, mkvtoolnix, SDL2_image, and squid), Oracle (qemu), and Red Hat (flash-plugin and kernel).
[$] A panel discussion on the kernel's code of conduct
There has been a great deal of discussion around the kernel project's recently adopted code of conduct (CoC), but little of that has happened in an open setting. That changed to an extent when a panel discussion was held during the Kernel Summit track at the 2018 Linux Plumbers Conference. Panelists Mishi Choudhary, Olof Johansson, Greg Kroah-Hartman, and Chris Mason took on a number of issues surrounding the CoC in a generally calm and informative session.
Security updates for Tuesday
Security updates have been issued by Arch Linux (chromium), Debian (mariadb-10.1, openjpeg2, systemd, and uriparser), Mageia (389-ds-base, apache, and soundtouch), SUSE (libwpd, py26-compat-salt, salt, and SMS3.1), and Ubuntu (systemd).
[$] The kernel developer panel at LPC
The closing event at the 2018 Linux Plumbers Conference (LPC) was a panel of kernel developers. The participants were Laura Abbott, Anna-Maria Gleixner, Shuah Khan, Julia Lawall, and Anna Schumaker; moderation was provided by Kate Stewart. This fast-moving discussion covered the challenges of kernel development, hardware vulnerabilities, scaling the kernel, and more.
Security updates for Monday
Security updates have been issued by Arch Linux (grafana and patch), Debian (chromium-browser), Fedora (cabextract, curl, elfutils, firefox, flatpak, glusterfs, kernel, kernel-headers, kernel-tools, kio-extras, libmspack, mariadb, mupdf, poppler, suricata, and wireshark), Mageia (hylafax+, jhead, libmspack/cabextract, nginx, sdl2/mingw-SDL2, and squid), openSUSE (amanda, apache-pdfbox, chromium, ImageMagick, LibreOffice and dependency libraries, libxkbcommon, openssh, systemd, and xorg-x11-server), and SUSE (ImageMagick, openssh, squid, and squid3).
Kernel prepatch 4.20-rc3
The 4.20-rc3 kernel prepatch is out for testing. "The changes in rc3 are pretty tiny, which means that the statistics look slightly different from the usual ones - drivers only account for less than a third of the patch, for example."
Security updates for Friday
Security updates have been issued by Fedora (lldpad, pdns, and php), Mageia (flash-player-plugin, gdal, mutt, patch, php-pear-CAS, postgresql9.4|6, ruby-rack, and teeworlds), SUSE (kernel-rt, postgresql10, and squid), and Ubuntu (openjdk-7).
[$] Bringing the Android kernel back to the mainline
Android devices are based on the Linux kernel but, since the beginning, those devices have not run mainline kernels. The amount of out-of-tree code shipped on those devices has been seen as a problem for most of this time, and significant resources have been dedicated to reducing it. At the 2018 Linux Plumbers Conference, Sandeep Patil talked about this problem and what is being done to address it. The dream of running mainline kernels on Android devices has not yet been achieved, but it may be closer than many people think.
Red Hat Enterprise Linux 8 Beta
Red Hat has announced the release of RHEL 8 Beta. "Red Hat Enterprise Linux 8 Beta introduces the concept of Application Streams to deliver userspace packages more simply and with greater flexibility. Userspace components can now update more quickly than core operating system packages and without having to wait for the next major version of the operating system. Multiple versions of the same package, for example, an interpreted language or a database, can also be made available for installation via an application stream. This helps to deliver greater agility and user-customized versions of Red Hat Enterprise Linux without impacting the underlying stability of the platform or specific deployments."
Security updates for Thursday
Security updates have been issued by Fedora (kde-connect, mingw-SDL2_image, SDL2_image, and subscription-manager), Red Hat (flash-plugin), SUSE (openssh-openssl1, systemd, and thunderbird), and Ubuntu (kernel, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oem, linux-raspi2, linux, linux-aws, linux-gcp, linux-kvm, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-azure, linux-hwe, linux-azure, linux-gcp, linux-lts-trusty, linux-lts-xenial, linux-aws, postgresql-10, and python2.7).
[$] LWN.net Weekly Edition for November 15, 2018
The LWN.net Weekly Edition for November 15, 2018 is available.
[$] A report from the Automated Testing Summit
In the first session of the Testing & Fuzzing microconference at the 2018 Linux Plumbers Conference (LPC), Kevin Hilman gave a report on the recently held Automated Testing Summit (ATS). Since the summit was an invitation-only gathering of 35 people, there were many at LPC who were not at ATS but had a keen interest in what was discussed. The summit came out of a realization that there is a lot of kernel testing going on in various places, but not a lot of collaboration between those efforts, Hilman said.
[$] Device-tree schemas
Device trees have become ubiquitous in recent years as a way of describing the hardware layout of non-discoverable systems, such as many ARM-based devices. The device-tree bindings define how a particular piece of hardware is described in a device tree. Drivers then implement those bindings. The device-tree documentation shows how to use the bindings to describe systems: which properties are available and which values they may have. In theory, the bindings, drivers and documentation should be consistent with each other. In practice, they are often not consistent and, even when they are, using those bindings correctly in actual device trees is not a trivial task. As a result, developers have been considering formal validation for device-tree files for years. Recently, Rob Herring proposed a move to a more structured documentation format for device-tree bindings using JSON Schema to allow automated validation.
Results: Linux Foundation Technical Board Election 2018
The results of the 2018 election for members of the Linux Foundation's Technical Advisory Board have been posted; the members elected this time around are Chris Mason, Laura Abbott, Olof Johansson, Dan Williams, and Kees Cook. Abbott and Cook are new members to the board this time around. (The other TAB members are Ted Ts'o, Greg Kroah-Hartman, Jonathan Corbet, Tim Bird, and Steve Rostedt.)
Stable kernel updates
Stable kernels 4.19.2, 4.18.19, 4.14.81, and 4.9.137 have been released. They all contain a relatively large set of important fixes and users should upgrade.
Security updates for Wednesday
Security updates have been issued by Arch Linux (powerdns and powerdns-recursor), Debian (ceph and spamassassin), Fedora (feh, flatpak, and xen), Red Hat (kernel, kernel-rt, openstack-cinder, python-cryptography, and Red Hat Single Sign-On 7.2.5), and Ubuntu (python2.7, python3.4, python3.5).
[$] Debian, Rust, and librsvg
Debian supports many architectures and, even for those it does not officially support, there are Debian ports that try to fill in the gap. For most user applications, it is mostly a matter of getting GCC up and running for the architecture in question, then building all of the different packages that Debian provides. But for packages that need to be built with LLVM—applications or libraries that use Rust, for example—that simple recipe becomes more complicated. How much the lack of Rust support for an unofficial architecture should hold back the rest of the distribution was the subject of a somewhat acrimonious discussion recently.
Security updates for Tuesday
Security updates have been issued by Debian (firmware-nonfree and imagemagick), Fedora (cabextract, icecast, and libmspack), openSUSE (icecast), Red Hat (httpd24), Slackware (libtiff), SUSE (apache-pdfbox, firefox, ImageMagick, and kernel), and Ubuntu (clamav, spamassassin, and systemd).
[$] C library system-call wrappers, or the lack thereof
User-space developers may be accustomed to thinking of system calls as direct calls into the kernel. Indeed, the first edition of The C Programming Language described read() and write() as "a direct entry into the operating system". In truth, user-level "system calls" are just functions in the C library like any other. But what happens when the developers of the C library refuse to provide access to system calls they don't like? The result is an ongoing conflict that has recently flared up again; it shows some of the difficulties that can arise when the system as a whole has no ultimate designer and the developers are not talking to each other.