LWN.net

Security updates have been issued by Arch Linux (go-pie), Debian (wireshark), openSUSE (freerdp, libraw, openssh, pdns-recursor, singularity, and systemd), and Ubuntu (kernel, linux-hwe, and spice).

Tragedy, according toWikipedia, is "a form of drama based on human suffering thatinvokes an accompanying catharsis or pleasure in audiences". Benno Rice tookhis inspiration from that definition for his 2019 linux.conf.au talk on the story ofsystemd which, he said, involves no shortage of suffering. His attempt tocast that story for the pleasure of his audience resulted in a sympatheticand nuanced look at a turbulent chapter in the history of the Linux system.

Security updates have been issued by Arch Linux (apache, go, haproxy, matrix-synapse, nasm, and powerdns-recursor), Debian (coturn, ghostscript, krb5, policykit-1, and qtbase-opensource-src), Fedora (wireshark), openSUSE (nodejs4, nodejs8, openssh, PackageKit, and wireshark), Oracle (qemu and thunderbird), Scientific Linux (thunderbird), and SUSE (avahi, krb5, and python-paramiko).

The 5.0-rc4 kernel prepatch is out."Go test and report any oddities you can find, but I think we'redoing fine."

Version 3.3 of the Bison parser generator is out."The new option --update replaces deprecated features with their modernspelling, but also applies fixes such as eliminating duplicate directives,etc. It is now possible to annotate rules with their number of expectedconflicts. Bison can be made relocatable. The symbol declaration syntaxwas overhauled, and in particular, %nterm, that exists since the origins ofBison, is now an officially supported (and documented!) feature. C++parsers now feature genuine symbol constructors, and use noexcept/constexpr.The GLR parsers in C++ now support the syntax_error exceptions. There arealso many smaller improvements, including a fix for a bug which is at least31 years old."

Stable kernels 4.20.5, 4.19.18, 4.14.96, 4.9.153, 4.4.172, and 3.18.133 have been released. They all containimportant fixes and users should upgrade.

Many projects use continuous-integration (CI) testing to improve thequality of the software they produce. By running a set of tests afterevery commit, CI systems can identify problems quickly, before they findtheir way into a releaseand bite unsuspecting users. The Linux kernel project lags many others inits use of CI testing for a number of reasons, including a fundamentalmismatch with how kernel developers tend to manage their workflows. At linux.conf.au 2019, Russell Curreydescribed a CI system called Snowpatch that, he hopes,will bridge the gap and bring better testing to the kernel developmentprocess.

The MythTV Team has announced therelease of MythTV 30.0. The release notescontain more information. This version includes support for mythfrontend running oncertain Android TV devices. "Over 500 commits made significant improvements to the infrastructure. For the most part, these are invisible to end users."

Security updates have been issued by Debian (mxml, postgresql-9.4, and tmpreaper), Fedora (haproxy and runc), openSUSE (krb5, soundtouch, virtualbox, and zeromq), Oracle (thunderbird), Red Hat (thunderbird), and Ubuntu (subversion and thunderbird).

Rory Aronson started his 2019 linux.conf.au keynote with astatement that gardening just isn't his passion; an early attempt degenerated into aweed-choked mess when he couldn't be bothered to keep it up. But he turnedout to be passionate indeed about building a machine that would do the gardening for him. That led to the FarmBot project, a successful exercise inthe creation of open hardware, open software, and an open business. A bigpart of that success, it turns out, lies in the project's documentation.

The Debian Project has announced an update toDebian 9 "stretch". "This point release incorporates the recent security update for APT, in order to help ensure that new installations of stretch are not vulnerable. No other updates are included."

Security updates have been issued by CentOS (perl), Fedora (anaconda, curl, and poppler), openSUSE (ntpsec), SUSE (ghostscript, kernel, rubygem-activejob-4_2, and webkit2gtk3), and Ubuntu (ghostscript and mysql-5.7).

The LWN.net Weekly Edition for January 24, 2019 is available.

Here is an extensive look athandling software dependencies from Russ Cox. "Dependencymanagers have scaled this open-source code reuse model down: now,developers can share code at the granularity of individual functions oftens of lines. This is a major technical accomplishment. There are myriadavailable packages, and writing code can involve such a large number ofthem, but the commercial, legal, and reputational support mechanisms fortrusting the code have not carried over. We are trusting more code withless justification for doing so."

A flag day for DNS is coming onFebruary 1; it may have escaped notice even though it has beenplanned for nearlya year. Some DNSservers will simply be marked as "dead" by much of the rest of the interneton or after that day, which means that domain owners need to ensure theirDNS records will still be available after that point. A longstandingworkaround for non-compliant servers will be dropped—mostly for better performancebut also in support of DNS extensions, some of which can help alleviatesecurity problems.

Read-copy update (RCU) is a synchronization mechanism that was added tothe Linux kernel in October 2002.RCU is most frequently described as a replacement for reader-writer locking,but has also been used in a number of other ways.RCU is notable in that readers do not directly synchronize with updaters,which makes RCU read paths extremely fast; that alsopermits RCU readers to accomplish useful work evenwhen running concurrently with updaters.Although the basic idea behind RCU has not changed indecades following its introduction into DYNIX/ptx, the API hasevolved significantly over the five years since the2014 edition of the RCU API,to say nothing of the nine years since the2010 edition of the RCU API.

Max Justicz describes avulnerability in apt-get and how to prevent it. "I found avulnerability in apt that allows a network man-in-the-middle (or amalicious package mirror) to execute arbitrary code as root on a machineinstalling any package. The bug has been fixed in the latest versions ofapt. If you’re worried about being exploited during the update process, youcan protect yourself by disabling HTTP redirects while you update."

Version 4.0 of theWine Windows compatibility layer is out."This release represents a year of development effort and over 6,000individual changes" New features include initialDirect3D 12 support, a Vulkan graphics driver, support forhigh-DPI displays (but only on Android) and more; see the release notes fordetails.

Stable kernels 4.20.4, 4.19.17, 4.14.95, and 4.9.152 have been released. They all containimportant fixes and users should upgrade.

Security updates have been issued by Debian (libjpeg-turbo and systemd), Fedora (matrix-synapse, mingw-libjpeg-turbo, and mingw-libvorbis), Mageia (libcaca, libmp4v2, libxml2, pdns-recursor, perl-Email-Address, php-pear-HTML_QuickForm, podofo, and wavpack), openSUSE (webkit2gtk3), Red Hat (qemu-kvm-rhev), Scientific Linux (perl), Slackware (httpd), and Ubuntu (ntp).

Security updates have been issued by Debian (apt and aria2), Fedora (kernel-headers, kernel-tools, and openssh), openSUSE (webkit2gtk3), Oracle (perl), Red Hat (perl), SUSE (freerdp, python-urllib3, systemd, and wireshark), and Ubuntu (apt, poppler, and tiff).

Arguably, the most notable characteristic of persistent memory is that itis persistent: it retains its contents over power cycles. One otherimportant aspect of these persistent-memory arrays that, we are told, willsoon be everywhere, is their sheer size and low cost; persistent memory isa relatively inexpensive way to attach large amounts of memory to a system. Large,cheap memory arrays seem likely to be attractive to users who may not careabout persistence and who can live with slower access speeds. Supportingsuch users is the objective of a pair of patch sets that have been circulating in recent months.

The 5.0-rc3 kernel prepatch has beenreleased. "This rc is a bit bigger than usual. Partly because I missed anetworking pull request for rc2, and as a result rc3 now contains_two_ networking pull updates. But part of it may also just be that ittook a while for people to find and then fix bugs after the holidayseason."

Security updates have been issued by Fedora (gitolite3, gvfs, php, radare2, and syslog-ng), Mageia (libssh, php, python-django16, and rdesktop), openSUSE (podofo), and SUSE (libraw, openssh, PackageKit, and wireshark).

Hardware memory encryption is, or will soon be, available on multiplegeneric CPUs. In its absence, data is stored — and passes between thememory chips and the processor — in the clear. Attackers may be able toaccess it by using hardware probes or by directly accessing the chips, which isespecially problematic with persistent memory. One new memory-encryptionoffering is Intel's Multi-KeyTotal Memory Encryption (MKTME) [PDF]; AMD's equivalent is called Secure Encrypted Virtualization(SEV). The implementation of support for thisfeature is in progress for the Linux kernel. Recently, Alison Schofield proposed a user-space API for MKTME, provokinga long discussion on how memory encryption should beexposed to the user, if at all.

Security updates have been issued by Debian (drupal7), Fedora (electrum and perl-Email-Address), Mageia (gthumb), openSUSE (gitolite, kernel, krb5, libunwind, LibVNCServer, live555, mutt, wget, and zeromq), SUSE (krb5, mariadb, nodejs4, nodejs8, soundtouch, and zeromq), and Ubuntu (irssi).

The kernel's page cache works to improve performance by minimizing disk I/Oand increasing the sharing of physical memory. But, like otherperformance-enhancing techniques that involve resources shared acrosssecurity boundaries, the page cache can be abused as a way to extractinformation that should be kept secret. A recent paper [PDF] by Daniel Grussand colleagues showed how the page cache can be targeted for a number ofdifferent attacks, leading to an abrupt change in how themincore() system call works at the endof the 5.0 merge window. But subsequent discussion has made it clearthat mincore() is just the tip of the iceberg; it is unclear whatwill really need to be done to protect a system against page-cache attacksor what the performance cost might be.

Stable kernels 4.20.3, 4.19.16, 4.14.94, 4.9.151, and 4.4.171 have been released. They all containimportant fixes and users should upgrade.

Security updates have been issued by CentOS (libvncserver), Debian (sssd), Fedora (kernel and kernel-headers), Red Hat (ansible, openvswitch, pyOpenSSL, python-django, and redis), and Ubuntu (policykit-1).

The LWN.net Weekly Edition for January 17, 2019 is available.

Low-end devices bound for developing countries, such as those running the Android Go edition, lack encryption support because the hardware doesn't provide anycryptographic acceleration. That means users in developing countries haveno protection for the data on their phones. Google would like to changethat situation. The company worked on adding the Speck cipher to thekernel, but decided against using itbecause of opposition due to Speck's origins at the US NationalSecurity Agency (NSA). As a replacement, the Adiantum encryption mode wasdeveloped; it has been merged for Linux 5.0.

Security updates have been issued by Debian (systemd and wireshark), Fedora (openssh, php-horde-Horde-Form, and unrtf), Mageia (aria2, libvncserver, x11vnc, and nss), Oracle (kernel and libvncserver), Scientific Linux (libvncserver), SUSE (kernel, soundtouch, webkit2gtk3, and wget), and Ubuntu (libcaca and policykit-1).

While the kernel has had support for asynchronousI/O (AIO) since the 2.5development cycle, it has also had people complaining about AIO for aboutthat long. The current interface is seen as difficult to use andinefficient; additionally, some types of I/O are better supported thanothers. That situation may be about to change with the introduction of a proposednew interface from Jens Axboe called "io_uring". As might be expectedfrom the name, io_uring introduces just what the kernel needed more than anything else:yet another ring buffer.

It is that time of year again: Google is lookingfor mentor projects for the 2019 Summer of Code. "GSoC is aglobal program that draws university student developers from around theworld to contribute to open source. Each student spends three monthsworking on a coding project, with the support of volunteer mentors, forparticipating open source organizations from late May to August. Last year1,264 students worked with 206 open source organizations." Theapplication deadline is February 6.

"User tracking" is generally contentious in free-software communities—evenif the "tracking" is not really intended to do so. It is oftendistributions that have the most interest in counting their users, butLinux users tend to be more privacy conscious than users of more mainstreamdesktop operating systems. The Fedora project recently discussed how tocount its users and ways to preserve their privacy while doing so.

Security updates have been issued by Arch Linux (irssi and systemd), CentOS (systemd), Debian (xen and zeromq3), Fedora (gnutls, kernel, kernel-headers, kernel-tools, and nbdkit), Oracle (libvncserver and systemd), Red Hat (libvncserver), and Ubuntu (haproxy, libarchive, and php-pear).

An advisory from Harry Sintonen describes several vulnerabilities in thescp clients shipped with OpenSSH, PuTTY, and others. "Manyscp clients fail to verify if the objects returned by the scp server matchthose it asked for. This issue dates back to 1983 and rcp, on which scp isbased. A separate flaw in the client allows the target directory attributesto be changed arbitrarily. Finally, two vulnerabilities in clients mayallow server to spoof the client output." The outcome is that ahostile (or compromised) server can overwrite arbitrary files on the clientside. There do not yet appear to be patches available to address theseproblems.

Security updates have been issued by Arch Linux (python-django and python2-django), Debian (sqlite3, systemd, and vlc), Fedora (mingw-nettle and polkit), Mageia (graphicsmagick, python-django, spice-vdagent, and to), openSUSE (aria2, discount, gpg2, GraphicsMagick, gthumb, haproxy, irssi, java-1_7_0-openjdk, java-1_8_0-openjdk, libgit2, LibVNCServer, and sssd), Red Hat (systemd), Scientific Linux (systemd), Slackware (irssi and zsh), SUSE (LibVNCServer and sssd), and Ubuntu (gnome-bluetooth and systemd).

The second 5.0 prepatch is out for testing."So the merge window had somewhat unusual timing with the holidays,and I was afraid that would affect stragglers in rc2, but honestly, thatdoesn't seem to have happened much. rc2 looks pretty normal."

The stable-kernel machine has churned out another set of releases:4.20.2,4.19.15,4.14.93,4.9.150,4.4.170, and3.18.132have all been released with a large set of important fixes.

In January 2038, the 32-bit time_t value used on many Unix-likesystems will run out of bits and be unable to represent the current time.This may seem like a distant problem, but, as Tom Scott recently observed,the year-2038 apocalypse is now closer to the present than the year-2000problem. The fact that systems being deployed now will still be operatingin 2038 adds urgency to the issue as well. The good news is that work has been underway for years to prepareLinux for this date, so there should be no need to call developers out ofretirement in 2037 in a last-minute panic. Some of the final steps in thistransition for the core kernel have been posted, and seem likely to bemerged for 5.1.

Version5.0 of the Metasploit penetration-testing framework is out."Metasploit 5.0 offers a new data service, introduces fresh evasioncapabilities, supports multiple languages, and builds upon the Framework’sever-growing repository of world-class offensive security content. We’reable to continue innovating and expanding in no small part thanks to themany open source users and developers who make it a priority to share theirknowledge with the community. You have our gratitude."

Security updates have been issued by Arch Linux (systemd and wireshark-cli), Debian (libsndfile and tmpreaper), Fedora (beep, electrum, gnutls, haproxy, krb5, mupdf, php-horde-Horde-Image, python-django, and wget), Mageia (libarchive and terminology), openSUSE (libraw, polkit, and singularity), SUSE (haproxy, java-1_8_0-openjdk, LibVNCServer, and webkit2gtk3), and Ubuntu (exiv2, gnupg2, and webkit2gtk).

What if you announced a board election and nobody ran? That is the quandarythe openSUSE project facedas recently as January 4, when the nomination deadline loomed andno candidates for the three open seats had come forward. The situation hassince changed, and openSUSE members will have a wide slate of candidates tochoose from. But the seeming reticence to come forward may well be areflection of some unresolved tensions that exploded into a flame warseveral months ago.

Qualys has sent out a security advisory describing three stack-overrunvulnerabilities in systemd-journald. "We developed an exploit for CVE-2018-16865 and CVE-2018-16866 thatobtains a local root shell in 10 minutes on i386 and 70 minutes onamd64, on average. We will publish our exploit in the near future.To the best of our knowledge, all systemd-based Linux distributions arevulnerable, but SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora28 and 29 are not exploitable because their user space is compiled withGCC's -fstack-clash-protection."

Security updates have been issued by Debian (libcaca), Fedora (beep and libgxps), Mageia (krb5, live, ffmpeg, mplayer, and vlc, and mbedtls), SUSE (helm-mirror, java-1_7_0-openjdk, and systemd), and Ubuntu (nss and python-django).

The LWN.net Weekly Edition for January 10, 2019 is available.

<p>Python has always touted itself as a "batteries included" language; itsstandard library contains lots of useful modules, often more than enough tosolve many types of problems quickly. From time to time, though, some havestarted to rethink that philosophy, to reduce or restructure the standardlibrary, for a variety of reasons. A discussion at the end of November on the python-dev mailing list revived that debateto some extent.

The4.20.1,4.19.14,4.14.92, and4.9.149stable kernels have been released; each contains a relatively large set ofimportant fixes.

Security updates have been issued by Arch Linux (elfutils, polkit, and tar), Debian (python-django and ruby-loofah), and Mageia (ansible, avidemux, coreutils, discount, nettle, openafs, opensc, and qtbase5).