LWN.net

Security updates have been issued by CentOS (ntp), Debian (openssl1.0), openSUSE (salt), Oracle (firefox, ghostscript, and ntp), Red Hat (ntp), and SUSE (bluez, git, libnettle, ovmf, and tiff).

The LWN.net Weekly Edition for December 20, 2018 is available.

The December 20 LWN.net Weekly Edition is the final one for the year; asusual, we will be taking the last week of the year off for a brief rest.LWN, which is about to conclude its 21st year of publication, has had thetime to build up some traditions, one of which is a year-end retrospectivethat evaluates the predictions we made backin January. As usual, some of those predictions aged rather better thanothers; read on for our report card.

Stable kernel 4.19.11 has been releasedwith some important fixes; users should upgrade.

A year-old bug in Kubernetes was thetopic of a talk given by Michelle Au and Jan Šafránek at KubeCon+ CloudNativeCon North America, which was held mid-December inSeattle. In the talk, they looked at the details of the bug and theresponse from the Kubernetes product security team (PST). While the bug was fairly straightforward, it wassurprisingly hard to fix. The whole process also provided experience thatwill help improve vulnerability handling in the future.

Security updates have been issued by CentOS (ghostscript), Fedora (ansible and wireshark), openSUSE (go1.11, pdns, and pdns-recursor), Oracle (firefox), Red Hat (java-1.8.0-ibm), Scientific Linux (firefox), and SUSE (crash, libqt5-qtbase, perl, and qemu).

Back in late October, when we looked in onthe Python governance question, which came about due to the resignation of Guido van Rossum, things seemedto be mostly set for a vote in late November. There were six PythonEnhancement Proposals (PEPs) under consideration that would be ranked byvoters in a two-week period ending December 1; instant-runoffvoting would be used to determine the winner. In the interim, though,much of that changed; the voting period, winner-determination mechanism,and number of PEPs under consideration are all different. But the votingconcluded on December 16 and a winnerhas been declared; PEP 8016 ("TheSteering Council Model"), which was added to the mix in early November, cameout on top.

HardenedBSD has releasedversion 12 of its security-enhanced fork of FreeBSD. Improvements inthis release include Non-Cross-DSO Control-Flow Integrity (CFI) forapplications on amd64 and arm64; jailed bhyve; per-jail toggles forunprivileged process debugging; Spectre v2 mitigation with retpolineapplied to the entirety of base and ports; Symmetric Multi-Threading (SMT)disabled by default; and more.

Security updates have been issued by Debian (libapache-mod-jk and sleuthkit), Fedora (kernel, kernel-headers, mbedtls, php, php-symfony, php-symfony3, php-symfony4, and wireshark), openSUSE (pdns, pdns-recursor, and salt), Oracle (firefox and ghostscript), Red Hat (ansible, firefox, ghostscript, and kernel), Scientific Linux (firefox and ghostscript), and SUSE (ovmf).

Greg Kroah-Hartman has released stable kernel 4.4.168. As usual, there are important fixesand users should upgrade.

Gustavo Padovan notesan important milestone in Linux graphics development: "The dreamfinally came true in 2018 with the release of the Google Pixel 3, the firstAndroid phone running with the mainline graphics stack. A feat that wasdeemed impossible 10 years ago is now a reality thanks to a lot of hardwork from the entire community."

Stable kernel 3.18.130 has been releasedwith important fixes; users should upgrade.

Security updates have been issued by Debian (php5, poppler, and samba), Fedora (firefox, mbedtls, nbdkit, pdns-recursor, php, php-symfony, php-symfony3, and php-symfony4), Gentoo (CouchDB, scala, and spamassassin), Mageia (firefox, libwpd, nss, and thunderbird), openSUSE (Chromium, cups, ghostscript, kernel, openvswitch, phpMyAdmin, qemu, and tcpdump), Red Hat (RHGS WA), and SUSE (ansible, openldap2, openvswitch, qemu, and tcpdump).

Linus has released 4.20-rc7, saying:"The plan remains the same: if everything continues normally, I'llrelease 4.20 just before christmas, and then just have a moreleisurely merge window than normal."On the stable side,4.19.10,4.14.89,and 4.9.146 are out with a new set ofimportant fixes.

Indirect function calls — calls to a function whose address is stored in apointer variable — have never been blindingly fast, but the Spectrehardware vulnerabilities have made things far worse. The indirect branchpredictor used to speed up indirect calls in the CPU can no longer beused, and performance has suffered accordingly. The "retpoline"mechanism was a brilliant hack that proved faster than the hardware-based solutionsthat were tried at the beginning. While retpolines took a lot of the painout of Spectre mitigation, experience over the last year has made it clearthat they still hurt. It is thus not surprising that developers have beenlooking for alternatives to retpolines; several of them have shown up onthe kernel lists recently.

Security updates have been issued by CentOS (ghostscript, git, java-1.7.0-openjdk, java-11-openjdk, kernel, NetworkManager, python-paramiko, ruby, sos-collector, thunderbird, and xorg-x11-server), Debian (gcc-4.9), and SUSE (amanda, ntfs-3g_ntfsprogs, and tiff).

The Linux kernel is generally seen as a poor fit for safety-criticalsystems; it was never designed to provide realtime response guarantees orto be certifiable for such uses. But the systems that can be usedin such settings lack the features needed to support complex applications.This problem is often solved by deploying a mix of computers runningdifferent operating systems. But what if you want to support a mixture oftasks, some safety-critical and some not, on the same system? At a talkgiven at LinuxLab 2018, ClaudioScordino described an effort to support this type of mixed-criticalitysystem.

Greg Kroah-Hartman has released stable kernels 4.19.9, 4.14.88, 4.9.145, 4.4.167, and 3.18.129. They all contain important fixes andusers should upgrade.

Security updates have been issued by Debian (firefox-esr), Fedora (singularity), openSUSE (compat-openssl098, cups, firefox, mozilla-nss, and xen), and SUSE (cups, exiv2, ghostscript, and git).

The LWN.net Weekly Edition for December 13, 2018 is available.

In the RDMA microconference of the 2018 Linux Plumbers Conference (LPC),John Hubbard, Dan Williams, and Matthew Wilcox led a discussion on theproblems surrounding get_user_pages() (and friends) and theinteraction with DMA. It is not the first time the topic has come up,there was also a discussion about it at theLinux Storage, Filesystem, and Memory-Management Summit back in April. Ina nutshell, the problem is that multiple parts of the kernel think theyhave responsibility for the same chunk of memory, but they do notcoordinate their activities; as might be guessed, mayhem can sometimes ensue.

The x32 subarchitectureis a software variant of x86-64; it runs the processor in the 64-bit mode,but uses 32-bit pointers and arithmetic. The idea is to get the advantagesof x86-64 without the extra memory usage that goes along with it. Itseems, though, that x32 is not much appreciated; few distributions supportit and the number of users appears to be small. So now Andy Lutomirski isproposingits eventual removal:I propose that we make CONFIG_X86_X32 depend on BROKEN for a releaseor two and then remove all the code if no one complains. If anyonewants to re-add it, IMO they're welcome to do so, but they need to doit in a way that is maintainable.If there are x32 users out there, now would be a good time for them tospeak up.

Security updates have been issued by Arch Linux (chromium, firefox, lib32-openssl, lib32-openssl-1.0, openssl, openssl-1.0, texlive-bin, and wireshark-cli), Fedora (perl), openSUSE (pdns), Oracle (kernel), Red Hat (kernel), Slackware (mozilla), SUSE (kernel, postgresql10, qemu, and xen), and Ubuntu (firefox, freerdp, freerdp2, pixman, and poppler).

Git 2.20.0 is out. Changes include interdiff generation support in gitformat-patch, an improved ability to cope with corrupted patches ingit am, a number of performance and usability improvements, and more.

The Mozilla Blog takesa look at the Contextual Feature Recommender (CFR) in Firefox64. "Aimed at people who are looking to get more out of their onlineexperience or ways to level up. CFR is a system that proactively recommendsFirefox features and add-ons based on how you use the web. For example, ifyou open multiple tabs and repeatedly use these tabs, we may offer afeature called “Pinned Tabs” and explain how it works. Firefox curates thesuggested features and notifies you. With today’s release, we will start torollout with three recommended extensions which include: FacebookContainer, Enhancer for YouTube and To Google Translate. This feature isavailable for US users in regular browsing mode only. They will not appearin Private Browsing mode. Also, Mozilla does NOT receive a copy of yourbrowser history. The entire process happens locally in your copy ofFirefox." The releasenotes contain more details about this release.

Git does not handle large files very well. While there iswork underway to handle large repositories through the commitgraph work, Git's internal design has remained surprisingly constantthroughout its history, which means that storing large files into Git comeswith a significant and, ultimately, prohibitive performancecost. Thankfully, other projects are helping Git address thischallenge. This article compares how Git LFS and git-annex address this problemand should help readers pick the right solution for their needs.

Security updates have been issued by Debian (php7.0), Fedora (keepalived, kernel, kernel-headers, kernel-tools, mingw-uriparser, and uriparser), openSUSE (pdns-recursor), Oracle (kernel), SUSE (compat-openssl098, glibc, java-1_8_0-ibm, kernel, opensc, python, python-base, python-cryptography, python-pyOpenSSL, samba, and soundtouch), and Ubuntu (cups).

There are a lot of claims regarding the relative security of containersversus virtual machines (VMs), but there has been little in the way ofactually trying to measure those differences. James Bottomley gave a talkin the refereed track of the 2018 Linux Plumbers Conference (LPC)that described work that targets filling in that gap. He and his colleagueshave come up with a measure that, while not perfect, gives a starting point for furtherefforts.

Version15 of the Nextcloud productivity and communications platform is out.New features include Mastodon integration, two-factor authentication, anumber of user-interface improvements, and more.

For those who would like a deeper understanding of how the human interfacedevice (HID) protocol works, Peter Hutterer has posted adetailed overview. "Originally HID was designed to work overUSB. But just like Shrek the technology world is obsessed with layers sothese days HID works over different transport layers. HID over USB is whatyour mouse uses, HID over i2c may be what your touchpad uses. HID worksover Bluetooth and it's celebrity-diet version BLE. Somewhere, someone outthere is very slowly moving a mouse pointer by sending HID over carrierpigeons just to prove a point. Because there's always that one guy."

Kernel bugs can have all kinds of unfortunate consequences, frominconvenient crashes to nasty security vulnerabilities. Some of the mostfeared bugs, though, are those that corrupt data in filesystems. Thelosses imposed on users can be severe, and the resulting problems may notbe noticed for a long time, making recovery difficult. Filesystemdevelopers, knowing that they will have to face their users in the realworld, go to considerable effort to prevent this kind of bug from findingits way into a released kernel. A recent failure in that regard raises anumber of interesting questions about how kernel development is done.

Security updates have been issued by Debian (chromium-browser and lxml), Fedora (cairo, hadoop, and polkit), Mageia (tomcat), openSUSE (apache2-mod_jk, Chromium, dom4j, ImageMagick, libgit2, messagelib, ncurses, openssl-1_0_0, otrs, pam, php5, php7, postgresql10, rubygem-activejob-5_1, tiff, and tomcat), Red Hat (chromium-browser and rh-git218-git), Slackware (php), SUSE (audiofile, cri-o and kubernetes packages, cups, ImageMagick, libwpd, SMS3.2, and systemd), and Ubuntu (lxml).

The 4.20-rc6 kernel prepatch is out fortesting."Most of it looks pretty small and normal. Would I have preferred forthere to be less churn? Yes. But it's certainly smaller than rc5 was,so we're moving in the right direction, and we have at least one morerc to go."

The stable kernel process continues to churn out releases;4.19.8,4.14.87, and4.9.144are now available with another set of important fixes.

Filesystem developers tend toward a high level of conservatism when itcomes to making changes; given the consequences of mistakes, this seemslike a healthy survival trait. One might rightly be tempted to regard arecent disagreement over the backporting of filesystem-related fixes to thestable kernels as an example of this conservatism, but there is more toit. The kernel development process has matured in many ways over theyears; perhaps this discussion hints at some of the changes that will beneeded to continue that maturation in the future.

Security updates have been issued by Arch Linux (jupyter-notebook), CentOS (ghostscript), Debian (libphp-phpmailer and policykit-1), Fedora (bird), Gentoo (ede), Mageia (flash-player-plugin), openSUSE (dom4j, dpdk, glib2, nextcloud, postgresql94, and qemu), Oracle (kernel), SUSE (firefox, libarchive, libgit2, libreoffice, ncurses, openssl-1_0_0, squid, and tiff), and Ubuntu (ghostscript, openssl, openssl1.0, and wavpack).

Signals have existed in Unix systems for years, despite the generalconsensus that they are an example of a baddesign. Extensions and new ways of using signals pop up from time totime, fixing the issues that have been found. A notable addition was theintroduction of signalfd()nearly 10 years ago. Recently, the kernel developers have discussed how to avoidrace conditions related to process-ID (PID) recycling, which occurs when aprocess terminates and another one is assigned the same PID. A process that failsto notice that its target has exited may try to send a signal to the wrongrecipient, with potentially grave consequences. A patch set from ChristianBrauner is trying to solve the issue by adding signaling via file descriptors.

Microsoft has announcedthat its "Edge" browser is joining the Chromium world. "Today we’re announcing that we intend to adopt the Chromium open source project in the development of Microsoft Edge on the desktop to create better web compatibility for our customers and less fragmentation of the web for all web developers.As part of this, we intend to become a significant contributor to the Chromium project, in a way that can make not just Microsoft Edge — but other browsers as well — better on both PCs and other devices."

Security updates have been issued by Mageia (kio-extras), Red Hat (flash-plugin and openstack-neutron), Slackware (gnutls and nettle), SUSE ( aphp53, apache2, apache2-mod_jk, compat-openssl097g, firefox, llvm4, mozilla-nspr, mozilla-nss, apache2-mod_nss, glib2, kvm, mariadb, ncurses, openssl-1_0_0, openssl1, pam, php5, php7, qemu, rubygem-activejob-5_1, tomcat, and wireshark), and Ubuntu (libraw and spamassassin).

The LWN.net Weekly Edition for December 6, 2018 is available.

Videos from the 2018 Linux Plumbers Conference (November 13-15, Vancouver)have now been posted for all sessions, including the Kernel Summit andNetworking tracks. They can be found by going to thedetailed schedule and clicking on the session of interest.

Daniel Vetter began his talk in the refereed track of the 2018 Linux Plumbers Conference (LPC)by noting that it would be in a somewhat similar vein to other talks he hasgiven, since it is about tooling and workflows that are outside of thekernel norm. But, unlike those other talks that concerned changes that hadalready taken place, this talk was about switching open-source graphics projectsto using a hosted version of GitLab, which has not yet happened.In it, he wanted to share his thoughts about why he thinks migrating toGitLab makes sense for the kernel graphics community—and maybe the kernelas a whole.

Stable kernels 4.19.7, 4.14.86, and 4.9.143 have been released, with the usual setof important fixes throughout the tree.

Security updates have been issued by Debian (suricata), Fedora (cobbler), Oracle (ghostscript), Red Hat (ansible), and Scientific Linux (ghostscript and ruby).

A critical flaw in the Kubernetes container orchestration system has been announced. It will allow any user to compromise a Kubernetes cluster by way of exploiting any aggregated API server that is deployed for it. This affects all Kubernetes versions 1.0 to 1.12, but is only fixed in the supported versions (in 1.10.11, 1.11.5, and 1.12.3). "With a specially crafted request, users that are authorized to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection. [...] In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation. [...] There is no simple way to detect whether this vulnerability has been used. Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log. The requests do appear in the kubelet or aggregated API server logs, but are indistinguishable from correctly authorized and proxied requests via the Kubernetes API server." Kubernetes users should obviously update as soon as possible.

Back in 2011, Harald Hoyer and Kay Sievers came up with a proposal forFedorato merge much of the operating system into /usr; former top-leveldirectories, /bin, /lib, and /sbin, would then become symbolic links pointing into thecorresponding subdirectories of /usr.Left out of the merge would be things likeconfiguration files in /etc, data in/var, and user home directories. This change was aimed atfeatures like atomic upgrades and easy snapshots. The switchto a merged /usr was successful for Fedora 17; many otherdistributions (Arch,OpenSUSE, Mageia,just to name a few) have followed suit. More recently, Debian has beenworking toward a merged /usr, but it ran into some surprisingproblems that are unique to the distribution.

Security updates have been issued by Fedora (glibc, qemu, and tmux), Mageia (messagelib), Oracle (ghostscript), Red Hat (ghostscript, OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, OpenShift Container Platform 3.2, OpenShift Container Platform 3.3, OpenShift Container Platform 3.4, OpenShift Container Platform 3.5, OpenShift Container Platform 3.6, and OpenShift Container Platform 3.8), Slackware (mozilla), and Ubuntu (linux, linux-gcp, linux-kvm, linux-raspi2, linux-hwe, linux-gcp, perl, and poppler).

The BPF verifier is charged with ensuring that any given BPF program issafe for the kernel to load and run. Programs that fail to terminate areclearly unsafe, as they present an opportunity for denial-of-serviceattacks. In current kernels, the verifier uses a heavy-handed technique toblock such programs: it disallows any program containing loops. This works, but at thecost of disallowing a wide range of useful programs; if the verifier coulddetermine whether any given loop would terminate within a bounded time,this restriction could be lifted. John Fastabend presented a plan fordoing so during the BPFmicroconference at the 2018 Linux Plumbers Conference.

CentOS has released CentOS Linux 7.6 (1810). "Updates released sincethe upstream release are all posted, across all architectures. We stronglyrecommend every user apply all updates, including the content releasedtoday, on your existing CentOS Linux 7 machine by just running 'yumupdate'." See the releasenotes for more information.

Security updates have been issued by Debian (nsis, openssl, poppler, and tiff), Fedora (dnsdist, drupal7, kernel, kernel-headers, kernel-tools, net-snmp, perl, php-Smarty2, and samba), Gentoo (connman, nagios-core, php, and webkit-gtk), Mageia (apache-mod_perl, kdeconnect-kde, and python-requests), Red Hat (rh-postgresql10-postgresql), and SUSE (kernel).