LWN.net
Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-12-12 09:15
[$] C considered dangerous
At the North America edition of the 2018 Linux Security Summit (LSS NA), which was held in late August in Vancouver, Canada, Kees Cook gave a presentation on some of the dangers that come with programs written in C. In particular, of course, the Linux kernel is mostly written in C, which means that the security of our systems rests on a somewhat dangerous foundation. But there are things that can be done to help firm things up by "Making C Less Dangerous" as the title of his talk suggested.
bison-3.1 released
Version 3.1 of the Bison parser generator has been released. "It introduces new features such as typed midrule actions, brings improvements in the diagnostics, fixes several bugs and portability issues, improves the examples, and more".
Security updates for Wednesday
Security updates have been issued by CentOS (bind and postgresql), Debian (linux-4.9 and tomcat8), Red Hat (java-1.7.1-ibm and java-1.8.0-ibm), Slackware (kernel), SUSE (kernel and openssl1), and Ubuntu (linux-azure, linux-oem, linux-gcp and poppler).
[$] An introduction to the Julia language, part 1
Julia is a young computer language aimed at serving the needs of scientists, engineers, and other practitioners of numerically intensive programming. It was first publicly released in 2012. After an intense period of language development, version 1.0 was released on August 8. The 1.0 release promises years of language stability; users can be confident that developments in the 1.x series will not break their code. This is the first part of a two-part article introducing the world of Julia. This part will introduce enough of the language syntax and constructs to allow you to begin to write simple programs. The following installment will acquaint you with the additional pieces needed to create real projects, and to make use of Julia's ecosystem.
Reports from Netdev 0x12
The Netdev 0x12 networking conference was held in mid-July. The conference team has provided a brief introduction. Participants at the event have put together a set of reports of the talks that were held during the conference; tutorials and workshops were held on Day 1, Day 2 includes eleven talks, including the keynote by Van Jacobson, while Day 3 covers another ten topics.
Two stable kernel updates
Stable kernels 4.4.153 and 3.18.120 have been released. They both contain important fixes and users should upgrade.
Security updates for Tuesday
Security updates have been issued by Debian (ruby2.1 and twitter-bootstrap3), Fedora (freeipa), openSUSE (libreoffice), Oracle (bind), Red Hat (bind), Scientific Linux (bind), SUSE (grafana, kafka, logstash, monasca-installer and libreoffice), and Ubuntu (intel-microcode and libgd2).
[$] Sharing and archiving data sets with Dat
Dat is a new peer-to-peer protocol that uses some of the concepts of BitTorrent and Git. Dat primarily targets researchers and open-data activists as it is a great tool for sharing, archiving, and cataloging large data sets. But it can also be used to implement decentralized web applications in a novel way. Subscribers can read on for more on Dat by guest author Antoine Beaupré.
Security updates for Monday
Security updates have been issued by Debian (dropbear, libextractor, and libgit2), Fedora (chromium, obs-build, and osc), openSUSE (GraphicsMagick, ImageMagick, kbuild, virtualbox, libgit2, nextcloud, and phpMyAdmin), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, rh-postgresql10-postgresql, and rh-postgresql96-postgresql), and SUSE (gdm, openssh, openssl, python, and xen).
[$] The second half of the 4.19 merge window
By the time Linus Torvalds released 4.19-rc1 and closed the merge window for this development cycle, 12,317 non-merge changesets had found their way into the mainline; about 4,800 of those landed after last week's summary was written. As tends to be the case late in the merge window, many of those changes were fixes for the bigger patches that went in early, but there were also a number of new features added.
Kernel prepatch 4.19-rc1
Linus has released 4.19-rc1 and closed the merge window for this development cycle. "This was a fairly frustrating merge window, partly because 4.19 looks to be a pretty big release (no single reason), and partly just due to random noise. We had the L1TF hw vulnerability disclosure early in the merge window, which just added the usual frustration due to having patches that weren't public. That just shows just how good all our infrastructure for linux-next and various automated testing systems have become, in how painful it is when it's lacking."
OpenSSH 7.8 released
OpenSSH 7.8 is out. It includes a fix for the username enumeration vulnerability; additionally, the default format for the private key file has changed, support for running ssh setuid root has been removed, a couple of new signature algorithms have been added, and more.
Kroah-Hartman: What Stable Kernel Should I Use?
Here's a guide to picking a kernel release from Greg Kroah-Hartman. "The best solution for almost all Linux users is to just use the kernel from your favorite Linux distribution. Personally, I prefer the community based Linux distributions that constantly roll along with the latest updated kernel and it is supported by that developer community. Distributions in this category are Fedora, openSUSE, Arch, Gentoo, CoreOS, and others. All of these distributions use the latest stable upstream kernel release and make sure that any needed bugfixes are applied on a regular basis. That is the one of the most solid and best kernel that you can use when it comes to having the latest fixes (remember all fixes are security fixes) in it."
[$] KDE's onboarding initiative, one year later
In 2017, the KDE community decided on three goals to concentrate on for the next few years. One of them was streamlining the onboarding of new contributors (the others were improving usability and privacy). During Akademy, the yearly KDE conference that was held in Vienna in August, Neofytos Kolokotronis shared the status of the onboarding goal, the work done during the last year, and further plans. While it is a complicated process in a project as big and diverse as KDE, numerous improvements have been already made.
Another round of stable kernels
Five new stable kernels have been released: 4.18.5, 4.17.19, 4.14.67, 4.9.124, and 4.4.152. As usual, they contain important fixes and users should upgrade. "Note, this is the LAST 4.17.y kernel to be released, it is now end-of-life. [Please] move to 4.18.y at this time."
Security updates for Friday
Security updates have been issued by Fedora (kernel-headers), Mageia (bind, cgit, dpkg, sssd, and thunderbird), openSUSE (libXcursor and python-Django), Oracle (postgresql), Red Hat (postgresql), Scientific Linux (postgresql), SUSE (libreoffice, openssl, and xen), and Ubuntu (kernel, linux, linux-aws, linux-gcp, linux-kvm, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-hwe, linux-lts-xenial, linux-aws, and spice, spice-protocol).
Perens: Intel Publishes Microcode Security Patches, No Benchmarking Or Comparison Allowed
Bruce Perens looks at the license agreement for Intel's latest CPU microcode update and does not like what he sees. "So, lots of people are interested in the speed penalty incurred in the microcode fixes, and Intel has now attempted to gag anyone who would collect information for reporting about those penalties, through a restriction in their license. Bad move." Update: Intel has since taken out the objectionable terms.
Security updates for Thursday
Security updates have been issued by Debian (kernel and tomcat-native), Fedora (axis, CuraEngine-lulzbot, nodejs, python-uranium-lulzbot, and sleuthkit), Gentoo (chromium, lxc, networkmanager-vpnc, and webkit-gtk), openSUSE (ceph), Red Hat (openstack-keystone), SUSE (ceph, podofo, and xen), and Ubuntu (mozjs52 and pango1.0).
[$] LWN.net Weekly Edition for August 23, 2018
The LWN.net Weekly Edition for August 23, 2018 is available.
[$] Redis modules and the Commons Clause
The "Commons Clause", which is a condition that can be added to an open-source license, has been around for a few months, but its adoption by Redis Labs has some parts of the community in something of an uproar. At its core, using the clause is meant to ensure that those who are "selling" Redis modules (or simply selling access to them in the cloud) are prohibited from doing so—at least without a separate, presumably costly, license from Redis Labs. The clause effectively tries to implement a "no commercial use" restriction, though it is a bit more complicated than that. No commercial use licenses are not new—the "open core" business model is a more recent cousin, for example—but they have generally run aground on a simple question: "what is commercial use?"
Vetter: Why no 2D Userspace API in DRM?
On his blog, Daniel Vetter answers an often-asked question about why the direct rendering manager (DRM) does not have a 2D API (and won't in the future): "3D has it easy: There’s OpenGL and Vulkan and DirectX that require a certain feature set. And huge market forces that make sure if you use these features like a game would, rendering is fast. Aside: This means the 2D engine in a browser actually needs to work like a 3D action game, or the GPU will crawl. The [impedance] mismatch compared to traditional 2D rendering designs is huge. On the 2D side there’s no such thing: Every blitter engine is its own bespoke thing, with its own features, limitations and performance characteristics. There’s also no standard benchmarks that would drive common performance characteristics - today blitters are [needed] mostly in small systems, with very specific use cases. Anything big enough to run more generic workloads will have a 3D rendering block anyway. These systems still have blitters, but mostly just to help move data in and out of VRAM for the 3D engine to consume."
New stable kernels released
Greg Kroah-Hartman has announced the release of five new stable kernels: 4.18.4, 4.17.18, 4.14.66, 4.9.123, and 4.4.151. As usual, they contain important fixes, so users of those series should upgrade.
Security updates for Wednesday
Security updates have been issued by Debian (openssh and otrs2), Fedora (gifsicle, lighttpd, quazip, and samba), Red Hat (openstack-keystone), Scientific Linux (mutt), Slackware (libX11), SUSE (gtk2, ImageMagick, libcgroup, and libgit2), and Ubuntu (base-files).
[$] The sidechannel LSM
Side-channel attacks are a reasonably well-known technique to exfiltrate information across security boundaries. Until relatively recently, concerns about these types of attacks were mostly confined to cryptographic operations, where the target was to extract secrets by observing some side channel. But with the advent of Spectre, speculative execution provides a new way to exploit side channels. A new Linux Security Module (LSM) is meant to help determine where a side channel might provide secrets to an attacker, so that a speculative-execution barrier operation can be performed.
Security updates for Tuesday
Security updates have been issued by CentOS (mariadb, mutt, and qemu-kvm), Debian (clamav and libcgroup), Fedora (libldb, samba, and soundtouch), Oracle (mutt), Red Hat (mutt), SUSE (ImageMagick), and Ubuntu (apt, linux-lts-trusty, openjdk-lts, and wpa).
[$] Batch processing of network packets
It has been understood for years that kernel performance can be improved by doing things in batches. Whether the task is freeing memory pages, initializing data structures, or performing I/O, things go faster if the work is done on many objects at once; many kernel subsystems have been reworked to take advantage of the efficiency of batching. It turns out, though, that there was a piece of relatively low-hanging fruit at the core of the kernel's network stack. The 4.19 kernel will feature some work increasing the batching of packet processing, resulting in some impressive performance improvements.
[$] 3D printing with Atelier
During this year's Akademy conference, Lays Rodrigues introduced Atelier, a cross-platform, open-source system that allows users to control their 3D printers. As she stated in her talk abstract, it is "a project with a goal to make the 3D printing world a better place". Read on for an overview of what the Atelier team is up to and what it has accomplished so far.
Security updates for Monday
Security updates have been issued by Debian (confuse, jetty9, kamailio, kernel, libxcursor, and mutt), Fedora (blktrace, docker-latest, libgit2, and yubico-piv-tool), Mageia (chromium-browser-stable, flash-player-plugin, kernel, kernel-linus, kernel-tmb, microcode, openslp, and wpa_supplicant), openSUSE (apache2, curl, GraphicsMagick, perl-Archive-Zip, and xen), Oracle (kernel and mariadb), Red Hat (rh-postgresql95-postgresql), Slackware (ntp and samba), SUSE (apache2, curl, kernel, kernel-livepatch-tools, libgcrypt, mysql, openssl, perl, procps, rsyslog, shadow, wireshark, and xen), and Ubuntu (kernel).
Flatpak 1.0 released
The 1.0 release of the Flatpak application distribution system is out. There are a number of performance improvements, the ability to mark applications as being at end-of-life, up-front confirmation of requested permissions, and more. "Apps can now request access to the host SSH agent to securely access remote servers or Git repositories."
Two rounds of stable kernels released
Greg Kroah-Hartman has released two batches of stable kernels. The first set has fixes in various parts of the tree, while the second batch has a single fix for a problem with the page-table-entry inversion that is done as a mitigation for the L1TF speculative-execution vulnerability. The first batch includes: 4.18.2, 4.17.16, 4.14.64, 4.9.121, 4.4.149, and 3.18.119. The second batch is: 4.18.3, 4.17.17, 4.14.65, 4.9.122, and 4.4.150. Users should upgrade, presumably to something in the second batch unless they are running the 3.18 series.
Security updates for Friday
Security updates have been issued by Debian (intel-microcode, keystone, php-horde-image, and xen), Fedora (rsyslog), openSUSE (apache2, clamav, kernel, php7, qemu, samba, and Security), Oracle (mariadb and qemu-kvm), Red Hat (docker, mariadb, and qemu-kvm), Scientific Linux (mariadb and qemu-kvm), SUSE (GraphicsMagick, kernel, kgraft, mutt, perl-Archive-Zip, python, and xen), and Ubuntu (postgresql-10, postgresql-9.3, postgresql-9.5, procps, and webkit2gtk).
[$] The first half of the 4.19 merge window
As of this writing, Linus Torvalds has pulled just over 7,600 non-merge changesets into the mainline repository for the 4.19 development cycle. 4.19 thus seems to be off to a faster-than-usual start, perhaps because the one-week delay in the opening of the merge window gave subsystem maintainers a bit more time to get ready. There is, as usual, a lot of interesting new code finding its way into the kernel, along with the usual stream of fixes and cleanups.
The Problems and Promise of WebAssembly (Project Zero)
Over at Google's Project Zero blog, Natalie Silvanovich looks at some of the bugs the project has found in WebAssembly, which is a binary format to run code in the browser for web applications. She also looks to the future: "There are two emerging features of WebAssembly that are likely to have a security impact. One is threading. Currently, WebAssembly only supports concurrency via JavaScript workers, but this is likely to change. Since JavaScript is designed assuming that this is the only concurrency model, WebAssembly threading has the potential to require a lot of code to be thread safe that did not previously need to be, and this could lead to security problems. WebAssembly GC [garbage collection] is another potential feature of WebAssembly that could lead to security problems. Currently, some uses of WebAssembly have performance problems due to the lack of higher-level memory management in WebAssembly. For example, it is difficult to implement a performant Java Virtual Machine in WebAssembly. If WebAssembly GC is implemented, it will increase the number of applications that WebAssembly can be used for, but it will also make it more likely that vulnerabilities related to memory management will occur in both WebAssembly engines and applications written in WebAssembly."
Debian: 25 years and counting
The Debian project is celebrating the 25th anniversary of its founding by Ian Murdock on August 16, 1993. The "Bits from Debian" blog had this to say: "Today, the Debian project is a large and thriving organization with countless self-organized teams comprised of volunteers. While it often looks chaotic from the outside, the project is sustained by its two main organizational documents: the Debian Social Contract, which provides a vision of improving society, and the Debian Free Software Guidelines, which provide an indication of what software is considered usable. They are supplemented by the project's Constitution which lays down the project structure, and the Code of Conduct, which sets the tone for interactions within the project. Every day over the last 25 years, people have sent bug reports and patches, uploaded packages, updated translations, created artwork, organized events about Debian, updated the website, taught others how to use Debian, and created hundreds of derivatives." Happy birthday to the project from all of us here at LWN.
New stable kernels
Greg Kroah-Hartman has released a new batch of stable kernels: 4.18.1, 4.17.15, 4.14.63, 4.9.120, and 4.4.148. These include the fixes for the L1 terminal fault vulnerability and a few other fixes here and there. Users should upgrade.
Security updates for Thursday
Security updates have been issued by Debian (fuse), Fedora (cri-o, gdm, kernel-headers, postgresql, units, and wpa_supplicant), Mageia (iceape, kernel-linus, kernel-tmb, and libtomcrypt), openSUSE (aubio, libheimdal, nemo-extensions, and python-Django1), Red Hat (flash-plugin), SUSE (apache2, kernel, php7, qemu, samba, and ucode-intel), and Ubuntu (gnupg).
[$] LWN.net Weekly Edition for August 16, 2018
The LWN.net Weekly Edition for August 16, 2018 is available.
[$] The Data Transfer Project
Social networks are typically walled gardens; users of a service can interact with other users and their content, but cannot see or interact with data stored in competing services. Beyond that, though, these walled gardens have generally made it difficult or impossible to decide to switch to a competitor—all of the user's data is locked into a particular site. Over time, that has been changing to some extent, but a new project has the potential to make it straightforward to switch to a new service without losing everything. The Data Transfer Project (DTP) is a collaborative project between several internet heavyweights that wants to "create an open-source, service-to-service data portability platform".
Security updates for Wednesday
Security updates have been issued by CentOS (kernel), Debian (kernel, linux-4.9, postgresql-9.4, and ruby-zip), Fedora (cgit, firefox, knot-resolver, mingw-LibRaw, php-symfony, php-symfony3, php-symfony4, php-zendframework-zend-diactoros, php-zendframework-zend-feed, php-zendframework-zend-http, python2-django1.11, quazip, sox, and thunderbird-enigmail), openSUSE (python-Django and seamonkey), Oracle (kernel), Red Hat (kernel, kernel-rt, and redhat-virtualization-host), Scientific Linux (kernel), Slackware (openssl), SUSE (clamav, firefox, kernel, and samba), and Ubuntu (kernel, libxml2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-hwe, linux-azure, linux-gcp, linux-lts-trusty, linux-lts-xenial, linux-aws, linux-raspi2, and samba).
[$] CVE-2018-5390 and "embargoes"
A kernel bug that allows a remote denial of service via crafted packets was fixed recently and the resulting patch was merged on July 23. But an announcement of the flaw (which is CVE-2018-5390) was not released until August 6—a two-week window where users were left in the dark. It was not just the patch that might have alerted attackers; the flaw was publicized in other ways, as well, before the announcement, which has led to some discussion of embargo policies on the oss-security mailing list. Within free-software circles, embargoes are generally seen as a necessary evil, but delaying the disclosure of an already-public bug does not sit well.
[$] Meltdown strikes back: the L1 terminal fault vulnerability
The Meltdown CPU vulnerability, first disclosed in early January, was frightening because it allowed unprivileged attackers to easily read arbitrary memory in the system. Spectre, disclosed at the same time, was harder to exploit but made it possible for guests running in virtual machines to attack the host system and other guests. Both vulnerabilities have been mitigated to some extent (though it will take a long time to even find all of the Spectre vulnerabilities, much less protect against them). But now the newly disclosed "L1 terminal fault" (L1TF) vulnerability (also going by the name Foreshadow) brings back both threats: relatively easy attacks against host memory from inside a guest. Mitigations are available (and have been merged into the mainline kernel), but they will be expensive for some users.
Security updates for Tuesday
Security updates have been issued by Arch Linux (thunderbird), Debian (gdm3 and samba), openSUSE (cgit and lxc), SUSE (grafana, kafka, logstash, openstack-monasca-installer and samba), and Ubuntu (gdm3 and libarchive).
[$] The importance of being noisy
Hundreds (at least) of kernel bugs are fixed every month. Given the kernel's privileged position within the system, a relatively large portion of those bugs have security implications. Many bugs are relatively easily noticed once they are triggered; that leads to them being fixed. Some bugs, though, can be hard to detect, a result that can be worsened by the design of in-kernel APIs. A proposed change to how user-space accessors work will, hopefully, help to shine a light on one class of stealthy bugs.
Security updates for Monday
Security updates have been issued by Debian (blender, openjdk-8, postgresql-9.6, and sam2p), Fedora (libmspack, mingw-glib2, mingw-glibmm24, and rsyslog), Mageia (blender, glpi, godot, kernel, lftp, libjpeg, libsndfile, libsoup, mariadb, mp3gain, openvpn, and soundtouch), openSUSE (cgit, libvirt, mailman, NetworkManager-vpnc, and sddm), Slackware (bind), and SUSE (ffmpeg, glibc, and libvirt).
The 4.18 kernel is out
Linus has released the 4.18 kernel. "It was a very calm week, and arguably I could just have released on schedule last week, but we did have some minor updates." Some of the significant features in this release include unprivileged filesystem mounts, restartable sequences, a new zero-copy TCP receive API, support for active state management for power domains, the AF_XDP mechanism for high-performance networking, the core bpfilter packet filter implementation, and more. See the KernelNewbies 4.18 page for more details.
[$] The mismatched mount mess
"Mounting" a filesystem is the act of making it available somewhere in the system's directory hierarchy. But a mount operation doesn't just glue a device full of files into a specific spot in the tree; there is a whole set of parameters controlling how that filesystem is accessed that can be specified at mount time. The handling of these mount parameters is the latest obstacle to getting the proposed new mounting API into the mainline; should the new API reproduce what is arguably one of the biggest misfeatures of the current mount() system call?
Security updates for Friday
Security updates have been issued by CentOS (java-1.7.0-openjdk, openslp, and yum-utils), Fedora (exiv2, kernel-headers, kernel-tools, libgit2, and thunderbird-enigmail), openSUSE (blueman, cups, gdk-pixbuf, libcdio, libraw, libsoup, libtirpc, mysql-community-server, polkit, python-mitmproxy, sssd, virtualbox, and webkit2gtk3), Oracle (kernel), Red Hat (cobbler), SUSE (ceph, firefox, NetworkManager-vpnc, openssh, and wireshark), and Ubuntu (openjdk-7 and openjdk-8).
bzip.org changes hands
The bzip2 compression algorithm has been slowly falling out of favor, but is still used heavily across the net. A search for "bzip2 source" returns bzip.org as the first three results. But it would seem that the owner of this domain has let it go, and it is now parked and running ads. So we no longer have an official home for bzip2. If a new repository or tarball does turn up at that domain, it should be looked at closely before being trusted. (Thanks to Jason Kushmaul).
Five new stable kernels
Greg Kroah-Hartman has released the 4.17.14, 4.14.62, 4.9.119, 4.4.147, and 3.18.118 stable kernels. There are important fixes in each and users should upgrade.
Security updates for Thursday
Security updates have been issued by Arch Linux (kernel, linux-hardened, linux-lts, and linux-zen), Debian (kamailio and wpa), Fedora (kernel-headers, kernel-tools, moodle, and vim-syntastic), and openSUSE (clamav, enigmail, and java-11-openjdk).