Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-22 00:15
[$] Continued attacks on HTTP/2
On April 3 security researcher Bartek Nowotarski published the details of a new denial-of-service (DoS) attack, called a "continuation flood", against many HTTP/2-capable web servers. While the attack is not terribly complex, it affects many independent implementations of the HTTP/2 protocol, even though multiple similar vulnerabilities over the years have given implementers plenty of warning.
Security updates for Wednesday
Security updates have been issued by Debian (gtkwave), Fedora (dotnet7.0, dotnet8.0, and python-pillow), Mageia (apache, gstreamer1.0, libreoffice, perl-Data-UUID, and xen), Oracle (kernel, kernel-container, and varnish), Red Hat (edk2, kernel, rear, and unbound), SUSE (apache2-mod_jk, gnutls, less, and xfig), and Ubuntu (bind9, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-azure, linux-azure-6.5, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-starfive, linux-starfive-6.5, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux-azure, and xorg-server, xwayland).
The "branch history injection" hardware vulnerability
The mainline kernel has just received a set of commits mitigating the latest x86 hardware vulnerability, known as "branch history injection". From this commit:
[$] The first Linaro Forum for Arm Linux kernel topics
On February 20, Linaro held the initial get-together for what is intended to be a regular Linux Kernel Forum for the Arm-focused kernel community. This gathering aims to convene approximately a few weeks prior to the merge window opening and prior to the release of the current kernel version under development. Topics covered in the first gathering include preparing 64-bit Arm kernels for low-end embedded systems, memory errors and Compute Express Link (CXL), devlink objectives, and scheduler integration.
OpenSSL 3.3.0 released
Version 3.3.0 of the OpenSSL SSL/TLS implementation has been released. Changes include a number of additions to its QUIC protocol support, some year-2038 improvements for 32-bit systems, and a lot of cryptographic features with descriptions like "Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple times with different output sizes." See the release notes for details.
[$] Diagnosing workqueues
There are many mechanisms for deferred work in the Linux kernel. One of them, workqueues, has seen increasing use as part of the move away from software interrupts. Alison Chaiken gave a talk at SCALE about how they compare to software interrupts, the new challenges they pose for system administrators, and what tools are available to kernel developers wishing to diagnose problems with workqueues as they become increasingly prevalent.
Security updates for Tuesday
Security updates have been issued by Debian (expat), Oracle (less and nodejs:20), Slackware (libarchive), SUSE (kubernetes1.23, nghttp2, qt6-base, and util-linux), and Ubuntu (python-django).
Rivendell v4.2.0 released
Version 4.2.0 of the Rivendell radio automation system has been released. Changes include a new data feed for 'next' data objects, improvements to its podcast system, numerous bug fixes, and more.
Introducing Jpegli: A New JPEG Coding Library (Google Open Source Blog)
The Google Open Source Blog is carrying an announcement for a new JPEG library called "Jpegli". There are a number of advantages claimed, including:
[$] The PostgreSQL community debates ALTER SYSTEM
Sometimes the smallest patches create the biggest discussions. A case in point would be the process by which the PostgreSQL community - not a group normally prone to extended, strongly worded megathreads - resolved the question of whether to merge a brief patch adding a new configuration parameter. Sometimes, a proposal that looks like a security patch is not, in fact, intended to be a security patch, but getting that point across can be difficult.
GNU Stow 2.4.0 released
Version 2.4.0 of the GNU Stow symbolic-link manager has been released. This marks the first release for GNU Stow since 2019. Maintainer Adam Spiers wrote:
Security updates for Monday
Security updates have been issued by Debian (jetty9, libcaca, libgd2, tomcat9, and util-linux), Fedora (chromium, micropython, and upx), Mageia (chromium-browser-stable, dav1d, libreswan, libvirt, nodejs, texlive-20220321, and util-linux), Red Hat (less, nodejs:20, and varnish), Slackware (tigervnc), and SUSE (buildah, c-ares, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, cont, curl, expat, go1.21, go1.22, guava, helm, indent, krb5, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libcares2, libvirt, ncurses, nghttp2, podman, postfix, python-Django, python-Pillow, python310, qemu, rubygem-rack, thunderbird, ucode-intel, and xen).
Kernel prepatch 6.9-rc3
The 6.9-rc3 kernel prepatch is out for testing.
Tridge returns to rsync
Wayne Davison has announced the release of rsync version 3.3.0, which contains a number of bug fixes and minor enhancements. Davison has also announced a change in maintainers and a move to a new GitHub project:
[$] A look at the 2024 Debian Project Leader election
The nominations have closed and campaigning is underway to see who will be the next Debian Project Leader (DPL). This year, two candidates are campaigning for the position Jonathan Carter has held for four eventful years: Sruthi Chandran and Andreas Tille. Topics that have emerged so far include how the prospective DPLs would spend project money, their opinions on handling controversial topics, and project diversity.
OpenBSD 7.5 released
OpenBSD 7.5 has been released. The list of changes and improvements is, as usual, long; it includes the pinsyscalls() functionality covered here in January.
Eclipse Foundation announces collaboration for CRA compliance
The Eclipse Foundation, the organization behind the Eclipse IDE and many other software projects, announced a collaboration between several different open-source-software foundations to create a specification describing secure software development best practices. This work is motivated by the European Union's Cyber Resilience Act (CRA).
FFmpeg 7.0 released
Version 7.0 of the FFmpeg audio/video toolkit is out. "The most noteworthy changes for most users are a native VVC decoder (currently experimental, until more fuzzing is done), IAMF support, or a multi-threaded ffmpeg CLI tool". There's also the usual list of new formats and codecs, and a few deprecated features have been removed.
Security updates for Friday
Security updates have been issued by Debian (cockpit), Mageia (python-pygments), Red Hat (nodejs), Slackware (httpd and nghttp2), SUSE (avahi, gradle, gradle-bootstrap, and squid), and Ubuntu (xorg-server, xwayland).
Stable kernels 6.8.4 and 6.6.25
The 6.8.4 and 6.6.25 stable kernels have been released. They both contain 11 reversions of workqueue patches.
V8 incorporates new sandbox
V8, the JavaScript engine used in Chrome, announced that its memory sandbox is no longer experimental.
[$] A focus on FOSS funding
Among the numerous approaches to funding the development and advancement of open-source software, corporate sponsorship in the form of donations to umbrella organizations is perhaps the most visible. At SCALE21x in Pasadena, California, Duane O'Brien presented a slice of his recent research into the landscape of such sponsorship arrangements, with an overview of the identifiable trends of the past ten years and some initial insights he hopes are valuable for sponsors and community members alike.
Incus 6.0 LTS released
Version 6.0 LTS of the Incus container management system has been released. "This is a major milestone for Incus as it marks our first release with extended support, suitable for use in production environments where monthly feature releases aren't suitable." Changes include swap limits for containers, a new shell completion mechanism, support for the creation of VLAN interfaces, improved live migration, and more.
Security updates for Thursday
Security updates have been issued by CentOS (firefox and thunderbird), Debian (chromium and gtkwave), Fedora (micropython), Slackware (xorg), SUSE (util-linux and xen), and Ubuntu (firefox).
[$] LWN.net Weekly Edition for April 4, 2024
The LWN.net Weekly Edition for April 4, 2024 is available.
AlmaLinux OS - CVE-2024-1086 and XZ (AlmaLinux blog)
AlmaLinux has announced updated kernels for AlmaLinux 8 and 9 to address CVE-2024-1086, a use-after-free vulnerability in the kernel that could be exploited to gain local privilege escalation. This is notable because the fix marks a divergence between AlmaLinux and Red Hat Enterprise Linux (RHEL):
Malcolm: Improvements to static analysis in the GCC 14 compiler
David Malcolm writes about some static-analyzer features that are coming in the GCC 14 release.
Four stable kernel updates
The 6.8.3, 6.7.12, 6.6.24, and 6.1.84 stable kernel updates have been released. Each contains an important set of fixes. Note that 6.7.12 is the final release for the 6.7.y series, and that branch is now end-of-life. Users should move to the 6.8.y branch.
[$] A memory model for Rust code in the kernel
The Rust programming language differs from C in many ways; those differences tend to be what users admire in the language. But those differences can also lead to an impedance mismatch when Rust code is integrated into a C-dominated system, and it can be even worse in the kernel, which is not a typical C program. Memory models are a case in point. A programming language's view of memory is sufficiently fundamental and arcane that many developers never have to learn much about it. It is hard to maintain that sort of blissful ignorance while working in the kernel, though, so a recent discussion of how to choose a memory model for kernel code in Rust is of interest.
KDE6 release: D-Bus and Polkit Galore (SUSE security team blog)
The SUSE Security Team Blog is carrying a detailed article on SUSE's review of the KDE6 release.
Security updates for Wednesday
Security updates have been issued by Debian (py7zr), Fedora (biosig4c++ and podman), Oracle (kernel, kernel-container, and ruby:3.1), Red Hat (.NET 7.0, bind9.16, curl, expat, grafana, grafana-pcp, kernel, kernel-rt, kpatch-patch, less, opencryptoki, and postgresql-jdbc), and Ubuntu (cacti).
Redict 7.3.0 released
The first stable release of Redict, a fork of the Redis in-memory database under a copyleft license, has been announced.
[$] How the XZ backdoor works
Versions 5.6.0 and 5.6.1 of the XZ compression utility and library were shipped with a backdoor that targeted OpenSSH. Andres Freund discovered the backdoor by noticing that failed SSH logins were taking a lot of CPU time while doing some micro-benchmarking, and tracking down the backdoor from there. It was introduced by XZ co-maintainer "Jia Tan" - a probable alias for person or persons unknown. The backdoor is a sophisticated attack with multiple parts, from the build system, to link time, to run time.
[$] Free software's not-so-eXZellent adventure
A common theme in early-days anti-Linux FUD was that, since anybody can contribute to the code, it cannot be trusted. Over two decades later, one rarely hears that line anymore; experience has shown that free-software communities are not prone to shipping overtly hostile code. But, as the backdooring of XZ has reminded us, the embedding of malicious code is, unfortunately, not limited to the proprietary realm. Our community will be busy analyzing this incident for some time to come, but clear conclusions may be hard to come by.
Security updates for Tuesday
Security updates have been issued by Fedora (kernel and webkitgtk), Mageia (unixODBC and w3m), and SUSE (libvirt, netty, netty-tcnative, and perl-DBD-SQLite).
[$] Improving performance with SCHED_EXT and IOCost
At SCALE this year Dan Schatzberg and Tejun Heo, both from Meta, gave back-to-back talks about some of the performance-engineering work that they do there. Schatzberg presented on the extensible BPF scheduler, which has been discussed extensively on the kernel mailing list. Heo presented on IOCost - a control group (cgroup) I/O controller optimized for solid-state disks (SSDs) - and the benchmark suite that is necessary to make it work well on different models of disk.
NetBSD 10.0 released
Version 10.0 of the NetBSD system has been released.
Security updates for Monday
Security updates have been issued by Arch Linux (xz), Debian (libvirt, mediawiki, util-linux, and xz-utils), Fedora (apache-commons-configuration, cockpit, ghc-base64, ghc-hakyll, ghc-isocline, ghc-toml-parser, gitit, gnutls, pandoc, pandoc-cli, patat, podman-tui, prometheus-podman-exporter, seamonkey, suricata, and xen), Gentoo (XZ utils), Mageia (aide & mhash, emacs, microcode, opensc, and squid), Red Hat (ruby:3.1), and SUSE (kanidm and qpid-proton).
Kernel prepatch 6.9-rc2
The 6.9-rc2 kernel prepatch is out for testing. "Neither snow nor rain nor heat nor gloom of night stays kernel rc releases. Nor does Easter."
A few relevant quotes
A backdoor in xz
Andres Freund has posted a detailed investigation into a backdoor that was shipped with versions 5.6.0 and 5.6.1 of the xz compression utility. It appears that the malicious code may be aimed at allowing SSH authentication to be bypassed.
[$] Radicle: peer-to-peer collaboration with Git
Radicle is a new, peer-to-peer, MIT/Apache-licensed collaboration platform written in Rust and built on top of Git. It adds support for issues and pull requests (which Radicle calls "patches") on top of core Git, which are stored in the Git repository itself. Unlike GitHub, GitLab, and similar forges, Radicle is distributed; it doesn't rely on having everyone use the same server. Instead, Radicle instances form a network that synchronizes changes between nodes.
Security updates for Friday
Security updates have been issued by Debian (chromium), Fedora (apache-commons-configuration, chromium, csmock, ofono, onnx, php-tcpdf, and podman-tui), Mageia (curl), Oracle (libreoffice), Slackware (coreutils, seamonkey, and util), SUSE (minidlna, PackageKit, and podman), and Ubuntu (linux-azure-6.5 and linux-intel-iotg, linux-intel-iotg-5.15).
Schaller: Fedora Workstation 40 – what are we working on
Christian Schaller writes about the desktop-oriented work aimed at the upcoming Fedora 40 release.
[$] The race to replace Redis
On March 21, Redis Ltd. announced that the Redis "in-memory data store" project would now be released under non-free, source-available licenses, starting with Redis 7.4. The news is unwelcome, but not entirely unexpected. What is unusual with this situation is the number of Redis alternatives to choose from; there are at least four options to choose as a replacement for those who wish to stay with free software, including a pre-existing fork called KeyDB and the Linux Foundation's newly-announced Valkey project. The question now is which one(s) Linux distributions, users, and providers will choose to take its place.
[$] Declarative partitioning in PostgreSQL
Keith Fiske gave a talk (with slides) about the state of partitioning - splitting a large table into smaller tables for performance reasons - in PostgreSQL at SCALE this year. He spoke about the existing support for partitioning, what work still needs to be done, and what place existing partitioning tools, like his own pg_partman, still have as PostgreSQL gains more built-in features.
Samba 4.20.0 released
Version 4.20.0 of the Samba Windows interoperability suite has been released. Changes include better support for group-managed service accounts, an experimental Windows search protocol client, support for conditional access control entries, and more.
Security updates for Thursday
Security updates have been issued by Fedora (perl-Data-UUID, python-pygments, and thunderbird), Mageia (clojure, grub2, kernel, kmod-xtables-addons, kmod-virtualbox, kernel-linus, nss firefox, nss, python3, python, tcpreplay, and thunderbird), Oracle (nodejs:18), Red Hat (.NET 6.0 and dnsmasq), SUSE (avahi and python39), and Ubuntu (curl, linux-intel-iotg, linux-intel-iotg-5.15, unixodbc, and util-linux).
[$] LWN.net Weekly Edition for March 28, 2024
The LWN.net Weekly Edition for March 28, 2024 is available.
The PostgreSQL community mourns Simon Riggs
The PostgreSQL community is dealing with the loss of Simon Riggs, who passed away on March 26: