Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-06-18 16:30
MATE 1.18 released
Version 1.18 of the MATE desktop has been released. "The release is focused on completing the migration to GTK3+ and adopting new technologies to replace some of the deprecated components MATE Desktop 1.16 still relied on."
Haas: Parallel Query v2
Robert Haas describes the many parallelism enhancements in the upcoming PostgreSQL 10 release. "The Gather node introduced in PostgreSQL 9.6 gathers results from all workers in an arbitrary order. That's fine if the data that the workers were producing had no particular ordering anyway, but if each worker is producing sorted output, then it would be nice to gather those results in a way that preserves the sort order. This is what Gather Merge does. It can speed up queries where it's useful for the results of the parallel portion of the plan to have a particular sort order, and where the parallel portion of the plan produces enough rows that performing an ordinary Gather followed by a Sort would be expensive."
Red Hat Product Security Risk Report 2016
Red Hat has released its annual report on the vulnerabilities that afflicted its products and how they were handled. "Looking only at issues affecting base Red Hat Enterprise Linux releases, we released 38 Critical security advisories addressing 50 Critical vulnerabilities. Of those issues, 100% had fixes the same or next day after the issue was public. During that same timeframe, across the whole Red Hat portfolio, 76% of Critical issues had updates to address them the same or next day after the issue was public with 98% addressed within a week of the issue being public."
[$] A deadline scheduler update
The deadline CPU scheduler has come a long way, Juri Lelli said in his 2017 Linaro Connect session, but there is still quite a bit of work to be done. While this scheduler was originally intended for realtime workloads, there is reason to believe that it is well suited for other settings, including the embedded and mobile world. In this talk, he gave a summary of what the deadline scheduler provides now and the changes that are envisioned for the near (and not-so-near) future.
Security updates for Tuesday
Security updates have been issued by Arch Linux (linux-grsec and linux-lts), Debian (icoutils, imagemagick, and roundcube), Fedora (freetype, libupnp, libwmf, thunderbird, tor, and w3m), Red Hat (chromium-browser and thunderbird), Scientific Linux (thunderbird), and Ubuntu (icoutils, icu, libevent, pidgin, pillow, and python-imaging).
Three challenges for the web, according to its inventor
The world wide web has been around for 28 years now. Web inventor Sir Tim Berners-Lee writes about the challenges facing the modern web, including the loss of control of our personal data, the spread of misinformation, and the lack of transparency in political advertising. "Political advertising online has rapidly become a sophisticated industry. The fact that most people get their information from just a few platforms and the increasing sophistication of algorithms drawing upon rich pools of personal data, means that political campaigns are now building individual adverts targeted directly at users. One source suggests that in the 2016 US election, as many as 50,000 variations of adverts were being served every single day on Facebook, a near-impossible situation to monitor. And there are suggestions that some political adverts – in the US and around the world – are being used in unethical ways – to point voters to fake news sites, for instance, or to keep others away from the polls. Targeted advertising allows a campaign to say completely different, possibly conflicting things to different groups. Is that democratic?"
LLVM 4.0.0 released
The LLVM 4.0.0 release is out. "This release is the result of the community's work over the past six months, including: use of profile data in ThinLTO, more aggressive dead code elimination, experimental support for coroutines, experimental AVR target, better GNU ld compatibility and significant performance improvements in LLD, as well as improved optimizations, many bug fixes and more." The LLVM compiler project has moved to a new numbering scheme with this release, where the first number increments with each major release.
Security updates for Monday
Security updates have been issued by Arch Linux (chromium, firefox, libxslt, and thunderbird), Debian (firefox-esr, icoutils, and pidgin), Fedora (firefox, freetype, GraphicsMagick, kdelibs, kdelibs3, kernel, libupnp, munin, php-pear-PHP-CodeSniffer, thunderbird, and wireshark), Mageia (flac, flash-player-plugin, potrace, and wireshark), openSUSE (bitlbee, cacti, kdelibs4, kio, lynx, openssh, pax-utils, perl-Image-Info, Wireshark, and xen), and SUSE (qemu).
Kernel prepatch 4.11-rc2
The 4.11-rc2 kernel prepatch is out for testing. "I think we're in fine shape for this stage in the development kernel, it shouldn't be particularly scary to just say 'I'll be a bit adventurous and test an rc2 kernel'. Yes, it's early rc time still, but go on, help us make sure we're doing ok."
A set of weekend stable kernel updates
The 4.10.2, 4.9.14, and 4.4.53 stable kernel updates are out; each contains another relatively large set of important fixes.
Security updates for Friday
Security updates have been issued by Debian (firefox-esr, pidgin, and vim), openSUSE (potrace and sane-backends), SUSE (xen), and Ubuntu (libarchive and lxc).
Critical vulnerability under “massive” attack imperils high-impact sites (Ars Technica)
Ars Technica is reporting that a recently patched vulnerability in the Apache Struts 2 web framework is being actively exploited in the wild. "It's not clear why the vulnerability is being exploited so widely 48 hours after a patch was released. One possibility is that the Apache Struts maintainers didn't adequately communicate the risk. Although they categorize the vulnerability security rating as high, they also describe it as posing a 'possible remote code execution' risk. Outside researchers, meanwhile, have said the exploits are trivial to carry out, are highly reliable, and require no authentication. It's also easy to scan the Internet for vulnerable servers. It's also possible to exploit the bug even if a Web application doesn't implement file upload functionality."
Security updates for Thursday
Security updates have been issued by CentOS (firefox and kvm), Debian (kernel and wget), Fedora (drupal7-views, firefox, GraphicsMagick, knot, and knot-resolver), Oracle (firefox), Red Hat (firefox), Scientific Linux (firefox), and Ubuntu (kde4libs and linux-aws).
[$] LWN.net Weekly Edition for March 9, 2017
The LWN.net Weekly Edition for March 9, 2017 is available.
Samba 4.6.0 Available for Download
Samba 4.6 has been released with many new features and changes. New features include Kerberos client encryption types, a new option for owner inheritance, multi-process Netlogon support, new options for controlling TCP ports used for RPC services, and more.
Security updates for Wednesday
Security updates have been issued by Debian (texlive-base), Fedora (cacti, drupal7-metatag, freeipa, mingw-gtk-vnc, suricata, and xen), Oracle (kvm), Red Hat (java-1.8.0-ibm and kvm), Scientific Linux (kvm), Slackware (firefox and thunderbird), SUSE (qemu), and Ubuntu (firefox, imagemagick, kernel, linux, linux-gke, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux, linux-ti-omap4, linux-hwe, linux-lts-trusty, linux-lts-xenial, and network-manager-applet).
[$] An update to GitHub's terms of service
On February 28th, GitHub published a brand new version of its Terms of Service (ToS). While the first draft announced earlier in February didn't generate much reaction, the new ToS raised concerns that they may break at least the spirit, if not the letter, of certain free-software licenses. Digging in further reveals that the situation is probably not as dire as some had feared.
Firefox 52.0
Firefox 52.0 has been released. This version features support for WebAssembly, adds user warnings for non-secure HTTP pages with logins, implements the Strict Secure Cookies specification which forbids insecure HTTP sites from setting cookies with the "secure" attribute, and enhances Sync to allow users to send and open tabs from one device to another. See the release notes for more information.
Security updates for Tuesday
Security updates have been issued by Debian (freetype and libzip-ruby), Fedora (cacti, canl-c, and mupdf), and openSUSE (bind, munin, and mysql-community-server).
DRM in HTML5 is a victory for the open Web, not a defeat (Ars Technica)
Ars Technica argues that Encrypted Media Extensions (EME), a framework that will allow the delivery of DRM-protected media through the browser, will be good for the web. "Moreover, a case could be made that EME will make it easier for content distributors to experiment with—and perhaps eventually switch to—DRM-free distribution. Under the current model, whether it be DRM-capable browser plugins or DRM-capable apps, a content distributor such as Netflix has no reason to experiment with unprotected content. Users of the site's services are already using a DRM-capable platform, and they're unlikely to even notice if one or two videos (for example, one of the Netflix-produced broadcasts like House of Cards or the forthcoming Arrested Development episodes) are unprotected. It wouldn't make a difference to them." The Free Software Foundation has a different take on EME. "We have been fighting EME since 2013, and we will not back off because the W3C presents weak guidance as a fig leaf for DRM-using companies to hide their disrespect for users' rights. Companies can impose DRM without the W3C; but we should make them do it on their own, so it is seen for what it is—a subversion of the Web's principles—rather than normalize it or give it endorsement."
Security updates for Monday
Security updates have been issued by Arch Linux (curl), CentOS (ipa, kernel, and qemu-kvm), Debian (munin, ruby-zip, and zabbix), Fedora (bind99, gtk-vnc, jenkins, jenkins-remoting, kdelibs, kf5-kio, libcacard, libICE, libXdmcp, and vim), openSUSE (php5), Oracle (kernel), Red Hat (ansible and openshift-ansible and rpm-ostree and rpm-ostree-client), and Ubuntu (munin).
Kernel prepatch 4.11-rc1
The first 4.11 kernel prepatch is out, and the merge window is closed for this development cycle. "This looks like a fairly regular release. It's on the smallish side, but mainly just compared to 4.9 and 4.10 - so it's not really _unusually_ small (in recent kernels, 4.1, 4.3, 4.5, 4.7 and now 4.11 all had about the same number of commits in the merge window)." There were 10,960 non-merge commits pulled in the end, so it's definitely not unusually small.
How Threat Modeling Helps Discover Security Vulnerabilities (Red Hat Security Blog)
Over at the Red Hat Security Blog, Hooman Broujerdi looks at threat modeling as a tool to help create more secure software. "Threat modeling is a systematic approach for developing resilient software. It identifies the security objective of the software, threats to it, and vulnerabilities in the application being developed. It will also provide insight into an attacker's perspective by looking into some of the entry and exit points that attackers are looking for in order to exploit the software. [...] Although threat modeling appears to have proven useful for eliminating security vulnerabilities, it seems to have added a challenge to the overall process due to the gap between security engineers and software developers. Because security engineers are usually not involved in the design and development of the software, it often becomes a time consuming effort to embark on brainstorming sessions with other engineers to understand the specific behavior, and define all system components of the software specifically as the application gets complex. [...] While it is important to model threats to a software application in the project life cycle, it is particularly important to threat model legacy software because there's a high chance that the software was originally developed without threat models and security in mind. This is a real challenge as legacy software tends to lack detailed documentation. This, specifically, is the case with open source projects where a lot of people contribute, adding notes and documents, but they may not be organized; consequently making threat modeling a difficult task."
Francis: The story of Firefox OS
Ben Francis has posted a detailed history of the Firefox OS project. "For me it was never about Firefox OS being the third mobile platform. It was always about pushing the limits of web technologies to make the web a more competitive platform for app development. I think we certainly achieved that, and I would argue our work contributed considerably to the trends we now see around Progressive Web Apps. I still believe the web will win in the end."
Security updates for Friday
Security updates have been issued by Debian (munin), Fedora (kernel, libXdmcp, and xrdp), Mageia (ming, quagga, util-linux, and webkit2), Oracle (ipa, kernel, and qemu-kvm), Red Hat (ipa, kernel, kernel-rt, python-oslo-middleware, and qemu-kvm), Scientific Linux (ipa, kernel, and qemu-kvm), and Ubuntu (munin, php7, and w3m).
FSFE: What happened in Munich
The Free Software Foundation Europe has put out a release providing its view of the decision in Munich to possibly back away from its free-software-based infrastructure. "Since this decision was reached, the majority of media have reported that a final call was made to halt LiMux and switch back to Microsoft software. This is, however, not an accurate representation of the outcome of the city council meeting. We studied the available documentation and our impression is that the last word has not been spoken."
Security updates for Thursday
Security updates have been issued by Debian (imagemagick, libquicktime, munin, and qemu), Fedora (cxf, netpbm, and vim), openSUSE (ImageMagick, php7, and util-linux), and Red Hat (kernel and openstack-puppet-modules).
[$] LWN.net Weekly Edition for March 2, 2017
The LWN.net Weekly Edition for March 2, 2017 is available.
Security updates for Wednesday
Security updates have been issued by CentOS (qemu-kvm), Debian (bind9, libquicktime, mupdf, qemu-kvm, and tnef), Fedora (mupdf, rpm, tomcat, util-linux, and xen), openSUSE (gstreamer and gstreamer-plugins-base), Oracle (qemu-kvm), Red Hat (qemu-kvm), Scientific Linux (qemu-kvm), SUSE (kernel and xen), and Ubuntu (libgd2).
MySQL 8 is coming (Opensource.com)
Opensource.com takes a look at changes to MySQL 8.0. "Ever open up a directory of a MySQL schema and see all those files—.frm, .myi, .myd, and the like? Those files hold some of the metadata on the database schemas. Twenty years ago, it was a good way to go, but InnoDB is a crash proof storage engine and can hold all that metadata safely. This means file corruption of a .frm file is not going to stall your work. Developers also removed the file system's maximum number of files as the limiting factor to your number of databases; you can now have literally millions of tables in your database."
[$] The case of the prematurely freed SKB
CVE-2017-6074 is the vulnerability identifier for a use-after-free bug in the kernel's network stack. This vulnerability is apparently exploitable in local privilege-escalation attacks. The problem, introduced in 2005, is easily fixed, but it points at a couple of shortcomings in the kernel development process; as a result, it would not be surprising if more bugs of this variety were to turn up in the near future.
Security updates for Tuesday
Security updates have been issued by Debian (apache2, libplist, and tnef), Fedora (firebird, kernel, and vim), Red Hat (java-1.6.0-ibm, java-1.7.0-ibm, java-1.7.1-ibm, kernel, and qemu-kvm-rhev), SUSE (php53 and xen), and Ubuntu (tiff).
Subversion SHA1 collision problem statement
Users of the Subversion source-code management system may want to take a look at this post from Mark Phippard. He explains how hash collisions can corrupt a repository and a couple of short-term workarounds. "The quick summary if you do not want to read this entire post is that the problem is really not that bad. If you run into it there are solutions to resolve it and you are not going to run into it in normal usage. There will also likely be some future updates to Subversion that avoid it entirely so if you regularly update your server and client when new releases come out you are probably safe not doing anything and just waiting for an update to happen."
[$] Moving Git past SHA-1
The SHA-1 hash algorithm has been known for at least a decade to be weak; while no generated hash collisions had been reported, it was assumed that this would happen before too long. On February 23, Google announced that it had succeeded at this task. While the technique used is computationally expensive, this event has clarified what most developers have known for some time: it is time to move away from SHA-1. While the migration has essentially been completed in some areas (SSL certificates, for example), there are still important places where it is heavily used, including at the core of the Git source-code management system. Unsurprisingly, the long-simmering discussion in the Git community on moving away from SHA-1 is now at a full boil.
Security updates for Monday
Security updates have been issued by Debian (apache2, radare2, and shadow), Mageia (firebird, libevent, and php-tcpdf), and openSUSE (chromium).
Stable kernels 4.9.13 and 4.4.52 (and 4.10.1)
The 4.9.13 and 4.4.52 stable kernels are out; these relatively small updates contain the usual set of important fixes. Update: the 4.10.1 update is out as well (thanks to Thorsten Leemhuis).
Some weekend security updates
Security updates have been issued by CentOS (kernel and qemu-kvm), Debian (bind9, cakephp, munin, and shadow), Fedora (python-cjson, python-PyMySQL, quagga, util-linux, and xen), Mageia (kernel kmod and kernel-tmb), Oracle (kernel), Red Hat (kernel), and Scientific Linux (kernel).
Linus on Git and SHA-1
Linus Torvalds has posted a lengthy explanation of why the recently created SHA-1 collision is not an emergency for Git users. "In the pdf examples, the pdf format acted as the 'black box', and what you see is the printout which has only a very indirect relationship to the pdf encoding. But if you use git for source control like in the kernel, the stuff you really care about is source code, which is very much a transparent medium. If somebody inserts random odd generated crud in the middle of your source code, you will absolutely notice." That said, he notes that there is work in progress to move away from SHA-1. [It seems that subversion users have an additional set of concerns; see this bug report conversation for the scary story.]
Cloudflare Reverse Proxies are Dumping Uninitialized Memory
Thanks to Josh Triplett for sending us this Google Project Zero report about a dump of uninitialized memory caused by Cloudflare's reverse proxies. "A while later, we figured out how to reproduce the problem. It looked like that if an html page hosted behind cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output (kinda like heartbleed, but cloudflare specific and worse for reasons I'll explain later). My working theory was that this was related to their "ScrapeShield" feature which parses and obfuscates html - but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers. We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security."
Security updates for Friday
Security updates have been issued by Debian (libreoffice and phpmyadmin), Fedora (kopete and xrdp), Oracle (kernel and qemu-kvm), Red Hat (kernel and qemu-kvm), Scientific Linux (kernel and qemu-kvm), and Ubuntu (LibreOffice and php7.0).
Memory Error Detection Using GCC (Red Hat Developers blog)
Over at the Red Hat Developers blog, Martin Sebor looks at some new (or enhanced) warnings available in GCC 7 that will help catch various types of memory errors. For example: "The -Wformat-overflow=level option detects certain and likely buffer overflow in calls to the sprintf family of formatted output functions. The option starts by determining the size of the destination buffer, which can be allocated either statically or dynamically. It then iterates over directives in the format string, calculating the number of bytes each result in output. For integer directives like %i and %x it tries to determine either the exact value of the argument or its range of values and uses the result to calculate the exact or minimum and maximum number of bytes the directive can produce. Similarly for floating point directives such as %a and %f, and string directives such as %s. When it determines that the likely number of bytes a directive results in will not fit in the space remaining in the destination buffer it issues a warning."
Ancient local privilege escalation vulnerability in the kernel announced
Andrey Konovalov has announced the discovery and fix of a local privilege escalation in the Linux kernel. Using the syzkaller fuzzer (which LWN looked at around one year ago), he found a double-free in the Datagram Congestion Control Protocol (DCCP) implementation that goes back to at least September 2006 (2.6.18), but probably all the way back to the introduction of DCCP in October 2005 (2.6.14). "[At] this point we have a use-after-free on some_object. An attacker can control what object that would be and overwrite its content with arbitrary data by using some of the kernel heap spraying techniques. If the overwritten object has any triggerable function pointers, an attacker gets to execute arbitrary code within the kernel. I'll publish an exploit in a few days, giving people time to update."
Stable kernels 4.9.12 and 4.4.51
Greg Kroah-Hartman has announced the release of the 4.9.12 and 4.4.51 stable kernels. As usual, there are important fixes in the updates and users of those kernels should upgrade.
Security updates for Thursday
Security updates have been issued by Arch Linux (bzip2, kernel, and linux-zen), CentOS (kernel), Debian (bitlbee, kernel, and tomcat7), Fedora (diffoscope, mujs, pcre, plasma-desktop, and tomcat), Mageia (libpcap/tcpdump and spice), Oracle (kernel), Red Hat (kernel, kernel-rt, and python-oslo-middleware), SUSE (php5 and util-linux), Ubuntu (imagemagick), and openSUSE (gd, kernel, libXpm, and libquicktime).
LEDE v17.01.0 final
The final version of the LEDE router distribution's 17.01.0 release is now available. "LEDE 17.01.0 "Reboot" incorporates thousands of commits over the last nine months of effort. With this release, the LEDE development team closes out an intense effort to modernize many parts of OpenWrt and incorporate many new modules, packages, and technologies." LWN recently reviewed a release-candidate version of LEDE 17.01.
Announcing the first SHA1 collision
The Google security blog carries the news of the first deliberately constructed SHA-1 hash collision. "We started by creating a PDF prefix specifically crafted to allow us to generate two documents with arbitrary distinct visual contents, but that would hash to the same SHA-1 digest. In building this theoretical attack in practice we had to overcome some new challenges. We then leveraged Google’s technical expertise and cloud infrastructure to compute the collision which is one of the largest computations ever completed." The SHA-1 era is truly coming to an end, even if most attackers lack access to the computing resources needed for this particular exploit.
[$] LWN.net Weekly Edition for February 23, 2017
The LWN.net Weekly Edition for February 23, 2017 is available.
Turunen: Qt Roadmap for 2017
Tuukka Turunen presents a roadmap for Qt. "Qt 3D was first released with Qt 5.7 and in Qt 5.8 the focus was mostly on stability and performance. With Qt 5.9 we are providing many new features which significantly improve the functionality of Qt 3D. Notable new features include support for mesh morphing and keyframe animations, using Qt Quick items as a texture for 3D elements, as well as support for physically based rendering and particles. There are also multiple smaller features and improvements throughout the Qt 3D module."
Wednesday's security advisories
CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities). Debian has updated tomcat7 (regression in previous update) and tomcat8 (regression in previous update). Gentoo has updated archive-tar-minitar (file overwrites) and ghostscript-gpl (multiple vulnerabilities). openSUSE has updated profanity (42.2, 42.1: user impersonation). SUSE has updated php7 (SLE12: multiple vulnerabilities). Ubuntu has updated kernel (14.04: three vulnerabilities), linux, linux-raspi2 (16.10: three vulnerabilities), linux, linux-snapdragon (16.04: multiple vulnerabilities), linux, linux-ti-omap4 (12.04: three vulnerabilities), linux-lts-trusty (12.04: three vulnerabilities), linux-lts-xenial (14.04: multiple vulnerabilities), and tcpdump (multiple vulnerabilities).
[$] Principled free-software license enforcement
Issues of when and how to enforce free-software licenses, and who should do it, have been on some people's minds recently, and Richard Fontana from Red Hat decided to continue the discussion at FOSDEM. This was a fairly lawyerly talk; phrases like "alleged violation" and "I think that..." were scattered throughout it to a degree not normally found in talks by developers. This is because Fontana is a lawyer at Red Hat, and he was talking about ideas which, while they are not official Red Hat positions, were developed following discussions between him and other members of the legal team at Red Hat. Subscribers can click below for the full report of the talk by guest author Tom Yates.