LWN.net

Greg Kroah-Hartman has announced the release of four new stable kernels: 4.13.9, 4.9.58, 4.4.94, and 3.18.77. There are fixes throughout the treein them, so users of those series should upgrade.

Security updates have been issued by Arch Linux (irssi, musl, and xorg-server), CentOS (httpd and java-1.8.0-openjdk), Debian (libav, ming, and openjfx), Fedora (ImageMagick, libwpd, rubygem-rmagick, and sssd), Gentoo (adobe-flash, chromium, dnsmasq, go, kodi, libpcre, and openjpeg), openSUSE (bluez, exiv2, python3-PyJWT, salt, xen, xerces-j2, and xorg-x11-server), Oracle (java-1.8.0-openjdk and kernel), Red Hat (java-1.8.0-oracle and rh-nodejs4-nodejs), and Scientific Linux (java-1.8.0-openjdk).

Christian Schaller has posted alist of the Fedora Workstation project's accomplishments since itsinception. "Wayland – We been the biggest contributor since wejoined the effort and have taken the lead on putting in place all thepieces needed for actually using it on a desktop, including starting toship it as our primary offering in Fedora Workstation 25. This includesputting a lot of effort into ensuring that XWayland works smoothly toensure full legacy application support."The list as a whole is quite long.

The 4.14 kernel, due in the first half of November, is moving into therelatively slow part of the development cycle as of this writing. The timeis thus ripe for a look at the changes that went into this kernel cycle andhow they got there. While 4.14 is a fairly typical kernel developmentcycle, there are a couple of aspects that stand out this time around.

The upcoming Firefox 57 release presents a challenge to distributors, whohave to decide when and how to ship a major update that will break a bunchof older extensions. ThisFedora Magazine article describes the plan that Fedora has come up withfor this transition. "Users probably shouldn’t 'hold back at FF56 asmy favorite extensions don’t work.' Recall that security fixes only comefrom new versions, and they’ll all be WebExtension only. The ExtendedSupport Release version will also switch to WebExtensions only at the nextrelease. This date, June 2018, marks the deadline for ESR users to migratetheir extensions."

Security updates have been issued by Arch Linux (chromium), Debian (jackson-databind, libvirt, and mysql-5.5), Fedora (SDL2_image), Mageia (db53, kernel, poppler, and wpa_supplicant, hostapd), Oracle (httpd), Red Hat (ansible, chromium-browser, httpd, java-1.8.0-openjdk, kernel, and kernel-rt), and Scientific Linux (httpd and kernel).

Version 17.01.4 of the LEDE router distribution is available with a numberof important fixes."While this release includes fixes for the bugs in the WPA Protocoldisclosed earlier this week, these fixes do not fix the problem on theclient-side. You still need to update all your client devices. As someclient devices might never receive an update, an optional AP-sideworkaround was introduced in hostapd to complicate these attacks,slowing them down."

The OpenOffice4.1.4 release is finally available; see this article for some background on thisrelease. The announcement is all bright and sunny, but a look at theAugust 16 Apache board minutes shows concern about the state ofthe project. Indeed, the OpenOffice project management committee was,according to these minutes, supposed to post an announcement about thestate of the project; it would appear that has not yet happened.

Here's aSamsung press release describing the company's move into the "run Linuxon your phone" space. "Installed as an app, Linux on Galaxy givessmartphones the capability to run multiple operating systems, enablingdevelopers to work with their preferred Linux-based distributions on theirmobile devices. Whenever they need to use a function that is not availableon the smartphone OS, users can simply switch to the app and run anyprogram they need to in a Linux OS environment."

The Ubuntu 17.10 release is out. "Under the hood, there have been updates to many core packages, includinga new 4.13-based kernel, glibc 2.26, gcc 7.2, and much more.Ubuntu Desktop has had a major overhaul, with the switch from Unity asour default desktop to GNOME3 and gnome-shell. Along with that, thereare the usual incremental improvements, with newer versions of GTK andQt, and updates to major packages like Firefox and LibreOffice."See therelease notes for more information.

Security updates have been issued by CentOS (wpa_supplicant), Debian (db, db4.7, db4.8, graphicsmagick, imagemagick, nss, and yadifa), Fedora (ImageMagick, rubygem-rmagick, and upx), Mageia (flash-player-plugin, libxfont, openvpn, ruby, webmin, and wireshark), openSUSE (cacti, git, and upx), Oracle (wpa_supplicant), Red Hat (kernel-rt, rh-nodejs4-nodejs-tough-cookie, rh-nodejs6-nodejs-tough-cookie, and wpa_supplicant), Scientific Linux (wpa_supplicant), and Slackware (libXres, wpa_supplicant, and xorg).

The LWN.net Weekly Edition for October 19, 2017 is available.

<p>Monday October 16 was not a particularly good day for those who areeven remotely security conscious—or, in truth, even for those who aren't. Twoseparate security holes came to light; one probably affects almost allusers of modern technology. The other is more esoteric at some level, butstill serious. In both cases, the code in question is baked into variousdevices, which makes it more difficult to fix; in many cases, the devicesin question may not even have a plausible path toward a fix. Encryptionhas been a boon for internet security, but both of these vulnerabilitieshave highlighted that there is more to security than simply cryptography.

Konstantin Ryabitsev argueson Linux.com that WiFi security is only a part of the problem."Wi-Fi is merely the first link in a long chain of communicationhappening over channels that we should not trust. If I were to guess, theWi-Fi router you’re using has probably not received a security update sincethe day it got put together. Worse, it probably came with default or easilyguessable administrative credentials that were never changed. Unless youset up and configured that router yourself and you can remember the lasttime you updated its firmware, you should assume that it is now controlledby someone else and cannot be trusted."

At the X.Org Developers Conference, hosted by Google in Mountain View, CASeptember 20-22, Manasi Navare gave a talk about her journey learningabout kernel graphics on the way to achieving DisplayPort (DP)compliance for Intel graphics devices.Making that work involved learning about DP, the kernel graphics subsystem,and how to dokernel development, as well. There were plenty of details to absorb,including the relatively new atomic modesetting support, the design of which was described in a two-part LWNarticle.

Alberto Ruiz announcesthat Fleet Commander is ready for production use."Fleet Commander is an integrated solution for large Linux desktopdeployments that provides a configuration management interface that iscontrolled centrally and that covers desktop, applications and networkconfiguration. For people familiar with Group Policy Objects in ActiveDirectory in Windows, it is very similar."

Greg Kroah-Hartman has released stable kernels 4.13.8, 4.9.57, 4.4.93, and 3.18.76. All of them contain important fixesand users should upgrade.

Security updates have been issued by Arch Linux (kernel, linux-hardened, and linux-zen), CentOS (wpa_supplicant), Debian (xorg-server), Fedora (selinux-policy), Gentoo (libarchive, nagios-core, ruby, and xen), openSUSE (wpa_supplicant), Oracle (wpa_supplicant), Red Hat (Red Hat Single Sign-On, rh-nodejs6-nodejs, rh-sso7-keycloak, and wpa_supplicant), Scientific Linux (wpa_supplicant), SUSE (git, wpa_supplicant, and xen), and Ubuntu (xorg-server, xorg-server-hwe-16.04, xorg-server-lts-xenial).

Let's Encrypt has announcedthat Automatic Certificate Management Environment (ACME) protocol supportis being integrated into the Apache HTTP Server (httpd). "ACME support being built in to one of the world’s most popular Web servers, Apache httpd, is great because it means that deploying HTTPS will be even easier for millions of websites. It’s a huge step towards delivering the ideal certificate issuance and management experience to as many people as possible."

An earlier LWN article showed thatprivate key storage is an importantproblem to solve in any cryptographic system and established keycardsas a good way to store private key material offline. But which keycardshould we use? This article examines the form factor, openness, andperformance of four keycards to try to help readers choose the one thatwill fit their needs.

Security updates have been issued by Arch Linux (flashplugin, hostapd, lib32-flashplugin, and wpa_supplicant), Debian (sdl-image1.2), Fedora (curl, openvswitch, weechat, and wpa_supplicant), openSUSE (GraphicsMagick, kernel, mbedtls, and wireshark), Red Hat (flash-plugin), and Ubuntu (wpa).

Matthew Green exploresthe origins of the KRACK vulnerability."I don’t want to spend much time talking about KRACK itself, becausethe vulnerability is pretty straightforward. Instead, I want to talk aboutwhy this vulnerability continues to exist so many years after WPA wasstandardized. And separately, to answer a question: how did this attackslip through, despite the fact that the 802.11i handshake was formallyproven secure?"

The GNU C Library (glibc) project produces regular releases on anapproximately six-month cadence. The current release is 2.26from early August; the 2.27 release is expected at the beginning ofFebruary 2018. Unlike many other projects, though, glibc does not normallycreate point releases for important fixes between the major releases.The last point release from glibc was 2.14.1, which came out in 2011.A discussion on the need for a 2.26 point release led to questions aboutwhether such releases have a useful place in the currentsoftware-development environment.

DragonFly BSD 5.0 has been released. "Preliminary HAMMER2 support has been released into the wild as-of the 5.0 release. This support is considered EXPERIMENTAL and should generally not yet be used for production machines and important data. The boot loader will support both UFS and HAMMER2 /boot. The installer will still use a UFS /boot even for a HAMMER2 installation because the /boot partition is typically very small and HAMMER2, like HAMMER1, does not instantly free space when files are deleted or replaced.DragonFly 5.0 has single-image HAMMER2 support, with live dedup (for cp's), compression, fast recovery, snapshot, and boot support. HAMMER2 does not yet support multi-volume or clustering, though commands for it exist. Please use non-clustered single images for now."

Ars Technica is reporting on a flaw in the RSA library developed by Infineon that drastically reduces the amount of work needed to discover a private key from its corresponding public key. This flaw, dubbed "ROCA", mainly affects key pairs that have been generated on keycards. "While all keys generated with the library are much weaker than they should be, it's not currently practical to factorize all of them. For example, 3072-bit and 4096-bit keys aren't practically factorable. But oddly enough, the theoretically stronger, longer 4096-bit key is much weaker than the 3072-bit key and may fall within the reach of a practical (although costly) factorization if the researchers' method improves.To spare time and cost, attackers can first test a public key to see if it's vulnerable to the attack. The test is inexpensive, requires less than 1 millisecond, and its creators believe it produces practically zero false positives and zero false negatives. The fingerprinting allows attackers to expend effort only on keys that are practically factorizable. The researchers have already used the method successfully to identify weak keys, and they have provided a tool here to test if a given key was generated using the faulty library. A blog post with more details is here."

Security updates have been issued by Debian (wpa), Fedora (perl, recode, and tor), Gentoo (elfutils, gnutls, graphite2, libtasn1, puppet-agent, shadow, and webkit-gtk), Mageia (pjproject, thunderbird, and weechat), and SUSE (kernel).

The Linux Foundation's Technical Advisory board, in response to concernsabout exploitative license enforcement around the kernel, has put togetherthis patch adding a document to the kerneldescribing its view of license enforcement. This document has been signedor acknowledged by a long list of kernel developers.In particular, it seeks toreduce the effect of the "GPLv2 death penalty" by stating that a violator'slicense to the software will be reinstated upon a timely return tocompliance. "We view legal action as a last resort, to be initiatedonly when other community efforts have failed to resolve the problem.Finally, once a non-compliance issue is resolved, we hope the user will feelwelcome to join us in our efforts on this project. Working together, we willbe stronger."See thisblog post from Greg Kroah-Hartman for more information.

The "krackattacks" web sitediscloses a set of WiFi protocol flaws that defeat most of the protectionthat WPA2 encryption is supposed to provide. "In a keyreinstallation attack, the adversary tricks a victim into reinstalling analready-in-use key. This is achieved by manipulating and replayingcryptographic handshake messages. When the victim reinstalls the key,associated parameters such as the incremental transmit packet number(i.e. nonce) and receive packet number (i.e. replay counter) are reset totheir initial value. Essentially, to guarantee security, a key should onlybe installed and used once. Unfortunately, we found this is not guaranteedby the WPA2 protocol".

The 4.14-rc5 kernel prepatch is out."We've certainly had smaller rc5's, but we've had bigger ones too, andthis week finally felt fairly normal in a release that has up untilnow felt a bit messier than it perhaps should have been.So assuming this trend holds, we're all good. Knock wood."

James Bottomley describesthe use of the trusted platform module with elliptic-curvecryptography, with a substantial digression into how the elliptic-curvealgorithm itself works."The initial attraction is the same as for RSA keys: making itimpossible to extract your private key from the system. However, themathematical calculations for EC keys are much simpler than for RSA keysand don’t involve finding strong primes, so it’s much simpler for the TPM(being a fairly weak calculation machine) to derive private and public ECkeys."

The 4.13.7 stable kernel update has beenreleased; it contains a fix for an unpleasantlocal vulnerability that affects only 4.13 kernels.

When a veteran kernel developer introduces a severe security hole into thekernel, it can be instructive to look at how the vulnerability came about.Among other things, it can point the finger at an API that lends itselftoward the creation of such problems. And, as it turns out, the knowledgethat the API is dangerous at the outset and marking it as such may not beenough to prevent problems.

Security updates have been issued by Arch Linux (botan, flyspray, go, go-pie, pcre2, thunderbird, and wireshark-cli), Fedora (chromium and mingw-poppler), Red Hat (Red Hat JBoss BPM Suite 6.4.6 and Red Hat JBoss BRMS 6.4.6), SUSE (git and kernel), and Ubuntu (libffi and xorg-server, xorg-server-hwe-16.04, xorg-server-lts-xenial).

Mozilla's manifesto commitsthe organization to a number of principles, including support forindividual privacy and an individual's right to control how they experiencethe Internet. As a result, when Mozilla recently stated its intent toremove the "text only" option from its mailing lists — for the purpose oftracking whether recipients are reading its emails — the reaction was, toput it lightly, not entirely positive. The text-only option has beensaved, but the motivation behind this change is indicative of thechallenges facing independent senders of email.

Greg Kroah-Hartman has announced the release of the 4.13.6, 4.9.55, 4.4.92, and 3.18.75 stable kernels. As usual, theycontain fixes throughout the tree, so users should upgrade.Update: Kroah-Hartman released 4.9.56: "It fixes a networkingbug in 4.9.55. Don't use 4.9.55, it's busted, sorry about that, Ishould have held off and gotten more testing on it, my fault :("

Security updates have been issued by CentOS (httpd and thunderbird), Debian (nss), Fedora (git), openSUSE (krb5, libvirt, samba, and thunderbird), Oracle (httpd and thunderbird), Red Hat (httpd, rh-mysql57-mysql, and thunderbird), Scientific Linux (httpd and thunderbird), and Ubuntu (ceph).

The LWN.net Weekly Edition for October 12, 2017 is available.

<p>Two separate talks, at two different venues, give us a look into thekinds of testing that the Intel graphics team isdoing. Daniel Vetter had a short presentation as part of the Testing and Fuzzing microconference atthe Linux Plumbers Conference (LPC). His colleague, Martin Peres, gave asomewhat longer talk, complete with demos, at the X.Org Developers Conference(XDC). The picture they paint is a pleasing one: there is lots of testinggoing on there. But there are problems as well; that amount of testingruns afoul of bugs elsewhere in the kernel, which makes the jobharder.

Security updates have been issued by Arch Linux (lame, salt, and xorg-server), Debian (ffmpeg, imagemagick, libxfont, wordpress, and xen), Fedora (ImageMagick, rubygem-rmagick, and tor), Oracle (kernel), SUSE (kernel, SLES 12 Docker image, SLES 12-SP1 Docker image, and SLES 12-SP2 Docker image), and Ubuntu (curl, glance, horizon, kernel, keystone, libxfont, libxfont1, libxfont2, libxml2, linux, linux-aws, linux-gke, linux-kvm, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux-gcp, linux-hwe, linux-lts-xenial, nova, openvswitch, swift, and thunderbird).

KDE Plasma 5.11 has been released."Plasma 5.11 brings a redesigned settings app, improved notifications, a more powerful task manager. Plasma 5.11 is the first release to contain the new “Vault”, a system to allow the user to encrypt and open sets of documents in a secure and user-friendly way, making Plasma an excellent choice for people dealing with private and confidential information."

While the 4.14 development cycle has not been the busiest ever (12,500changesets merged as of this writing, slightly more than 4.13 at this stageof the cycle), it has been seen as a rougher experience than itspredecessors.There are all kinds of reasons why one cycle might besmoother than another, but it is not unreasonable to wonder whether thefact that 4.14 is a long-term support (LTS) release has affected how thiscycle has gone. Indeed, when he released 4.14-rc3, LinusTorvalds complained that this cycle was more painful than most, and suggested thatthe long-term support status may be a part of the problem. A couple of recent pulls into the mainline highlight thepressures that, increasingly, apply to LTS releases.

Purism has reachedits crowdfunding goal to create the Librem 5, an encrypted, opensmartphone ecosystem that gives users complete device control. "Reaching the $1.5 million milestone weeks ahead of schedule enables Purism to accelerate the production of the physical product. The company plans to move into hardware production as soon as possible to assemble a developer kit as well as initiate building the base software platform, which will be publicly available and open to the developer community." LWN looked at the privacy features planned for the phone in an article for this week's edition.

The GNU Privacy Guard (GnuPG) is one of thefundamental tools that allows a distributed group to have trust in its communications. Werner Koch, lead developer of GnuPG,spoke about it at Kernel Recipes: what's in the new 2.2 version, when older versionswill reach their end of life, and how development will proceed going forward.He also spoke at some length on the issue of best-practice key managementand how GnuPG is evolving to assist. Subscribers can click below for areport on the talk by guest author Tom Yates.

Security updates have been issued by Fedora (WebCalendar), openSUSE (mpg123 and openjpeg2), Red Hat (kernel), and SUSE (firefox, nss).

The kernel's timer interface has been around for a long time, and its APIshows it. Beyond a lack of conformance with current in-kernel interfacepatterns, the timer API is not as efficient as it could be and stands inthe way of ongoing kernel-hardening efforts. A late addition to the 4.14 kernel paves the way toward awholesale change of this API to address these problems.

The next election for members of the Linux Foundation's Technical AdvisoryBoard will be held on October 25 at the Kernel Summit in Prague. Thecall has gone out for candidates to fill the five available seats."The Linux Foundation Technical Advisory Board (TAB) serves as theinterface between the kernel development community and the Foundation.The TAB advises the Foundation on kernel-related matters, helps membercompanies learn to work with the community, and works to resolvecommunity-related problems before they get out of hand. The board hasten members, one of whom sits on the LF board of directors."

Stable kernels 4.9.54, 4.4.91, and 3.18.74 have been released. They all containimportant fixes and users should upgrade.

Security updates have been issued by CentOS (kernel and postgresql), Debian (botan1.10, curl, dnsmasq, libxfont, nautilus, qemu, qemu-kvm, sam2p, and tor), Fedora (dnsmasq, libmspack, and samba), Gentoo (file, icu, libpcre2, munin, ocaml, pacemaker, postgresql, rubygems, and sudo), Mageia (clamav, dnsmasq, flightgear, libidn, and x11-server), openSUSE (libvirt), Oracle (kernel), SUSE (portus), and Ubuntu (poppler).

The 4.14-rc4 kernel prepatch is out fortesting. "So I do have some hope that things are approachingnormal. I'd expect that to continue, and things start calming down."

The Debian 9.2 point release is available; it includes fixes for a longlist of problems. "As a special case for this point release, thoseusing the 'apt-get' tool to perform the upgrade will need to ensure thatthe 'dist-upgrade' command is used, in order to update to the latest kernelpackages."