Security updates have been issued by Fedora (chromium), Mageia (firefox, thunderbird, and vim), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container), and Ubuntu (freerdp2, glibc, and tinyxml).
User-space shadow stacks are a relatively new feature in Linux; support was only added for 6.6, and is limited to the x86 architecture. As support for other architectures (including arm64 and RISC-V) approaches readiness, though, more thought is going into the API for this feature. As a recent discussion on the integration of shadow stacks with the clone3() system call shows, there are still some details to be worked out.
The OpenPGP standard for email encryption has been around since 1997, when it was derived from the venerable Pretty Good Privacy (PGP) program that was released in 1991. Since it came about, OpenPGP has been the decentralized, interoperable way to exchange encrypted email, though its use never really took off as advocates hoped. Now, though, it would seem that a split in the OpenPGP community threatens to fragment the OpenPGP-encrypted-email landscape, potentially leading to interoperability woes.
Many processor vendors provide a mechanism to allow some bits of a pointer value to be used to store unrelated data; these include Intel's linear address masking (LAM), AMD's upper address ignore, and Arm's top-byte ignore. A set of researchers has now come up with a way (that they call "SLAM") to use those features to bypass many checks on pointer validity, opening up a new set of Spectre attacks.
The Common Vulnerabilities and Exploits (CVE) system is the main mechanism for tracking various security flaws, using the omnipresent CVE number - even vulnerabilities with fancy names and web sites have CVE numbers. But the CVE system is not without its critics and, in truth, the incentives between the reporting side and those responsible for handling the bugs have always been misaligned, which leads to abuse of various kinds. There have been efforts to combat some of those abuses along the way; a newly announced "!CVE" project is meant to track vulnerabilities "that are not acknowledged by vendors but still are serious security issues".
Security updates have been issued by Debian (roundcube), Fedora (java-latest-openjdk), Mageia (libqb), SUSE (python-Django1), and Ubuntu (request-tracker4).
Version 5.0 of the Django web framework is out. Significant changes include database-computed default values, field groups in the templating system, and more; see the release notes for details.
The kernel's deadline scheduling class offers a solution to a number of realtime (or generally latency-sensitive) problems, but it is also resistant to the usual solutions for the priority-inversion problem. The development community has been pursuing proxy execution as a solution to a few scheduling challenges, including this one; the problem is difficult and progress has been slow. LWN last looked at proxy execution in June; at the 2023 Linux Plumbers Conference, John Stultz gave an overview of proxy execution, the current status of the work, and the remaining problems to solve.
Version 14.1 of the GDB debugger is out. Changes include initial support for the debugger adapter protocol, NO_COLOR support, the ability to work with integer types larger than 64 bits, a number of enhancements to the Python API, and more.
Davidlohr Bueso has posted a summary of the CXL microconference at the recently concluded Linux Plumbers Conference. "The goals for the track were to openly discuss current on-going development efforts around the core driver, as well as experimental memory management topics which lead to accommodating kernel infrastructure for new technology and use cases."
Security updates have been issued by Debian (amanda, ncurses, nghttp2, opendkim, rabbitmq-server, and roundcube), Fedora (golang-github-openprinting-ipp-usb, kernel, kernel-headers, kernel-tools, and samba), Mageia (audiofile, galera, libvpx, and virtualbox), Oracle (kernel and postgresql:13), SUSE (openssl-3, optipng, and python-Pillow), and Ubuntu (firefox).
Linus has released 6.7-rc4 for testing. "And things look fine for now, with a fairly small rc4". Meanwhile, the 6.6.4, 6.1.65, and 5.15.141 stable kernel updates have been released; each contains another set of important fixes.
Support for NVIDIA graphics processors has traditionally been a sore point for Linux users; NVIDIA has not felt the need to cooperate with the kernel community or make free drivers available, and the reverse-engineered Nouveau driver has often struggled to keep up with product releases. There have, however, been signs of improvement in recent years. At the 2023 Linux Plumbers Conference, graphics subsystem maintainer Dave Airlie provided an update on the state of support for NVIDIA GPUs and what remains to be done.
The Android system was once famous for extensive, out-of-tree kernel enhancements. Many of those have been eliminated or upstreamed over the years, bringing Android much closer to the mainline kernel. One significant component in the "upstreamed" category is Binder, an interprocess communication mechanism that is used only by Android. There are a number of factors that make Binder a good candidate for rewriting in the Rust language; at the 2023 Linux Plumbers Conference, Carlos Llamas and Alice Ryhl described the motivation behind and implementation of a rewrite of Binder in Rust.
Security updates have been issued by Fedora (chromium, gnutls, gst-devtools, gstreamer1, gstreamer1-doc, libcap, mingw-poppler, python-gstreamer1, qbittorrent, webkitgtk, and xen), Mageia (docker, kernel-linus, and python-django), Oracle (dotnet6.0, dotnet7.0, dotnet8.0, firefox, samba, squid, and thunderbird), Red Hat (firefox, postgresql:13, squid, and thunderbird), SUSE (cilium, freerdp, java-1_8_0-ibm, and java-1_8_0-openj9), and Ubuntu (ec2-hibinit-agent, freerdp2, gimp, gst-plugins-bad1.0, openjdk-17, openjdk-21, openjdk-lts, openjdk-8, pypy3, pysha3, and u-boot-nezha).
In the Kernel Summit track at the 2023 Linux Plumbers Conference (LPC), Stefan Roesch led a session on kernel samepage merging (KSM). He gave an overview of the feature and described some recent changes to KSM. He showed how an application can enable KSM to deduplicate its memory and how the feature can be evaluated to determine whether it is a good fit for new workloads. In addition, he provided some real-world data of the benefits from his workplace at Meta.
Security updates have been issued by Debian (gst-plugins-bad1.0 and postgresql-multicorn), Fedora (golang-github-nats-io, golang-github-nats-io-jwt-2, golang-github-nats-io-nkeys, golang-github-nats-io-streaming-server, libcap, nats-server, openvpn, and python-geopandas), Mageia (kernel), Red Hat (c-ares, curl, fence-agents, firefox, kernel, kernel-rt, kpatch-patch, libxml2, pixman, postgresql, and tigervnc), SUSE (python-azure-storage-queue, python-Twisted, and python3-Twisted), and Ubuntu (afflib, ec2-hibinit-agent, linux-nvidia-6.2, linux-starfive-6.2, and poppler).
The drgn Python-based kernel debugger was developed by Omar Sandoval for use in his job on the kernel team at Meta. He now spends most of his time working on drgn, both in developing new features for the tool and in using it to debug production problems at Meta, which gives him a view of both ends of that feedback loop. At the 2023 Linux Plumbers Conference (LPC), he led a session on drgn in the kernel debugging microconference, where he wanted to brainstorm on how to add some new features to the debugger and, in particular, how to allow them to work on production kernels.
The large 6.6.3, 6.5.13, 6.1.64, 5.15.140, 5.10.202, 5.4.262, 4.19.300, and 4.14.331 stable kernel updates have all been released; each contains another set of important fixes. Note that 6.5.13 is the final update for 6.5.
Security updates have been issued by Debian (cryptojs, fastdds, mediawiki, and minizip), Fedora (chromium, kubernetes, and thunderbird), Mageia (lilypond, mariadb, and packages), Red Hat (firefox, linux-firmware, and thunderbird), SUSE (compat-openssl098, gstreamer-plugins-bad, squashfs, squid, thunderbird, vim, and xerces-c), and Ubuntu (libtommath, linux-intel-iotg, linux-intel-iotg-5.15, linux-oracle, perl, and python3.8, python3.10, python3.11).
A regular feature of the Kernel Maintainers Summit is a session where Linus Torvalds discusses the problems that he has been encountering. In recent years, though, there have been relatively few of those problems, so this year he turned things around a bit by asking the community what problems it was seeing instead. He then addressed them at the Summit in a session covering aspects of the development community, including feedback to maintainers, diversity (or the lack thereof), and more.
PipeWire, the audio/video bus meant to replace PulseAudio, JACK, and other systems, has reached 1.0. In celebration, Fedora Magazine is running an interview with PipeWire creator Wim Taymans.
Linus has released 6.7-rc3 for testing. "The diffstat here is dominated by a couple of reverts of some Realtek phy code (accounting for almost a third of the diff). But ignoring that, it's mostly fairly small, and all over the place."
OpenSSL 3.2.0 has been released. New features include client-side QUIC support, a number of new cryptographic algorithms, support for TCP fast open, TLS certificate compression, and more.
Overstressed maintainers are a constant topic of conversation throughout the open-source community. Kernel maintainers have been complaining more loudly than usual recently about overwork and stress. The problems that maintainers are facing are clear; what to do about them is rather less so. A session at the 2023 Maintainers Summit took up the topic yet again with the hope of finding some solutions; there may be answers, perhaps even within the kernel community, but a general solution still seems distant.
November 23 is the US Thanksgiving holiday; as is our tradition, we will not be publishing an LWN Weekly Edition this week as we will be far too busy eating. We wish a good holiday to all of our readers (whether they celebrate it or not); the weekly edition will return on November 30.
Rust has been a prominent topic at the Kernel Maintainers Summit for the last couple of years, and the 2023 meeting continued that tradition. As Rust-for-Linux developer Miguel Ojeda noted at the beginning of the session dedicated to the topic, the level of interest in using Rust for kernel development has increased significantly over the last year. But Rust was explicitly added to Linux as an experiment; is the kernel community now ready to say that the experiment has succeeded?
The Linux kernel supports a wide variety of filesystems, many of which are no longer in heavy use - or, perhaps, any use at all. The kernel code implementing the less-popular filesystems tends to be relatively unpopular as well, receiving little in the way of maintenance. Keeping old filesystems alive does place a burden on kernel developers, though, so it is not surprising that there is pressure to remove the least popular ones. At the 2023 Kernel Maintainers Summit, the developers talked about these filesystems and what can be done about them.
Version 120.0 of the Firefox browser is out. Changes include a new "copy link without site tracking" option, the ability to enable the Global Privacy Control feature, and some additional privacy features seemingly restricted to users in Germany. The browser will now also import TLS root certificates from the operating system by default on Windows, macOS, and Android.
Greg Kroah-Hartman has announced the release of the 6.6.2, 6.5.12, 6.1.63, 5.15.139, 5.10.201, 5.4.261, 4.19.299, and 4.14.330 stable kernels. They contain a rather large number of important fixes throughout the kernel tree.
The second 6.7 kernel prepatch is out for testing. "The most noticeable thing is probably the turbostat tool update, which actually came in during the merge window, but was delayed by just waiting for getting the pull request properly signed."
One of the core constraints when programming in the kernel is the need to avoid sleeping when running in atomic context. For the most part, the responsibility for adherence to this rule is placed on the developer's shoulders; Rust developers, though, want the compiler to ensure that code is safe whenever possible. At the 2023 Linux Plumbers Conference, Gary Guo presented (via a remote link) the klint tool, which can find and flag many atomic-context violations before they turn into user-affecting bugs.
Security updates have been issued by Debian (webkit2gtk), Fedora (microcode_ctl, pack, and tigervnc), Slackware (gimp), SUSE (frr, gcc13, go1.20, go1.20-openssl, go1.21, go1.21-openssl, libnbd, libxml2, python-Pillow, python-urllib3, and xen), and Ubuntu (intel-microcode and openvpn).
Version 1.74.0 of the Rust language has been released. New features include better configuration for linters, authenticated cargo repositories, and support for projections in opaque return types.