LWN.net

David Malcolm writesabout some static-analyzer features that are coming in the GCC14release.

The 6.8.3, 6.7.12, 6.6.24, and 6.1.84 stable kernel updates have beenreleased. Each contains an important set of fixes. Note that 6.7.12 isthe final release for the 6.7.y series, and that branch is nowend-of-life. Users should move to the 6.8.y branch.

The Rust programming language differs from C in many ways; thosedifferences tend to be what users admire in the language. But thosedifferences can also lead to an impedance mismatch when Rust code isintegrated into a C-dominated system, and it can be even worse in thekernel, which is not a typical C program. Memory models are a case inpoint. A programming language's view of memory is sufficiently fundamentaland arcane that many developers never have to learn much about it. It ishard to maintain that sort of blissful ignorance while working in thekernel, though, so a recent discussion of how to choose a memory model forkernel code in Rust is of interest.

The SUSE Security Team Blog is carrying adetailed article on SUSE's review of the KDE6 release.

Security updates have been issued by Debian (py7zr), Fedora (biosig4c++ and podman), Oracle (kernel, kernel-container, and ruby:3.1), Red Hat (.NET 7.0, bind9.16, curl, expat, grafana, grafana-pcp, kernel, kernel-rt, kpatch-patch, less, opencryptoki, and postgresql-jdbc), and Ubuntu (cacti).

The first stable release of Redict, a fork of the Redis in-memory databaseunder a copyleft license, has been announced.

Versions 5.6.0 and 5.6.1 of theXZcompression utility and librarywere shipped with a backdoor that targetedOpenSSH.Andres Freunddiscovered the backdoor bynoticing that failed SSH logins were taking a lot ofCPU time while doing somemicro-benchmarking, and tracking down the backdoor from there. It was introducedby XZ co-maintainer "Jia Tan" - a probable alias for person or persons unknown.The backdoor is a sophisticated attack with multiple parts, from the buildsystem, to link time, to run time.

A common theme in early-days anti-Linux FUD was that, since anybody cancontribute to the code, it cannot be trusted. Over two decades later, onerarely hears that line anymore; experience has shown that free-softwarecommunities are not prone to shipping overtly hostile code. But, as the backdooring of XZ has reminded us, theembedding of malicious code is, unfortunately, not limited to theproprietary realm. Our community will be busy analyzing this incident forsome time to come, but clear conclusions may be hard to come by.

Security updates have been issued by Fedora (kernel and webkitgtk), Mageia (unixODBC and w3m), and SUSE (libvirt, netty, netty-tcnative, and perl-DBD-SQLite).

At SCALEthis year Dan Schatzberg and Tejun Heo,both from Meta, gave back-to-back talks about someof the performance-engineering work that they do there. Schatzberg presented onthe extensible BPF scheduler, which has beendiscussed extensively on the kernel mailing list.Heo presented on IOCost - a control group (cgroup) I/O controlleroptimized for solid-state disks (SSDs) - and the benchmark suite that is necessary tomake it work well on different models of disk.

Version 10.0 of the NetBSD system has been released.

Security updates have been issued by Arch Linux (xz), Debian (libvirt, mediawiki, util-linux, and xz-utils), Fedora (apache-commons-configuration, cockpit, ghc-base64, ghc-hakyll, ghc-isocline, ghc-toml-parser, gitit, gnutls, pandoc, pandoc-cli, patat, podman-tui, prometheus-podman-exporter, seamonkey, suricata, and xen), Gentoo (XZ utils), Mageia (aide & mhash, emacs, microcode, opensc, and squid), Red Hat (ruby:3.1), and SUSE (kanidm and qpid-proton).

The 6.9-rc2 kernel prepatch is out fortesting. "Neither snow nor rain nor heat nor gloom of night stays kernel rc releases.Nor does Easter."

Andres Freund has posted adetailed investigation into a backdoor that was shipped with versions5.6.0 and 5.6.1 of the xz compression utility. It appears that themalicious code may be aimed at allowing SSH authentication to be bypassed.

Radicle is a new, peer-to-peer,MIT/Apache-licensed collaboration platform written in Rust and built on topof Git. It adds support for issues and pull requests (which Radicle calls"patches") on top of core Git, which are stored in the Git repositoryitself. Unlike GitHub, GitLab, and similar forges, Radicle is distributed;it doesn't rely on having everyone use the same server. Instead, Radicleinstances form a network that synchronizes changes between nodes.

Security updates have been issued by Debian (chromium), Fedora (apache-commons-configuration, chromium, csmock, ofono, onnx, php-tcpdf, and podman-tui), Mageia (curl), Oracle (libreoffice), Slackware (coreutils, seamonkey, and util), SUSE (minidlna, PackageKit, and podman), and Ubuntu (linux-azure-6.5 and linux-intel-iotg, linux-intel-iotg-5.15).

Christian Schaller writesabout the desktop-oriented work aimed at the upcoming Fedora40release.

On March 21, Redis Ltd. announced that the Redis "in-memory data store" project would now bereleased under non-free, source-available licenses, starting with Redis7.4. Thenews is unwelcome, but not entirely unexpected. What is unusual with this situation isthe number of Redis alternatives to choose from; there are at leastfour options to choose as a replacement for those who wish to staywith free software, including a pre-existing fork called KeyDB and the Linux Foundation's newly-announced Valkey project. The question now is which one(s)Linux distributions, users, and providers will choose to take its place.

Keith Fiske gave a talk(with slides) about the state of partitioning - splitting a largetable into smaller tables for performance reasons - inPostgreSQL atSCALEthis year. He spoke about the existing support for partitioning, what work stillneeds to be done, and what place existing partitioning tools, like his ownpg_partman, still have as PostgreSQL gains more built-in features.

Version 4.20.0 of the Samba Windows interoperability suite has beenreleased. Changes include better support for group-managed serviceaccounts, an experimental Windows search protocol client, support forconditional access control entries, and more.

Security updates have been issued by Fedora (perl-Data-UUID, python-pygments, and thunderbird), Mageia (clojure, grub2, kernel,kmod-xtables-addons,kmod-virtualbox, kernel-linus, nss firefox, nss, python3, python, tcpreplay, and thunderbird), Oracle (nodejs:18), Red Hat (.NET 6.0 and dnsmasq), SUSE (avahi and python39), and Ubuntu (curl, linux-intel-iotg, linux-intel-iotg-5.15, unixodbc, and util-linux).

The LWN.net Weekly Edition for March 28, 2024 is available.

The PostgreSQL community is dealing with the loss of Simon Riggs, whopassed away on March26:

Jason Nucciarone and Felipe Reyes gave back-to-back talksabout high-performance computing (HPC) using Ubuntu atSCALE thisyear. Nucciarone talked about ongoing work packagingOpen OnDemand - a web-based HPC cluster interface -to make high-performance-computing clustersmore user friendly. Reyes presented on usingOpenStack - a cloud-computing platform- to pass the performance benefits of one's hardware throughto virtual machines (VMs) running on a cluster.

Security updates have been issued by Debian (composer and nodejs), Fedora (w3m), Mageia (tomcat), Oracle (expat, firefox, go-toolset:ol8, grafana, grafana-pcp, nodejs:18, and thunderbird), Red Hat (dnsmasq, expat, kernel, kernel-rt, libreoffice, and squid), and SUSE (firefox, krb5, libvirt, and shadow).

Sasha Levin has announced the release of the 6.8.2, 6.7.11,6.6.23, 6.1.83, 5.15.153, 5.10.214, 5.4.273, and 4.19.311 stable kernels. Each contains a longlist of important fixes throughout the kernel tree.

The GNOME project announcedGNOME46 (code-named "Kathmandu") on March20. The release has quite a few updates and improvementsacross user applications, developer tools, and under the hood. Onething stood out while looking over this release-a major emphasis onFlatpaks as the way to acquire and update GNOME software.

Security updates have been issued by CentOS (kernel), Debian (firefox-esr), Fedora (webkitgtk), Mageia (curaengine & blender and gnutls), Red Hat (firefox, grafana, grafana-pcp, libreoffice, nodejs:18, and thunderbird), SUSE (glade), and Ubuntu (crmsh, debian-goodies, linux-aws, linux-aws-6.5, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-oracle, linux-azure, linux-azure-5.4, linux-oracle, linux-oracle-5.15, pam, and thunderbird).

The first-ever NixConin North America was co-located withSCALE this year. Theevent drew a mix of experiencedNix usersand people new to the project.I attended talks that covered using Nix to build Docker images, upcoming changesto how NixOS performs early booting, and ideas for making the set of servicesprovided in nixpkgsmore useful for self hosting. (LWN covered the relationship betweenNix, NixOS, and nixpkgs in arecent article.)Near the end of theconference, a collection of Nix contributors gave a "State of the Union"about the growth of the project and highlighting areas of concern.

The 6.9-rc1kernel prepatch was released on March24, closing the merge window forthis development cycle. By that time, 12,435 non-merge changesets had beenmerged into the mainline, making for a less-busy merge window than the lastcouple of kernel releases (but similar to the 12,492 seen for 6.5). Wellover 7,000 of those changes were merged after the first-half merge-window summary waswritten, meaning that the latter part of the merge window brought many moreinteresting changes.

Security updates have been issued by Debian (cacti, firefox-esr, freeipa, gross, libnet-cidr-lite-perl, python2.7, python3.7, samba, and thunderbird), Fedora (amavis, chromium, clojure, firefox, gnutls, kubernetes, and tcpreplay), Mageia (freeimage, libreswan, nodejs-hawk, and python, python3), Oracle (golang, nodejs, nodejs:16, and postgresql-jdbc), Slackware (emacs and mozilla), SUSE (dav1d, ghostscript, go1.22, indent, kernel, openvswitch, PackageKit, python-uamqp, rubygem-rack-1_4, shadow, ucode-intel, xen, and zziplib), and Ubuntu (firefox, graphviz, libnet-cidr-lite-perl, and qpdf).

Version 29.3 of theEmacs editor has been released:

The 6.9-rc1 kernel prepatch is out fortesting. Linus Torvalds described some rather large updates to the corekernel code that are coming for 6.9:

Security updates have been issued by Debian (firefox-esr, pillow, and thunderbird), Fedora (apptainer, chromium, ovn, and webkitgtk), Mageia (apache-mod_auth_openidc, ffmpeg, fontforge, libuv, and nodejs-tough-cookie), Oracle (kernel, libreoffice, postgresql-jdbc, ruby:3.1, squid, and squid:4), Red Hat (go-toolset:rhel8 and libreoffice), SUSE (firefox, jbcrypt, trilead-ssh2, jsch-agent-proxy, kernel, tiff, and zziplib), and Ubuntu (linux-aws and openssl1.0).

While a programming error in the kernel may be subject to directexploitation, usually a more roundabout approach is required to takeadvantage of a security bug. One popular approach for those wishing totake advantage of vulnerabilities is heap spraying, andit has often been employed to compromise the kernel. In the future,though, heap-spraying attacks may be a bit harder to pull off, thanks to the"dedicated bucket allocator" proposed by Kees Cook.

Security updates have been issued by Debian (pdns-recursor and php-dompdf-svg-lib), Fedora (grub2, libreswan, rubygem-yard, and thunderbird), Mageia (libtiff and python-scipy), Red Hat (golang, nodejs, and nodejs:16), Slackware (python3), and Ubuntu (linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-azure, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, linux-starfive, linux-starfive-6.5, linux-aws, linux-aws-5.15, linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-gcp, linux-gcp-4.15, linux-kvm, linux-laptop, linux-oem-6.1, and linux-raspi).

Version1.77.0 of the Rust language has been released. Changes include supportfor NUL-terminated C-string literals, the ability for asyncfunctions to call themselves recursively, the stabilization of theoffset_of!() macro, and more.

Verson 5.39.9 of the Perl language has been released. Changes this timeinclude a new "medium-precedence" logical exclusive-or operator, a numberof updated modules, and more; see thispage for details.

The Redis in-memory database system has hadits license changed to either the Redis Source AvailableLicense or the Server SidePublic License (covered here in 2018);neither license qualifies as free software.

Danilo Krummrich has announced theexistence of the "Nova" project within Red Hat.

The LWN.net Weekly Edition for March 21, 2024 is available.

Version 46 of the GNOME desktophas been released. "GNOME 46 is code-named 'Kathmandu', in recognitionof the amazing work done by the organizers of GNOME.Asia 2023."Significant changes include a new global search feature, enhancements tothe Files app, improved remote login support, and more.

Cockpit is an interestingproject for web-based Linux administration that has receivedrelatively little attention over the years. Part of that may be due tothe project's strategy of minor releases roughly every two weeks,rather than larger releases with many new features. While the strategyhas done little to garner headlines, it has delivered a useful andextensible tool to observe, manage, and troubleshoot Linux servers.

The Python project has announced three security releases, 3.10.14,3.9.19,and 3.8.19.In addition to the security fixes, these releases are notable for two reasons;they are the first to make use of GitHub Actions to performpublic builds instead of building artifacts "on a local computer of oneof the release managers", and the first since Python became aCVE Numbering Authority (CNA).Python release team member ukasz Langa saidthat being a CNA means Python is able to "ensure the quality of the vulnerabilityreports is high, and that the severity estimates are accurate." It alsoallows Python to coordinate CVE announcements with the patched versions ofPython, as it has with two CVEs addressed in these releases. CVE-2023-6597 CVE-2024-0450describes a flaw in CPython's zipfile module that made it vulnerable to a zip-bomb exploit. CVE-2024-0450 CVE-2023-6597 is anissue with Python's tempfile.TemporaryDirectory class which could beexploited to modify permissions of files referenced by symbolic links. Users of affected versions should upgrade soon.

Security updates have been issued by Debian (fontforge and imagemagick), Fedora (firefox), Mageia (cherrytree, python-django, qpdf, and sqlite3), Red Hat (bind, cups, emacs, fwupd, gmp, kernel, libreoffice, libX11, nodejs, opencryptoki, postgresql-jdbc, postgresql:10, postgresql:13, and ruby:3.1), Slackware (gnutls and mozilla), and Ubuntu (firefox, linux, linux-bluefield, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-aws, linux-aws-5.4, linux-aws, linux-aws-6.5, and linux-oracle, linux-oracle-5.15).

There are a number of different language-enhancement ideas that crop upwith some regularity in the Python community; many of them have been debated and shot down multipletimes over the years. When one inevitably arises anew, it can sometimes bedifficult to tamp it down, even if it is unlikely that the idea will goany further than the last N times it cropped up. A recent discussion about"real" anonymous functions follows a somewhat predictable path, but thereare still reasons to participate in vetting these "new" ideas, despite thetiresome, repetitive nature of the exercise-examples of recurring feature ideas that were eventually adopted definitely exist.

Version124.0 of the Firefox browser is out. Changes include support for"caret browsing mode" in the PDF viewer and the ability to control thesorting of tabs in the Firefox View screen.

Security updates have been issued by Debian (cacti, postgresql-11, and zfs-linux), Fedora (freeimage, mingw-expat, and mingw-freeimage), Mageia (apache-mod_security-crs, expat, and multipath-tools), Oracle (.NET 7.0 and kernel), Red Hat (kernel, kernel-rt, and kpatch-patch), and Ubuntu (bash, kernel, linux, linux-aws, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, and vim).

Man Yue Mo explainshow to compromise a Pixel8 phone even when the Arm memory-tagging extension is in use, by takingadvantage of the Mali GPU.