LWN.net (feed)

Link: https://lwn.net/
Feed: http://lwn.net/headlines/rss
Updated: 2024-05-07 18:00
Security updates for Friday
Security updates have been issued by Debian (cockpit), Mageia (python-pygments), Red Hat (nodejs), Slackware (httpd and nghttp2), SUSE (avahi, gradle, gradle-bootstrap, and squid), and Ubuntu (xorg-server, xwayland).
Stable kernels 6.8.4 and 6.6.25
The 6.8.4 and 6.6.25 stable kernels have been released. They both contain 11 reversions of workqueue patches.
V8 incorporates new sandbox
V8, the JavaScript engine used in Chrome, announced that its memory sandbox is no longer experimental.
[$] A focus on FOSS funding
Among the numerous approaches to funding the development and advancement of open-source software, corporate sponsorship in the form of donations to umbrella organizations is perhaps the most visible. At SCALE21x in Pasadena, California, Duane O'Brien presented a slice of his recent research into the landscape of such sponsorship arrangements, with an overview of the identifiable trends of the past ten years and some initial insights he hopes are valuable for sponsors and community members alike.
Incus 6.0 LTS released
Version 6.0 LTS of the Incus container management system has been released. "This is a major milestone for Incus as it marks our first release with extended support, suitable for use in production environments where monthly feature releases aren't suitable." Changes include swap limits for containers, a new shell completion mechanism, support for the creation of VLAN interfaces, improved live migration, and more.
Security updates for Thursday
Security updates have been issued by CentOS (firefox and thunderbird), Debian (chromium and gtkwave), Fedora (micropython), Slackware (xorg), SUSE (util-linux and xen), and Ubuntu (firefox).
[$] LWN.net Weekly Edition for April 4, 2024
The LWN.net Weekly Edition for April 4, 2024 is available.
AlmaLinux OS - CVE-2024-1086 and XZ (AlmaLinux blog)
AlmaLinux has announced updated kernels for AlmaLinux 8 and 9 to address CVE-2024-1086, a use-after-free vulnerability in the kernel that could be exploited to gain local privilege escalation. This is notable because the fix marks a divergence between AlmaLinux and Red Hat Enterprise Linux (RHEL):
Malcolm: Improvements to static analysis in the GCC 14 compiler
David Malcolm writes about some static-analyzer features that are coming in the GCC 14 release.
Four stable kernel updates
The 6.8.3, 6.7.12, 6.6.24, and 6.1.84 stable kernel updates have been released. Each contains an important set of fixes. Note that 6.7.12 is the final release for the 6.7.y series, and that branch is now end-of-life. Users should move to the 6.8.y branch.
[$] A memory model for Rust code in the kernel
The Rust programming language differs from C in many ways; those differences tend to be what users admire in the language. But those differences can also lead to an impedance mismatch when Rust code is integrated into a C-dominated system, and it can be even worse in the kernel, which is not a typical C program. Memory models are a case in point. A programming language's view of memory is sufficiently fundamental and arcane that many developers never have to learn much about it. It is hard to maintain that sort of blissful ignorance while working in the kernel, though, so a recent discussion of how to choose a memory model for kernel code in Rust is of interest.
KDE6 release: D-Bus and Polkit Galore (SUSE security team blog)
The SUSE Security Team Blog is carrying a detailed article on SUSE's review of the KDE6 release.
Security updates for Wednesday
Security updates have been issued by Debian (py7zr), Fedora (biosig4c++ and podman), Oracle (kernel, kernel-container, and ruby:3.1), Red Hat (.NET 7.0, bind9.16, curl, expat, grafana, grafana-pcp, kernel, kernel-rt, kpatch-patch, less, opencryptoki, and postgresql-jdbc), and Ubuntu (cacti).
Redict 7.3.0 released
The first stable release of Redict, a fork of the Redis in-memory database under a copyleft license, has been announced.
[$] How the XZ backdoor works
Versions 5.6.0 and 5.6.1 of the XZ compression utility and library were shipped with a backdoor that targeted OpenSSH. Andres Freund discovered the backdoor by noticing that failed SSH logins were taking a lot of CPU time while doing some micro-benchmarking, and tracking down the backdoor from there. It was introduced by XZ co-maintainer "Jia Tan" - a probable alias for person or persons unknown. The backdoor is a sophisticated attack with multiple parts, from the build system, to link time, to run time.
[$] Free software's not-so-eXZellent adventure
A common theme in early-days anti-Linux FUD was that, since anybody can contribute to the code, it cannot be trusted. Over two decades later, one rarely hears that line anymore; experience has shown that free-software communities are not prone to shipping overtly hostile code. But, as the backdooring of XZ has reminded us, the embedding of malicious code is, unfortunately, not limited to the proprietary realm. Our community will be busy analyzing this incident for some time to come, but clear conclusions may be hard to come by.
Security updates for Tuesday
Security updates have been issued by Fedora (kernel and webkitgtk), Mageia (unixODBC and w3m), and SUSE (libvirt, netty, netty-tcnative, and perl-DBD-SQLite).
[$] Improving performance with SCHED_EXT and IOCost
At SCALE this year Dan Schatzberg and Tejun Heo, both from Meta, gave back-to-back talks about some of the performance-engineering work that they do there. Schatzberg presented on the extensible BPF scheduler, which has been discussed extensively on the kernel mailing list. Heo presented on IOCost - a control group (cgroup) I/O controller optimized for solid-state disks (SSDs) - and the benchmark suite that is necessary to make it work well on different models of disk.
NetBSD 10.0 released
Version 10.0 of the NetBSD system has been released.
Security updates for Monday
Security updates have been issued by Arch Linux (xz), Debian (libvirt, mediawiki, util-linux, and xz-utils), Fedora (apache-commons-configuration, cockpit, ghc-base64, ghc-hakyll, ghc-isocline, ghc-toml-parser, gitit, gnutls, pandoc, pandoc-cli, patat, podman-tui, prometheus-podman-exporter, seamonkey, suricata, and xen), Gentoo (XZ utils), Mageia (aide & mhash, emacs, microcode, opensc, and squid), Red Hat (ruby:3.1), and SUSE (kanidm and qpid-proton).
Kernel prepatch 6.9-rc2
The 6.9-rc2 kernel prepatch is out for testing. "Neither snow nor rain nor heat nor gloom of night stays kernel rc releases. Nor does Easter."
A few relevant quotes
A backdoor in xz
Andres Freund has posted a detailed investigation into a backdoor that was shipped with versions 5.6.0 and 5.6.1 of the xz compression utility. It appears that the malicious code may be aimed at allowing SSH authentication to be bypassed.
[$] Radicle: peer-to-peer collaboration with Git
Radicle is a new, peer-to-peer, MIT/Apache-licensed collaboration platform written in Rust and built on top of Git. It adds support for issues and pull requests (which Radicle calls "patches") on top of core Git, which are stored in the Git repository itself. Unlike GitHub, GitLab, and similar forges, Radicle is distributed; it doesn't rely on having everyone use the same server. Instead, Radicle instances form a network that synchronizes changes between nodes.
Security updates for Friday
Security updates have been issued by Debian (chromium), Fedora (apache-commons-configuration, chromium, csmock, ofono, onnx, php-tcpdf, and podman-tui), Mageia (curl), Oracle (libreoffice), Slackware (coreutils, seamonkey, and util), SUSE (minidlna, PackageKit, and podman), and Ubuntu (linux-azure-6.5 and linux-intel-iotg, linux-intel-iotg-5.15).
Schaller: Fedora Workstation 40 – what are we working on
Christian Schaller writes about the desktop-oriented work aimed at the upcoming Fedora 40 release.
[$] The race to replace Redis
On March 21, Redis Ltd. announced that the Redis "in-memory data store" project would now be released under non-free, source-available licenses, starting with Redis 7.4. The news is unwelcome, but not entirely unexpected. What is unusual with this situation is the number of Redis alternatives to choose from; there are at least four options to choose as a replacement for those who wish to stay with free software, including a pre-existing fork called KeyDB and the Linux Foundation's newly-announced Valkey project. The question now is which one(s) Linux distributions, users, and providers will choose to take its place.
[$] Declarative partitioning in PostgreSQL
Keith Fiske gave a talk (with slides) about the state of partitioning - splitting a large table into smaller tables for performance reasons - in PostgreSQL at SCALE this year. He spoke about the existing support for partitioning, what work still needs to be done, and what place existing partitioning tools, like his own pg_partman, still have as PostgreSQL gains more built-in features.
Samba 4.20.0 released
Version 4.20.0 of the Samba Windows interoperability suite has been released. Changes include better support for group-managed service accounts, an experimental Windows search protocol client, support for conditional access control entries, and more.
Security updates for Thursday
Security updates have been issued by Fedora (perl-Data-UUID, python-pygments, and thunderbird), Mageia (clojure, grub2, kernel, kmod-xtables-addons, kmod-virtualbox, kernel-linus, nss firefox, nss, python3, python, tcpreplay, and thunderbird), Oracle (nodejs:18), Red Hat (.NET 6.0 and dnsmasq), SUSE (avahi and python39), and Ubuntu (curl, linux-intel-iotg, linux-intel-iotg-5.15, unixodbc, and util-linux).
[$] LWN.net Weekly Edition for March 28, 2024
The LWN.net Weekly Edition for March 28, 2024 is available.
The PostgreSQL community mourns Simon Riggs
The PostgreSQL community is dealing with the loss of Simon Riggs, who passed away on March 26:
[$] High-performance computing with Ubuntu
Jason Nucciarone and Felipe Reyes gave back-to-back talks about high-performance computing (HPC) using Ubuntu at SCALE this year. Nucciarone talked about ongoing work packaging Open OnDemand - a web-based HPC cluster interface - to make high-performance-computing clusters more user friendly. Reyes presented on using OpenStack - a cloud-computing platform - to pass the performance benefits of one's hardware through to virtual machines (VMs) running on a cluster.
Security updates for Wednesday
Security updates have been issued by Debian (composer and nodejs), Fedora (w3m), Mageia (tomcat), Oracle (expat, firefox, go-toolset:ol8, grafana, grafana-pcp, nodejs:18, and thunderbird), Red Hat (dnsmasq, expat, kernel, kernel-rt, libreoffice, and squid), and SUSE (firefox, krb5, libvirt, and shadow).
Eight new stable kernels
Sasha Levin has announced the release of the 6.8.2, 6.7.11, 6.6.23, 6.1.83, 5.15.153, 5.10.214, 5.4.273, and 4.19.311 stable kernels. Each contains a long list of important fixes throughout the kernel tree.
[$] GNOME 46 puts Flatpaks front and center
The GNOME project announced GNOME 46 (code-named "Kathmandu") on March 20. The release has quite a few updates and improvements across user applications, developer tools, and under the hood. One thing stood out while looking over this release - a major emphasis on Flatpaks as the way to acquire and update GNOME software.
Security updates for Tuesday
Security updates have been issued by CentOS (kernel), Debian (firefox-esr), Fedora (webkitgtk), Mageia (curaengine & blender and gnutls), Red Hat (firefox, grafana, grafana-pcp, libreoffice, nodejs:18, and thunderbird), SUSE (glade), and Ubuntu (crmsh, debian-goodies, linux-aws, linux-aws-6.5, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-oracle, linux-azure, linux-azure-5.4, linux-oracle, linux-oracle-5.15, pam, and thunderbird).
[$] Nix at SCALE
The first-ever NixCon in North America was co-located with SCALE this year. The event drew a mix of experienced Nix users and people new to the project. I attended talks that covered using Nix to build Docker images, upcoming changes to how NixOS performs early booting, and ideas for making the set of services provided in nixpkgs more useful for self hosting. (LWN covered the relationship between Nix, NixOS, and nixpkgs in a recent article.) Near the end of the conference, a collection of Nix contributors gave a "State of the Union" about the growth of the project and highlighting areas of concern.
[$] The rest of the 6.9 merge window
The 6.9-rc1 kernel prepatch was released on March 24, closing the merge window for this development cycle. By that time, 12,435 non-merge changesets had been merged into the mainline, making for a less-busy merge window than the last couple of kernel releases (but similar to the 12,492 seen for 6.5). Well over 7,000 of those changes were merged after the first-half merge-window summary was written, meaning that the latter part of the merge window brought many more interesting changes.
Security updates for Monday
Security updates have been issued by Debian (cacti, firefox-esr, freeipa, gross, libnet-cidr-lite-perl, python2.7, python3.7, samba, and thunderbird), Fedora (amavis, chromium, clojure, firefox, gnutls, kubernetes, and tcpreplay), Mageia (freeimage, libreswan, nodejs-hawk, and python, python3), Oracle (golang, nodejs, nodejs:16, and postgresql-jdbc), Slackware (emacs and mozilla), SUSE (dav1d, ghostscript, go1.22, indent, kernel, openvswitch, PackageKit, python-uamqp, rubygem-rack-1_4, shadow, ucode-intel, xen, and zziplib), and Ubuntu (firefox, graphviz, libnet-cidr-lite-perl, and qpdf).
Emacs 29.3 released
Version 29.3 of the Emacs editor has been released:
Kernel prepatch 6.9-rc1
The 6.9-rc1 kernel prepatch is out for testing. Linus Torvalds described some rather large updates to the core kernel code that are coming for 6.9:
Security updates for Friday
Security updates have been issued by Debian (firefox-esr, pillow, and thunderbird), Fedora (apptainer, chromium, ovn, and webkitgtk), Mageia (apache-mod_auth_openidc, ffmpeg, fontforge, libuv, and nodejs-tough-cookie), Oracle (kernel, libreoffice, postgresql-jdbc, ruby:3.1, squid, and squid:4), Red Hat (go-toolset:rhel8 and libreoffice), SUSE (firefox, jbcrypt, trilead-ssh2, jsch-agent-proxy, kernel, tiff, and zziplib), and Ubuntu (linux-aws and openssl1.0).
[$] Hardening the kernel against heap-spraying attacks
While a programming error in the kernel may be subject to direct exploitation, usually a more roundabout approach is required to take advantage of a security bug. One popular approach for those wishing to take advantage of vulnerabilities is heap spraying, and it has often been employed to compromise the kernel. In the future, though, heap-spraying attacks may be a bit harder to pull off, thanks to the "dedicated bucket allocator" proposed by Kees Cook.
Security updates for Thursday
Security updates have been issued by Debian (pdns-recursor and php-dompdf-svg-lib), Fedora (grub2, libreswan, rubygem-yard, and thunderbird), Mageia (libtiff and python-scipy), Red Hat (golang, nodejs, and nodejs:16), Slackware (python3), and Ubuntu (linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-azure, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, linux-starfive, linux-starfive-6.5, linux-aws, linux-aws-5.15, linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-gcp, linux-gcp-4.15, linux-kvm, linux-laptop, linux-oem-6.1, and linux-raspi).
Rust 1.77.0 released
Version 1.77.0 of the Rust language has been released. Changes include support for NUL-terminated C-string literals, the ability for async functions to call themselves recursively, the stabilization of the offset_of!() macro, and more.
Perl 5.39.9 released
Version 5.39.9 of the Perl language has been released. Changes this time include a new "medium-precedence" logical exclusive-or operator, a number of updated modules, and more; see this page for details.
Redis is no longer free software
The Redis in-memory database system has had its license changed to either the Redis Source Available License or the Server Side Public License (covered here in 2018); neither license qualifies as free software.
The "Nova" driver for NVIDIA chipsets
Danilo Krummrich has announced the existence of the "Nova" project within Red Hat.
[$] LWN.net Weekly Edition for March 21, 2024
The LWN.net Weekly Edition for March 21, 2024 is available.