LWN.net

Security updates have been issued by Debian (firefox-esr, libwebp, ruby-loofah, and ruby-rails-html-sanitizer), Fedora (open-vm-tools and salt), Oracle (.NET 7.0, dmidecode, flac, gcc, httpd:2.4, keylime, libcap, librsvg2, and qemu-kvm), Red Hat (.NET 6.0 and .NET 7.0), Slackware (libarchive and mozilla), SUSE (chromium and kernel), and Ubuntu (curl, firefox, ghostscript, open-vm-tools, postgresql-9.5, and thunderbird).

The LWN.net Weekly Edition for September 14, 2023 is available.

The "Common Vulnerabilities andExposures" (CVE) system was launched late in the previous century (September1999) to track vulnerabilities insoftware. Over the years since, it has had a somewhat checkeredreputation, along with some some attempts toreplace it, but CVE numbers are still the only effective way to trackvulnerabilities. While that can certainly be useful, theCVE-assignment (and severity scoring) process is not without its problems.The prominence of CVE numbers, and the consequent increase in "reputation" for a reporter, have combined to create a system that canbe-and is-actively gamed. Meanwhile, the organizations that oversee thesystem are ultimately not doing a particularly stellar job.

The6.5.3,6.4.16, and6.1.53stable kernel updates have been released; each contains a large number ofimportant fixes. Note that the 6.4.x line ends with 6.4.16.

Security updates have been issued by Debian (e2guardian), Fedora (libeconf), Red Hat (dmidecode, kernel, kernel-rt, keylime, kpatch-patch, libcap, librsvg2, linux-firmware, and qemu-kvm), Slackware (mozilla), SUSE (chromium and shadow), and Ubuntu (cups, dotnet6, dotnet7, file, flac, and ruby-redcloth).

The GCC stack-protector feature detects stack-based buffer overruns byputting a canary value on the stack and noticing if that value is changed.Itturns out, though, that dynamically allocated local variables (such asvariable-length arrays and space obtained with alloca()) areplaced beyond the canary, so overflows of those variables will not bedetected. As a result, arm64 binaries built with vulnerable versions ofGCC are not as protected as they should be and need to be rebuilt.

Arduino has emerged as one of theprime success stories of the open-hardware movement. In recent years, thecompany has shifted its focus toward Internet of Things (IoT)applications. As part of this transformation, it has completely redesignedits open-source integrated development environment (IDE), adding a moreprofessional feature set for its hobbyist target audience. If you haveexperimented with Arduino in the past, but have lost track of itsprogress, now might be a good time to give it another try.

Ars Technica reports on a credential-stealing Trojan horse that would infect only some of those who installed the "Free Download Manager". The article is based on a Kaspersky report that details the malicious payload offered up at that site from 2020 to 2022.

Security updates have been issued by Debian (node-cookiejar and orthanc), Oracle (firefox, kernel, and kernel-container), Red Hat (flac and httpd:2.4), Slackware (vim), SUSE (python-Django, terraform-provider-aws, terraform-provider-helm, and terraform-provider-null), and Ubuntu (c-ares, curl, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-raspi, and linux-ibm, linux-ibm-5.4).

Linus Torvalds released6.6-rc1 and closed the 6.6 merge window on September10. At thatpoint, 12,230 non-merge changesets had been pulled into the mainlinerepository, which is exactly 500 more than were pulled for 6.5 at this stagein the cycle. Over 7,000 of those changes were pulled after our first-half summary was written; theybrought a fair amount of new functionality with them. Read on for anoverview of those changes.

Security updates have been issued by Debian (frr, kernel, libraw, mutt, and open-vm-tools), Fedora (cjose, pypy, vim, wireshark, and xrdp), Gentoo (apache), Mageia (chromium-browser-stable, clamav, ghostscript, librsvg, libtiff, openssl, poppler, postgresql, python-pypdf2, and unrar), Red Hat (flac), SUSE (firefox, geoipupdate, icu73_2, libssh2_org, rekor, skopeo, and webkit2gtk3), and Ubuntu (linux-azure, linux-azure-4.15, linux-azure-5.4, linux-gcp-5.4, linux-gkeop, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-gcp, linux-gcp-6.2, linux-ibm, linux-oracle, linux-starfive, linux-gcp-5.15, linux-gkeop-5.15, and opendmarc).

Linus has released 6.6-rc1 and closed themerge window for this release.

In a series of posts on his blog, Oscar Benjamin looks at SymPy, which is a Python-based symbolic-mathematics library. In the first article, he outlines the "big changes for SymPy with particular focus on speed". The second covers polynomial handling; subsequent articles will examine other pieces of the puzzle.

The work to add support for large anonymousfolios to the kernel has been underway for some time, but this featurehas not yet landed in the mainline. The author of this work, Ryan Roberts,has been trying to get a handle on what the remaining obstacles are so hecan address them. On September6, an online meeting ofmemory-management developers discussed that topic and made some progress;there is still some work to do, though, before large anonymous folios cango upstream.

Security updates have been issued by Debian (chromium, libssh2, memcached, and python-django), Fedora (netconsd), Oracle (firefox and thunderbird), Scientific Linux (firefox), SUSE (open-vm-tools), and Ubuntu (grub2-signed, grub2-unsigned, shim, and shim-signed, plib, and python2.7, python3.5).

Thisars technica article looks at the widespread deployment of Google's"privacy sandbox" in the Chrome browser:

The Ubuntu blog has adetailed article on plans to add full-disk encryption, with the keystored in the system's trusted platform module (TPM), to the desktopdistribution.

OpenSUSE Leap is a hybriddistribution; it is based on SUSE's enterprise distribution (SLE), whichfollows the "slow and stable" approach, but adds a number of newer packageson top. Leap is intended to be a desktop-oriented distribution with a stableand reliable base. As SUSE transitions away from its traditionalenterprise distribution toward its "AdaptableLinux Platform" (ALP), though, the stable base upon which openSUSE Leapis built is going away. The openSUSE community is currently discussing howthe project should respond.

Security updates have been issued by Fedora (erofs-utils, htmltest, indent, libeconf, netconsd, php-phpmailer6, tinyexr, and vim), Red Hat (firefox), and Ubuntu (linux-aws, linux-aws-5.15, linux-ibm-5.15, linux-oracle, linux-oracle-5.15, linux-azure, linux-azure-fde-5.15, linux-gke, linux-gkeop, linux-intel-iotg-5.15, linux-raspi, linux-oem-6.1, linux-raspi, linux-raspi-5.4, shiro, and sox).

The LWN.net Weekly Edition for September 7, 2023 is available.

The6.5.2,6.4.15,6.1.52, and5.15.131stable kernels have been released; each contains another set of importantfixes.

A recent discussion on the Python forum looked at a way toprotect module objects (and users) from mistaken attribute assignment anddeletion. There are ways to get the same effect today, but the mechanism that would be used causes aperformance penalty for an unrelated, and heavily used, action: attributelookup on modules. Back in2017, PEP562 ("Module __getattr__and __dir__") set the stage for adding magic methods to module objects; nowa new proposal would extend that idea to add __setattr__() and__delattr__() to them.

The Mozilla Foundation has published areport on the data-collection and privacy practices of 25 car brands.

Leandro Moreira is maintaining adetailed description of Linux network tuning parameters and how theyall tie together. There is a lot of good information for administratorsseeking a better understanding of how all those knobs work andinteroperate. (Seen on HN).

Security updates have been issued by Debian (aom and php7.3), Fedora (freeimage and mingw-freeimage), Scientific Linux (thunderbird), SUSE (amazon-ssm-agent, chromium, container-suseconnect, docker, glib2, php7, python-Django1, and rubygem-rails-html-sanitizer), and Ubuntu (kernel, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-hwe-5.4, linux-ibm, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-aws-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, and linux, linux-gcp, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia).

The Linux Vendor Firmware Service (LVFS)provides a repository where vendors can upload firmware updates that can beaccessed by the fwupdfirmware update daemon on Linux systems. That mechanism allows users to keepthe hardware components of their systems up to date with the latest firmwarereleases, but it has gotten so popular that the daily metadata queries are starting to swamp the LVFScontent delivery network (CDN) server. So Richard Hughes, who developedfwupd and LVFS, suggestedthat it would make sense to start looking at ways to reduce that burden;the idea was discussed in a recent thread on the Fedora devel mailing list.

FOSS Force looksat the KDE Gear 23.08 release.

Security updates have been issued by Debian (file and thunderbird), Fedora (exercism, libtommath, moby-engine, and python-pyramid), Oracle (cups and kernel), Red Hat (firefox, kernel, kernel-rt, kpatch-patch, and thunderbird), SUSE (amazon-ecs-init, buildah, busybox, djvulibre, exempi, firefox, gsl, keylime, kubernetes1.18, php7, and sccache), and Ubuntu (docker-registry and linux-azure-5.4).

The kernel-development community has recently been discussing a number ofindependent patches, each of which is intended to help improve the securityof deployed systems in some way. They touch on a number of areas within thekernel, including the question of how widely io_uring should be available,how to allow virtual machines to attest to their integrity, and the bestway to inform applications when their random-number generators need to bereseeded.

Security updates have been issued by Debian (thunderbird), Fedora (firefox, kernel, kubernetes, and mediawiki), Mageia (openldap), SUSE (terraform), and Ubuntu (atftp, busybox, and thunderbird).

The6.5.1,6.4.14,6.1.51,5.15.130,5.10.194,5.4.256,4.19.294, and4.14.325stable kernel updates have all been released; each contains another set ofimportant fixes.

The pidfd API has been added to the kernelover the last several years to provide a race-free way for processes torefer to each other. While the GNU C Library (glibc) gainedbasic pidfd support with the 2.36 release in 2022, it still lacks acomplete solution for race-free process creation. Thispatch set from Adhemerval Zanella seems likely to fill that gap in thenear future, though, with an extension to the posix_spawn()API.

Security updates have been issued by Debian (chromium, firefox-esr, and gst-plugins-ugly1.0), Fedora (firefox, libeconf, libwebsockets, mosquitto, and rust-rustls-webpki), SUSE (amazon-ssm-agent, open-vm-tools, and terraform-provider-helm), and Ubuntu (linux-azure, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp-5.15, linux-gcp-5.4, linux-oracle-5.4, linux-gkeop, linux-gkeop-5.15, linux-intel-iotg, linux-kvm, linux-oracle, and python-git).

As of this writing, 4,588 non-merge changesets have been pulled into themainline repository for the 6.6 kernel release. The 6.6 merge window, inother words, is just getting started. Nonetheless, a fair amount ofsignificant work has already been pulled, so the time has come to summarizewhat has happened so far in this development cycle.

Security updates have been issued by Debian (firefox-esr, json-c, opendmarc, and otrs2), Red Hat (java-1.8.0-ibm and kpatch-patch), Scientific Linux (kernel), Slackware (mozilla), SUSE (haproxy, php7, vim, and xen), and Ubuntu (elfutils, frr, and linux-gcp, linux-starfive).

The LWN.net Weekly Edition for August 31, 2023 is available.

A series of rabbit holes, some of which led to unshavedyaks, recently landed me on a book called Mastering Emacs.Given that I have been using Emacs "professionally" for more than16years-and first looked into it a good ways into the previous century-Ishould probably be pretty well-versed in that editor-cum-operating-system.Sadly, for a variety of reasons, that is not really true, but the book andsome concerted effort have been helping me down a path toward Emacs-ianenlightenment. Mastering Emacs may also help others who arestruggling in the frothy sea that makes up Emacs documentation.

The6.4.13,6.1.50,5.15.129,5.10.193,5.4.255,4.19.293, and4.14.324stable kernels have been released; each contains another set of importantfixes.

Security updates have been issued by Debian (qpdf, ring, and tryton-server), Fedora (mingw-qt5-qtbase and moby-engine), Red Hat (cups, kernel, kernel-rt, kpatch-patch, librsvg2, and virt:rhel and virt-devel:rhel), and Ubuntu (amd64-microcode, firefox, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-hwe-5.4, linux-kvm, linux-oracle, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-hwe-6.2, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-raspi, linux-bluefield, linux-ibm, linux-oem-6.1, and openjdk-lts, openjdk-17).

"Sugar" is, to a certain extent, in the eye of the beholder-at least whenit comes to syntax. Programming languages are often made up of a (mostly)irreducible core, with lots of sugary constructs sprinkled on top-the syntactic sugar. No onewants to be forced to do without the extra syntax-at least not for theirfavorite pieces-but it is worth looking at how a language's constructs canbe built from the core. That is just what Brett Cannon has been doing forPython, on his blog and in talks,including a talk at PyCon back in April (YouTube video).

Security updates have been issued by Debian (flask-security and opendmarc), Fedora (qemu), Oracle (rust and rust-toolset:ol8), Red Hat (cups and libxml2), Scientific Linux (cups), SUSE (ca-certificates-mozilla, chromium, clamav, freetype2, haproxy, nodejs12, procps, and vim), and Ubuntu (faad2, json-c, libqb, linux, linux-aws, linux-lts-xenial, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-gkeop-5.15, and linux-gke, linux-ibm-5.4).

The OpenChain site carries the sad news of thepassing of Satoru Ueda. Your editor first met Ueda San at the 2007 Linux Foundation Japan Symposium, where asmall group of dedicated developers and managers was working hard to bringopen-source development practices to the country. Ueda San was always astrong advocate for this cause and deserves much credit for the success ofLinux and open source in Japan. He was also always a warm and welcomingperson; he will be much missed.

The 6.5 kernel was releasedon August27 after a nine-week development cycle. By that time, some13,561 non-merge changesets had found their way into the mainlinerepository, the lowest number seen since the 5.15 release (12,377changesets) in late 2021. Nonetheless, quite a bit of significant work wasdone in this cycle; read on for a look at where that work came from.

August 26 was the 25th anniversary of the release of the Bugzilla bug tracker as open-source software under the Mozilla Public License (MPL). A blog post for the occasion has some announcements, including several upcoming releases, help wanted, and a new legal entity to house the project:

Security updates have been issued by Debian (chromium, clamav, librsvg, rar, and unrar-nonfree), Fedora (caddy, chromium, and xen), and SUSE (ca-certificates-mozilla, gawk, ghostscript, java-1_8_0-ibm, java-1_8_0-openjdk, php7, qemu, and xen).

Linus has, as expected, released the 6.5kernel.

The6.1.48,5.15.128, and5.10.192stable kernels have been released; each contains another set of importantfixes.Update: 6.1.49 has also beenreleased. "This upgrade is only for all users of the 6.1 series thatuse the x86 platform OR the F2FS file system. If that's not you, feel freeto ignore this release."

The OpenTF Foundation has announced that it is moving forward with its eponymous fork of HashiCorp Terraform, which was recently changed to a non-FOSS license by the company. The organization has applied to become part of the Linux Foundation, "with the end goal of having OpenTF as part of Cloud Native Computing Foundation". There is a GitHub repository for its manifesto, but the code repository for OpenTF is private for now, with plans to open it up in the next week or two. Work has been going on for the last week and more developers are coming on board:

The more one pays attention to the Internet of Things (IoT), the more onelearns to appreciate simple, unconnected devices. Your editor long agoacquired an aversion to products that advertise themselves as "smart"or "WiFi-enabled". There can be advantages, though, to devices thatcontain microprocessors, are Internet connected, and are remotelyaccessible, if they are implemented well. The OpenSprinkler sprinkler timer wouldappear to be a case in point.

Security updates have been issued by Debian (tryton-server), Fedora (youtube-dl), SUSE (clamav and krb5), and Ubuntu (cjose and fastdds).