Feed lwn LWN.net


Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2026-01-14 05:00
Kernel prepatch 6.9-rc4
The 6.9-rc4 kernel prepatch is out for testing. "Nothing particularly unusual going on this week - some new hw mitigations may stand out, but after a decade of this I can't really call it 'unusual' any more, can I?"
Saturday's stable kernel updates
The 6.8.6, 6.6.27, 6.1.86, 5.15.155, 5.10.215, 5.4.274, and 4.19.312 stable kernel updates have all been released; each contains a relatively large number of important fixes.
[$] A tale of two troublesome drivers
The kernel project merges dozens of drivers with every development cycle, and almost every one of those drivers is entirely uncontroversial. Occasionally, though, a driver submission raises wider questions, leading to lengthy discussion and, perhaps, opposition. That is currently the case with two separate drivers, both with ties to the networking subsystem. One of them is hung up on questions of whether (and how) all device functionality should be made available to user space, while the other has run into turbulence because it drives a device that is unobtainable outside of a single company.
What we need to take away from the XZ Backdoor (openSUSE News)
Dirk Mueller has posted a lengthy analysis of the XZ backdoor on the openSUSE News site, with a focus on openSUSE's response.
Security updates for Friday
Security updates have been issued by Debian (chromium), Fedora (rust, trafficserver, and upx), Mageia (postgresql-jdbc and x11-server, x11-server-xwayland, tigervnc), Red Hat (bind, bind9.16, gnutls, httpd:2.4, squid, unbound, and xorg-x11-server), SUSE (perl-Net-CIDR-Lite), and Ubuntu (apache2, maven-shared-utils, and nss).
[$] Completing the EEVDF scheduler
The Earliest Virtual Deadline First (EEVDF) scheduler was merged as an option for the 6.6 kernel. It represents a major change to how CPU scheduling is done on Linux systems, but the EEVDF front has been relatively quiet since then. Now, though, scheduler developer Peter Zijlstra has returned from a long absence to post a patch series intended to finish the EEVDF work. Beyond some fixes, this work includes a significant behavioral change and a new feature intended to help latency-sensitive tasks.
Security updates for Thursday
Security updates have been issued by AlmaLinux (kernel, less, libreoffice, nodejs:18, nodejs:20, rear, thunderbird, and varnish), Debian (pillow), Fedora (dotnet7.0), SUSE (sngrep, texlive-specs-k, tomcat, tomcat10, and xorg-x11-server), and Ubuntu (nss, squid, and util-linux).
[$] LWN.net Weekly Edition for April 11, 2024
The LWN.net Weekly Edition for April 11, 2024 is available.
Gentoo Linux becomes an SPI Associated Project
The Gentoo Linux project has announced that it is now an Associated Project of Software in the Public Interest (SPI), which will allow it to accept tax deductible donations in the US and reduce its "non-technical workload":
Four stable kernel updates
Greg Kroah-Hartman has announced another round of stable kernel updates: 6.8.5, 6.6.26, 6.1.85, and 5.15.154 have all been released; each contains another set of important fixes, including the mitigations for the recently disclosed branch history injection hardware vulnerability.
[$] Book review: Practical Julia
A recent book by LWN guest author Lee Phillips provides a nice introduction to the Julia programming language. Practical Julia does more than that, however. As its subtitle ("A Hands-On Introduction for Scientific Minds") implies, the book focuses on bringing Julia to scientists, rather than programmers, which gives it something of a different feel from most other books of this sort.
[$] Continued attacks on HTTP/2
On April 3 security researcher Bartek Nowotarski published the details of a new denial-of-service (DoS) attack, called a "continuation flood", against many HTTP/2-capable web servers. While the attack is not terribly complex, it affects many independent implementations of the HTTP/2 protocol, even though multiple similar vulnerabilities over the years have given implementers plenty of warning.
Security updates for Wednesday
Security updates have been issued by Debian (gtkwave), Fedora (dotnet7.0, dotnet8.0, and python-pillow), Mageia (apache, gstreamer1.0, libreoffice, perl-Data-UUID, and xen), Oracle (kernel, kernel-container, and varnish), Red Hat (edk2, kernel, rear, and unbound), SUSE (apache2-mod_jk, gnutls, less, and xfig), and Ubuntu (bind9, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-azure, linux-azure-6.5, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-starfive, linux-starfive-6.5, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux-azure, and xorg-server, xwayland).
The "branch history injection" hardware vulnerability
The mainline kernel has just received a set of commits mitigating the latest x86 hardware vulnerability, known as "branch history injection". From this commit:
[$] The first Linaro Forum for Arm Linux kernel topics
On February 20, Linaro held the initial get-together for what is intended to be a regular Linux Kernel Forum for the Arm-focused kernel community. This gathering aims to convene approximately a few weeks prior to the merge window opening and prior to the release of the current kernel version under development. Topics covered in the first gathering include preparing 64-bit Arm kernels for low-end embedded systems, memory errors and Compute Express Link (CXL), devlink objectives, and scheduler integration.
OpenSSL 3.3.0 released
Version 3.3.0 of the OpenSSL SSL/TLS implementation has been released. Changes include a number of additions to its QUIC protocol support, some year-2038 improvements for 32-bit systems, and a lot of cryptographic features with descriptions like "Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple times with different output sizes." See the release notes for details.
[$] Diagnosing workqueues
There are many mechanisms for deferred work in the Linux kernel. One of them, workqueues, has seen increasing use as part of the move away from software interrupts. Alison Chaiken gave a talk at SCALE about how they compare to software interrupts, the new challenges they pose for system administrators, and what tools are available to kernel developers wishing to diagnose problems with workqueues as they become increasingly prevalent.
Security updates for Tuesday
Security updates have been issued by Debian (expat), Oracle (less and nodejs:20), Slackware (libarchive), SUSE (kubernetes1.23, nghttp2, qt6-base, and util-linux), and Ubuntu (python-django).
Rivendell v4.2.0 released
Version 4.2.0 of the Rivendell radio automation system has been released. Changes include a new data feed for 'next' data objects, improvements to its podcast system, numerous bug fixes, and more.
Introducing Jpegli: A New JPEG Coding Library (Google Open Source Blog)
The Google Open Source Blog is carrying an announcement for a new JPEG library called "Jpegli". There are a number of advantages claimed, including:
[$] The PostgreSQL community debates ALTER SYSTEM
Sometimes the smallest patches create the biggest discussions. A case in point would be the process by which the PostgreSQL community - not a group normally prone to extended, strongly worded megathreads - resolved the question of whether to merge a brief patch adding a new configuration parameter. Sometimes, a proposal that looks like a security patch is not, in fact, intended to be a security patch, but getting that point across can be difficult.
GNU Stow 2.4.0 released
Version 2.4.0 of the GNU Stow symbolic-link manager has been released. This marks the first release for GNU Stow since 2019. Maintainer Adam Spiers wrote:
Security updates for Monday
Security updates have been issued by Debian (jetty9, libcaca, libgd2, tomcat9, and util-linux), Fedora (chromium, micropython, and upx), Mageia (chromium-browser-stable, dav1d, libreswan, libvirt, nodejs, texlive-20220321, and util-linux), Red Hat (less, nodejs:20, and varnish), Slackware (tigervnc), and SUSE (buildah, c-ares, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, cont, curl, expat, go1.21, go1.22, guava, helm, indent, krb5, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libcares2, libvirt, ncurses, nghttp2, podman, postfix, python-Django, python-Pillow, python310, qemu, rubygem-rack, thunderbird, ucode-intel, and xen).
Kernel prepatch 6.9-rc3
The 6.9-rc3 kernel prepatch is out for testing.
Tridge returns to rsync
Wayne Davison has announced the release of rsync version 3.3.0, which contains a number of bug fixes and minor enhancements. Davison has also announced a change in maintainers and a move to a new GitHub project:
[$] A look at the 2024 Debian Project Leader election
The nominations have closed and campaigning is underway to see who will be the next Debian Project Leader (DPL). This year, two candidates are campaigning for the position Jonathan Carter has held for four eventful years: Sruthi Chandran and Andreas Tille. Topics that have emerged so far include how the prospective DPLs would spend project money, their opinions on handling controversial topics, and project diversity.
OpenBSD 7.5 released
OpenBSD 7.5 has been released. The list of changes and improvements is, as usual, long; it includes the pinsyscalls() functionality covered here in January.
Eclipse Foundation announces collaboration for CRA compliance
The Eclipse Foundation, the organization behind the Eclipse IDE and many other software projects, announced a collaboration between several different open-source-software foundations to create a specification describing secure software development best practices. This work is motivated by the European Union's Cyber Resilience Act (CRA).
FFmpeg 7.0 released
Version 7.0 of the FFmpeg audio/video toolkit is out. "The most noteworthy changes for most users are a native VVC decoder (currently experimental, until more fuzzing is done), IAMF support, or a multi-threaded ffmpeg CLI tool". There's also the usual list of new formats and codecs, and a few deprecated features have been removed.
Security updates for Friday
Security updates have been issued by Debian (cockpit), Mageia (python-pygments), Red Hat (nodejs), Slackware (httpd and nghttp2), SUSE (avahi, gradle, gradle-bootstrap, and squid), and Ubuntu (xorg-server, xwayland).
Stable kernels 6.8.4 and 6.6.25
The 6.8.4 and 6.6.25 stable kernels have been released. They both contain 11 reversions of workqueue patches.
V8 incorporates new sandbox
V8, the JavaScript engine used in Chrome, announced that its memory sandbox is no longer experimental.
[$] A focus on FOSS funding
Among the numerous approaches to funding the development and advancement of open-source software, corporate sponsorship in the form of donations to umbrella organizations is perhaps the most visible. At SCALE21x in Pasadena, California, Duane O'Brien presented a slice of his recent research into the landscape of such sponsorship arrangements, with an overview of the identifiable trends of the past ten years and some initial insights he hopes are valuable for sponsors and community members alike.
Incus 6.0 LTS released
Version 6.0 LTS of the Incus container management system has been released. "This is a major milestone for Incus as it marks our first release with extended support, suitable for use in production environments where monthly feature releases aren't suitable." Changes include swap limits for containers, a new shell completion mechanism, support for the creation of VLAN interfaces, improved live migration, and more.
Security updates for Thursday
Security updates have been issued by CentOS (firefox and thunderbird), Debian (chromium and gtkwave), Fedora (micropython), Slackware (xorg), SUSE (util-linux and xen), and Ubuntu (firefox).
[$] LWN.net Weekly Edition for April 4, 2024
The LWN.net Weekly Edition for April 4, 2024 is available.
AlmaLinux OS - CVE-2024-1086 and XZ (AlmaLinux blog)
AlmaLinux has announced updated kernels for AlmaLinux 8 and 9 to address CVE-2024-1086, a use-after-free vulnerability in the kernel that could be exploited to gain local privilege escalation. This is notable because the fix marks a divergence between AlmaLinux and Red Hat Enterprise Linux (RHEL):
Malcolm: Improvements to static analysis in the GCC 14 compiler
David Malcolm writes about some static-analyzer features that are coming in the GCC 14 release.
Four stable kernel updates
The 6.8.3, 6.7.12, 6.6.24, and 6.1.84 stable kernel updates have been released. Each contains an important set of fixes. Note that 6.7.12 is the final release for the 6.7.y series, and that branch is now end-of-life. Users should move to the 6.8.y branch.
[$] A memory model for Rust code in the kernel
The Rust programming language differs from C in many ways; those differences tend to be what users admire in the language. But those differences can also lead to an impedance mismatch when Rust code is integrated into a C-dominated system, and it can be even worse in the kernel, which is not a typical C program. Memory models are a case in point. A programming language's view of memory is sufficiently fundamental and arcane that many developers never have to learn much about it. It is hard to maintain that sort of blissful ignorance while working in the kernel, though, so a recent discussion of how to choose a memory model for kernel code in Rust is of interest.
KDE6 release: D-Bus and Polkit Galore (SUSE security team blog)
The SUSE Security Team Blog is carrying a detailed article on SUSE's review of the KDE6 release.
Security updates for Wednesday
Security updates have been issued by Debian (py7zr), Fedora (biosig4c++ and podman), Oracle (kernel, kernel-container, and ruby:3.1), Red Hat (.NET 7.0, bind9.16, curl, expat, grafana, grafana-pcp, kernel, kernel-rt, kpatch-patch, less, opencryptoki, and postgresql-jdbc), and Ubuntu (cacti).
Redict 7.3.0 released
The first stable release of Redict, a fork of the Redis in-memory database under a copyleft license, has been announced.
[$] How the XZ backdoor works
Versions 5.6.0 and 5.6.1 of the XZ compression utility and library were shipped with a backdoor that targeted OpenSSH. Andres Freund discovered the backdoor by noticing that failed SSH logins were taking a lot of CPU time while doing some micro-benchmarking, and tracking down the backdoor from there. It was introduced by XZ co-maintainer "Jia Tan" - a probable alias for person or persons unknown. The backdoor is a sophisticated attack with multiple parts, from the build system, to link time, to run time.
[$] Free software's not-so-eXZellent adventure
A common theme in early-days anti-Linux FUD was that, since anybody can contribute to the code, it cannot be trusted. Over two decades later, one rarely hears that line anymore; experience has shown that free-software communities are not prone to shipping overtly hostile code. But, as the backdooring of XZ has reminded us, the embedding of malicious code is, unfortunately, not limited to the proprietary realm. Our community will be busy analyzing this incident for some time to come, but clear conclusions may be hard to come by.
Security updates for Tuesday
Security updates have been issued by Fedora (kernel and webkitgtk), Mageia (unixODBC and w3m), and SUSE (libvirt, netty, netty-tcnative, and perl-DBD-SQLite).
[$] Improving performance with SCHED_EXT and IOCost
At SCALE this year Dan Schatzberg and Tejun Heo, both from Meta, gave back-to-back talks about some of the performance-engineering work that they do there. Schatzberg presented on the extensible BPF scheduler, which has been discussed extensively on the kernel mailing list. Heo presented on IOCost - a control group (cgroup) I/O controller optimized for solid-state disks (SSDs) - and the benchmark suite that is necessary to make it work well on different models of disk.
NetBSD 10.0 released
Version 10.0 of the NetBSD system has been released.
Security updates for Monday
Security updates have been issued by Arch Linux (xz), Debian (libvirt, mediawiki, util-linux, and xz-utils), Fedora (apache-commons-configuration, cockpit, ghc-base64, ghc-hakyll, ghc-isocline, ghc-toml-parser, gitit, gnutls, pandoc, pandoc-cli, patat, podman-tui, prometheus-podman-exporter, seamonkey, suricata, and xen), Gentoo (XZ utils), Mageia (aide & mhash, emacs, microcode, opensc, and squid), Red Hat (ruby:3.1), and SUSE (kanidm and qpid-proton).
Kernel prepatch 6.9-rc2
The 6.9-rc2 kernel prepatch is out for testing. "Neither snow nor rain nor heat nor gloom of night stays kernel rc releases. Nor does Easter."