Security updates have been issued by Debian (ffmpeg, libxml2, python-django, python-scciclient, and xen), Fedora (ghc-cmark-gfm, java-latest-openjdk, and vim), Mageia (expat, ntfs-3g, and wkhtmltopdf), Oracle (kernel), Slackware (sudo), and SUSE (expat, libxml2, rubygem-loofah, and xmlbeans).
The 6.1-rc4 kernel prepatch is out fortesting. "So as hoped for (and expected), things seem to be starting to calmdown, and rc4 is a pretty normal size for this stage in the process".
Version 4.8 of the SystemTap tracing tool is out. "Enhancements to this release include: kernel runtime improvementson multi-CPU systems, python3 tapset support through python3.11,tapset and template script for cve livepatching, bpf backendembedded-code assembler improvements".
The search for better performance from the kernel never ends. Recentlythere has been a stream of smaller patches that promise incrementalperformance gains, at least for some types of applications. Read on for anoverview of two of those patches, which make changes to the epoll systemcalls and to NUMA balancing. This work shows where developers are lookingfor performance improvements — and that not everybody measures performancethe same way.
Security updates have been issued by Debian (clickhouse, distro-info-data, and ntfs-3g), Fedora (firefox), Oracle (kernel), Slackware (mozilla), and SUSE (python-Flask-Security-Too).
Security updates have been issued by Debian (pypy3), Fedora (drupal7, git, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, and php), Oracle (kernel, lua, openssl, pcs, php-pear, pki-core, python3.9, and zlib), Red Hat (kernel, kernel-rt, kpatch-patch, lua, openssl-container, pcs, php-pear, pki-core, python3.9, and zlib), Scientific Linux (kernel, pcs, and php-pear), SUSE (EternalTerminal, hsqldb, ntfs-3g_ntfsprogs, privoxy, rubygem-actionview-4_2, sqlite3, and xorg-x11-server), and Ubuntu (ntfs-3g, python3.10, and sqlite3).
The first Image-Based Linux Summit washeld in Berlin on October 5 and 6, 2022. The main goal of this summit was toagree on common concepts and tooling for how to build, deploy, and run modern,secure, image-based Linux distributions — a project that that the organizers,Christian Brauner, Luca Boccassi, and Lennart Poettering, have been working onfor some time. The result was a more refined vision of how Linux systemscan be built and deployed securely.
Greg Kroah-Hartman has announced the release of the 6.0.7, 5.15.77, 5.10.153, 5.4.223, 4.19.264, 4.14.298, and 4.9.332 stable kernels. As usual, theycontain important fixes throughout the kernel tree.
Version1.65.0 of the Rust language has been released. Improvements includegeneric associated types, a new let...else statement, and theability to break from labeled blocks:
It is not often that you see a Fedora change proposal for a version of thedistribution that will not be available for 18 months or so, but thatis exactly what was recently posted to the mailing list. The change targets the C source code in the myriad of packages that thedistribution ships; it would fix code that uses some ancient compatibilityfeatures that were removed by the C99 standard but are still supported byGCC. As might be guessed from the long runway proposed, there is quite a bit of work to do to get there.
Security updates have been issued by Debian (ffmpeg and linux-5.10), Fedora (libksba, openssl, and php), Gentoo (openssl), Mageia (curl, gdk-pixbuf2.0, libksba, nbd, php, and virglrenderer), Red Hat (kernel, kernel-rt, libksba, and openssl), SUSE (gnome-desktop, hdf5, hsqldb, kernel, nodejs10, openssl-3, php7, podofo, python-Flask-Security, python-lxml, and xorg-x11-server), and Ubuntu (backport-iwlwifi-dkms, firefox, ntfs-3g, and openssl).
The5.4.222,4.19.263, and4.14.297stable kernel updates have been released. The first two contain a singlepatch for a Clang compilation error; 4.14.297, instead, has a number offixes and speculative-execution mitigations.
At the recently concluded Netdev0x16 conference, which was held both in Lisbon, Portugal and virtually,Stanford professor John Ousterhout gave his personal views on wherenetworking in data centers needs to be headed. To solve the problems thathe sees, he suggested some "fairly significant changes" to thoseenvironments, including leaving behind the venerable—ubiquitous—TCPtransport protocol. While LWN was unable to attend the conference itself,due to scheduling and time-zone conflicts, we were able to view the video ofOusterhout's keynote talk to bring you this report.
The much-anticipated OpenSSL 3.0.7 release, which fixes some high-risksecurity problems, is available. The releasenotes list two vulnerabilities (CVE-2022-3786 and CVE-2022-3602) thathave not yet been documented on the OpenSSLvulnerabilities page. LWN commenter mat2 has provided the relevant information, though. Itis worth updating quickly, but many sites do not appear to be at immediaterisk.Update: the associated securityadvisory is now available.
Security updates have been issued by Debian (python3.7), Gentoo (android-tools, expat, firefox, libjxl, libxml2, pjproject, sqlite, thunderbird, and zlib), Oracle (compat-expat1), Slackware (php8 and vim), SUSE (kernel, libtasn1, podman, and pyenv), and Ubuntu (libtasn1-6).
Systemd version 252 has been released. As usual, the list of changes islong. It includes a new systemd-measure tool for the calculation of PCRvalues and a bunch of infrastructure to use the result for disk encryption:
The Linux security module (LSM) mechanism was created as a result of the first Kernel Summit in 2001; it wasdesigned to allow the development of multiple approaches to Linux security.That goal has been met; there are several security modules available withcurrent kernels. The LSM subsystem was not designed, though, to allowmultiple security modules to work together on the same system. Developershave been working to rectify that problem almost since the LSM subsystemwas merged, but with limited success; some small security modules can bestacked on top of the "major" ones, but arbitrary stacking is not possible.Now, a full 20 years aftersecurity-module support went into the 2.5 development kernel series, itlooks like a solution to the stacking problem may finally be gettingcloser.
Version 4.4 of the GNU make utility is out. There is a long list ofchanges and a fair number of potential compatibility issues; see theannouncement text for all the details.
The 5.10.151 kernel was released onOctober 28 with a small fix to the PAHOLE_FLAGS in the kernelbuild. October 29 saw the release of the 6.0.6, 5.15.76, and 5.4.221 stable kernels, each with the usualcollection of important fixes throughout the tree.Update: 5.10.152 has now also beenreleased with another set of important fixes.
Linux distributions were, as a general rule, designed during an era whenmost software of interest was written in C; as a result, distributionsare naturally able to efficiently package C applications and the librariesthey depend on. Modern languages, though, tend to be built around theirown package-management systems that are designed with different goals inmind. The result is that, for years, distributors have struggled to findthe best ways to package and ship applications written in those languages.A recent discussion in the Fedora community on the packaging of Rustapplications shows that the problems have not yet all been solved.
Fedora releases have traditionally happened later than their target date,though the project has done better on that score in recent years. BenCotton has announced inFedora Magazine that the upcoming Fedora 37 release, initially plannedfor October 25, won't be happening until November 15. Theimmediate cause is animpending OpenSSL update which fixes a vulnerability described as"critical".
The practice of requiring copyright assignments for contributions tofree-software projects has been in decline for years; the GNU Binutilsproject may be thelatest domino to fall in that regard. The Linux kernel project,unlike some others, has always allowed contributors to retain their copyrights,resulting in a code base that has widely distributed ownership. In such aproject, who owns the copyright to a given piece of code is not alwaysobvious. Somedevelopers (or their employers) are insistent about the placement ofcopyright notices in the code to document their ownership of parts of thekernel. A series of recent discussions within the Btrfs subsystem, though,has made it clear that there is no project-wide policy on when thesenotices are warranted — or even acceptable.
Mara Bos has written a lengthyblog post on whether the Rust language needs to be standardized.The answer is "no" — but she draws a distinction between a "standard"(maintained by some distant standards body) and a "specification".
Python has lots of different options for mutable data structures, bothdirectly in the language and in the standard library. Lists, dictionaries (or "dicts"), andsets are the foundation, but two of those maintain an order based on howthe elements are added, while sets do not. A recent discussion on the Python Discourse forum raised theidea of adding an ordered variant of sets; while it does not look likethere is a big push to add the feature, the discussion did show some ofwhat is generally needed to get new things into the language—and could welllead to its inclusion.
Arturo Borrero González has posted a detailedsummary of the Netfilter workshop that was recently held in Seville."This year, the number of participants was just eight people, and thisallowed the setup to be a bit more informal. We had kind of anun-conference style meeting, in which whoever had something prepared justwent ahead and opened a topic for debate."(Thanks to Paul Wise).
The6.0.4,5.15.75,5.10.150,5.4.220,4.19.262,4.14.296, and4.9.331stable kernel updates have all been released; each contains a relativelylarge set of important fixes. The 6.0.5update followed about 90 seconds later with a couple of additionalsmall fixes.
The QEMU emulator has a sizable set ofstorage features, including disk-image file formats like qcow2, snapshots, incremental backup, and storage migration, which are available to virtualmachines. This software-defined storage functionality that is availableinside QEMU has not been easily accessible outside of it, however. Kevin Wolf and Stefano Garzarellapresented at KVM Forum 2022 on the new qemu-storage-daemon program and the libblkiolibrary that make QEMU's storage functionality available even when the goalis not to run a virtual machine (VM).
Security updates have been issued by Debian (libbluray and wkhtmltopdf), Fedora (firefox, libksba, libmodsecurity, libxml2, qemu, and xmlsec1), Red Hat (389-ds-base, 389-ds:1.4, git-lfs, gnutls, java-1.8.0-ibm, kernel, kernel-rt, kpatch-patch, libksba, mysql:8.0, pki-core, postgresql:12, samba, sqlite, and zlib), Scientific Linux (389-ds-base, libksba, and pki-core), SUSE (bluez, firefox, jdom, kernel, libosip2, libxml2, multipath-tools, and python-Mako), and Ubuntu (barbican, mysql-5.7, mysql-8.0, openvswitch, and pillow).
Version3.11.0 of the Python language has been released."In the CPython release team, we have put a lot of effort into making3.11 the best version of Python possible. Better tracebacks, faster Python,exception groups and except*, typing improvements and much more."Among other things, this release claims a 1.22x speedup on the standardbenchmark suite thanks to the FasterCPython work.
Among the many quirks that make the C language so charming is the set ofbehaviors thatit does not define; these include whether a char variable is asigned quantity or not. The distinction often does not make a difference,but there are exceptions. Kernel code, which runs on many differentarchitectures, is where exceptions can certainly be found. A recentattempt to eliminate the uncertain signedness of char variablesdid not get far — at least not in the direction it originally attempted togo.
Greg Kroah-Hartman has announced the release of the 5.19.17 stable kernel. "Note this is theLAST 5.19.y kernel to be released. This branch is now end-of-life. You should move to the 6.0.y branch at this point in time."
The second 6.1 kernel prepatch is out fortesting. "Usually rc2 is a pretty quiet week, and it mostly started outthat way too, but then things took a turn for the strange. End result:6.1-rc2 ended up being unusually large."
All memory accesses in a BPF program arestatically checked for safety using the verifier, which analyzes the program in itsentirety before allowing it to run. While this allows BPF programs tosafely run in kernel space, it restricts how that program is able to usepointers. Until recently, one such constraint was that the size of a memoryregion referenced by a pointer in a BPF program must be statically knownwhen a BPF program is loaded. A recentpatch set by Joanne Koong enhances BPF to support loading programs withpointers to dynamically sized memory regions.
Security updates have been issued by Fedora (poppler), Oracle (firefox and thunderbird), Red Hat (firefox, java-1.8.0-openjdk, java-11-openjdk, and java-17-openjdk), SUSE (bind, clone-master-clean-up, grafana, libksba, python3, tiff, and v4l2loopback), and Ubuntu (libreoffice).
Part of the early appeal of the World Wide Web was the promise that anybodycould create a site and publish interesting content to the world. A fewdecades later, that promise seems to have been transformed into the ability toprovide content for a small number of proprietary platforms run by hugecorporations.But, arguably, the dream of widespread independent publishing is enjoying aresurgence. The Ghost publishing platformis built around the goal of making publishing technology — and the abilityto make money from it — available with free software.
LWN.net