LWN.net

Security updates have been issued by Debian (apache2 and cockpit), Fedora (firefox, kernel, mbedtls, python-cbor2, wireshark, and yyjson), Mageia (nghttp2), Red Hat (kernel, kernel-rt, opencryptoki, pcs, shim, squid, and squid:4), Slackware (firefox), SUSE (emacs, firefox, and kernel), and Ubuntu (linux-aws, linux-aws-5.15, linux-aws-6.5, linux-raspi, and linux-iot).

The recent XZ backdoor has sparked a lot of discussion about how the open-sourcecommunity links and packages software. One possiblesecurity improvement being discussedis changing howprojects like systemd link to dynamic libraries that are only used foroptional functionality: usingdlopen() to load those libraries onlywhen required. This couldshrink the attack surface exposed by dependencies, but the approach is notwithout downsides - most prominently, it makes discovering which dynamiclibraries a program depends on harder.On April 11, Lennart Poettering proposed one way to eliminate that problemin a systemd RFC on GitHub.

Fedora40Beta was releasedon March26, and the final release is nearing completion. So far,the release is coming together nicely with majorupdates for GNOME, KDEPlasma, and the usual cavalcade ofsmaller updates and enhancements. As part of the release, the project also scuttled DeltaRPMs and OpenSSL 1.1.

Version0.81 of the PuTTY SSH client is out with a fix for CVE-2024-31497;some users will want to update and generate new keys:

Security updates have been issued by Debian (php7.4 and php8.2), Fedora (c-ares), Mageia (python-pillow and upx), Oracle (bind and dhcp, bind9.16, httpd:2.4/mod_http2, kernel, rear, and unbound), SUSE (eclipse, maven-surefire, tycho, emacs, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, nodejs16, nodejs18, nodejs20, texlive, vim, webkit2gtk3, and xen), and Ubuntu (gnutls28, klibc, libvirt, nodejs, and webkit2gtk).

The Open Source Security Foundation and the OpenJS Foundation have jointlyposted awarning about XZ-like social-engineering attacks after OpenJS wasseemingly targeted.

Kumar Kartikeya Dwivedi has been working to add support for exceptions to BPFsince mid-2023. In July, Dwivedi postedthe first patch set in this effort, which adds support for basic stack unwinding.In February 2024, he postedthe second patch setaimed at letting the kernel release resources held by the BPF program when anexception occurs. This makes exceptions usable in many more contexts.

Security updates have been issued by AlmaLinux (bind, bind and dhcp, bind9.16, gnutls, httpd:2.4/mod_http2, squid:4, and unbound), Debian (kernel, trafficserver, and xorg-server), Fedora (chromium, kernel, libopenmpt, and rust-h2), Mageia (apache-mod_jk, golang, indent, openssl, perl-HTTP-Body, php, rear, ruby-rack, squid, varnish, and xfig), Oracle (bind, squid, unbound, and X.Org server), Red Hat (bind and dhcp and unbound), Slackware (less and php), SUSE (gnutls, python-Pillow, webkit2gtk3, xen, xorg-x11-server, and xwayland), and Ubuntu (yard).

The 6.9-rc4 kernel prepatch is out fortesting. "Nothing particularly unusual going on this week - some new hwmitigations may stand out, but after a decade of this I can't really callit 'unusual' any more, can I?"

The6.8.6,6.6.27,6.1.86,5.15.155,5.10.215,5.4.274, and4.19.312stable kernel updates have all been released; each contains a relativelylarge number of important fixes.

The kernel project merges dozens of drivers with every development cycle,and almost every one of those drivers is entirely uncontroversial.Occasionally, though, a driver submission raises wider questions, leadingto lengthy discussion and, perhaps, opposition. That is currently the casewith two separate drivers, both with ties to the networking subsystem. Oneof them is hung up on questions of whether (and how) all devicefunctionality should be made available to user space, while the other hasrun into turbulence because it drives a device that is unobtainable outsideof a single company.

Dirk Mueller has posted alengthy analysis of the XZ backdoor on the openSUSE News site, with afocus on openSUSE's response.

Security updates have been issued by Debian (chromium), Fedora (rust, trafficserver, and upx), Mageia (postgresql-jdbc and x11-server, x11-server-xwayland, tigervnc), Red Hat (bind, bind9.16, gnutls, httpd:2.4, squid, unbound, and xorg-x11-server), SUSE (perl-Net-CIDR-Lite), and Ubuntu (apache2, maven-shared-utils, and nss).

The Earliest Virtual Deadline First (EEVDF)scheduler was merged as an option for the 6.6 kernel. It represents amajor change to how CPU scheduling is done on Linux systems, but the EEVDFfront has been relatively quiet since then. Now, though, schedulerdeveloper Peter Zijlstra has returned from a long absence to post a patchseries intended to finish the EEVDF work. Beyond some fixes, this workincludes a significant behavioral change and a new feature intended to helplatency-sensitive tasks.

Security updates have been issued by AlmaLinux (kernel, less, libreoffice, nodejs:18, nodejs:20, rear, thunderbird, and varnish), Debian (pillow), Fedora (dotnet7.0), SUSE (sngrep, texlive-specs-k, tomcat, tomcat10, and xorg-x11-server), and Ubuntu (nss, squid, and util-linux).

The LWN.net Weekly Edition for April 11, 2024 is available.

The Gentoo Linux project has announcedthat it is now an Associated Project of Software in the Public Interest(SPI), which will allow it to accept tax deductible donations in theUS and reduce its "non-technical workload":

Greg Kroah-Hartman has announced another round of stable kernelupdates: 6.8.5, 6.6.26, 6.1.85, and 5.15.154 have all been released; eachcontains another set of important fixes, including the mitigations for therecently disclosed branch history injectionhardware vulnerability.

A recent book by LWN guest author Lee Phillips provides a nice introduction to the Julia programming language.Practical Juliadoes more than that, however. As its subtitle ("A Hands-On Introductionfor Scientific Minds") implies, the book focuses on bringing Julia toscientists, rather than programmers, which gives it something of adifferent feel from most other books of this sort.

On April 3 security researcher Bartek Nowotarskipublished the details of a new denial-of-service (DoS)attack, called a "continuation flood", against manyHTTP/2-capable webservers. While the attack is not terribly complex, it affects many independentimplementations of the HTTP/2 protocol, even though multiplesimilar vulnerabilities over the years have given implementers plenty of warning.

Security updates have been issued by Debian (gtkwave), Fedora (dotnet7.0, dotnet8.0, and python-pillow), Mageia (apache, gstreamer1.0, libreoffice, perl-Data-UUID, and xen), Oracle (kernel, kernel-container, and varnish), Red Hat (edk2, kernel, rear, and unbound), SUSE (apache2-mod_jk, gnutls, less, and xfig), and Ubuntu (bind9, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-azure, linux-azure-6.5, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-starfive, linux-starfive-6.5, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux-azure, and xorg-server, xwayland).

The mainline kernel has just received a set of commits mitigating thelatest x86 hardware vulnerability, known as "branch history injection".From this commit:

On February 20, Linaro held the initialget-together for what is intended to be a regular Linux Kernel Forum forthe Arm-focused kernel community. This gathering aims to conveneapproximately a few weeks prior to the merge window opening and prior tothe release of the current kernel version under development. Topicscovered in the first gathering include preparing 64-bit Arm kernels forlow-end embedded systems, memory errors and Compute ExpressLink (CXL), devlink objectives, and scheduler integration.

Version 3.3.0 of the OpenSSL SSL/TLS implementation has been released.Changes include a number of additions to its QUIC protocol support, someyear-2038 improvements for 32-bit systems, and a lot of cryptographicfeatures with descriptions like "Added a new EVP_DigestSqueeze()API. This allows SHAKE to squeeze multiple times with different outputsizes." See the releasenotes for details.

There are many mechanisms for deferred work in the Linux kernel. One of them,workqueues, has seen increasing use as part ofthe move away from software interrupts. Alison Chaiken gave a talkat SCALEabout how they compare to software interrupts, the new challenges they pose forsystem administrators, and what tools are available tokernel developers wishing to diagnose problems with workqueues as they becomeincreasingly prevalent.

Security updates have been issued by Debian (expat), Oracle (less and nodejs:20), Slackware (libarchive), SUSE (kubernetes1.23, nghttp2, qt6-base, and util-linux), and Ubuntu (python-django).

Version 4.2.0 of the Rivendellradio automation system has been released. Changes include a new datafeed for 'next' data objects, improvements to its podcast system,numerous bug fixes, and more.

The Google Open Source Blog is carrying anannouncement for a new JPEG library called "Jpegli". There are anumber of advantages claimed, including:

Sometimes the smallest patches create the biggest discussions. A case inpoint would be the process by which the PostgreSQL community - not a groupnormally prone to extended, strongly worded megathreads - resolved the question ofwhether to merge a brief patch adding a new configuration parameter. Sometimes, a proposal that looks like a security patch is not, infact, intended to be a security patch, but getting that point across can bedifficult.

Version 2.4.0 of the GNU Stow symbolic-link manager has been released.This marks the first release forGNU Stow since 2019. MaintainerAdam Spires wrote:

Security updates have been issued by Debian (jetty9, libcaca, libgd2, tomcat9, and util-linux), Fedora (chromium, micropython, and upx), Mageia (chromium-browser-stable, dav1d, libreswan, libvirt, nodejs, texlive-20220321, and util-linux), Red Hat (less, nodejs:20, and varnish), Slackware (tigervnc), and SUSE (buildah, c-ares, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, curl, expat, go1.21, go1.22, guava, helm, indent, krb5, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libcares2, libvirt, ncurses, nghttp2, podman, postfix, python-Django, python-Pillow, python310, qemu, rubygem-rack, thunderbird, ucode-intel, and xen).

The 6.9-rc3 kernel prepatch is out fortesting.

Wayne Davison has announcedthe release of rsync version 3.3.0, whichcontains a number of bug fixes and minor enhancements. Davison hasalso announced a change in maintainers and a move to a new GitHubproject:

The nominations have closed and campaigning is underway to see whowill be the next DebianProject Leader (DPL). This year, twocandidates are campaigning for the position Jonathan Carter hasheld for four eventful years: Sruthi Chandran andAndreas Tille. Topics that have emerged so far include how theprospective DPLs would spend project money, their opinions on handlingcontroversial topics, and project diversity.

OpenBSD 7.5 has been released. The list of changes and improvements is, asusual, long; it includes the pinsyscalls() functionality coveredhere in January.

The Eclipse Foundation, the organizationbehind the Eclipse IDE and many other software projects, announceda collaboration between several different open-source-software foundations tocreate a specification describing secure software development best practices.This work is motivated by the European Union's Cyber Resilience Act (CRA).

Version 7.0 of theFFmpeg audio/video toolkit is out. "The most noteworthy changes formost users are a native VVC decoder (currently experimental, until morefuzzing is done), IAMF support, or a multi-threaded ffmpeg CLI tool".There's also the usual list of new formats and codecs, and a few deprecatedfeatures have been removed.

Security updates have been issued by Debian (cockpit), Mageia (python-pygments), Red Hat (nodejs), Slackware (httpd and nghttp2), SUSE (avahi, gradle, gradle-bootstrap, and squid), and Ubuntu (xorg-server, xwayland).

The 6.8.4 and 6.6.25 stable kernels have been released.They both contain 11 reversions of workqueue patches.

V8, the JavaScript engine used in Chrome,announcedthat its memory sandbox is no longer experimental.

Among the numerous approaches to funding the development and advancement ofopen-source software, corporate sponsorship in the form of donations to umbrellaorganizations is perhaps the most visible. At SCALE21x in Pasadena, California, Duane O'Brienpresenteda slice of his recent research into the landscape of such sponsorship arrangements,with an overview of the identifiable trends of the past ten years and some initialinsights he hopes are valuable for sponsors and community members alike.

Version6.0 LTS of the Incus container management system has been released."This is a major milestone for Incus as it marks our first release withextended support, suitable for use in production environments where monthlyfeature releases aren't suitable." Changes include swap limits forcontainers, a new shell completion mechanism, support for the creation ofVLAN interfaces, improved live migration, and more.

Security updates have been issued by CentOS (firefox and thunderbird), Debian (chromium and gtkwave), Fedora (micropython), Slackware (xorg), SUSE (util-linux and xen), and Ubuntu (firefox).

The LWN.net Weekly Edition for April 4, 2024 is available.

AlmaLinux has announcedupdated kernels for AlmaLinux 8 and 9 to address CVE-2024-1086, ause-after-free vulnerability in the kernel that could be exploited togain local privilege escalation. This is notable because the fixmarks a divergence between AlmaLinux and Red Hat Enterprise Linux (RHEL):

David Malcolm writesabout some static-analyzer features that are coming in the GCC14release.

The 6.8.3, 6.7.12, 6.6.24, and 6.1.84 stable kernel updates have beenreleased. Each contains an important set of fixes. Note that 6.7.12 isthe final release for the 6.7.y series, and that branch is nowend-of-life. Users should move to the 6.8.y branch.

The Rust programming language differs from C in many ways; thosedifferences tend to be what users admire in the language. But thosedifferences can also lead to an impedance mismatch when Rust code isintegrated into a C-dominated system, and it can be even worse in thekernel, which is not a typical C program. Memory models are a case inpoint. A programming language's view of memory is sufficiently fundamentaland arcane that many developers never have to learn much about it. It ishard to maintain that sort of blissful ignorance while working in thekernel, though, so a recent discussion of how to choose a memory model forkernel code in Rust is of interest.

The SUSE Security Team Blog is carrying adetailed article on SUSE's review of the KDE6 release.

Security updates have been issued by Debian (py7zr), Fedora (biosig4c++ and podman), Oracle (kernel, kernel-container, and ruby:3.1), Red Hat (.NET 7.0, bind9.16, curl, expat, grafana, grafana-pcp, kernel, kernel-rt, kpatch-patch, less, opencryptoki, and postgresql-jdbc), and Ubuntu (cacti).