DNS resolvers (those that handle DNSSEC, at least) are almost uniformlyvulnerable to an exploitthat has been named "KeyTrap". In short, the right type of packet cansend a DNS system into something close to an infinite loop, taking it outof service indefinitely.
Qubes OS is a security-focused desktop Linux distribution built on Fedora Linux and the Xen hypervisor. Qubes uses virtualization to run applications, system services, and devices access via virtual machines called "qubes" that have varying levels of trust and persistence to provide an open-source "reasonably secure" operating system with "serious privacy". The Qubes 4.2.0 release, from December 2023, brings a number of refinements to make Qubes OS easier to manage and use.
Security updates have been issued by Fedora (freeglut, hugin, libmodsecurity, qemu, rust-asyncgit, rust-bat, rust-cargo-c, rust-eza, rust-git-absorb, rust-git-delta, rust-git2, rust-gitui, rust-libgit2-sys, rust-lsd, rust-pore, rust-pretty-git-prompt, rust-shadow-rs, rust-silver, rust-tokei, and rust-vergen), Mageia (packages, radare2, ruby-rack, and wireshark), Oracle (.NET 8.0 and python-pillow), Red Hat (gimp:2.8, java-1.8.0-ibm, and kpatch-patch), SUSE (dpdk and opera), and Ubuntu (bind9, curl, linux-raspi, linux-raspi-5.4, node-ip, and tiff).
Spritely is a project seeking tobuild a platform for sovereign distributed applications - applications whereusers run their own nodes in order to control their own data - as the basis of anew social internet.While there are many such existingprojects, Spritely takes an unusual approach based on a newinteroperable protocol forefficient, secure remote procedure calls (RPC). The project is in its early stages,with many additional features planned, but it is already possible to play aroundwith Goblins, the distributedactor library that Spritely intends to build on.
Security updates have been issued by Debian (engrampa, openvswitch, pdns-recursor, and runc), Fedora (caddy, expat, freerdp, libgit2, libgit2_1.6, mbedtls, python-cryptography, qt5-qtbase, and sudo), Gentoo (Apache Log4j, Chromium, Google Chrome, Microsoft Edge, CUPS, e2fsprogs, Exim, firefox, Glade, GNU Tar, intel-microcode, libcaca, QtNetwork, QtWebEngine, Samba, Seamonkey, TACACS+, Thunar, and thunderbird), Mageia (dnsmasq, unbound, and vim), Oracle (container-tools:4.0, container-tools:ol8, dotnet6.0, dotnet7.0, kernel, nss, openssh, and sudo), Red Hat (python-pillow), and SUSE (bitcoin, dpdk, libssh, openvswitch, postgresql12, and postgresql13).
The 6.8-rc5 kernel prepatch is out fortesting. "Absolutely nothing stands out here, although I do wishthings should have calmed down a bit more at this point in the releaseprocess."
Greg Kroah-Hartman has announced the release of the 6.7.5, 6.6.17,and 6.1.78 stable kernels. As is the norm,they contain important fixes throughout the kernel tree. So far, there are nonew CVEs reported onthe linux-cve-announce mailing list, which means that the new kernel CVE numbering authority (CNA)powers have not yet been used.
The futexmechanism provided by the kernel allows for the creation of efficient andflexible locking primitives in user space. Futexes work well for manyapplications, but not all. One of the exceptions, it seems, is thatperennially difficult-to-support use case: Windows games. With thispatch series, Elizabeth Figura seeks to provide the sort of lockingthat those games need, by way of a special-purpose virtual device.
Security updates have been issued by Mageia (bind), Red Hat (.NET 8.0 and kpatch-patch), SUSE (golang-github-prometheus-alertmanager, java-1_8_0-openj9, kernel, libaom, openssl-3, postgresql15, salt, SUSE Manager Client Tools, SUSE Manager Server 4.3, and webkit2gtk3), and Ubuntu (shadow).
At FOSDEM2024 in Brussels, theAI and MachineLearning devroom hosted several talks about open-source AI models. Withtalks about a definition of open-source AI, "ethical" restrictions inlicenses, and the importance of open data sets, in particular fornon-English languages, the devroom provided an overview of the current stateof the domain.
Security updates have been issued by Debian (edk2, postgresql-13, and postgresql-15), Fedora (engrampa, vim, and xen), Mageia (mbedtls and quictls), Oracle (nss, openssh, and tcpdump), Red Hat (.NET 8.0), SUSE (hugin, kernel, pdns-recursor, python3, tomcat, and tomcat10), and Ubuntu (clamav, edk2, linux-gcp-6.2, linux-intel-iotg-5.15, linux-oem-6.1, and ujson).
The Fedora Project is working toward the releaseof Fedora Linux 40, and (as with each release) that means changesto the way the project works and the software included in its repositories. Mostof the changesset for Fedora 40 are uncontroversial, but one change is causing quitea stir. The KDE Special Interest Group's (SIG) proposal to adopt KDE Plasma 6 with only Wayland session support, which it interpreted as a mandate to block any X11 packages for Plasma. Others saw it as overreach by the SIG, and an attempt to block users and contributors from maintaining software they needed.
The Common Vulnerabilities andExposures (CVE) system was set up in 1999 as a way to referunambiguously to known vulnerabilities in software. That system has founditself under increasing strain over the years, and numerous projects haveresponded by trying to assert greater control over how CVE numbers areassigned for their code. On February 13, though, a big shoe dropped whenthe Linux kernel project announcedthat it, too, was taking control of CVE-number assignments. As is oftenthe case, though, the kernel developers are taking a different approach tovulnerabilities, with possible implications for the CVE system as a whole.
Security updates have been issued by Debian (bind9 and unbound), Fedora (clamav, firecracker, libkrun, rust-event-manager, rust-kvm-bindings, rust-kvm-ioctls, rust-linux-loader, rust-userfaultfd, rust-versionize, rust-vhost, rust-vhost-user-backend, rust-virtio-queue, rust-vm-memory, rust-vm-superio, rust-vmm-sys-util, and virtiofsd), Red Hat (.NET 6.0, dotnet6.0, and dotnet7.0), Slackware (bind and dnsmasq), and Ubuntu (dotnet6, dotnet7, dotnet8, linux-lowlatency, linux-raspi, linux-nvidia-6.2, and ujson).
Greg Kroah-Hartman has announcedthat the kernel project has been accepted as a CVE numbering authority(CNA). The way that CVE numbers will be handled by the kernel is describedin thisdocumentation patch:
The dynamic linker is a critical component of modern Linux systems, beingresponsible for setting up the address space of most processes. While staticallylinked binaries have become more popular over time as the tradeoffs thatoriginally led to dynamic linking become less relevant, dynamic linking is stillthe default. This article looks at what steps the dynamic linker takes toprepare a program for execution.
Security updates have been issued by Fedora (clamav and virtiofsd), Oracle (gimp), Red Hat (gnutls and nss), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t and squid), and Ubuntu (openssl).
Once again, runc-a toolfor spawning and running OCI containers-is drawing attention due to a highseverity container breakout attack. This vulnerability is interesting forseveral reasons: its potential for widespread impact, the continued difficultyin actually containing containers, the dangers of running containersas a privileged user, and the fact that this vulnerability is made possiblein part by a response to a previouscontainer breakout flaw in runc.
Fedora Magazine has announced the creation of Fedora Atomic Desktops: a way of branding Fedora's growing set of rpm-ostree spins. Joseph Gayso wrote "we've seen more of our mainline Fedora Linux spins make the jump to offer a version that implements rpm-ostree. It's reached the point where it can be hard to talk about all of them at the same time. Therefore we've introduced a new brand that will serve to simplify how we discuss rpm-ostree and how we name future atomic spins." LWN covered Project Bluefin, which is based on Fedora's rpm-ostree work, in December 2023.
Over on the Collabora blog, Helen Koike writesabout the DRM-CI project for running automated continuous integration (CI)tests on multiple graphics devices in several different labs. It uses theIGT GPUtools for testing, though there are plans to expand:
Gnuplot6.0 was released inDecember2023, bringing a host of significant improvements and newcapabilities to the open-source graphing tool. Here we survey the majornew features, including filled contours in 3D, adaptive plotting resolution, watchpoints, clippingof surfaces, sector plots for making things like pie charts, and newsyntax for conditionals in gnuplot's scripting language. In addition, therearedetailed examples of the features described.
Security updates have been issued by Debian (webkit2gtk), Fedora (atril, chromium, gnutls, python-aiohttp, and webkitgtk), Gentoo (libxml2), Mageia (gnutls, gpac, kernel, kernel-linus, microcode, pam, and postfix), Red Hat (container-tools:2.0, container-tools:3.0, container-tools:4.0, container-tools:rhel8, gimp, libmaxminddb, python-pillow, runc, and unbound), SUSE (cosign, netpbm, python, python-Pillow, python3, and python36), and Ubuntu (libde265, linux-gcp, linux-gcp-5.4, and linux-intel-iotg).
On February 2, Google announced this year's "Season of Docs", a program complementing its Summer of Code programby providing funding to open source projects to hire technical writers to improvetheir documentation. Interested projects have until April 2 to apply.
Mitchell Baker has announcedthat she is stepping down from the role of Mozilla CEO, effectiveimmediately. Laura Chambers will be the new CEO "for the remainder ofthe year".
The generation of random (or, at least, unpredictable) numbers is key tomany security technologies. For this reason, the provision of random dataas a CPU feature has drawn a lot of attention over the years. A properhardware-based random-number generator can address the problems that makerandomness hard to obtain in some systems, but only if the manufacturer canbe trusted to not have compromised that generator in some way. A recentdiscussion has brought to light a different problem, though: what happensif a hardware random-number generator can be simply driven into exhaustion?
The GNU C Library project hasbeen accepted as a CVE Numbering Authority (CNA), meaning that theproject is now in control of the CVE numbers assigned to its code.
At the beginning of November, we let it beknown that we were looking to hire a writer/editor to augment the LWNteam. In past attempts, we have found it difficult to attract writers whocould produce the kind of content that LWN readers expect. This timearound, as we have said before, was different; we had a number ofcandidates who could have filled the bill and were forced to make somedifficult choices.While "hire them all" was an attractive idea, it was not one that ourbudget would support. We did conclude, however, that we could stretch to asecond hire. So we are pleased to announce that the opportunity to bringJoe Brockmeier on board was too good to pass up - so we didn't. You willstart to see his work return to LWN within the next few days.
Go 1.22, the most recent version of the Go programming language, has been released. It comes with two language changes to for loops: a fix for a longstanding "gotcha" with accidentally sharing loop variables between iterations and adding the ability to range over integer values. There are also additions to the standard library, improved performance, and more. See the release notes for further information.
What is IP fragmentation, why is it important, and do people understandit? The answer to that last question is "not as well as they think". Thisarticle will also answer the rest of thosequestions and introduce fragquiz, a game that Iwrote to allow players to guess how IP packets will behave when they aretoo large for the network. As evidence that IP fragmentation is notwell-understood, a room full of networking experts played fragquiz and gota score that wasnowhere close to perfect. In addition, I will describe a new algorithm forfragmentation avoidance, which some colleagues and Ideveloped, that helped motivate development of fragquiz.
The GNU C Library (glibc)released version 2.39 on January 31, includingseveral new features. Notable highlights include new functions for spawningchild processes, support for shadow stacks on x86_64, new security features, andthe removal of libcrypt. The glibc maintainers had also hoped to includeimprovements to qsort(), which ended up not making it into thisrelease. Glibc releases are made every six months.
Security updates have been issued by CentOS (firefox, gstreamer1-plugins-bad-free, and tigervnc), Debian (ruby-sanitize), Fedora (kernel, kernel-headers, qt5-qtwebengine, and runc), Oracle (gnutls, kernel, libssh, rpm, runc, and tigervnc), Red Hat (runc), and SUSE (bouncycastle, jsch, python, and runc).
Greg Kroah-Hartman has announced the release of the 6.7.4, 6.6.16,and 6.1.77 stable kernels. As usual, theycontain important fixes all over the kernel tree.
A common problem in kernel development is controlling when aspecific task should be done. Kernel code often executes in contexts wheresome actions (sleeping, for example, or calling into filesystems) are notpossible. Other actions, while possible, may prevent the kernel fromtaking care of a more important task in a timely manner. The kernelcommunity has developed a number of deferred-execution mechanisms designedto ensure that every task is handled at the right time. One of thosemechanisms, tasklets, has been eyed for removal for years; that removalmight just happen in the near future.
Security updates have been issued by Debian (rear, runc, sudo, and zbar), Fedora (chromium, grub2, libebml, mingw-python-pygments, and python-aiohttp), Gentoo (FreeType, GNAT Ada Suite, Microsoft Edge, NBD Tools, OpenSSL, QtGui, SDDM, Wireshark, and Xen), Mageia (dracut, glibc, nss and firefox, openssl, packages, perl, and thunderbird), Slackware (libxml2), SUSE (java-11-openjdk, java-17-openjdk, perl, python-uamqp, slurm, and xerces-c), and Ubuntu (libssh and openssl).
The 6.8-rc3 kernel prepatch is out fortesting. "A slightly larger rc3 that I'd have hoped for, although atthis stage in the release process it's not something that really worries meyet."
The Zig language2024 roadmapwas presented in a talk last week onZig Showtime (a show coveringZig news). Andrew Kelley, the benevolent dictator for life of the Zig project,presented his goalsfor the language, largely focusing on compiler performance and continuingprogress toward stabilization for the language. He discussed details of his planfor incremental compilation, and addressed the sustainability of the project interms of both code contributions and financial support.
LWN.net