Git 2.39.1 has been released with a set of security fixes; there are also updated versions of many older Git releases available. A pair of integer overflow vulnerabilities can lead to code execution in some scenarios; see the announcement and this GitHub blog entry for more information.
Version 109.0 of the Firefox browser has been released. The headline feature this time is the enabling of Manifest Version 3 support — a new extension mechanism that, among other things, gives a higher degree of control over what extensions can do.
It is rare to see an extensive and unhappy discussion over the selection of compiler options used to build a distribution, but it does happen. A case in point is the debate over whether Fedora should be built with frame pointers or not. It comes down to a tradeoff between a performance loss on current systems and hopes for gains that exceed that loss in the future — and some disagreements over how these decisions should be made within the Fedora community.
Security updates have been issued by Debian (chromium, lava, libapreq2, net-snmp, node-minimatch, and openvswitch), Fedora (jpegoptim, kernel, kernel-headers, kernel-tools, and python2.7), Mageia (ctags, ffmpeg, minetest, python-gitpython, w3m, and xrdp), Oracle (kernel), Red Hat (dpdk and libxml2), Slackware (netatalk), SUSE (apptainer, chromium, libheimdal, python-wheel, python310-setuptools, and SDL2), and Ubuntu (linux-aws, linux-gcp-4.15, maven, and net-snmp).
Speculative-execution vulnerabilities come about when the CPU, while executing speculatively, is able to access memory that would otherwise be denied to it. Most of these vulnerabilities would go away if the CPU were always constrained by the established memory protections. An obvious way to fix these problems would be to make CPUs behave that way, but doing that without destroying performance is not an easy task. So, instead, Intel has developed a feature called "linear address-space separation" (LASS) to paper over parts of the problem; Yian Chen has posted a patch set adding support for this feature.
The release of the 4.9.337 stable kernel update on January 7 marked the end of an era: after just over six years of maintenance, the 4.9.x series will receive no more updates. This kernel saw a lot of change after Linus Torvalds made the "final" release and left the building; it's time for a look at the "stable" portion of this kernel's life to see what can be learned.
Greg Kroah-Hartman has announced the release of the 6.1.5, 6.0.19, and 5.15.87 stable kernels. As usual, they contain lots of important fixes all over the kernel tree; users should upgrade. This is also the last release in the 6.0.y kernel series: "All users must move to the 6.1.y branch at this point in time, as this branch is now end-of-life."
The PyTorch compromise that happened right at the end of 2022 was rather ugly, but its impact was not widespread—seemingly, at least. The incident does highlight some of the perils of relying on an external "supply chain" for the components that are used to build one's software. It also would appear to be another case of "security researchers" run amok, though perhaps that part of the story is only meant to cover the tracks—or ass—of the perpetrator.
Security updates have been issued by Debian (exiv2, hsqldb, libjettison-java, ruby-sinatra, and viewvc), Fedora (golang-github-docker, mbedtls, and vim), Gentoo (alpine, commons-text, jupyter_core, liblouis, mbedtls, ntfs3g, protobuf-java, scikit-learn, and twisted), Red Hat (kernel and kpatch-patch), SUSE (rubygem-activerecord-5.2, tiff, and webkit2gtk3), and Ubuntu (dotnet6, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-oracle, linux-ibm, linux-oem-5.17, and linux-oem-6.0).
Python's formatted strings, or "f-strings", came relatively late to the language, but have become a popular feature. F-strings allow a compact representation for the common task of interpolating program data into strings, often in order to output them in some fashion. Some restrictions were placed on f-strings to simplify the implementation of them, but those restrictions are not really needed anymore and, in fact, are complicating the CPython parser. That has led to a Python Enhancement Proposal (PEP) to formalize the syntax of f-strings for the benefit of Python users while simplifying the maintenance of the interpreter itself.
In late 2021, LWN covered a plan to eliminate the Python global interpreter lock (GIL), thus improving the language's thread-level concurrency. This plan has now been codified as PEP 703, which includes an extensive discussion of the changes that would be made.
Security updates have been issued by Debian (libtasn1-6), Fedora (nautilus), Oracle (kernel, kernel-container, nodejs:14, tigervnc, and xorg-x11-server), Red Hat (grub2, nodejs:14, tigervnc, and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), SUSE (systemd), and Ubuntu (firefox, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure, w3m, and webkit2gtk).
The kernel's memory-management developers have been busy before and during the holidays; the result is a number of patch sets making significant changes to that subsystem. It is time for a quick look at three of those projects. Two of them aim to increase the sharing of page tables between processes, while the third takes advantage of the multi-generational LRU to create a better picture of what a process's working set actually is.
Linus has released 6.2-rc3 for testing. "Here we are, another week done, and things are starting to look a lot more normal after that very quiet holiday week that made rc2 so very small".
The 6.1.4, 6.0.18, and 4.9.337 stable kernel updates have been released; each contains another set of important fixes. Greg Kroah-Hartman has also let it be known that 4.9.337 is the end of the line for the 4.9 kernel, which was released just over six years ago. "This kernel is now END-OF-LIFE and you should move to 4.14.y at the least, 6.1.y is the better option."
Most developers probably do not see the generation of random numbers as being a performance bottleneck for their programs, but there are seemingly exceptions. Over the last few years, Jason Donenfeld has brought a new level of energy to the development of the kernel's random-number generator; he is now directing his efforts toward improving performance for user space with this patch series that provides an implementation of the getrandom() system call in the kernel's "virtual dynamic shared object" (vDSO) area. The result is, indeed, better performance, but not all developers see this benefit as being worth the additional complexity required to achieve it.
Security updates have been issued by Debian (libetpan and smarty3), SUSE (libksba, rpmlint-mini, tcl, and xrdp), and Ubuntu (curl, firefox, and linux-oem-5.14).
The kernel's fscrypt subsystem enables filesystems to store files and directories in encrypted form, protecting them against offline attacks. A few filesystems support encryption with fscrypt currently, but Btrfs is an exception, despite a number of attempts to add this feature. The problem is that, as so often seems to be the case, Btrfs works differently and does not fit well with one of the key assumptions in the design of fscrypt. With this patch series, Sweet Tea Dorminy is working to enhance fscrypt to be a better fit for filesystems like Btrfs.
Security updates have been issued by Fedora (binwalk), Oracle (kernel and webkit2gtk3), Red Hat (webkit2gtk3), Slackware (vim), and Ubuntu (libksba and nautilus).
The Linux security module (LSM) subsystem has long had limitations on which modules could be combined in a given running kernel. Some parts of the problem have been solved over the years—"smaller" LSMs can be combined at will with a single, more complex LSM—but combining (or "stacking") SELinux with, say, Smack or AppArmor has never been possible. Back in October, we looked at the most recent attempt to add that ability, which resulted in patches to add two new system calls for LSM. By the end of December, the number of new system calls had risen to three.
The Fedora community is currently discussing a proposal to start supporting a unified kernel image (UKI) for the distribution; these images would combine several pieces that are generally separate today (e.g. initrd, kernel, and kernel command line). There are a number of advantages to such a kernel image, at least for some kinds of systems, but there is worry from some about where the endpoint of this work lies. There is a need to ensure that Fedora can still boot non-unified, perhaps locally built, kernels and can support other use cases that unification might preclude.
Security updates have been issued by Oracle (bcel), SUSE (ca-certificates-mozilla, glibc, minetest, multimon-ng, nautilus, ovmf, python-Django, samba, saphanabootstrap-formula, and xrdp), and Ubuntu (usbredir).
Yet another new year is upon us, and that can only mean one thing: the time has come for your editor to look into his crystal ball and make some predictions for what 2023 will hold. Said crystal ball is known to suffer from speculative-execution problems and parity errors, but it's the best that LWN's budget will afford. Read on for a highly unreliable look at what's to come.
Security updates have been issued by Debian (cacti, emacs, exuberant-ctags, libjettison-java, mplayer, node-loader-utils, node-xmldom, openvswitch, ruby-image-processing, webkit2gtk, wpewebkit, and xorg-server), Fedora (OpenImageIO, systemd, w3m, and webkit2gtk3), Mageia (curl, freeradius, libksba, libtar, python-ujson, sogo, thunderbird, and webkit2), Red Hat (bcel), and SUSE (ffmpeg, ffmpeg-4, mbedtls, opera, saphanabootstrap-formula, sbd, vlc, and webkit2gtk3).
The 6.1.2, 6.0.16, and 5.15.86 stable kernel updates have been released. As is typical for the first post-rc1 updates, each of these contains a huge number of important fixes.
Security updates have been issued by Debian (libcommons-net-java), Fedora (python3.6), and SUSE (conmon, polkit-default-privs, thunderbird, and webkit2gtk3).
Security updates have been issued by Debian (multipath-tools), Fedora (containerd and trafficserver), Gentoo (libksba and openssh), and SUSE (webkit2gtk3).
The world got a special Christmas present from Linus Torvalds this year in the form of the 6.2-rc1 kernel prepatch. By the time the merge window closed, 13,687 non-merge changesets had been pulled into the mainline for the 6.2 release. This was the busiest merge window since 5.13 (which brought in 14.231 changesets) in mid-2021, and quite a bit busier than 6.1 was — but comparable to the late 5.x releases. Just under 4,000 of those changesets were pulled after the first-half summary was written; there were quite a few significant changes to be found in those late-arriving patches.
Security updates have been issued by Debian (gerbv), Fedora (webkitgtk), and SUSE (ca-certificates-mozilla, freeradius-server, multimon-ng, vim, and vlc).