Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-04-20 23:45
VirtualBox 7.0.0 released
Version 7.0.0 of the VirtualBox virtualization system is out. Changes include support for fully encrypted virtual machines, a new performance-monitoring tool, improved theme support, and a number of new devices.
Security updates for Tuesday
Security updates have been issued by Debian (connman, dbus, git, isc-dhcp, strongswan, and wordpress), Fedora (rubygem-pdfkit and seamonkey), Red Hat (gnutls, nettle, rh-ruby27-ruby, and rh-ruby30-ruby), SUSE (libgsasl, python, and snakeyaml), and Ubuntu (graphite2, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-raspi, linux, linux-aws, linux-bluefield, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux, linux-dell300x, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-hwe, linux-oracle, openssh, and pcre3).
[$] A deeper look into the GCC Rust front-end
Philip Herron and Arthur Cohen presented an update on the "gccrs" GCC front end for the Rust language at the 2022 Kangrejos conference. Less than two weeks later — and joined by David Faust — they did it again at the 2022 GNU Tools Cauldron. This time, though, they were talking to GCC developers and refocused their presentation accordingly; the result was an interesting look into the challenges of implementing a compiler for Rust.
Security updates for Monday
Security updates have been issued by Debian (knot-resolver and libpgjava), Fedora (booth, dotnet3.1, expat, nheko, php-twig, php-twig2, php-twig3, poppler, python-joblib, and seamonkey), Mageia (colord, dbus, enlightenment, kitty, libvncserver, php, python3, and unbound), Slackware (libksba), SUSE (cyrus-sasl, ImageMagick, and xmlgraphics-commons), and Ubuntu (nginx and thunderbird).
Stable kernel 5.4.217
Greg Kroah-Hartman has released the 5.4.217 stable kernel with a set of important fixes, as usual.
[$] The first half of the 6.1 merge window
The 6.1 merge window is well underway: since it opened, 5,752 non-merge changesets have been pulled into the mainline repository. That is approximately half of the work that had piled up in linux-next and marks a good time to look at what has been merged so far. Some long-awaited core changes have landed for the next kernel release, but there are likely to be more significant changes to come.
Security updates for Friday
Security updates have been issued by Debian (dbus, isc-dhcp, and strongswan), Fedora (booth, php, php-twig, php-twig2, and php-twig3), Oracle (expat, prometheus-jmx-exporter, and squid), Red Hat (expat, openvswitch2.11, and squid), Scientific Linux (expat and squid), SUSE (exiv2, LibVNCServer, postgresql-jdbc, protobuf, python-PyJWT, python3, slurm, squid, and webkit2gtk3), and Ubuntu (libreoffice).
[$] Fingerprinting systems with TCP source-port selection
Back in May 2022, a mysterious set of patches titled insufficient TCP source port randomness crossed the mailing lists and was subsequently merged (at -rc6) into the 5.18 kernel. Little information was available at the time about why significant changes to the networking stack needed to be made so late in the development cycle. That situation has finally changed with the publication of this paper by Moshe Kol, Amit Klein, and Yossi Gilad. It seems that the way the kernel chose port numbers for outgoing network connections made it possible to uniquely fingerprint users.
Security updates for Thursday
Security updates have been issued by Debian (bind9 and nodejs), Red Hat (prometheus-jmx-exporter and squid), Slackware (dhcp), SUSE (pngcheck and sendmail), and Ubuntu (isc-dhcp, kitty, and linux-gcp-5.4).
[$] LWN.net Weekly Edition for October 6, 2022
The LWN.net Weekly Edition for October 6, 2022 is available.
[$] NVIDIA and nouveau
The release of source code for NVIDIA graphics hardware was perhaps something of a surprise; at least at a quick glance, it seems like that could lead to an in-tree, officially supported driver. For many years, though, the nouveau project has been working on an upstream driver for NVIDIA hardware, so an obvious question is what happens with nouveau in light of the NVIDIA announcement. Kernel graphics maintainer Dave Airlie gave a talk at the 2022 Linux Plumbers Conference (LPC) to help shed some light on that subject.
The Thorny Problem of Keeping the Internet’s Time (New Yorker)
The New Yorker has a lengthy article on the Network Time Protocol and its creator David Mills.
Al-Qudsi: Implementing truly safe semaphores in rust
Mahmoud Al-Qudsi provides extensive details on what it takes to implement a safe semaphore type in the Rust language.
More stable kernel updates
The 5.19.14, 5.15.72, 5.10.147, 5.4.216, and 4.19.261 stable kernel updates have been released; each contains another set of important fixes.
Security updates for Wednesday
Security updates have been issued by Debian (barbican, mediawiki, and php-twig), Fedora (bash, chromium, lighttpd, postgresql-jdbc, and scala), Mageia (bash, chromium-browser-stable, and golang), Oracle (bind, bind9.16, and squid:4), Red Hat (bind, bind9.16, RHSSO, and squid:4), Scientific Linux (bind), SUSE (cifs-utils, libjpeg-turbo, nodejs14, and nodejs16), and Ubuntu (jackd2, linux-gke, and linux-intel-iotg).
[$] A discussion on printk()
The kernel's print function, printk(), has been the target of numerous improvement efforts over the years for a variety of reasons. One persistent problem with printk() has been that its latency is unacceptably high for the realtime Linux kernel; at this point, printk() represents the last piece needing changes before the RT_PREEMPT patches can be fully merged. So there have been efforts to rework printk() for latency and lots of other reasons, but those have not made it into the mainline; a recent discussion at the 2022 Linux Plumbers Conference (LPC) seems to have paved the way for a new solution to land in the mainline before too long.
Ekstrand: Introducing NVK
Jason Ekstrand announces a new Vulkan driver for NVIDIA hardware on the Collabora blog. It seems to be off to a good start, but there is some work yet to do:
Stable kernel update 5.19.13 released
The 5.19.13 stable kernel update is out. "This release is to resolve a regression on some Intel graphics systems that had problems with 5.19.12. If you do not have this problem with 5.19.12, there is no need to upgrade."
OpenSSH 9.1 released
OpenSSH 9.1 has been released. It is advertised as a bug-fix release (and it addresses a few low-priority memory-safety bugs), but there's also a new option to set the minimum RSA key size for authentication, a few sftp extensions, and more.
Security updates for Tuesday
Security updates have been issued by Debian (barbican), Fedora (libdxfrw, librecad, and python-oauthlib), Oracle (bind), Red Hat (bind and rh-python38-python), SUSE (bind, chromium, colord, libcroco, libgit2, lighttpd, nodejs12, python, python3, slurm, slurm_20_02, and webkit2gtk3), and Ubuntu (linux-azure, python-django, strongswan, and wayland).
Git 2.38 released
Version 2.38.0 of the Git distributed version-control system has been released. It comes with lots of new features and bug fixes; some of the former are described in a GitHub blog post by Taylor Blau. Highlights include the promotion of the scalar addition for large repositories into Git core, improvements to multi-branch rebase operations with --update-refs, performance improvements, a bash prompt indication for unmerged indexes, and lots more.
Netdev 0x16 accepted sessions announced
The accepted sessions for the upcoming Netdev 0x16 have been posted. The conference will be held virtually and in-person in Lisbon, Portugal October 24-28. In addition, early-bird registration rates have been extended to October 4.
[$] Some 6.0 development statistics
Linus Torvalds released the 6.0 kernel on October 2. There were 15,402 non-merge changesets pulled into the mainline for this release, growing the kernel by just over 1.1 million lines of code. As usual, a lot went into the creation of this kernel release; read on for a look at where some of that work came from.
Security updates for Monday
Security updates have been issued by Debian (chromium, gdal, kernel, libdatetime-timezone-perl, libhttp-daemon-perl, lighttpd, mariadb-10.3, node-thenify, snakeyaml, tinyxml, and tzdata), Fedora (enlightenment, kitty, and thunderbird), Mageia (expat, firejail, libjpeg, nodejs, perl-HTTP-Daemon, python-mako, squid, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (buildah, connman, cosign, expat, ImageMagick, python36, python39, slurm, and webkit2gtk3), and Ubuntu (linux, linux-aws, linux-kvm, linux-lts-xenial and linux-gke-5.15).
Kernel 6.0 released
Linus has released the 6.0 kernel as expected.
Debian's firmware vote results
The results are in on the Debian project's general-resolution vote regarding non-free firmware in the installer image. The winning option allows the installer image to include firmware necessary to use the system:
[$] Hybrid scheduling gets more complicated
Just over ten years ago, the Arm big.LITTLE architecture posed a challenge for the kernel's CPU scheduler: how should processes be assigned to CPUs when not all CPUs have the same capacity? The situation has not gotten simpler since then; new systems bring new quirks that must be kept in mind for optimal scheduling. At the 2022 Linux Plumbers Conference, Len Brown and Ricardo Neri talked about Intel's hybrid systems and the work that is being done to schedule properly on those systems.
Security updates for Friday
Security updates have been issued by Debian (libsndfile and libvncserver), Fedora (bash), Red Hat (httpd24-httpd, java-1.7.1-ibm, and java-1.8.0-ibm), and SUSE (krb5-appl, libjpeg-turbo, python310, and slurm_20_02).
Weston 11.0: what's new, what's next (Collabora blog)
Over on the Collabora blog, Marius Vlad writes about the recent Weston 11.0.0 release. Weston is the reference compositor for the Wayland display server protocol. Vlad looks at features of the release, including some things that are being deprecated and removed, as well as features coming in Weston 12.
[$] How to fix an ancient GDB problem
The GDB debugger has a long history; it was first created in 1986. It may thus be unsurprising that some GDB development happens over relatively long time frames but, even when taking that into account, the existence of an open bug first reported in 2007 may be a little surprising. At the 2022 GNU Tools Cauldron, GDB maintainer Pedro Alves talked about why this problem has been difficult to solve, and what the eventual solution looks like.
[$] A call to reconsider address-space isolation
When the kernel is running, it has access to its entire address space — usually including all of physical memory — even if only a small portion of that address space is actually needed. That increases the kernel's vulnerability to speculative attacks. An address-space isolation patch set aiming to change this situation has been circulating for a few years, but has never been seriously considered for merging into the mainline. At the 2022 Linux Plumbers Conference, Ofir Weisse sought to convince the development community to reconsider address-space isolation.
Security updates for Thursday
Security updates have been issued by Debian (chromium, lighttpd, and webkit2gtk), Fedora (firefox, gajim, libofx, and python-nbxmpp), Gentoo (bluez, chromium, expat, firefox, go, graphicsmagick, kitty, php, poppler, redis, thunderbird, and zutty), Oracle (firefox and thunderbird), Red Hat (kernel), Slackware (xorg), SUSE (expat, libostree, lighttpd, python3-lxml, rust1.62, slurm, slurm_18_08, and vsftpd), and Ubuntu (libxi, linux-gcp, postgresql-9.5, and sqlite3).
[$] LWN.net Weekly Edition for September 29, 2022
The LWN.net Weekly Edition for September 29, 2022 is available.
[$] Progress for unprivileged containers
Over the past few years, there has been quite a bit of progress in various kernel features that can be used to create containers without requiring privileges. Most of the containers these days run as root, which means that a vulnerability leading to an escape from the container can result in system compromise. Stéphane Graber gave a talk at the 2022 Linux Security Summit Europe (LSS EU) to fill in some of the details of work that he and others have been doing to run containers as unprivileged code.
Announcing the GNU Toolchain Infrastructure Project
The backers of the GNU Toolchain Infrastructure Project, which was the subject of an intense discussion at the GNU Tools Cauldron, have finally posted their plans publicly.
ALP prototype 'Les Droites' is to be expected later this week (openSUSE News)
The openSUSE News site is looking forward to the imminent preview release of the openSUSE Adaptable Linux Platform (ALP) distribution:
A pile of stable kernel updates
The 5.19.12, 5.15.71, 5.10.146, 5.4.215, 4.19.260, 4.14.295, and 4.9.330 stable kernel updates have all been released; each contains another set of important fixes.
Security updates for Wednesday
Security updates have been issued by Debian (gdal, maven-shared-utils, thunderbird, webkit2gtk, and wpewebkit), Fedora (firefox and libofx), SUSE (dpdk, firefox, flatpak, grafana, kernel, libcaca, and opera), and Ubuntu (ghostscript and linux-gcp-5.15).
[$] Finding bugs with sanitizers
Andrey Konovalov began his 2022 Linux Security Summit Europe (LSS EU) talk with a bold statement: "fuzzing is useless". As might be guessed, he qualified that assertion quickly by adding "without dynamic bug detectors". These bug detectors include "sanitizers" of various sorts, such as the Kernel Address Sanitizer (KASAN), but there are others. Konovalov looked in detail at KASAN and gave an overview of the sanitizer landscape along with some ideas of ways to push these bug detectors further—to find even more kernel bugs.
LXD 5.6 released
Version 5.6 of the LXD container manager is out. Changes include the ability to stream log messages to a Grafana Loki server, Infiniband support for virtual machines, a restricted network access mode, and more.
Bash 5.2 released
Version 5.2 of the Bash shell has been released.
Wuyts: Why async Rust
Yoshua Wuyts gives an overview of async Rust and why it is interesting.
Security updates for Tuesday
Security updates have been issued by Debian (dovecot and firefox-esr), Fedora (firefox and grafana), Red Hat (firefox and thunderbird), Slackware (dnsmasq and vim), SUSE (dpdk, firefox, kernel, libarchive, libcaca, mariadb, openvswitch, opera, permissions, podofo, snakeyaml, sqlite3, unzip, and vsftpd), and Ubuntu (expat, libvpx, linux-azure-fde, linux-oracle, squid, squid3, and webkit2gtk).
[$] Supporting CHERI capabilities in GCC and glibc
The CHERI architecture is the product of a research program to extend common CPU architectures in a way that prevents many types of memory-related bugs (and vulnerabilities). At the 2022 GNU Tools Cauldron, Alex Coplan and Szabolcs Nagy described the work that has been done to bring GCC and the GNU C Library (glibc) to this architecture. CHERI is a fundamentally different approach to how memory is accessed, and supporting it properly is anything but a trivial task.
Security updates for Monday
Security updates have been issued by Debian (expat and poppler), Fedora (dokuwiki), Gentoo (fetchmail, grub, harfbuzz, libaacplus, logcheck, mrxvt, oracle jdk/jre, rizin, smarty, and smokeping), Mageia (tcpreplay, thunderbird, and webkit2), SUSE (dpdk, permissions, postgresql14, puppet, and webkit2gtk3), and Ubuntu (linux-gkeop and sosreport).
Kernel prepatch 6.0-rc7
The 6.0-rc7 kernel prepatch is out for testing.
Arch Linux drops Python 2
Arch Linux has announced that Python 2 is being removed from the distribution's repositories. "If you still require the python2 package you can keep it around, but please be aware that there will be no security updates."
[$] BPF as a safer kernel programming environment
For better or worse, C is the lingua franca in the world of kernel engineering. The core logic of the Linux kernel is written entirely in C (with a bit of assembly), as are its drivers and modules. While C is rightfully celebrated for its powerful yet simple semantics, it is an older language that lacks many of the features present in modern languages such as Rust. The BPF subsystem, on the other hand, provides a programming environment that allows engineers to write programs that can run safely in kernel space. At the 2022 Linux Plumbers Conference in Dublin, Ireland, Alexei Starovoitov presented an overview of how BPF has evolved over the years to provide a new model for kernel programming.
Three new stable kernels
The 5.19.11, 5.15.70, and 5.10.145 stable kernels are now available. As usual, they contain important fixes throughout the kernel tree.
Security updates for Friday
Security updates have been issued by Debian (bind9, expat, firefox-esr, mediawiki, and unzip), Fedora (qemu and thunderbird), Oracle (webkit2gtk3), SUSE (ardana-ansible, ardana-cobbler, ardana-tempest, grafana, openstack-heat-templates, openstack-horizon-plugin-gbp-ui, openstack-neutron-gbp, openstack-nova, python-Django1, rabbitmq-server, rubygem-puma, ardana-ansible, ardana-cobbler, grafana, openstack-heat-templates, openstack-murano, python-Django, rabbitmq-server, rubygem-puma, dpdk, freetype2, rubygem-rack, and virtualbox), and Ubuntu (etcd, libjpeg-turbo, linux-gcp, linux-gke, linux-raspi, linux-oem-5.17, linux-raspi-5.4, python-oauthlib, and python3.5).