LWN.net

Security updates have been issued by Debian (gnutls28, libtirpc, postgresql-11, and samba), Fedora (microcode_ctl, wpebackend-fdo, and xen), Oracle (.NET 6.0, galera, mariadb, and mysql-selinux, and kernel), SUSE (dbus-1 and python-numpy), and Ubuntu (booth).

Version1.63.0 of the Rust language has been released. Changes include theaddition of scoped threads, a new ownership model for raw file descriptors,and the completion of the borrow-checker transition:

The Project Zero blog has posted adetailed look at CVE-2021-0920 in the first of a two-part series on howthis bug created a vulnerability that was subsequently exploited.

We live in a 64-bit world, to the point that many distributors want to stopsupporting 32-bit systems at all. However, lurking within our 64-bitkernels is a subsystem that has not really managed to move past 32-bitaddresses. The quick merge-window failure of an attempt to use64-bit addresses in the I/O memory-management unit (IOMMU) subsystem showshow hard it can be to leave all of one's 32-bit history behind.

Greg Kroah-Hartman has announced the release of the 5.19.1, 5.18.17, 5.15.60, 5.10.136, 5.4.210, and 4.19.255 stable kernels.They contain a fairly small set of important fixes; users should upgrade.

Security updates have been issued by Gentoo (aiohttp, faac, isync, motion, and nextcloud), Red Hat (.NET 6.0), SUSE (libnbd, oracleasm, python-codecov, rubygem-tzinfo, sssd, and thunderbird), and Ubuntu (http-parser, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-hwe-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-ibm, linux-kvm, linux-oracle, linux-raspi, linux-intel-iotg, linux-oem-5.14, linux-oem-5.17, and node-moment).

The LWN.net Weekly Edition for August 11, 2022 is available.

Offline computing and learning was something of a theme at GUADEC 2022 as therewere multiple talks by people from theEndless OS Foundation, whichtargets that use case. Dylan McCall and Manuel Quiñones had a talk on daytwo about a switch that Endless has made over the last few years away fromits home-rolled "knowledge apps" to apps based on the Kolibri learningplatform. While Endless has its roots in GNOME, and Kolibri runs wellin that environment, the switch will allow Endless to reach users who arenot running a GNOME desktop.

Security updates have been issued by Debian (gst-plugins-good1.0), Fedora (firefox and ghostscript), Gentoo (consul, firefox, libass, libraw, lxml, mdbtools, pam_u2f, spice, and thunderbird), Oracle (kernel, kernel-container, and vim), Red Hat (galera, mariadb, and mysql-selinux, kernel, and kernel-rt), Scientific Linux (kernel), SUSE (bind, java-11-openjdk, kernel, mokutil, ncurses, and u-boot), and Ubuntu (epiphany-browser, libcdio, linux, linux-aws, linux-azure-4.15, linux-dell300x, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-kvm, linux-lts-xenial, and linux-hwe, linux-aws-hwe, linux-azure, linux-gcp, linux-oracle).

A tool to discover known security vulnerabilities in the Python packages installed ona system or required by a project, called pip-audit, was recentlydiscussed on the Python discussionforum. The developers of pip-audit raisedthe idea of adding the functionality directly into the pip package installer, rather thankeeping it as a separately installable tool. While the functionality provided bypip-audit was seen as a clear benefit to the ecosystem, moving itinside the pip "tent" was not as overwhelmingly popular. It is not obvious that auditing is part of the role that the packageinstaller should play.

Security updates have been issued by Debian (gnutls28 and unzip), Fedora (dovecot and net-snmp), Red Hat (kernel-rt and vim), and Ubuntu (gst-plugins-good1.0).

Security updates have been issued by Debian (chromium, libtirpc, and xorg-server), Fedora (giflib, mingw-giflib, and teeworlds), Mageia (chromium-browser-stable, kernel, kernel-linus, mingw-giflib, osmo, python-m2crypto, and sqlite3), Oracle (httpd, php, vim, virt:ol and virt-devel:ol, and xorg-x11-server), SUSE (caddy, crash, dpkg, fwupd, python-M2Crypto, and trivy), and Ubuntu (gdk-pixbuf, libjpeg-turbo, and phpliteadmin).

As Jeff Mahoney notes in thismessage to the openSUSE factory list, the reiserfs filesystem has beenunmaintained for years and lacks many of the features that users have cometo expect. He has thus proposed removing reiserfs from openSUSE Tumbleweedimmediately.

The merge window for the kernel that will probably be called "6.0" hasgotten off to a strong start, with 6,820 non-merge changesets pulled intothe mainline repository in the first few days. The work pulled so farmakes changes all over the kernel tree; read on for a summary of what hashappened in the first half of this merge window.

Security updates have been issued by CentOS (firefox, thunderbird, and xorg-x11-server), Debian (xorg-server), Gentoo (Babel, go, icingaweb2, lib3mf, and libmcpp), Oracle (389-ds:1.4, go-toolset:ol8, httpd, mariadb:10.5, microcode_ctl, and ruby:2.5), Red Hat (xorg-x11-server), Scientific Linux (xorg-x11-server), SUSE (buildah, go1.17, go1.18, harfbuzz, python-ujson, qpdf, u-boot, and wavpack), and Ubuntu (gnutls28, libxml2, mod-wsgi, openjdk-8, openjdk-8, openjdk-lts, openjdk-17, openjdk-18, and python-django).

The Register reportsthat GitLab is planning to start deleting repositories belonging to freeaccounts if they have been inactive for at least a year.

The Linux Security Module (LSM) subsystem works by way of an extensive setof hooks placed strategically throughout the kernel. Any specific securitymodule can attach to the hooks for the behavior it intends to govern and beconsulted whenever a decision needs to be made. The placement of LSM hooksoften comes with a bit of controversy; developers have been known to objectto the performance cost of hooks in hot code paths, and sometimes there are misunderstandings over how integration withLSMs should be handled. The disagreement over a security hook for thecreation of user namespaces, though, is based on a different sort ofconcern.

On his blog, Federico Mena Quintero posted a transcript of his recent talk at GUADEC 2022 on the technical debt in the GNOME accessibility infrastructure—and what he has been doing to help pay that down. He began the talk by describing the infrastructure and how it came about:

Security updates have been issued by Fedora (lua), Oracle (kernel), Red Hat (389-ds:1.4, django, firefox, go-toolset and golang, go-toolset-1.17 and go-toolset-1.17-golang, go-toolset:rhel8, java-1.8.0-ibm, java-17-openjdk, kernel, kernel-rt, kpatch-patch, mariadb:10.5, openssl, pcre2, php, rh-mariadb105-galera and rh-mariadb105-mariadb, ruby:2.5, thunderbird, vim, and virt:rhel and virt-devel:rhel), Scientific Linux (firefox and thunderbird), SUSE (drbd, java-17-openjdk, java-1_8_0-ibm, keylime, ldb, samba, mokutil, oracleasm, pcre2, permissions, postgresql-jdbc, python-numpy, samba, tiff, u-boot, and xscreensaver), and Ubuntu (nvidia-graphics-drivers-390, nvidia-graphics-drivers-450-server, nvidia-graphics-drivers-470, nvidia-graphics-drivers-470-server, nvidia-graphics-drivers-510, nvidia-graphics-drivers-510-server, nvidia-graphics-drivers-515, nvidia-graphics-drivers-515-server).

The LWN.net Weekly Edition for August 4, 2022 is available.

A rural Mexican state was the setting for an initiative to use the GNOME-based Endless OS toimproveeducation in indigenouscommunities. Over the last severalyears, the Endless OS Foundationhas teamed up with the Fundación Alfredo HarpHelú Oaxaca (FAHHO) to deliver offline-first computers to thosecommunities, but also to assist these communities in preserving their nativelanguages. In a talk at GUADEC 2022, Rob McQueenprovided a look at the project and what it has accomplished.

The 5.18.16,5.15.59,5.10.135, and5.4.209stable kernel updates have been released; each contains another set ofimportant fixes.

Daniel Vetter continues hisseries on locking in the kernel.

Security updates have been issued by CentOS (389-ds-base, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, postgresql, python, python-twisted-web, python-virtualenv, squid, thunderbird, and xz), Fedora (ceph, firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, and kubernetes), Oracle (firefox, go-toolset and golang, libvirt libvirt-python, openssl, pcre2, qemu, and thunderbird), SUSE (connman, drbd, kernel, python-jupyterlab, samba, and seamonkey), and Ubuntu (linux-oem-5.14, linux-oem-5.17 and ntfs-3g).

Jonathan Blandford, who is alongtime GNOME contributor—and a cruciverbalistfor longer still—thought it was time for GNOME to have acrossword puzzleapplication. So he set out to create one, which turned into something of a yak-shaving exercise,but also, ultimately, into Crosswords. Blandfordcame to GUADEC 2022to give a talk describing his journey bringing this brainexerciser (andproductivity bane) to the GNOME desktop.

Version 1.19 of the Go programminglanguage has been released. "Most of its changes are in theimplementation of the toolchain, runtime, and libraries. As always, therelease maintains the Go 1 promise of compatibility. We expect almost allGo programs to continue to compile and run as before". This releaseincludes some memory-model tweaks, a LoongArch port, improvements in thedocumentation-comment mechanism, and more.

Version2.36 of the GNU C Library has been released. Changes include supportfor the new DT_RELR relocation format,wrappers for theprocess_madvise(),process_mrelease(),pidfd_open(),pidfd_getfd(), andpidfd_send_signal() system calls,wrappers for the new filesystem mounting API,a DNS stub resolver that only does IPv4 queries,support for the BSDarc4random() API (despite some last-minutediscussion),LoongArch architecture support,and more.

Security updates have been issued by Debian (curl and jetty9), Fedora (dovecot), Gentoo (vault), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, and squid), SUSE (booth, dovecot22, dwarves and elfutils, firefox, gimp, java-11-openjdk, kernel, and oracleasm), and Ubuntu (linux, linux-hwe-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, net-snmp, and samba).

The 5.19 kernel was released,after a one-week delay to deal with the fallout from the Retbleedmitigations, on July 31. By that time, 16,399 commits (15,134non-merge and 1,265 merges) had found their way into the mainlinerepository, making this development cycle the busiest since 5.13 (16,030non-merge changesets and 1,157 merges). Tradition dictates that now is the time for a lookat where the changes in 5.19 came from, and we've learned not to go againsttradition.

The 2022 Linux Plumbers Conference (LPC) has announced its schedule. The conference will be held in Dublin, Ireland, September 12-14.

Security updates have been issued by Debian (booth, libpgjava, and thunderbird), Fedora (3mux, act, age, antlr4-project, apache-cloudstack-cloudmonkey, apptainer, aquatone, aron, asnip, assetfinder, astral, bettercap, buildah, butane, caddy, cadvisor, cheat, chisel, clash, clipman, commit-stream, containerd, cri-o, darkman, deepin-gir-generator, direnv, dnscrypt-proxy, dnsx, docker-distribution, doctl, douceur, duf, ffuf, fzf, geoipupdate, git-lfs, git-octopus, git-time-metric, glide, gmailctl, gnutls, go-bindata, goaltdns, gobuster, godep, godoctor, godotenv, gojq, golist, goloris, gomtree, google-guest-agent, gotags, gotun, grafana, gron, grpcurl, hakrevdns, hcloud, htmltest, httprobe, hulk, ignition, jid, kata-containers, kiln, kompose, kubernetes, libldb, manifest-tool, mass3, meg, meshbird, micro, mingw-harfbuzz, mingw-poppler, moby-engine, mqttcli, nats-server, nebula, netscanner, oci-seccomp-bpf-hook, ohmybackup, onionscan, open-policy-agent, origin, osbuild-composer, podman-tui, popub, powerline-go, reposurgeon, restic, runc, samba, shellz, shhgit, skopeo, snapd, snowcrash, source-to-image, subfinder, syncthing, sysutil, terrier, thunderbird, tiedot, toolbox, vgrep, vultr, vultr-cli, webanalyze, webkit2gtk3, weldr-client, wgctrl, xe-guest-utilities-latest, xen, xq, yggdrasil, yubihsm-connector, and a vast number of golang packages), Mageia (chromium-browser-stable, firefox, gdk-pixbuf2.0, python-ujson, and webmin), Red Hat (firefox and thunderbird), Slackware (gnutls), and SUSE (chromium, firefox, mozilla-nss, rubygem-tzinfo, samba, and xen).

Linus has released the 5.19 kernel.

Version 21 of the Ubuntu-based Linux Mint distribution is out; it isavailable in theCinnamon,MATE, andXfce flavors.This is along-term-support release that will receive updates until 2027.

Jakub Kicinski providesan overview of some changes to the in-kernel TLS implementation comingin the next development cycle:

Greg Kroah-Hartman has announced the release of the 5.18.15, 5.15.58, 5.10.134, 5.4.208, 4.19.254, 4.14.290, and 4.9.325 stable kernels. As usual, thesekernels contain important fixes throughout the tree. Note that theRetbleed mitigations have not been backported any further back thanthe 5.10.x series at this point.

As a general rule, virtualization mechanisms are designed to provide strongisolation between a host and the guest systems that it runs. The guestsare not trusted, and their ability to access or influence anything outsideof their virtual machines must be tightly controlled. So a patch seriesallowing guests to execute arbitrary system calls in the host context mightbe expected to be the cause of significantly elevated eyebrows across thenet. Andrei Vagin has posted such aseries with the expected results.

Security updates have been issued by Fedora (xorg-x11-server and xorg-x11-server-Xwayland), SUSE (aws-iam-authenticator, ldb, samba, libguestfs, samba, and u-boot), and Ubuntu (firefox, intel-microcode, libtirpc, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-bluefield, linux-gcp-5.4, linux-gke-5.4, mysql-5.7, and mysql-5.7, mysql-8.0).

The relatively new io_uring subsystem haschanged the way asynchronous I/O is done on Linux systems and improvedperformance significantly. It has also, however, begun to run up a recordof disagreements with the kernel's security community. A recentdiscussion about security hooks for the new uring_cmd mechanismshows how easily requirements can be overlooked in a complex system with nooverall supervision.

Security updates have been issued by Debian (firefox-esr), Fedora (chromium, gnupg1, java-17-openjdk, osmo, and podman), Oracle (grafana and java-17-openjdk), Red Hat (389-ds:1.4, container-tools:rhel8, grafana, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-rt, kpatch-patch, pandoc, squid, and squid:4), Slackware (samba), and SUSE (crash, mariadb, pcre2, python-M2Crypto, virtualbox, and xen).

The LWN.net Weekly Edition for July 28, 2022 is available.

While GUADEC, the GNOME community's annual conference, has always been heldin Europe (or online-only) since it began in 2000, this year's editionwas held in North America, specifically in Guadalajara, México,July 20-25. Rob McQueen gave a talk on the first day of theconference about providing solutions that bring some level of digitalsafety andautonomy to users—and how GNOME can help make that happen. McQueen is the CEO of the Endless OSFoundation, which is an organization geared toward those goals; he was alsorecently reelected as the president of the GNOME Foundation board of directors.

Daniel Vetter offers someadvice for developers of locking schemes in the kernel.

Nicholas Nethercote marksthe 20th anniversary of the Valgrind 1.0 release.

Security updates have been issued by Debian (kernel and openjdk-17), Fedora (ceph, lua, and moodle), Oracle (java-1.8.0-openjdk), Red Hat (grafana), SUSE (git, kernel, libxml2, nodejs16, and squid), and Ubuntu (imagemagick, protobuf-c, and vim).

Docker has transformed the waymany people develop and deploy software. It wasn't the firstimplementation of containers on Linux, but Docker's ideas about howcontainers should be structured and managed were different from itspredecessors. Those ideas matured into industry standards, and anecosystem of software has grown around them. Docker continues to be amajor player in the ecosystem, but it is no longer the only whale in thesea — Red Hat has also done a lot of work oncontainer tools, and alternative implementations arenow available for many of Docker's offerings.

Security updates have been issued by Debian (spip), Mageia (libtiff and logrotate), Oracle (java-1.8.0-openjdk and java-11-openjdk), SUSE (gpg2, logrotate, and phpPgAdmin), and Ubuntu (python-bottle).

The CreativeCommons CC0 license is essentially a public-domain declaration (or asclose as is possible in jurisdictions that lack a public domain). TheFedora project has allowed the distribution of code under this license,but, as announcedby Richard Fontana, that policy is changing and CC0 will no longer beallowed for code:

A 64-bit pointer can address a lot of memory — far more than just about anyapplication could ever need. As a result, there are bits within that pointer thatare not really needed to address memory, and which might be put to otherneeds. Storing a few bits of metadata within a pointer is a common enoughuse case that multiple architectures are adding support for it at thehardware level. Intel is no exception; support for its "Linear AddressMasking" (LAM) feature has been slowly making its way toward the mainlinekernel.

Security updates have been issued by Debian (chromium, djangorestframework, gsasl, and openjdk-11), Fedora (giflib, openssl, python-ujson, and xen), Mageia (virtualbox), SUSE (git, gpg2, java-1_7_1-ibm, java-1_8_0-ibm, java-1_8_0-openjdk, mozilla-nspr, mozilla-nss, mozilla-nss, python-M2Crypto, and s390-tools), and Ubuntu (php8.1).

The Debian project, Debian.ch, and Software in the Public Interest recentlyfiled a WIPO action to take control of the "debian.community" domain name,which has been used by Daniel Pocock to attackthe Debian project and its members. Red Hat had made a similar attempt to take control ofWeMakeFedora.org earlier this year, but that attempt failed. The Debianaction succeeded, though; on July 19, WIPO decidedin favor of the action and ordered the domain name transferred.That domain name can no longer be used, but the attacks seem certain tocontinue.