Security updates have been issued by Debian (nss), Fedora (rubygem-rmagick), openSUSE (xen), Red Hat (firefox and nss), SUSE (kernel and xen), and Ubuntu (mailman and nss).
The Linux random-number generator (RNG) seems to attract an outsized amount of attention (and work) for what is, or seemingly should be, a fairly small component of the kernel. In part that is because random numbers, and their quality, are extremely important to a number of security protections, from unpredictable IP-packet sequence numbers to cryptographic keys. A recent post of version 43 of the Linux Random Number Generator (LRNG) by Stephan Müller is not likely to go any further than its predecessors, but the discussion around it may lead to support for a feature that some distributions need.
Firefox 95.0 is now available. With this version the RLBox sandboxing technology is enabled on all platforms, as is the Site Isolation security architecture, which protects against side-channel attacks. Firefox ESR 91.4.0 is also available with various security fixes.
Reference counts are a commonly used mechanism for tracking the life cycle of objects in a computing system. As long as every user of an object correctly maintains its references by incrementing and decrementing the reference count, that object will persist for as long as it is needed and will be properly destroyed once the last user is done. The "correctly" in that sentence is important, though; things do not work as well in the presence of reference-counting errors. Networking developer Eric Dumazet is working on a reference-count tracking system that could prove useful for finding these errors in the networking subsystem and, someday, throughout the kernel.
It is natural, when looking at the kernel development process, to focus on patches that find their way to acceptance and become a part of future kernels. But there can be value in looking at work that doesn't clear the bar; in failing, these patches often reveal things about the kernel and the community that creates it. Such is the case with the proof-of-concept namespacefs patch series recently posted by Yordan Karadzhov. One should not expect to see namespacefs in a future kernel but, in failing, this work showed a real use case and why it is hard to satisfy that use case in the kernel.
Security updates have been issued by CentOS (krb5 and mailman), Debian (gmp and librecad), Fedora (php-symfony4 and wireshark), Mageia (bluez, busybox, docker-containerd, gfbgraph, hivex, nss, perl/perl-Encode, and udisks2/libblockdev), openSUSE (permissions), Oracle (mailman and mailman:2.1), Red Hat (mailman, mailman:2.1, and nss), Scientific Linux (mailman and nss), and SUSE (nodejs14).
Writing (correct) concurrent code that uses locking to avoid race conditions is difficult enough. When the objective is to use lockless algorithms, relying on memory barriers instead of locks to eliminate locking overhead, the problem becomes harder still. Bugs are easy to create and hard to find in this type of code. There may be some help on the way, though, in the form of this patch set from Marco Elver that enhances the Kernel Concurrency Sanitizer (KCSAN) with the ability to detect some types of missing memory barriers.
Version 1.57.0 of the Rust language is out. "Rust 1.57 brings panic! to const contexts, adds support for custom profiles to Cargo, and stabilizes fallible reservation APIs."
Over on the Project Zero blog, Tavis Ormandy has a lengthy postmortem on a vulnerability that he found in the Network Security Services (NSS) cryptography library. The vulnerability is a bog-standard buffer overflow that has existed in the library since 2012 despite various kinds of static analysis, testing, and fuzzing that Mozilla and others have applied to it over the years. He found it with a new fuzzing technique:
A seemingly straightforward question aimed at candidates for the in-progress Fedora elections led to a discussion on the Fedora devel mailing list that branched into a few different directions. The question was related to a struggle that the distribution has had before: whether using non-free Git forges is appropriate. One of the differences this time, though, is that the focus is on where source-git (or src-git) repositories will be hosted, which is a separate question from where the dist-git repository lives.
The Software Freedom Conservancy provides an update on its suit against Vizio for copyleft license violations. Vizio's response was not to release the source code:
Stable kernels 5.15.6, 5.10.83, 5.4.163, and 4.19.219 have been released. They all contain important fixes throughout the tree. Users of those series should upgrade.
Version 1.7 of the Julia programming language has been released. The list of new features is long; see the release announcement and this LWN article for the details.
While there are few rules on the names of variables, classes, functions, and so on (i.e. identifiers) in the Python language, there are some guidelines on how those things should be named. But, of course, those guidelines were not always followed in the standard library, especially in the early years of the project. A suggestion to add aliases to the standard library for identifiers that do not follow the guidelines seems highly unlikely to go anywhere, but it led to an interesting discussion on the python-ideas mailing list.
Security updates have been issued by Debian (samba), Fedora (kernel), openSUSE (netcdf and tor), SUSE (netcdf and python-Pygments), and Ubuntu (imagemagick).
One of the key features of the extended BPF virtual machine is the verifier built into the kernel that ensures that all BPF programs are safe to run. BPF developers often see the verifier as a bit of a mixed blessing, though; while it can catch a lot of problems before they happen, it can also be hard to please. Comparisons with a well-meaning but rule-bound and picky bureaucracy would not be entirely misplaced. The bpf_loop() proposal from Joanne Koong is an attempt to make pleasing the BPF bureaucrats a bit easier for one type of loop construct.
Security updates have been issued by Debian (bluez, icu, libntlm, libvorbis, libvpx, opensc, roundcube, and tar), Fedora (kernel, kernel-headers, kernel-tools, puppet, slurm, stargz-snapshotter, and suricata), openSUSE (netcdf), Oracle (bluez, kernel, kernel-container, krb5, mailman:2.1, openssh, python3, and rpm), Red Hat (samba), and SUSE (xen).
The 5.16-rc3 kernel prepatch is out for testing. "So rc3 is usually a bit larger than rc2 just because people had some time to start finding things. So too this time, although it's not like this is a particularly big rc3."
Version 8.1.0 of the PHP language has been released. This release includes a number of new features, including enumerations, read-only properties, fibers, and more. Meanwhile, a new foundation has been created to support development of PHP:
Greg Kroah-Hartman has announced the release of six new stable kernels: 5.10.82, 5.4.162, 4.19.218, 4.14.256, 4.9.291, and 4.4.293. These kernels contain lots of important fixes throughout the tree; users of those series should upgrade.
Security updates have been issued by Fedora (freerdp, gnome-boxes, gnome-connections, gnome-remote-desktop, guacamole-server, hydra, java-1.8.0-openjdk-aarch32, medusa, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, php, pidgin-sipe, remmina, vinagre, and weston), openSUSE (kernel and netcdf), and SUSE (kernel and netcdf).
Security updates have been issued by Fedora (busybox, getdata, and php), Mageia (couchdb, freerdp, openexr, postgresql, python-reportlab, and rsh), openSUSE (bind, java-1_8_0-openjdk, and kernel), SUSE (java-1_7_0-openjdk), and Ubuntu (icu).
Security updates have been issued by Debian (openjdk-17), Fedora (libxls, roundcubemail, and vim), openSUSE (bind, java-1_8_0-openjdk, and redis), Red Hat (kernel, kernel-rt, kpatch-patch, krb5, mailman:2.1, openssh, and rpm), Scientific Linux (kernel, krb5, openssh, and rpm), SUSE (bind, java-1_8_0-openjdk, redis, and webkit2gtk3), and Ubuntu (bluez).
The second 5.16 kernel prepatch is out for testing. "Nothing especially noteworthy stands out for the last week, it all felt pretty normal for a rc2 week".
The 5.15.4, 5.14.21, 5.10.81, and 5.4.161 stable kernels have been released. Each contains another set of important updates, but it's worth noting that 5.4.161 hasn't been through the usual review process due to an amusing bit of scripting confusion.
One does not normally expect a lot of disagreement over a 13-line patch that effectively tweaks a single line of code. Occasionally, though, such a patch can expose a disagreement over how the behavior of the kernel should be managed. This patch from Drew DeVault, who is evidently taking a break from stirring up the npm community, is a case in point. It brings to light the question of how the kernel community should pick default values for configurable parameters like resource limits.
Security updates have been issued by Arch Linux (chromium, grafana, kubectl-ingress-nginx, and opera), Debian (netkit-rsh and salt), Fedora (freeipa and samba), Mageia (opensc, python-django-filter, qt4, tinyxml, and transfig), openSUSE (opera and transfig), Red Hat (devtoolset-11-annobin, devtoolset-11-binutils, and llvm-toolset:rhel8), SUSE (php72 and php74), and Ubuntu (mailman and thunderbird).
The kernel provides a number of macros internally to allow code to generate warnings when something goes wrong. It does not, however, provide a lot of guidance regarding what should happen when a warning is issued. Alexander Popov recently posted a patch series adding an option for the system's response to warnings; that series seems unlikely to be applied in anything close to its current form, but it did succeed in provoking a discussion on how warnings should be handled.
Greg Kroah-Hartman has released two more stable kernels. 5.14.20 reverts three patches from the 5.14.19 release, while 5.10.80 is one of the massive updates mentioned yesterday. The other massive release mentioned, 5.15.3, is still under review and can be expected in the next day or two. As usual, the kernels released contain important fixes and users should upgrade. Update: 5.15.3 was also released.
Security updates have been issued by CentOS (binutils, firefox, flatpak, freerdp, httpd, java-1.8.0-openjdk, java-11-openjdk, kernel, openssl, and thunderbird), Fedora (python-sport-activities-features, rpki-client, and vim), and Red Hat (devtoolset-10-annobin and devtoolset-10-binutils).
Even encrypted data sent on the internet leaves some footprints—metadata about where packets originate, where they are bound, and when they are sent. Mix networks are meant to hide that metadata by routing packets through various intermediate nodes to try to thwart the traffic analysis used by nation-state-level adversaries to identify "opponents" of various kinds. Tor is perhaps the best-known mix network, but there are others that make different tradeoffs to increase the security of their users. Rollercoaster is a recently announced mechanism that extends the functionality of mix networks in order to more efficiently communicate among groups.
Security updates have been issued by CentOS (389-ds-base and libxml2), Debian (atftp, axis, and ntfs-3g), Fedora (digikam, freerdp, guacamole-server, and remmina), openSUSE (java-11-openjdk, kernel, samba, and tomcat), SUSE (firefox, java-11-openjdk, kernel, libarchive, samba, and tomcat), and Ubuntu (accountsservice, hivex, and openexr).
The 5.14.19 and 5.4.160 stable kernels have been released; these updates contain a huge number of important fixes. The equally massive 5.15.3 and 5.10.80 updates were also intended for release but, as the result of some problems that turned up in testing, they will be going through one more round of review first.
The Trojan Source vulnerabilities have been rippling through various development communities since their disclosure on November 1. The oddities that can arise when handling Unicode, and bidirectional Unicode in particular, in a programming language have led Rust, for example, to check for the problematic code points in strings and comments and, by default, refuse to compile if they are present. Python has chosen a different path, but work is underway to help inform programmers of the kinds of pitfalls that Trojan Source has highlighted.
Security updates have been issued by Debian (libxml-security-java), Fedora (botan2), openSUSE (drbd-utils, kernel, and samba), Red Hat (kernel and webkit2gtk3), SUSE (drbd-utils and samba), and Ubuntu (vim).
Version 2.34.0 of the Git source-code management system is out. "It is comprised of 834 non-merge commits since v2.33.0, contributed by 109 people, 29 of which are new faces". See this GitHub blog post for a look at some of the more significant changes in this release:
Linus Torvalds released 5.16-rc1 and ended the 5.16 merge window on November 14, as expected. At that point, 12,321 non-merge changesets had been pulled into the mainline; about 5,500 since our summary of the first half of the merge window was written. As is usually the case, the patch mix in the latter part of the merge window tended more toward fixes, but there were a number of other changes as well.