Security updates have been issued by Debian (ffmpeg and tomcat9), Fedora (et and kernel), openSUSE (binutils, rubygem-activerecord-5_1, samba, and tinyxml), Oracle (freerdp and httpd:2.4), Red Hat (devtoolset-11-gcc, gcc-toolset-10-binutils, kernel, kernel-rt, and kpatch-patch), and Scientific Linux (freerdp).
Over on the Google Security blog, Jonathan Metzman announced the release of ClusterFuzzLite, which is "a continuous fuzzing solution that runs as part of CI/CD workflows to find vulnerabilities faster than ever before". ClusterFuzzLite is a descendant of OSS-Fuzz, which we looked at in 2017.
The memory-management subsystem remains one of the most complex parts ofthe kernel, with an ongoing reliance on various heuristics forperformance. It is thus not surprising that developers continue to try toimprove its functionality. A number of memory-management patches arecurrently in circulation; read on for a look at the freeing of page-tablepages, kvmalloc() flags, memory clearing, and NUMA "home nodes".
Greg Kroah-Hartman has announced the release of eight stable kernels: 5.15.2, 5.14.18, 5.10.79, 5.4.159, 4.19.217, 4.14.255, 4.9.290, and 4.4.292. They contain a relatively small setof important fixes, but, as usual, users should upgrade.
Security updates have been issued by Debian (node-tar, postgresql-11, postgresql-13, and postgresql-9.6), Fedora (autotrace, botan2, chafa, converseen, digikam, dmtx-utils, dvdauthor, eom, kxstitch, pfstools, php-pecl-imagick, psiconv, q, R-magick, radeontop, rss-glx, rubygem-rmagick, synfig, synfigstudio, vdr-scraper2vdr, vdr-skinelchihd, vdr-skinnopacity, vdr-tvguide, and WindowMaker), Mageia (kernel, kernel-linus, and openafs), openSUSE (kernel), Red Hat (freerdp), SUSE (bind and kernel), and Ubuntu (openexr, postgresql-10, postgresql-12, postgresql-13, and samba).
While the "Trojan Source" vulnerabilitieshave, thus far, generated far more publicity than examples of actualexploits, addressing the problem still seems like a good thing to do.There are several places where defenses could be put into place; texteditors, being the place where developers look at a lot of code, are oneobvious example. The discussion of how to enhance Emacs in this regard hasmade it clear, though, that there are multiple opinions about how an editorshould flag potential attacks.
On November 10, the Go programming language community celebrated the 12th anniversary of its release as open-source software. The post covers a number of different topics, including the consolidation of web sites at go.dev, releases and their features over the last year, as well as a look to the future:
Security updates have been issued by Debian (icinga2, libxstream-java, ruby-kaminari, and salt), Fedora (awscli, cacti, cacti-spine, python-boto3, python-botocore, radeontop, and rust), Mageia (firefox, libesmtp, libzapojit, sssd, and thunderbird), openSUSE (samba and samba and ldb), SUSE (firefox, pcre, qemu, samba, and samba and ldb), and Ubuntu (firejail, linux-bluefield, linux-gke-5.4, linux-oracle, linux-oracle-5.4, linux-oem-5.10, linux-oem-5.14, and python-py).
Python supports default values for arguments to functions, but thosedefaults are evaluated at function-definition time. A proposal to adddefaults that are evaluated when the function is called has been discussedat some length on the python-ideas mailing list. The idea came about, in part,due to yet another resurrection of the proposalfor None-aware operators in Python. Late-bound defaults would helpwith one use case for those operators, but there are other, strongerreasons to consider their addition to the language.
There is a set of new Samba releases out there. They fix a long andintimidating list of security issues and seem worth upgrading to for anybut the most protected of Samba servers.
The Julia programming language hasits roots in high-performance scientific computing, so it is no surprisethat it has facilities for concurrent processing. Those features are notwell-known outside of the Julia community, though, so it is interesting tosee the different types of parallel and concurrent computation that thelanguage supports. In addition, the upcoming release of Juliaversion 1.7 brings an improvement to the language'sconcurrent-computation palette, in the form of "task migration".
The x86 instruction set is large, but that doesn't mean it can't get biggeryet. Upcoming Intel processors will feature a new set of instructionsunder the name of "Advanced Matrix Extensions" (AMX) that can be used tooperate on matrix data. After a somewhat bumpy developmentprocess, support for AMX has found its way into the upcoming 5.16 kernel.Using it will, naturally, require some changes by application developers.
Security updates have been issued by Debian (containerd, redis, and sqlalchemy), Fedora (kernel, radeontop, rpki-client, and webkit2gtk3), openSUSE (java-1_8_0-openj9, libvirt, mailman, transfig, and webkit2gtk3), Oracle (thunderbird), SUSE (libvirt), and Ubuntu (icu).
Back in September, LWN reported on a seriesof block-layer optimizations that enabled a suitably equipped system tosustain 3.5 million I/O operations per second (IOPS). Thatoptimization work has continued since then, and those 3.5 million IOPSwould be a deeply disappointing result now. A recent disagreement over theaddition of a new feature has highlighted the potential cost of a heavilyoptimized block layer, though; when is a feature deemed important enough tooutweigh the drive for maximum performance?
Security updates have been issued by Debian (python3.5, redis, and udisks2), Fedora (rust), openSUSE (binutils, java-1_8_0-openj9, and qemu), Oracle (firefox and httpd), Red Hat (thunderbird), Scientific Linux (thunderbird), and SUSE (binutils, qemu, and systemd).
As of this writing, Linus Torvalds has pulled exactly 6,800 non-mergechangesets into the mainline repository for the 5.16 kernel release. Thatis probably a little over half of what will arrive during this mergewindow, so this is a good time to catch up on what has been pulled so far.There are many significant changes and some large-scale restructuring ofinternal kernel code, but relatively few ground-breaking newfeatures.
Security updates have been issued by Fedora (ansible, chromium, kernel, mupdf, python-PyMuPDF, rust, and zathura-pdf-mupdf), openSUSE (qemu and webkit2gtk3), Red Hat (firefox and kpatch-patch), Scientific Linux (firefox), SUSE (qemu, tomcat, and webkit2gtk3), and Ubuntu (firefox and thunderbird).
A new security vulnerability that was disclosedon November 1 has some interesting properties. "Trojan Source", as it has beendubbed, is effectively an attack on human perceptions, especially as theyare filtered through the tools used for source-code review. While thespecifics of the flaw are new, this kind of trickery is not completelynovel, but Trojan Source finds another way to confuse the humans who arein the loop.
Security updates have been issued by Fedora (CuraEngine, curl, firefox, php, and vim), openSUSE (apache2, pcre, salt, transfig, and util-linux), Oracle (.NET 5.0, curl, kernel, libsolv, python3, samba, and webkit2gtk3), and Red Hat (flatpak).
While it is often relatively straightforward to determine what packageprovided a binary that is misbehaving—crashing for instance—on Fedora andother Linux distributions, there are situations where it may be harder todo so. A feature recently proposed for Fedora 36—currentlyscheduled for the end of April 2022—would embed information into thebinaries themselves to show where they came from. It is part of amulti-distribution effort to standardize how this information is stored inthe binaries (and the libraries they use) to assist crash-reporting and other tools.
Stable kernels 5.14.16, 5.10.77, 5.4.157, 4.19.215, 4.14.254, 4.9.289, and 4.4.291 have been released. They containimportant fixes and users should upgrade.
Firefox 94.0 has beenreleased. Linux users should see improvedWebGL performance and reduced power consumption for many workloads. Theabout:unloadspage shows the user information about open tabs and allows them to releasesystem resources by unloading tabs without closing them. SiteIsolation provides better protection against side-channel attacks. Seethe announcement for more new features in this release.Firefox ESR91.3 is also available, with various stability, functionality, and securityfixes.
Security updates have been issued by Debian (asterisk, bind9, glusterfs, and openjdk-11), Fedora (ansible and CuraEngine), openSUSE (mailman and opera), Oracle (binutils and flatpak), Red Hat (curl, flatpak, java-1.8.0-ibm, kernel, kernel-rt, libsolv, python3, samba, and webkit2gtk3), Scientific Linux (binutils and flatpak), SUSE (binutils and transfig), and Ubuntu (ceph and mailman).
The long-running and sometimes acrimonious discussion on the memory folio patch set has come to an end:the folio patches were the first thing pulled into the mainline repositoryfor the 5.16 development cycle. Now the developers involved just have todo all of the other work identified as necessary to clean up thememory-management subsystem and isolate it from other parts of the kernel.
The 5.15 kernel was released onOctober 31, with the code name appropriately changed to "Trick orTreat". By that time, 12,377 non-merge changesets had been merged into themainline, adding a net total of 332,000 lines of code. Read on for a lookat where the contributions to the 5.15 kernel came from.
The latest branded and trademarked vulnerability type is called "Trojan Source". By playing trickswith Unicode bidirectional support, an attacker can create malicious codethat appears to be benign to reviewers. "The attack is to usecontrol characters embedded in comments and strings to reorder source codecharacters in a way that changes its logic." Various releases,including Rust1.56.1,are being made to address this problem.
Version 3.4 of The Yocto Project has been released. Yocto provides a system for building embedded Linux distributions. This release comes with "Linux kernel 5.14, glibc 2.34 and ~280 other recipe upgrades", support for building and cross-compiling Rust code, tons of new recipes, a way to create a SPDX bill of materials (BoM), overlayfs and seccomp support, optimizations, bug fixes, and more. The fullrelease notes have further information.
For all of you youngsters out there, the Internet has always beenomnipresent, computers are something you carry in your pocket, the Unixwars are about as relevant as the War of 1812, and the term "NIS" doesn'tring a bell. But, for a certain class of Unix old-timer, NIS has a distinctplace in history — and, perhaps, in still-deployed systems. So thesuggestion that Fedora might drop support for NIS has proved to be a bit ofa wakeup call for some.
Security updates have been issued by Debian (bind9, gpsd, jbig2dec, libdatetime-timezone-perl, tzdata, webkit2gtk, and wpewebkit), Fedora (flatpak, java-1.8.0-openjdk, java-11-openjdk, and php), SUSE (qemu), and Ubuntu (bind9).
Software Freedom Conservancy has had several exemptions granted that it requested to the Digital Millennium Copyright Act (DMCA) by the US Library of Congress for activities of interest to free-software developers:
One does not normally expect to see a great deal of angst over a one-pageshell script, even on the Internet. But Debian is special, so it has beenhaving an extended discussion over the fate of the which commandthat has been escalated to the Debian Technical Committee. The amount ofattention that has been given to a small, nonstandard utility shines alight on Debian's governance processes and the interaction of traditionwith standards.
The oss-securitymailing list is specifically set up for reports and discussion of security flaws inopen-source software after their embargo, if any, has expired. But theresponse to a recentreportof the fix for a security flaw in the Linux kernel went in a differentdirection than usual. The report did not break the two-week embargoperiod, instead it was "late", which has highlighted some problems in themanagement of flaws of this nature.
LWN.net