Security updates have been issued by Debian (gdal, maven-shared-utils, thunderbird, webkit2gtk, and wpewebkit), Fedora (firefox and libofx), SUSE (dpdk, firefox, flatpak, grafana, kernel, libcaca, and opera), and Ubuntu (ghostscript and linux-gcp-5.15).
Andrey Konovalov began his 2022 LinuxSecurity Summit Europe (LSS EU) talk with a bold statement: "fuzzing isuseless". As might be guessed, he qualified that assertion quickly byadding "without dynamic bug detectors". These bug detectors include"sanitizers" of various sorts, such as the Kernel AddressSanitizer (KASAN), but there are others. Konovalov looked in detail at KASANand gave an overview of thesanitizer landscape along with some ideas of ways to push these bugdetectors further—to find even more kernel bugs.
Version5.6 of the LXD container manager is out. Changes include the abilityto stream log messages to a Grafana Loki server, Infiniband support forvirtual machines, a restricted network access mode, and more.
Security updates have been issued by Debian (dovecot and firefox-esr), Fedora (firefox and grafana), Red Hat (firefox and thunderbird), Slackware (dnsmasq and vim), SUSE (dpdk, firefox, kernel, libarchive, libcaca, mariadb, openvswitch, opera, permissions, podofo, snakeyaml, sqlite3, unzip, and vsftpd), and Ubuntu (expat, libvpx, linux-azure-fde, linux-oracle, squid, squid3, and webkit2gtk).
The CHERIarchitecture is the product of a research program to extend commonCPU architectures in a way that prevents many types of memory-related bugs (andvulnerabilities). At the 2022 GNU Tools Cauldron,Alex Coplan and Szabolcs Nagy described the work that has been done tobring GCC and the GNU C Library (glibc) to this architecture. CHERI is a fundamentallydifferent approach to how memory is accessed, and supporting it properly is anythingbut a trivial task.
Security updates have been issued by Debian (expat and poppler), Fedora (dokuwiki), Gentoo (fetchmail, grub, harfbuzz, libaacplus, logcheck, mrxvt, oracle jdk/jre, rizin, smarty, and smokeping), Mageia (tcpreplay, thunderbird, and webkit2), SUSE (dpdk, permissions, postgresql14, puppet, and webkit2gtk3), and Ubuntu (linux-gkeop and sosreport).
Arch Linux has announcedthat Python 2 is being removed from the distribution's repositories."If you still require the python2 package you can keep it around, butplease be aware that there will be no security updates."
For better or worse, C is the lingua franca in the world of kernelengineering. The core logic of the Linux kernel is written entirely inC (with a bit of assembly), as are its drivers and modules. While C isrightfully celebrated forits powerful yet simple semantics, it is an older language that lacksmany of the features present in modern languages such asRust. TheBPF subsystem, on the other hand,provides a programming environment that allows engineers to writeprograms that can run safely in kernel space. At the 2022 Linux Plumbers Conference in Dublin, Ireland, Alexei Starovoitov presented an overviewof how BPF has evolved over the years to provide a new model for kernelprogramming.
At the 2022 LinuxSecurity Summit Europe (LSS EU), Gustavo A. R. Silva reported in onwork he has been doing on "flexible" arrays in the kernel. While thesearrays provide some ... flexibility ... they are also a source of bugs,which can often result in security vulnerabilities. He has been working on waysto make the use of flexible arrays safer in the kernel.
Version1.64.0 of the Rust language has been released. Changes include thestabilization of the IntoFuturetrait, easier access to C-compatible types, the availability ofrust-analyzer viarustup, and more.
Public hosting systems for free software have come and gone over the yearsbut one of them, Sourceware, has beensupporting the development of most of the GNU toolchain for nearly25 years. Recently, an application was made to bringSourceware under the umbrella of the Software Freedom Conservancy (SFC), at least forfundraising purposes. It turns out that there is a separate initiative,developed in secret until now, with a different vision for the future ofSourceware. The 2022 GNUTools Cauldron was the site of an intense discussion on how thisimportant community resource should be managed in the coming years.
Konstantin Ryabitsev has announcedthe availability of rendereddocumentation from linux-next on kernel.org. This will be useful foranybody wanting to see what the documentation for the next kernel releasewill look like.
The Debian project has begun voting onchanges to its approach to firmware needed to install a workingdistribution. The original ballot options described in this article are still there, but this isDebian so there are several others as well. Some of the additions includechanges to the Debian Social Contract that explicitly allow the shipping offirmware needed to use Debian on hardware requiring that firmware.
The traditional mechanism for launching a program in a new process on Unixsystems—forking and execing—has been with us for decades, but it is notreally the most efficient of operations. Various alternatives have beentried along the way but have not supplanted the traditional approach. A newmechanism created by Josh Triplett adds process creationto the io_uring asynchronous I/O API andshows great promise; he came to the 2022Linux Plumbers Conference (LPC) to introduce io_uring_spawn.
The5.19.10,5.15.69,5.10.144,5.4.214,4.19.259,4.14.294, and4.9.329stable kernel updates have all been released; each contains another set ofimportant fixes.
Security updates have been issued by Fedora (dokuwiki and rizin), SUSE (libcontainers-common, permissions, sqlite3, and wireshark), and Ubuntu (tiff, vim, and xen).
After a two-year hiatus, the 2022 Linux Kernel Maintainers Summit returnedto an in-person format in Dublin, Ireland on September 15. Around 30kernel developers discussed a number of process-related issues relating tothe kernel community. LWN had the privilege of being there and is able,once again, to report from the event. This years sessions includeddiscussions of regression handling, the imminent merging of Rust support,BPF, the kernel development process, and more.
Security updates have been issued by Debian (connman and e17), Fedora (curl, open-vm-tools, pcs, and python-lxml), Mageia (curl, dpkg, freecad, gimp, libtar, libtiff, mediawiki, ostree, python-lxml, schroot, SDL12, sdl2, wireshark, and zlib), Oracle (kernel and php:7.4), Red Hat (php:7.4), Slackware (vim), SUSE (chromium, kernel, libarchive, libtirpc, mupdf, python-rsa, ruby2.5, and virtualbox), and Ubuntu (linux-intel-iotg).
Nobody should need more memory than a 64-bit pointer can address — or sodevelopers tend to think. The range covered by a pointer of that sizeseems to be nearly infinite. During the Kernel Summit track at the 2022 Linux Plumbers Conference, MatthewWilcox took the stage to make the point that 64 bits may turn out tobe too few — and sooner than we think. It is not too early to startplanning for 128-bit Linux systems, which he termed "ZettaLinux", and wedon't want to find ourselves wishing we'd started sooner.
Security updates have been issued by Debian (bzip2, chromium, glib2.0, libraw, mariadb-10.3, and mod-wsgi), Fedora (kdiskmark, wordpress, and zlib), Oracle (.NET 6.0, .NET Core 3.1, mariadb:10.3, nodejs:14, nodejs:16, ruby:2.7, and ruby:3.0), Red Hat (.NET 6.0, php:7.4, and webkit2gtk3), SUSE (389-ds, flatpak, kernel, libgit2, and thunderbird), and Ubuntu (sqlite3, vim, and wayland).
Parts of the Rust language may look familiar to C programmers, but the twolanguages differ in fundamental ways. One difference that turns out to beproblematic for kernel programming is the stability of data in memory — orthe lack thereof. A challenging session at the 2022 Kangrejos conference wrestled withways to deal with objects that should not be moved behind the programmer'sback.
Greg Kroah-Hartman has announced the release of the 5.19.9, 5.15.68, 5.10.143, 5.4.213, 4.19.258, 4.14.293, and 4.9.328 stable kernels. As usual, theycontain important fixes throughout the kernel tree; users of those seriesshould upgrade.
Security updates have been issued by Debian (nova, pcs, and rails), Fedora (firejail, moby-engine, and pspp), Oracle (.NET 6.0, gnupg2, kernel, python3, and rsyslog rsyslog7), Red Hat (.NET 6.0 and .NET Core 3.1), SUSE (kernel), and Ubuntu (intel-microcode, poppler, and webkit2gtk).
Typically, an urgent security release of a project is not for atwo-year-old CVE, but such is the case for a recentPython release of four versions of the language. The bug is adenial of service (DoS) that can be caused by converting enormous numbers tostrings—or vice versa—but it was not deemed serious enough to fixwhen it was first reported. Evidently more recent reports, including a remote exploit of thebug, have raised its importance—causing a rushed-out fix. But thefix breaks some existing Python code, and the process of handling theincident has left something to be desired, leading the project to look atways to improve its processes.
Security updates have been issued by CentOS (open-vm-tools), Debian (freecad and sqlite3), Fedora (qt5-qtwebengine and vim), SUSE (firefox, kernel, libzapojit, perl, postgresql14, and samba), and Ubuntu (dotnet6, dpdk, gdk-pixbuf, rust-regex, and systemd).
Security updates have been issued by Debian (connman and python-oslo.utils), Fedora (libapreq2), Red Hat (booth, gnupg2, kernel, kernel-rt, mariadb:10.3, nodejs:14, nodejs:16, python3, ruby:2.7, and ruby:3.0), SUSE (chromium, opera, python2-numpy, and rubygem-kramdown), and Ubuntu (poppler).
While the Rust language has appeal for kernel development, many developers areconcerned by the fact that there is only one compiler available; there aremany reasons why a second implementation would be desirable. At the 2022Kangrejos gathering, three developersdescribed projects to build Rust programs with GCC in two different ways. A fully featured, GCC-based Rustimplementation is still going to take some time, but rapid progress isbeing made.
Security updates have been issued by Fedora (mediawiki), SUSE (libEMF, libnl-1_1, libnl3, mariadb, nodejs16, php8-pear, postgresql12, and rubygem-rake), and Ubuntu (linux-raspi, linux-raspi-5.4, and tiff).
Greg Kroah-Hartman has announced the release of the 5.19.8, 5.15.66, and 5.10.142. As usual, those contain importantfixes throughout the kernel tree. Immediately thereafter, he released5.15.67 to fix a permissions problem on akernel build script.
Huge pages are a mechanism implemented by the CPU that allows the managementof memory in larger chunks. Use of huge pages can increase performancesignificantly, which is why the kernel has a "transparent huge page"mechanism to try to create them when possible. But a huge page will onlybe helpful if most of the memory contained within it is actually in use;otherwise it is just an expensive waste of memory. This patchset from Alexander Zhu implements a mechanism to detect underutilizedhuge pages and recover that wasted memory for other uses.
Security updates have been issued by Debian (libgoogle-gson-java), Fedora (autotrace, insight, and open-vm-tools), Oracle (open-vm-tools), Red Hat (open-vm-tools, openvswitch2.13, openvswitch2.15, openvswitch2.16, openvswitch2.17, ovirt-host, and rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon), Scientific Linux (open-vm-tools), Slackware (python3), SUSE (clamav, gdk-pixbuf, gpg2, icu, ImageMagick, java-1_8_0-ibm, libyajl, mariadb, udisks2, webkit2gtk3, and yast2-samba-provision), and Ubuntu (dnsmasq).
Starting a Python application typically results in a flurry of imports asmodules from various locations (and the modules they import) get addedinto the application process. All of that occurs before the applicationeven gets started doing whatever it is the user actually launched it for;that delay can be significant—and annoying. Beyond that, many of thoseimports may not be necessary at all for the code path being followed, soeagerly doing the import is purely wasted time. A proposal back in Maywould add a way for applications to choose lazy imports, where the importis deferred until the module is actually used.
Security updates have been issued by Fedora (curl, protobuf-c, and vim) and SUSE (gimp, java-1_8_0-openj9, libostree, openvswitch, python-bottle, python-Flask-Security-Too, and zabbix).