LWN.net

Of all the attacks on cryptographic code, timing attacks may be among themost insidious. An algorithm that appears to be coded correctly, perhapseven with a formal proof of its correctness, may be undermined byinformation leaked as the result of data-dependent timing differences.Both Arm and Intel have introduced modes that are intended to help defendagainst timing attacks, but the extent to which those modes should be usedin the kernel is still under discussion.

Security updates have been issued by Fedora (chromium and vim), Slackware (openssh), and Ubuntu (lrzip and tiff).

Version 7.5 of the LibreOffice Community edition is now available. LibreOffice is, of course, the FOSS desktop office suite; version 7.5 brings new features to multiple parts of the tool, including major improvements to dark mode, better PDF exports, improved bookmarks in Writer, data tables for charts in Calc, better interoperability with Microsoft Office, and lots more. Check out the release notes for further information.

Faith Ekstrand beginsan exploration of using the Rust language to write Vulkan graphicsdrivers.

OpenSSH9.2 has been released. It includes a number of security fixes,including one for a pre-authenticationdouble-free vulnerability that the project does not believe isexploitable. Other new features include support for channel-inactivitytimeouts, better control over sftp protocol parameters, and more.

Version2.37 of the GNU C Library has been released. This looks like arelatively low-key release, with the one "major new feature" described as:

On January 30, the GitHub blog carried abrief notice that the checksums of archives (such as tarballs)generated by the site had just changed. GitHub's engineers were seeminglyunaware of the consequences of such a change — consequences that wereimmediately evident to anybody familiar with either packaging systems or Hyrum's law. Those checksums werewidely depended on by build systems, which immediately broke when thechange went live; the resulting impact ofjawbones hitting the floor was observed by seismographs worldwide. Thechange has been reverted for now, but it is worth looking at how GitHubmanaged to casually break vast numbers of build systems — and why this sortof change will almost certainly happen again.

Security updates have been issued by Debian (cinder, glance, nova, openjdk-17, and python-django), Fedora (caddy, git-credential-oauth, mingw-opusfile, and pgadmin4), Slackware (apr and mozilla), and Ubuntu (apache2 and python-django).

The LWN.net Weekly Edition for February 2, 2023 is available.

Version 1.20 of the Go languagehas been released.

The discussions about the world of Python packaging and theproblems caused by its disparate tools and incompatible ecosystems arestill ongoing. Last week, we looked at thebeginnings of the conversation in mid-November, as the discussionturned toward a possible convergence between two of the majorpackage-management players: pip and conda. There are numerousbarriers to bringing the two closer together, inertia not least, but theadvantages for users of both, as well as new users to come, could besubstantial.

The Qubes OS news site has adetailed article on work being done to ensure the integrity of thesystem at boot time.

Version 7 ofthe Ubuntu-based elementary OS distribution has been released.

The6.1.9,5.15.91, and5.10.166stable kernel updates have been released; each contains another set ofimportant fixes.

Security updates have been issued by Debian (fig2dev and libstb), Fedora (seamonkey), SUSE (ctags, python-setuptools, samba, tmux, and xterm), and Ubuntu (advancecomp, apache2, python-django, slurm-llnl, and vim).

Kees Cook has posted adetailed document describing the work to improve safety offlexible-length arrays in the kernel.

When it comes to home automation, people often end up with devicessupporting the Zigbee or Z-Wave protocols, but those devices arerelatively expensive. When I was looking for a way to keep an eye on thetemperature at home a few years ago, I bought a bunch of cheaptemperature and humidity sensors emitting radio signals in the unlicensedISM (Industrial, Scientific, and Medical) frequency bands instead. Thanks to rtl_433 and, more recently, rtl_433_ESP and OpenMQTTGateway,I was able to integrate their measurements easily into my home-automationsystem.

Security updates have been issued by CentOS (bind, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, libXpm, pki-core, sssd, sudo, thunderbird, tigervnc, and xorg-x11-server), Debian (cinder, glance, libarchive, libhtml-stripscripts-perl, modsecurity-crs, node-moment, node-qs, nova, ruby-git, ruby-rack, and tiff), Fedora (java-17-openjdk, rust-bat, rust-cargo-c, rust-git-delta, rust-gitui, rust-pore, rust-silver, rust-tokei, and seamonkey), Oracle (libksba), Red Hat (kernel, kernel-rt, kpatch-patch, libksba, and pcs), Scientific Linux (libksba), SUSE (apache2-mod_auth_openidc, ghostscript, libarchive, nginx, python, vim, and xen), and Ubuntu (cinder, glance, linux-raspi, nova, python-future, and sudo).

Over at Linux.com, Yocto Project architect Richard Purdie writes about various kinds of problems that the project is experiencing, some of which stem from its success and growth. It is a story that will likely resonate with other open-source projects.

If legacy networks are like individual homes with a few doorswhere a handful of people have the key, then cloud-based environments are likeapartment complexes that offer both higher density and greater flexibility,but which include more key holders and potential entry points. The importanceof protecting virtual machines (VMs) running in these environments — fromboth the host and other tenants — has become increasingly clear.The Linux Secure VM ServiceModule (SVSM) isa new, Rust-based, open-source project that aims to help preserve the confidentialityand integrity of VMs on AMD hardware.

Security updates have been issued by Debian (curl, dojo, git, lemonldap-ng, libapache-session-browseable-perl, libapache-session-ldap-perl, libzen, node-object-path, openjdk-11, sofia-sip, tiff, tor, and varnish), Fedora (libgit2, open62541, pgadmin4, rubygem-git, rust-bat, rust-cargo-c, rust-git-delta, rust-gitui, rust-libgit2-sys, rust-libgit2-sys0.12, rust-pore, rust-pretty-git-prompt, rust-rd-agent, rust-rd-hashd, rust-resctl-bench, rust-resctl-demo, rust-silver, and rust-tokei), Scientific Linux (thunderbird), SUSE (ffmpeg, krb5, nginx, python39-setuptools, sssd, systemd, tiff, and virtualbox), and Ubuntu (linux-azure, linux-azure-5.4, linux-raspi2, linux-azure-fde, and mysql-5.7, mysql-8.0).

The 6.2-rc6 kernel prepatch is out fortesting.

Version1.67.0 of the Rust language has been released. The list of newfeatures is relatively short; it includes support for #[must_use]on async functions and a new multi-producer, single-consumer channelimplementation.

Memory allocation within the kernel is a complex business. The amount ofphysical memory available on any given system will be strictly limited,meaning that an allocation request can often only be satisfied by takingmemory from somebody else, but some of the options for reclaiming memorymay not be available when a request is made. Additionally,some allocation requests haverequirements dictating where that memory can be placed or how quickly theallocation must be made. The kernel'smemory-allocation functions have long supported a set of "GFP flags" usedto describe the requirements of each specific request. Those flags willprobably undergo some changes soon as the result of thispatch set posted by Mel Gorman; that provides an opportunity to look atthose flags in some detail.

Security updates have been issued by Debian (bind9, chromium, and modsecurity-apache), Fedora (libgit2, mediawiki, and redis), Oracle (go-toolset:ol8, java-1.8.0-openjdk, systemd, and thunderbird), Red Hat (java-1.8.0-openjdk and redhat-ds:12), SUSE (apache2, bluez, chromium, ffmpeg-4, glib2, haproxy, kernel, libXpm, podman, python-py, python-setuptools, samba, xen, xrdp, and xterm), and Ubuntu (samba).

The BPF subsystem exposes many aspects of the kernel's internal algorithmsand data structures; this naturally leads to concerns about maintaininginterface stability as the kernel changes. The longstanding position thatBPF offers no interface-stability guarantees to user space has alwaysseemed a little questionable; kernel developers have, in the past, foundthemselves having to maintain interfaces that were not intended to bestable. Now the BPF community is starting to think about what it mightmean to provide explicit stability promises for at least some of itsinterfaces.

Paul McKenney looks ata couple of Rust crates in an attempt to determine whether theyactually implement the read-copy-update algorithm; in the process, he givesan overview of the numerous RCU variants in the kernel.

Security updates have been issued by Debian (git), Fedora (libXpm and redis), Oracle (bind, firefox, grub2, java-1.8.0-openjdk, java-11-openjdk, kernel, libtasn1, libXpm, and sssd), Red Hat (thunderbird), SUSE (freeradius-server, kernel, libzypp-plugin-appdata, python-certifi, and xen), and Ubuntu (bind9, krb5, linux-raspi, linux-raspi-5.4, and privoxy).

The LWN.net Weekly Edition for January 26, 2023 is available.

While there are still systems with both byte orders,little-endian has largely "won" the battle at this point since the vast majority of today'ssystems store data with the least-significant byte first (at the lowestaddress). But when the X11 protocol was developed in the 1980s, there were lots of systems of each byte order, so the X protocol allowed either orderand the server (display side) would swap the bytes to its byte order asneeded. Over time, the code for swapping data in the messages, which was written in amore-trusting era, has bit-rotted so that it is now alargely untested attack surface that is nearly always unused. PeterHutterer has been doing some work to stop using that code by default, bothin upstream X.org code and in downstream Fedora.

The Free Software Foundation has announceda bylaw change requiring a 66% vote by the FSF board for any new or revisedcopyright licenses. The FSF has also announcedan expansion of its board of directors and a call for nominations fromamong its associate members.

Kostya Shishkov has just posted theconcluding installment of an extensive history of the FFmpeg project:

Users of the openSUSE Leap 15.3 distribution will want to be looking atmoving on; support for that release has come to an end. "The currentlymaintained stable release is openSUSE Leap 15.4, which will be maintaineduntil around end of 2023 (same lifetime as SLES 15 SP4 regularsupport)".

Security updates have been issued by Debian (libde265, nodejs, and swift), Fedora (nautilus), Oracle (bash, bind, curl, dbus, expat, firefox, go-toolset, golang, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, libreoffice, libtiff, libxml2, libXpm, nodejs, nodejs-nodemon, postgresql-jdbc, qemu, ruby:2.5, sqlite, sssd, sudo, and usbguard), Red Hat (bind, go-toolset-1.18, go-toolset:rhel8, kernel, kernel-rt, kpatch-patch, pcs, sssd, and virt:rhel, virt-devel:rhel), Scientific Linux (bind, java-1.8.0-openjdk, kernel, and sssd), SUSE (mozilla-nss, rubygem-websocket-extensions, rust1.65, rust1.66, and samba), and Ubuntu (mysql-5.7, mysql-5.7, mysql-8.0, pam, and samba).

The Python community is currently struggling with a longtime difficulty inits ecosystem: how to develop, package, distribute, and maintain librariesand applications. The current situation is sub-optimal in severaldimensions due, at least in part, to the existence of multiple,non-interoperable mechanisms and tools to handle some of those needs. Lastweek, we had an overview of Pythonpackaging as a prelude to starting to dig into the discussions. Inthis installment, we start to look at the kinds of problems that exist—andthe barriers to solving them.

Version 8.0 of the WINEWindows compatibility layer has been released. The headline featureappears to be the conversion to PE ("portable executable") modules:

The Open Source Technology Improvement Fund has announced thecompletion of a security audit of the Git source.

The6.1.8,5.15.90,5.10.165,5.4.230,4.19.271, and4.14.304stable kernel updates have all been released; each contains another set ofimportant fixes.

Security updates have been issued by Debian (kernel and spip), Fedora (kernel), Mageia (chromium-browser-stable, docker, firefox, jpegoptim, nautilus, net-snmp, phoronix-test-suite, php, php-smarty, samba, sdl2, sudo, tor, viewvc, vim, virtualbox, and x11-server), Red Hat (bash, curl, dbus, expat, firefox, go-toolset, golang, java-1.8.0-openjdk, java-17-openjdk, kernel, kernel-rt, kpatch-patch, libreoffice, libtasn1, libtiff, libxml2, libXpm, nodejs, nodejs-nodemon, pcs, postgresql-jdbc, sqlite, sssd, sudo, systemd, and usbguard), Scientific Linux (firefox, java-11-openjdk, and sudo), SUSE (freeradius-server, python-mechanize, and upx), and Ubuntu (exuberant-ctags, haproxy, ruby2.5, ruby3.0, and wheel).

Back in 2019, a high-profile containervulnerability led to the adoption of some complex workarounds and afrenzy of patching. The immediate problem wasfixed, but the incident was severe enough that security-consciousdevelopers have continued to look for ways to prevent similarvulnerabilities in the future. Thispatch set from Giuseppe Scrivano takes a rather simpler approach to theproblem.

Jamie Zawinski remindsus that the 25th anniversary of the Netscape open-source announcement —a crucial moment in free-software history — has just passed.

After a brief break of ... a dozen years or so ... Jon Masters has announcedthe return of his kernel podcast:

Security updates have been issued by Debian (powerline-gitstatus, tiff, and trafficserver), Fedora (dotnet6.0, firefox, git, kernel, libXpm, rust, sudo, upx, and yarnpkg), Mageia (kernel and kernel-linus), Red Hat (firefox, java-11-openjdk, and sudo), Slackware (mozilla and seamonkey), SUSE (cacti, cacti-spine, samba, and tor), and Ubuntu (firefox, php7.2, php7.4, php8.1, and python-setuptools, setuptools).

The 6.2-rc5 kernel prepatch is out.

Security updates have been issued by Debian (lava and libitext5-java), Oracle (java-11-openjdk, java-17-openjdk, and libreoffice), SUSE (firefox, git, mozilla-nss, postgresql-jdbc, and sudo), and Ubuntu (git, linux-aws-5.4, linux-gkeop, linux-hwe-5.4, linux-oracle, linux-snapdragon, linux-azure, linux-gkeop, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle-5.15, and linux-bluefield).

The Google Project Zero page showshow to compromise the kernel by using a NULL pointer to repeatedlyforce an oops and overflow a reference count.

Code that is added to the kernel can stay there for a long time; there iscode in current kernels that has been present for over 30 years.Nothing is forever, though. The kernel development community is currentlydiscussing the removal of two architectures and one filesystem, all ofwhich seem to have mostly fallen out of use. But, as we will see, removalof code from the kernel is not easy and is subject to reconsideration evenafter it happens.

Version 3.0 of the Pandocdocument-conversion tool has been released; the list of new features isquite long, including "chunked" HTML output, support for complex figures,and much more.

Security updates have been issued by Debian (firefox-esr, libitext5-java, sudo, and webkit2gtk), Fedora (firefox and qemu), Red Hat (java-11-openjdk and java-17-openjdk), Slackware (sudo), SUSE (sudo), and Ubuntu (python-urllib3 and sudo).

The LWN.net Weekly Edition for January 19, 2023 is available.