Version 2.38 of the GNU Binutils tool set has been released. Changesinclude new hardware support (including for the LoongArch architecture),various Unicode-handling improvements, a new --thin option toar for the creation of thin archives, and more.
Version 5.24of the KDE-based Plasma desktop is out; this is a long-term-supportrelease. Changes include various task-manager improvements, a new overviewmode, fingerprint-reader support, improved Wayland support, and more.
It's been two whole days since the last set of stable kernel releases, butthe long wait is over:5.16.8,5.15.22,5.10.99,5.4.178,4.19.228,4.14.265, and4.9.300have all been released. Each contains yet another set of important fixes.
This is a few days old, but evidently thereis still need for this message: Konstantin Ryabitsev explainshow it is easy to cause a commit to appear falsely to be part of a GitHubrepository:
Go 1.18, the biggest release of the Go language since Go 1.0 in March 2012, is expectedto be released in February. The first beta was released in December with two features which, each on their own, would havemade the release a big one. It adds support for generic types and nativesupport for fuzz testing.In the blog post announcing thebeta, core developer Russ Cox emphasized that the release "representsan enormous amount of work".
Security updates have been issued by CentOS (log4j), Debian (chromium, xterm, and zabbix), Fedora (kate, lua, and podman), Oracle (aide and log4j), and SUSE (xen).
Version 4.1.0 of the secure-desktop-oriented Qubes OS distribution has beenreleased. "Theculmination of years of development, this release brings a host of newfeatures, major improvements, and numerous bug fixes". New featuresan experimental GUI domain separate from dom0, the "Qrexec" policy system,progress toward a reproducible build, and more. See below and this article for more information.
Digital photography opens up a whole new world of photo postprocessingopportunities, especially if the photographer uses their camera's rawformat to take advantage of all of the data collected by the sensor. Onthe other hand, using raw images means doing without all of the processingdone by the camera and taking on a range of complex tasks. Raw photoeditors are designed to work with raw images as a key part of aphotographer's workflow. Your editor recently reviewed the darktable editor, but there areother options available in the free-software community. RawTherapee is a GPLv3-licensed raweditor that is in some ways simpler than darktable — but that is not thesame as saying that it is simple.
Security updates have been issued by Debian (ldns and libphp-adodb), Fedora (kernel, kernel-headers, kernel-tools, mingw-binutils, mingw-openexr, mingw-python3, mingw-qt5-qtsvg, scap-security-guide, stratisd, util-linux, and webkit2gtk3), Mageia (lrzsz, qtwebengine5, and xterm), openSUSE (chromium), and Ubuntu (python-django).
The 5.17-rc3 kernel prepatch is out fortesting. Linus says: "Things look fairly normal so far, with apretty average number of commits for an rc3 release".
The5.16.6,5.15.20,5.10.97, and5.4.177stable kernel updates have been released. Unfortunately, aproblem was reported almost immediately after that release, leading tothe reversion of a broken patch and the subsequent release of5.16.7,5.15.21, and5.10.98.It's worth noting that numerous groups tested the first set of releases andreported successful results (they can be seen as replies to the-rc1 posting), but nobody hit this problem in time.
Version1.20.0 of the GStreamer multimedia system is out. Changes include a new high-levelplayback library replacing GstPlayer, decoding support for WebM Alpha,updated Rust bindings, and more; see the announcement for lots of details.
Loading a BPF program into the kernel involves a lot of steps, includingverification, permissions checking, linking to in-kernel helper functions,and compilation to the native instruction format. Underneath all of that,though, lies one other simple task: allocating some memory to store thecompiled BPF program in the kernel's address space. It turns out that thisallocation can be somewhat wasteful of memory in current kernels, especially onsystems where large numbers of BPF programs are loaded. Thispatch set from Song Liu seeks to remedy this problem by introducing yetanother specialized memory allocator into the kernel.
Version2.35 of the GNU C Library has been released. New features includeUnicode 14.0.0 support, support for the C.UTF-8 locale, a bunch of new mathfunctions, support for restartablesequences, and much more; see the announcement for details.
Persistent memory has a number of advantages; it is fast, CPU-addressable,available in large quantities and, of course, persistent. But it also,arguably, poses a higher risk of suffering corruption as a result of bugsin the kernel. Protecting against this possibility is the objective of thispatch set from Ira Weiny, which makes use of Intel's "protection keyssupervisor" (PKS) feature to make it harder for the kernel to inadvertently writeto persistent memory.
With a more lengthy than usual message, Greg Kroah-Hartman has released the4.4.302 stable kernel; it will be the lastfrom the stable kernel team in the 4.4.x series. "Do not use itanymore unless you really know what you are doing." He notes that the Civil Infrastructure Platform (CIP) projectis considering maintaining 4.4 into the future; those interested should contact CIP. He also added some statistics showing a nearly six-year lifetime for the branch with 8.44changes per day from over 3500 developers.
The nasty vulnerability in pkexechas been rippling through the Linux world,leading to lots of security updates to the underlying polkitauthorization toolkit. It also led to a recent discussion on the Fedoradevel mailing list about whether pkexec, which runs aprogram as another user, is actuallyneeded—or wanted—in some or all of the distribution's editions. But pkexecis used by quite a few different Fedora components, particularly indesktop-oriented editions, and it could perhaps be a better choice than thealternatives for running programs with the privileges of another user.
Version 7.3 of the LibreOffice "Community" edition is out."In addition to the majority of code commits being focused oninteroperability with Microsoft's proprietary file formats, there is awealth of new features targeted at users migrating from Office, to simplifythe transition".
Security updates have been issued by CentOS (samba), Debian (apache2 and python-django), Fedora (kernel and phpMyAdmin), Mageia (kernel and kernel-linus), openSUSE (samba), Oracle (nginx:1.20 and samba), Red Hat (cryptsetup, java-1.8.0-ibm, kernel, nodejs:14, rpm, and vim), SUSE (kernel, python-Django, python-Django1, and samba), and Ubuntu (cron).
The problem of how to deprecate pieces of the Python languagein a minimally disruptive way has cropped in various guises over the last few years—in truth,it has been wrangled with throughout much of language's 30-year history.The scars of the biggest deprecation, that of Python 2, are still ratherfresh, both for users and the core developers, so no one wants (or plans)a monumental change of that sort. But the language community does want tocontinue evolving Python, which means leaving some "baggage" behind; howto do so without leaving further scars is a delicate balancing act, as yetanother discussion highlights.
The Systems and Network Security Group at Vrije Universiteit Amsterdam hasannounced a tool calledKasper that is able to scan the kernel source and locatespeculative-execution vulnerabilities:
For anybody who feels they haven't had enough stable kernel releasesrecently, the 5.16.5,5.15.19,5.10.96, and5.4.176stable kernel updates have been released; each contains another set ofimportant fixes.
Security updates have been issued by Debian (ipython), Fedora (kernel and usbview), Gentoo (webkit-gtk), Oracle (java-1.8.0-openjdk), Red Hat (kpatch-patch and samba), Scientific Linux (samba), Slackware (kernel), SUSE (kernel and samba), and Ubuntu (samba).
"Restartable sequences" are small segments of user-space code designed toaccess per-CPU data structures without the need for heavyweight locking.It is a relatively obscure feature, despite having been supported by theLinux kernel since the 4.18 release. Among other things, there is nosupport in the GNU C Library (glibc) for this feature. That is about tochange with the upcoming glibc 2.35release, though, so a look at the user-space APIfor this feature is warranted.
The vote hasconcluded in the Debian project on a general resolution affecting theway such resolutions are discussed in the future. The changes, as proposedby Russ Allbery, have been adopted with the required three-to-onesupermajority, though the overall level of voting was low.The new process is mostly as described in this article from Octoberwith a few changes. The end result may be to shorten the discussion periodfor controversial issues and make the end of that period more predictable.
Greg Kroah-Hartman has announced another set of eight stable kernels: 5.16.4, 5.15.18, 5.10.95, 5.4.175, 4.19.227, 4.14.264, 4.9.299, and 4.4.301. These are relatively small updatesthat, as usual, contain important fixes; users should upgrade.
Version2.0.0 of the Debian-based Nitrux distribution is available."This new version brings together the latest software updates, bugfixes, performance improvements, and ready-to-use hardware support."
By now, most readers are likely to be familiar with the Polkit vulnerability known as CVE-2021-4034.The fix for Polkit is relatively straightforward and is being rolled outacross the net. The root of this problem, though, lies in amisunderstanding about how programs are run on Unix-like systems. Thisproblem is highly likely to exist in other programs, so it would be nice tofind a more general solution. The best place to address this issue may bein the kernel, but properly working around thismisunderstanding without causing regressions is not an easy task.
Security updates have been issued by CentOS (java-1.8.0-openjdk), Debian (graphicsmagick), Fedora (grafana), Mageia (aom and roundcubemail), openSUSE (log4j and qemu), Oracle (parfait:0.5), Red Hat (java-1.7.1-ibm and java-1.8.0-openjdk), Slackware (expat), SUSE (containerd, docker, log4j, and strongswan), and Ubuntu (cpio, shadow, and webkit2gtk).
The Linux Storage, Filesystem, Memory-Management, and BPF Summit isscheduled for May 2 to 4 in Palm Springs, California; with luckit will actually happen this year. As usual, it is an invitation-onlyevent, with a preference for those who bring interesting topics to discuss.The call forproposals is out now, with a request for proposals to arrive beforeMarch 1.
Version 2.0 of GNU Poke, a binary-data editor, has been released. "Alot of things have changed and improved with respect to the 1.x series; wehave fixed many bugs and added quite a lot of new exciting and usefulfeatures." Look below for an extensive list of changes.
Greg Kroah-Hartman has announced the release of the 5.16.3, 5.15.17, 5.10.94, 5.4.174, 4.19.226, 4.14.263, 4.9.298, and 4.4.300 stable kernels. These all contain ahuge number of fixes all over the tree, so huge that 5.16.3 broke the scriptsused to create stable kernels; users should upgrade.
In mid-December, Thorsten Behrens, a board member for the Document Foundation (TDF),posted aseemingly simple proposal for an "attic" that would become the home ofabandoned projects. No specific projects were named as the first intendedresidents of the attic, but the proposalclearly related to the LibreOfficeOnline (LOOL) project. The followingdiscussion made it clear that the unhappiness around LOOL has yet to fadeaway, and that the Foundation still has some work to do when it comes todefining its relationship with its corporate members.
Security updates have been issued by CentOS (polkit), Debian (uriparser), Fedora (cryptsetup, flatpak, flatpak-builder, and polkit), Gentoo (polkit), Mageia (virtualbox), Red Hat (httpd24-httpd, httpd:2.4, and parfait:0.5), SUSE (clamav, log4j, python-numpy, and strongswan), and Ubuntu (vim).
Back in May, we looked at a Google proposalto replace third-partycookies with something called the"Federated Learning of Cohorts"(FLoC). Third-party cookies were once used to track users all over the webso that advertisers could, supposedly, target their ads better, but, of themajor browsers, only Google's Chrome browser fails to block them today. Googletook a fair amount of flak for FLoC, since it was not perceived to be muchof a win for users' privacy—and was mostly a sop to the (Google-dominated)web-advertising industry. Now the company is back with a differentproposal that could, eventually, replace third-party cookies in Chrome: Topics.
A few weeks back, we looked at a proposalto add an integrity-management feature to Fedora. One of the sellingpoints was that the integrity checking could be done using the PGPsignatures that are already embedded into the RPM package files that Fedorauses. But the kernel needs to be able to verify PGP signatures in orderfor the Fedora feature to work. That addition to the kernel has been proposed, butsome in the kernel-development community seem less than completelyenthusiastic about bringing PGP support into the kernel itself.
Qualys has announcedthe disclosure of a local-root vulnerability in Polkit. They are callingit "PwnKit" and have even provided a proof-of-concept video.
Version 2.35.0 of the Gitsource-code management system has been released. There are a lot ofchanges, as usual; see the announcement and this GitHubblog entry for details.
Security updates have been issued by CentOS (java-11-openjdk), Debian (aide, apr, ipython, openjdk-11, qt4-x11, and strongswan), Fedora (binaryen and rust), Mageia (expat, htmldoc, libreswan, mysql-connector-c++, phpmyadmin, python-celery, python-numpy, and webkit2), openSUSE (kernel and virtualbox), Red Hat (etcd, libreswan, nodejs:14, OpenJDK 11.0.14, OpenJDK 17.0.2, and rpm), Slackware (expat), SUSE (java-1_7_1-ibm, kernel, and zxing-cpp), and Ubuntu (strongswan).
LWN.net