Feed lwn LWN.net
Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-23 18:00
Security updates for Monday
Security updates have been issued by Arch Linux (c-ares, firefox, fossil, gitlab, jupyterlab, loki, lynx, opera, prosody, and vivaldi), Debian (amd64-microcode, exiv2, ffmpeg, thunderbird, and trafficserver), Fedora (libsndfile, rust-argh, rust-argh_derive, rust-argh_shared, rust-askalono-cli, rust-asyncgit, rust-bugreport, rust-crosstermion, rust-diskonaut, rust-dua-cli, rust-fancy-regex, rust-fedora-update-feedback, rust-filetreelist, rust-git-version, rust-git-version-macro, rust-gitui, rust-heatseeker, rust-jql, rust-pulldown-cmark, rust-sd, rust-shadow-rs, rust-skim, rust-textwrap, rust-tokei, rust-tui, rust-tui-react, rust-unicode-linebreak, rust-unicode-truncate, rust-urlencoding, rust-versions, rust-weezl, and zola), Mageia (dino, firefox, glibc, libvirt, mariadb, qtwebengine5, spice, sylpheed, claws-mail, and webkit2), openSUSE (grafana, kernel, libdnf, and openscad), Oracle (.NET 5.0, .NET Core 3.1, and virt:ol and virt-devel:rhel), Red Hat (compat-exiv2-026, exiv2, firefox, sssd, and thunderbird), SUSE (cpio and kernel), and Ubuntu (mariadb-10.3, mariadb-10.5).
Kernel prepatch 5.14-rc6
The 5.14-rc6 kernel prepatch is out for testing. "Nothing particular stands out to me. Go test, we should be getting pretty close to done with this release..."
Some weekend stable kernel updates
The 5.13.11, 5.10.59, 5.4.141, 4.19.204, 4.14.244, 4.9.280, and 4.4.281 stable kernel updates have been released; each contains a relatively small number of important fixes.
Debian 11 "bullseye" released
Debian 11, codenamed "bullseye", has been released after just over two years of development. It has lots of updates, including to half a dozen different desktop environments, lots of tools and programming languages, and, of course, more. It is available for nine different architectures.
KDE Gear 21.08
The KDE project has announced the release of KDE Gear 21.08, which updates the over 200 apps that are part of the project. The announcement highlights updates in many of the desktop tools that KDE Plasma users are accustomed to, including the Okular document viewer, the Dolphin file manager, Elisa music player, and Gwenview image viewer. The Konsole terminal application got updated as well:
[$] A firewall for device drivers
Device drivers, along with the hardware they control, have long been considered to be a trusted part of the system. This faith has been under assault for some time, though, and it fails entirely in some situations, including virtual machines that do not trust the host system they are running under. The recently covered virtio-hardening work is one response to this situation, but that only addresses a small portion of the drivers built into a typical kernel. What is to be done about the rest? The driver-filter patch from Kuppuswamy Sathyanarayanan demonstrates one possible approach: disable them altogether.
Security updates for Friday
Security updates have been issued by Debian (commons-io, curl, and firefox-esr), Fedora (perl-Encode), openSUSE (golang-github-prometheus-prometheus, grafana, and python-reportlab), Oracle (.NET Core 2.1, 389-ds:1.4, cloud-init, go-toolset:ol8, nodejs:12, nodejs:14, and rust-toolset:ol8), SUSE (aspell, firefox, kernel, and rpm), and Ubuntu (linux, linux-aws, linux-kvm, linux-lts-xenial and postgresql-10, postgresql-12, postgresql-13).
Facebook, Google, Isovalent, Microsoft and Netflix Launch eBPF Foundation as Part of the Linux Foundation
The Linux Foundation has announced the formation of the eBPF Foundation:
[$] PostgreSQL's commitfest clog
While it may seem like the number of developers would be the limiting factor in a free-software project, the truth of the matter is that, for all but the smallest of projects, the scarcest resource is reviewer time. Lots of people like to crank out code; rather fewer can find the time to take a close look at somebody else's patches. Free-software projects have taken a number of different approaches to address the review problem; the PostgreSQL developer community is currently struggling with its review load and considering changes to its commitfest process in response.
Stable kernels 5.13.10, 5.10.58, 5.4.140, and 4.19.203
Greg Kroah-Hartman has announced the release of the 5.13.10, 5.10.58, 5.4.140, and 4.19.203 stable kernels. As usual, they all contain important fixes throughout the kernel tree; users of those series should upgrade.
Security updates for Thursday
Security updates have been issued by CentOS (java-1.8.0-openjdk), Debian (firefox-esr, libspf2, and openjdk-11-jre-dcevm), Fedora (bluez, fetchmail, and prosody), Oracle (edk2, glib2, kernel, and libuv), Red Hat (.NET Core 3.1), SUSE (cpio), and Ubuntu (firefox and openssh).
[$] LWN.net Weekly Edition for August 12, 2021
The LWN.net Weekly Edition for August 12, 2021 is available.
[$] Scanning "private" content
Child pornography and other types of sexual abuse of children are unquestionably heinous crimes; those who participate in them should be caught and severely punished. But some recent efforts to combat these scourges have gone a good ways down the path toward a kind of AI-driven digital panopticon that will invade the privacy of everyone in order to try to catch people who are violating laws prohibiting those activities. It is thus no surprise that privacy advocates are up in arms about an Apple plan to scan iPhone messages and an EU measure to allow companies to scan private messages, both looking for "child sexual abuse material" (CSAM). As with many things of this nature, there are concerns about the collateral damage that these efforts will cause—not to mention the slippery slope that is being created.
Wheeler: Funded open source security work at the Linux Foundation
David A. Wheeler lists some of the security-related projects he is overseeing at the Linux Foundation. For example:
Security updates for Wednesday
Security updates have been issued by Debian (ceph), Fedora (buildah, containernetworking-plugins, and podman), openSUSE (chromium, kernel, php7, python-CairoSVG, python-Pillow, seamonkey, and transfig), Red Hat (microcode_ctl), SUSE (kernel and libcares2), and Ubuntu (c-ares).
Elementary OS 6 released
Version 6 of the elementary OS distribution is now available. "It’s been a long road to elementary OS 6—what with a whole global pandemic dropped on us in the middle of development—but it’s finally here. elementary OS 6 Odin is available to download now. And it’s the biggest update to the platform yet!" Headline changes include a new dark-mode theme, a switch to Flatpak for application packaging, a rewritten email client, and more.
[$] Incremental improvements in Linux Mint 20.2
Linux Mint 20.2 "Uma" was released in Cinnamon, MATE, and Xfce editions on July 8. This new version of the popular desktop-oriented distribution has several improvements, including changes to the Update Manager, a new "Sticky Notes" app, a bulk file-renaming tool, improved file search, and better memory management in Cinnamon. Mint 20.2 is a long-term support (LTS) release that will receive security updates until 2025.
Stable kernel update 4.4.280
The 4.4.280 stable kernel update is available; it contains a small set of fixes, mostly focused on the futex subsystem.
Firefox 91 released
The Firefox 91 release is available. Changes include stronger tracking-cookie protection, use of HTTPS within anonymous windows whenever possible, and more.
Security updates for Tuesday
Security updates have been issued by CentOS (flatpak and microcode_ctl), Debian (c-ares, lynx, openjdk-8, and tomcat9), Fedora (kernel), openSUSE (apache-commons-compress, aria2, djvulibre, fastjar, kernel, libvirt, linuxptp, mysql-connector-java, nodejs8, virtualbox, webkit2gtk3, and wireshark), Oracle (kernel, kernel-container, and microcode_ctl), Red Hat (glib2, kernel, kernel-rt, kpatch-patch, and rust-toolset-1.52 and rust-toolset-1.52-rust), Scientific Linux (microcode_ctl), SUSE (kernel), and Ubuntu (c-ares, gpsd, and perl).
[$] Hardening virtio
Traditionally, in virtualized environments, the host is trusted by its guests, and must protect itself from potentially malicious guests. With initiatives like confidential computing, this rule is extended in the other direction: the guest no longer trusts the host. This change of paradigm requires adding boundary defenses in places where there have been none before. Recently, Andi Kleen submitted a patch set attempting to add the needed protections in virtio. The discussion that resulted from this patch set highlighted the need to secure virtio for a wider range of use cases.
Security updates for Monday
Security updates have been issued by Debian (ansible and bluez), Fedora (curl, kernel, mod_auth_openidc, rust-rav1e, and webkit2gtk3), Mageia (kernel and kernel-linus), openSUSE (php7 and python-reportlab), Oracle (ruby:2.7), Red Hat (microcode_ctl), SUSE (fastjar, kvm, mariadb, php7, php72, php74, and python-Pillow), and Ubuntu (docker.io).
Kernel prepatch 5.14-rc5
The fifth 5.14 prepatch is out for testing. "Things are looking perfectly normal. Size is nominal, diffstat looks pretty normal, and the changes are all in the usual places"
Seven Sunday stable kernels
The 5.13.9, 5.10.57, 5.4.139, 4.19.202, 4.14.243, 4.9.279, and 4.4.279 stable kernel updates have been released. Each contains a small set of important fixes. Users of 4.4 should note that 4.4.280 is already in the review process; it is due on August 10.
[$] memfd_secret() in 5.14
The memfd_secret() system call has, in one form or another, been covered here since February 2020. In the beginning, it was a flag to memfd_create(), but its functionality was later moved to a separate system call. There have been many changes during this feature's development, but its core purpose remains the same: allow a user-space process to create a range of memory that is inaccessible to anybody else — kernel included. That memory can be used to store cryptographic keys or any other data that must not be exposed to others. This new system call was finally merged for the upcoming 5.14 release; what follows is a look at the form this call will take in the mainline kernel.
Security updates for Friday
Security updates have been issued by Debian (tomcat8), Mageia (bluez, exiv2, fetchmail, libsndfile, nodejs, php-pear, python-pillow, and rabbitmq-server), openSUSE (apache-commons-compress, balsa, djvulibre, mariadb, mysql-connector-java, nodejs8, opera, and spice-vdagent), Red Hat (ruby:2.7), SUSE (apache-commons-compress, djvulibre, java-11-openjdk, libsndfile, mariadb, nodejs8, and spice-vdagent), and Ubuntu (docker.io).
[$] The edge-triggered misunderstanding
The Android 12 beta release first appeared in May of this year. As is almost obligatory, this release features "the biggest design change in Android's history"; what's an Android release without requiring users to relearn everything? That historical event was not meant to include one change that many beta testers are noticing, though: a kernel regression that breaks a significant number of apps. This problem has just been fixed, but it makes a good example of why preventing regressions can be so hard and how the kernel project responds to them when they do happen.
Security updates for Thursday
Security updates have been issued by Debian (jetty9 and openexr), openSUSE (mariadb and virtualbox), Red Hat (go-toolset-1.15 and go-toolset-1.15-golang), SUSE (djvulibre and mariadb), and Ubuntu (opencryptoki).
[$] LWN.net Weekly Edition for August 5, 2021
The LWN.net Weekly Edition for August 5, 2021 is available.
[$] A GPSD time warp
The GPSD project provides a daemon for communicating with various GPS devices in order to retrieve the location information that those sensors provide. But the GPS satellites also provide highly accurate time information that GPSD can extract for use by Network Time Protocol (NTP) servers. A bug in the GPSD code will cause time to go backward in October, though, which may well cause some havoc if affected NTP servers do not get an update before then.
A set of stable kernels
Stable kernels 5.13.8, 5.10.56, 5.4.138, 4.19.201, 4.14.242, 4.9.278, and 4.4.278 have been released. They all contain important fixes and users should upgrade.
Security updates for Wednesday
Security updates have been issued by Debian (asterisk, libpam-tacplus, and wordpress), Fedora (buildah and podman), openSUSE (thunderbird and webkit2gtk3), Oracle (kernel and varnish:6), SUSE (kernel, kvm, and webkit2gtk3), and Ubuntu (libdbi-perl and php-pear).
Linux Kernel Security Done Right (Google Security Blog)
Over on the Google Security Blog, Kees Cook describes his vision for approaches to assuring kernel security in a more collaborative way. He sees a number of areas where companies could work together to make it easier for everyone to use recent kernels rather than redundantly backporting fixes to older kernel versions. It will take more engineers working on things like testing and its infrastructure, security tool development, toolchain improvements for security, and boosting the number of kernel maintainers:
[$] New features in Neovim 0.5
Neovim 0.5, the fifth major version of the Neovim editor, which descends from the venerable vi editor by way of Vim, was released on July 2. This release is the culmination of almost two years of work, and it comes with some major features that aim to modernize the editing experience significantly. Highlights include native support for the Language Server Protocol (LSP), which enables advanced editing features for a wide variety of languages, improvements to its Lua APIs for configuration and plugins, and better syntax highlighting using Tree-sitter. Overall, the 0.5 release is a solid upgrade for the editor; the improvements should please the existing fan base and potentially draw in new users and contributors to the project.
Security updates for Tuesday
Security updates have been issued by Arch Linux (chromium, nodejs, nodejs-lts-erbium, and nodejs-lts-fermium), Debian (pyxdg, shiro, and vlc), openSUSE (qemu), Oracle (lasso), Red Hat (glibc, lasso, rh-php73-php, rh-varnish6-varnish, and varnish:6), Scientific Linux (lasso), SUSE (dbus-1, lasso, python-Pillow, and qemu), and Ubuntu (exiv2, gnutls28, and qpdf).
Watson: Launchpad now runs on Python 3
On his blog, Colin Watson has a lengthy reflection on moving the code for Ubuntu's Launchpad software-collaboration web application from Python 2 to Python 3. He looks at some of the problem areas for upgrading, both in general and for Launchpad specifically, some pain points that were encountered, lessons learned, and the nine known regressions that reached the Launchpad production code during the process.
[$] Kernel topics on the radar
The kernel-development community is a busy place, with thousands of emails flying by every day and many different projects under development at any given time. Much of that work ends up inspiring articles at LWN, but there is no way to ever cover all of it, or even all of the most interesting parts. What follows is a first attempt at what may become a semi-regular LWN feature: a quick look at some of the work that your editor is tracking that may or may not show up as the topic of a full article in the future. The first set of topics includes memory folios, task isolation, and a lightweight threading framework from Google.
GNU C Library 2.34 released
Version 2.34 of the GNU C library has been released. Significant changes include the folding of libpthread, libdl, libutil, and libanl into the main library, support for 64-bit (year-2038 safe) times on 32-bit systems, support for the close_range() system call, a handful of security fixes, and many other changes.
Stable kernel updates
Stable kernels 5.13.7, 5.10.55, 5.4.137, and 4.19.200 have been released. As usual, there are important fixes and users should upgrade.
Security updates for Monday
Security updates have been issued by Arch Linux (389-ds-base, consul, containerd, geckodriver, powerdns, vivaldi, webkit2gtk, and wpewebkit), Debian (aspell, condor, libsndfile, linuxptp, and lrzip), and Fedora (bluez, buildah, java-1.8.0-openjdk, java-11-openjdk, java-latest-openjdk, kernel, kernel-tools, mbedtls, mingw-exiv2, mingw-python-pillow, mrxvt, python-pillow, python2-pillow, redis, and seamonkey).
Kernel prepatch 5.14-rc4
The 5.14-rc4 kernel prepatch is out for testing. "Nothing to see here, entirely normal rc4".
[$] Strict memcpy() bounds checking for the kernel
The C programming language is famously prone to memory-safety problems that lead to buffer overflows and a seemingly endless stream of security vulnerabilities. But, even in C, it is possible to improve the situation in many cases. One of those is the memcpy() family of functions, which are used to efficiently copy or overwrite blocks of memory; with a bit of help from the compiler, those functions can be prevented from writing past the end of the destination object they are passed. Enforcing that condition in the kernel is harder than one might expect, though, as this massive patch set from Kees Cook shows.
Security updates for Friday
Security updates have been issued by Debian (libsndfile and openjdk-11), Fedora (php-pear and seamonkey), openSUSE (fastjar and php7), SUSE (php72, qemu, and sqlite3), and Ubuntu (libsndfile, php-pear, and qpdf).
The GNU C Library copyright-assignment policy changes
The change in copyright-assignment policy proposed in June for the GNU C Library project has now been adopted:
FSF-funded call for white papers on philosophical and legal questions around Copilot
On its blog, the Free Software Foundation (FSF) has announced a call for white papers about GitHub Copilot and the questions surrounding it. The FSF will pay $500 for papers that it publishes because they "help elucidate the problem":
[$] Hole punching races against page-cache filling
Filesystem developers tend to disagree with each other about many things, but they are nearly unanimous in their dislike for the truncate() system call, which chops data off the end of a file. Implementing truncate() tends to be full of traps for the unwary — the kind of traps that can lead to lost data. But it turns out that a similar operation, called "hole punching", may be worse. This operation has been subject to difficult-to-hit but real race conditions in many filesystems for years; this patch set from Jan Kara may finally be at a point where it can fill the hole in hole punching.
Security updates for Thursday
Security updates have been issued by Debian (webkit2gtk), Fedora (ruby and webkit2gtk3), Mageia (aspell and varnish), openSUSE (git), SUSE (ardana-cobbler, cassandra, cassandra-kit, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-heat-templates, openstack-monasca-installer, openstack-nova, python-Django, python-elementpath, python-eventlet, python-py, python-pysaml2, python-six, python-xmlschema and git), and Ubuntu (libsndfile, mariadb-10.3, and webkit2gtk).
[$] LWN.net Weekly Edition for July 29, 2021
The LWN.net Weekly Edition for July 29, 2021 is available.
[$] Python gets a "Developer-in-Residence"
Backlogs in bug triage, code review, and other elements of the development process are nothing new for free-software projects; there is clearly a lot more interest in creating new features (and the bugs that go with them, of course) than in taking on the less-satisfying bits. For a large project like CPython, though, the backlog can seriously impede progress—potentially chasing off contributors whose work falls through the cracks. In order to address that, the Python Software Foundation (PSF) has raised some funds to hire Łukasz Langa as the CPython "Developer-in-Residence". Langa will be working to help clear the backlog, while also looking into other areas of interest to the PSF and the Python steering council.
A set of stable kernels
Stable kernels 5.13.6, 5.10.54, 5.4.136, 4.19.199, 4.14.241, 4.9.277, and 4.4.277 have been released. They all contain important fixes and users should upgrade.