LWN.net
Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-23 19:45
Security updates for Wednesday
Security updates have been issued by Fedora (golang), Mageia (curl, filezilla, jdom/jdom2, netty, pdfbox, perl-Mojolicious, perl-Net-CIDR-Lite, perl-Net-Netmask, python-urllib3, python3, quassel, transfig, and virtualbox), openSUSE (umoci), Red Hat (rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon and rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon), and SUSE (firefox, glibc, libsndfile, linuxptp, qemu, and umoci).
[$] A look forward to Linux Plumbers 2021
The annual Linux Plumbers Conference (LPC) is a gathering of a relatively small subset of the developers working on the low-level (plumbing) details of Linux systems. It covers topics from below the kernel through the user-space components that underlie the interfaces and applications that most Linux users interact with. This year's event will be held virtually September 20‑24; it is shaping up to be another great edition of one of the premier open-registration Linux technical conferences on the calendar.
Security updates for Tuesday
Security updates have been issued by Debian (drupal7), Fedora (linux-firmware), openSUSE (qemu), Oracle (kernel and thunderbird), Red Hat (thunderbird), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, kernel, and thunderbird), SUSE (dbus-1, libvirt, linuxptp, qemu, and slurm), and Ubuntu (aspell and mysql-5.7, mysql-8.0).
[$] Hastening process cleanup with process_mrelease()
One of the fundamental invariants of computing is that, regardless of how much memory is installed in a system, it is never enough. This is especially true of systems with tight performance constraints, where every page of memory is allocated and in use, making it difficult to find more when it is badly needed. One way to make more memory available is to kill one or more processes, freeing their resources for other users. But that often does not work as quickly or reliably as users would like. In an attempt to improve the situation, Suren Baghdasaryan has proposed the addition of a system call named process_mrelease().
Security updates for Monday
Security updates have been issued by Debian (aspell, intel-microcode, krb5, rabbitmq-server, and ruby-actionpack-page-caching), Fedora (chromium, containernetworking-plugins, containers-common, crun, fossil, podman, skopeo, varnish-modules, and vmod-uuid), Gentoo (leptonica, libsdl2, and libyang), Mageia (golang, lib3mf, nodejs, python-pip, redis, and xstream), openSUSE (containerd, crmsh, curl, icinga2, and systemd), Oracle (containerd), and Red Hat (thunderbird).
Kernel prepatch 5.14-rc3
The third 5.14 kernel prepatch is out for testing.
Some weekend stable kernels
The 5.13.5, 5.10.53, and 5.4.135 stable kernels have been released; each contains another set of important fixes.
K-9 5.800 released
After a long pause, the K-9 Android mail client project has released version 5.800. "The user interface has been redesigned. Some of you will love it, some will hate it. You're welcome and we're sorry." There are also a number of improvements to make background operation work better on current Android systems.
[$] Using DAMON for proactive reclaim
The DAMON patch set was first covered here in early 2020; this work, now in its 34th revision, enables the efficient collection of information about memory-usage patterns on Linux systems. That data can then be used to influence the kernel's memory-management subsystem; one possible way to do that is to more aggressively reclaim memory that is not being used. To that end, DAMON author SeongJae Park is proposing a DAMON-based mechanism to perform user-controllable proactive reclaim.
Security updates for Friday
Security updates have been issued by Arch Linux (chromium, curl, impacket, jdk11-openjdk, jre-openjdk, jre-openjdk-headless, jre11-openjdk-headless, kernel, lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-compat, libcurl-gnutls, libpano13, linux-hardened, linux-lts, linux-zen, nvidia-utils, opera, systemd, and virtualbox), CentOS (java-11-openjdk and kernel), Debian (lemonldap-ng), Fedora (curl and podman), Gentoo (icedtea-web and velocity), openSUSE (bluez, go1.15, go1.16, kernel, thunderbird, transfig, and wireshark), Oracle (java-1.8.0-openjdk, java-11-openjdk, kernel, and kernel-container), SUSE (bluez, curl, kernel, qemu, thunderbird, transfig, and wireshark), and Ubuntu (curl).
[$] The core of the -stable debate
Disagreements over which patches should find their way into stable updates are not new — or uncommon. So when the topic came up again recently, there was little reason to expect anything but more of the same. And, for the most part, that is what ensued but, in this exchange, we were also able to see the core issue that drives these discussions. There are, in the end, two fundamentally different views of what the stable tree should be.
Security updates for Thursday
Security updates have been issued by Debian (pillow and redis), Fedora (kernel-headers, kernel-tools, kernelshark, libbpf, libtraceevent, libtracefs, nextcloud, and trace-cmd), Gentoo (chromium and singularity), Mageia (kernel, kernel-linus, and systemd), openSUSE (caribou, chromium, curl, and qemu), Oracle (java-1.8.0-openjdk, java-11-openjdk, kernel, and systemd), Slackware (curl), SUSE (curl, kernel, linuxptp, python-pip, and qemu), and Ubuntu (ruby2.3, ruby2.5, ruby2.7).
[$] LWN.net Weekly Edition for July 22, 2021
The LWN.net Weekly Edition for July 22, 2021 is available.
[$] The Sequoia seq_file vulnerability
A local root hole in the Linux kernel, called Sequoia, was disclosed by Qualys on July 20. A full system compromise is possible until the kernel is patched (or mitigations that may not be fully effective are applied). At its core, the vulnerability relies on a path through the kernel where 64-bit size_t values are "converted" to signed integers, which effectively results in an overflow. The flaw was reported to Red Hat on June 9, along with a local systemd denial-of-service vulnerability, leading to a kernel crash, found at the same time. Systems with untrusted local users need updates for both problems applied as soon as they are available—out of an abundance of caution, other systems likely should be updated as well.
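The size_t-to-int "conversion" the summary describes is easy to reproduce outside the kernel. The following is an added example for this page, not code from the kernel, from Qualys, or from the Sequoia advisory: it takes a buffer capacity that grows by doubling, narrows it the way an int-typed length parameter would, and shows what a consumer of that int sees once the capacity crosses 2^31 bytes. The second half shows the shape of the defensive fix the page mentions (a ceiling on how large the buffer may grow); the ceiling, the error code, and every name here (TOY_MAX_SIZE, length_as_int, grow_checked, ...) are this example's own choices, and a 64-bit size_t with a two's-complement int is assumed.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Ceiling chosen for this example (not the kernel's value): a capacity must
 * fit in a positive int so that every int-typed length derived from it stays
 * meaningful. */
#define TOY_MAX_SIZE ((size_t)INT_MAX)

/* The narrowing the text calls a "conversion": a 64-bit size_t capacity
 * handed to an interface whose length parameter is int. Returns what that
 * interface receives. The conversion is implementation-defined in C; on
 * two's-complement targets (assumed here) it wraps modulo 2^32, so 2^31
 * becomes INT_MIN and 2^32 becomes 0. */
int length_as_int(size_t size)
{
    return (int)size;
}

/* Where a consumer that computes "one past the end" as buf + len would land,
 * expressed as an offset from buf. Zero or negative means a routine that
 * fills the buffer backwards from its end starts at or before buf itself:
 * an out-of-bounds write waiting to happen. */
ptrdiff_t end_offset_via_int(size_t size)
{
    return (ptrdiff_t)length_as_int(size);
}

/* Unchecked doubling: capacity grows without regard to what int can hold. */
size_t grow_unchecked(size_t size)
{
    return size << 1;
}

/* Hardened doubling: refuse to grow past the ceiling. This mirrors the idea
 * of the fix the page describes (a limit on buffer size), not its code.
 * Returns the new capacity, or 0 with *err set to -ENOMEM. */
size_t grow_checked(size_t size, int *err)
{
    if (size == 0 || size > TOY_MAX_SIZE / 2) {
        *err = -ENOMEM;
        return 0;
    }
    *err = 0;
    return size << 1;
}

int main(void)
{
    /* Constructed capacities: a page, 1 GiB, 2 GiB, 4 GiB. */
    const size_t sizes[] = { 4096, (size_t)1 << 30, (size_t)1 << 31, (size_t)1 << 32 };

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t s = sizes[i];
        int err = 0;
        size_t grown = grow_checked(s, &err);

        printf("capacity %zu: as int %d, end offset %td, checked grow -> %zu (err %d)\n",
               s, length_as_int(s), end_offset_via_int(s), grown, err);
    }
    return 0;
}
```

The output shows the two failure modes in one table: at 2 GiB the int-typed length goes negative, and at 4 GiB it becomes exactly zero, so a backwards-filling writer would begin at the start of the buffer and run off the front of it. grow_checked() stops the doubling one step before either can happen.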
Security updates for Wednesday
Security updates have been issued by Arch Linux (ant, code, dino, firefox-ublock-origin, go, libuv, nextcloud-app-mail, nodejs-lts-erbium, nodejs-lts-fermium, openvswitch, putty, racket, telegram-desktop, and wireshark-cli), Debian (kernel, linux-4.19, and systemd), Fedora (kernel, kernel-headers, kernel-tools, and krb5), Gentoo (systemd), Mageia (perl-Convert-ASN1 and wireshark), openSUSE (caribou, containerd, crmsh, fossil, icinga2, kernel, nextcloud, and systemd), Red Hat (389-ds:1.4, glibc, java-1.8.0-openjdk, java-11-openjdk, kernel, kernel-rt, kpatch-patch, libldb, perl, RHV-H, rpm, shim and fwupd, and systemd), Slackware (kernel), SUSE (caribou, containerd, crmsh, curl, dbus-1, kernel, qemu, and systemd), and Ubuntu (binutils, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-5.8, linux-azure, linux-azure-5.8, linux-gcp, linux-gcp-5.8, linux-hwe-5.8, linux-kvm, linux-oracle, linux-oracle-5.8, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-azure, linux-gcp, linux-gke-5.3, linux-hwe, linux-lts-xenial, linux-kvm, linux-oracle, linux-raspi, linux-raspi2-5.3, linux-oem-5.10, nvidia-graphics-drivers-390, nvidia-graphics-drivers-418-server, nvidia-graphics-drivers-450-server, nvidia-graphics-drivers-460, nvidia-graphics-drivers-460-server, nvidia-graphics-drivers-470, and systemd).
Rosenzweig: Reverse-engineering the Mali G78
Alyssa Rosenzweig goes into the details of the reverse-engineering of the Mali "Valhall" GPU instruction set.
[$] Tor gets financial support for Arti development
There is a lot of buzz around the Rust programming language these days—which strikes some folks as irritating, ridiculous, or both. But the idea of a low-level language that can replace C, with fewer built-in security pitfalls, is attractive for any number of projects. Recently, the Tor Project announced the Arti project as a complete Rust rewrite of Tor's core protocols, which provide internet privacy and anonymity. In addition, Tor announced that Arti received a grant to support its development over the next year or so.
Stockfish sues ChessBase
The Stockfish project, which distributes a chess engine under GPLv3, has announced the filing of a GPL-enforcement lawsuit against ChessBase, which has been (and evidently still is) distributing proprietary versions of the Stockfish code.
Another pile of stable kernel updates
The 5.13.4, 5.12.19, 5.10.52, 5.4.134, 4.19.198, 4.14.240, 4.9.276, and 4.4.276 stable updates have all been released. These are relatively large updates once again, and they include the fix for the just-disclosed local root vulnerability. Note that the 5.12.x series ends with the 5.12.19 release.
Security updates for Tuesday
Security updates have been issued by Debian (kernel, libjdom1-java, rabbitmq-server, and systemd), Fedora (glibc), Gentoo (libpano13, libslirp, mpv, pjproject, pycharm-community, and rpm), Mageia (glibc, libuv, mbedtls, rvxt-unicode, mxrvt, eterm, tomcat, and zziplib), openSUSE (dbus-1, firefox, go1.15, lasso, nodejs10, nodejs12, nodejs14, and sqlite3), SUSE (go1.15), and Ubuntu (containerd).
A local root kernel vulnerability
Commit 8cae8cd89f05 went into the mainline kernel repository on July 19; it puts a limit on the size of buffers allocated in the seq_file mechanism and mentions "int overflow pitfalls". For more information, look to this Qualys advisory describing the vulnerability:
[$] Descriptorless files for io_uring
The lowly file descriptor is one of the fundamental objects in Linux systems. A file descriptor, which is a simple integer value, can refer to an open file — or to a network connection, a running process, a loaded BPF program, or a namespace. Over the years, the use of file descriptors to refer to transient objects has grown to the point that it can be difficult to justify an API that uses anything else. Interestingly, though, the io_uring subsystem looks as if it is moving toward its own number space separate from file descriptors.
A GPIO driver in Rust
As an example of what a "real" device driver in Rust would look like, Wedson Almeida Filho has posted a translation of the PL061 GPIO driver alongside the original. For ease of reading, the resulting HTML has been reformatted a bit and placed below; viewing in a wide window is recommended.
Stable kernel updates
Stable kernels 5.13.3, 5.12.18, 5.10.51, and 5.4.133 have been released. They all contain important fixes and users should upgrade.
Security updates for Monday
Security updates have been issued by Arch Linux (chromium, firefox, mbedtls, nextcloud, python-pillow, ruby, ruby2.6, ruby2.7, systemd, thunderbird, varnish, and vivaldi), Debian (thunderbird), Fedora (chromium, firefox, and linux-firmware), Gentoo (apache, commons-fileupload, dovecot, and mediawiki), openSUSE (firefox, fossil, go1.16, and icinga2), Oracle (firefox, kernel, and kernel-container), Red Hat (nettle), and SUSE (firefox and go1.16).
Kernel prepatch 5.14-rc2
The 5.14-rc2 kernel prepatch is out for testing. Linus says:
[$] NUMA policy and memory types
Non-uniform memory access (NUMA) systems have an architecture that attaches memory to "nodes" within the system. CPUs, too, belong to nodes; memory that is attached to the same node as a CPU will be faster to access (from that CPU) than memory on other nodes. This aspect of performance has important implications for programs running on NUMA systems, and the kernel offers a number of ways for user space to optimize their behavior. The NUMA abstraction is now being extended, though, and that is driving a need for new ways of influencing memory allocation; the multi-preference memory policy patch set is an attempt to meet that need.
Security updates for Friday
Security updates have been issued by CentOS (firefox), Debian (firefox-esr), Fedora (linuxptp), Gentoo (commons-collections), Mageia (aom, firefox, python-django, thunderbird, and tpm2-tools), openSUSE (claws-mail, kernel, nodejs10, and nodejs14), Red Hat (nettle), Scientific Linux (firefox), SUSE (firefox, kernel, nodejs10, and nodejs14), and Ubuntu (libslirp and qemu).
[$] GitHub is my copilot
Your editor has worked in the computing field for rather longer than he cares to admit; for all of that time it has been said that a day will come when all that tedious programming work will no longer be necessary. Instead, we'll just say what we want and the computer will figure it out. Arguably, the announcement of GitHub Copilot takes us another step in that direction. On the way, though, it raises some interesting questions about copyright and free-software licensing.
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr and php7.0), Fedora (firefox, mingw-djvulibre, and seamonkey), Gentoo (fluidsynth, openscad, and urllib3), openSUSE (ffmpeg, nodejs12, and sqlite3), Red Hat (firefox), and SUSE (ffmpeg, kernel, nodejs10, nodejs12, nodejs14, and sqlite3).
Nguyen: CVE-2021-22555: Turning \x00\x00 into 10000$
For those who appreciate detailed descriptions of how to exploit a kernel vulnerability, this report on a netfilter bug by Andy Nguyen should certainly satisfy.
[$] LWN.net Weekly Edition for July 15, 2021
The LWN.net Weekly Edition for July 15, 2021 is available.
[$] Planning the CentOS 8 endgame
CentOS 8 is reaching its end of life (EOL) at the end of 2021, though it was originally slated to be supported until 2029. That change was announced last December, but it may still come as a surprise to some, perhaps many, of the users of the distribution. While the systems running CentOS 8 will continue to do so, early next year they will stop getting security (and other) updates. The CentOS project sees CentOS Stream as a viable alternative, but users may not agree—should the project simply leave CentOS 8 systems as ticking time bombs in 2022 and beyond?
Some massive stable kernel updates
The 5.13.2, 5.12.17, 5.10.50, and 5.4.132 stable kernel updates are out. They are huge; when asked why, Greg Kroah-Hartman responded:
Security updates for Wednesday
Security updates have been issued by CentOS (xstream), Debian (linuxptp), Fedora (glibc and krb5), Gentoo (pillow and thrift), Mageia (ffmpeg and libsolv), openSUSE (kernel and qemu), SUSE (kernel), and Ubuntu (php5, php7.0).
[$] Copyleft-next and the kernel
The Linux kernel is, as a whole, licensed under the GPLv2, but various parts and pieces are licensed under other compatible licenses and/or dual-licensed. That picture was much murkier only a few years back, before the SPDX in the kernel project cleaned up the licensing information in most of the kernel source by specifying the licenses, by name rather than boilerplate text, directly in the files. A recent move to add yet another license into the mix is encountering some headwinds, but the license in question was already being used in a few kernel files, and has been for four years at this point.
Firefox 90 released
Version 90 of the Firefox browser is out. The headline feature this time around, beyond working links in PDF output, is a new version of the SmartBlock feature which appears to have been designed with a specific goal in mind: "Third-party Facebook scripts are blocked to prevent you from being tracked, but are now automatically loaded 'just in time' if you decide to 'Log in with Facebook' on any website."
Tails 4.20 is out
Tails is a privacy-focused distribution, and Tails 4.20 "completely changes how to connect to the Tor network from Tails" with the new Tor Connection assistant.
Security updates for Tuesday
Security updates have been issued by Debian (sogo), Fedora (libvirt), Gentoo (polkit), Mageia (binutils, freeradius, guile1.8, kernel, kernel-linus, libgrss, mediawiki, mosquitto, php-phpmailer, and webmin), openSUSE (bluez and jdom2), Oracle (kernel and xstream), Scientific Linux (xstream), and SUSE (kernel and python-pip).
[$] The conclusion of the 5.14 merge window
The 5.14 merge window closed with the 5.14-rc1 release on July 11. By that time, some 12,981 non-merge changesets had been pulled into the mainline repository; nearly 8,000 of those arrived after the first LWN 5.14 merge-window summary was written. This merge window has thus seen fewer commits than its predecessor, which saw 14,231 changesets before the 5.13-rc1 release. That said, there is still a lot of interesting work that has found its way into the kernel this time around.
Security updates for Monday
Security updates have been issued by Fedora (djvulibre), Gentoo (connman, gnuchess, openexr, and xen), openSUSE (arpwatch, avahi, dbus-1, dhcp, djvulibre, freeradius-server, fribidi, gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly, gupnp, hivex, icinga2, jdom2, jetty-minimal, kernel, kubevirt, libgcrypt, libnettle, libxml2, openexr, openscad, pam_radius, polkit, postgresql13, python-httplib2, python-py, python-rsa, qemu, redis, rubygem-actionpack-5_1, salt, snakeyaml, squid, tpm2.0-tools, and xstream), Red Hat (xstream), and SUSE (bluez, csync2, dbus-1, jdom2, postgresql13, redis, slurm_20_11, and xstream).
Solus 4.3 released
Version 4.3 of the Solus "home computing" distribution has been released. "This release delivers new desktop environment updates, software stacks, and hardware enablement."
Kernel prepatch 5.14-rc1
Linus has released 5.14-rc1 and closed the merge window for this development cycle:
Some weekend stable kernels
The 5.12.16, 5.10.49, 5.4.131, 4.19.197, 4.14.239, 4.9.275, and 4.4.275 stable kernels have been released. Each contains a relatively small set of important fixes.
Security updates for Saturday
Security updates have been issued by Arch Linux (gitlab, nodejs, openexr, php, php7, rabbitmq, ruby-addressable, and spice), Fedora (suricata), Gentoo (binutils, docker, runc, and tor), Mageia (avahi, botan2, connman, gstreamer1.0-plugins, htmldoc, jhead, libcroco, libebml, libosinfo, openexr, php, php-smarty, pjproject, and python), openSUSE (apache2, bind, bouncycastle, ceph, containerd, docker, runc, cryptctl, curl, dovecot23, firefox, graphviz, gstreamer-plugins-bad, java-1_8_0-openj9, java-1_8_0-openjdk, libass, libjpeg-turbo, libopenmpt, libqt5-qtwebengine, libu2f-host, libwebp, libX11, lua53, lz4, nginx, ovmf, postgresql10, postgresql12, python-urllib3, qemu, roundcubemail, solo, thunderbird, ucode-intel, wireshark, and xterm), and SUSE (permissions).
Announcing Arti, a pure-Rust Tor implementation (Tor blog)
The Tor project, which provides tools for internet privacy and anonymity, has announced a rewrite of the Tor protocols in Rust, called Arti. It is not ready for prime time, yet, but based on a grant from Zcash Open Major Grants (ZOMG), significant work is ongoing; the plan is "to try bring Arti to a production-quality client implementation over the next year and a half". The C implementation is not going away anytime soon, but the idea is that Arti will eventually supplant it. The project sees a number of benefits from using Rust, including:
[$] Syncing all the things
Computing devices are wonderful; they surely must be, since so many of us have so many of them. The proliferation of computers leads directly to a familiar problem, though: the files we want are always on the wrong machine. One solution is synchronization services that keep a set of files up to date across a multitude of machines; a number of companies have created successful commercial offerings based on such services. Some of us, though, are stubbornly resistant to the idea of placing our data in the hands of corporations and their proprietary systems. For those of us who would rather stay in control of our data, systems like Syncthing offer a possible solution.
Security updates for Friday
Security updates have been issued by Debian (apache2 and scilab), Fedora (chromium and perl-Mojolicious), Gentoo (inspircd, redis, and wireshark), and Mageia (fluidsynth, glib2.0, gnome-shell, grub2, gupnp, hivex, libupnp, redis, and zstd).
[$] Another misstep for Audacity
While it has often been said that there is no such thing as bad publicity, the new owners of the Audacity audio-editor project may beg to differ. The project has only recently weathered the controversies around its acquisition by the Muse Group, proposed telemetry features, and imposition of a new license agreement on its contributors. Now, the posting of a new privacy policy has set off a new round of criticism, with some accusing the project of planning to ship spyware. The situation with Audacity is not remotely as bad as it has been portrayed, but it is a lesson on what can happen when a project loses the trust of its user community.
Security updates for Thursday
Security updates have been issued by CentOS (linuxptp), Fedora (kernel and php), Gentoo (bladeenc, blktrace, jinja, mechanize, privoxy, and rclone), Oracle (linuxptp, ruby:2.6, and ruby:2.7), Red Hat (kernel and kpatch-patch), SUSE (kubevirt), and Ubuntu (avahi).