Security updates have been issued by Debian (python-treq), Fedora (openvpn, pesign, rust-regex, and thunderbird), Oracle (expat), Red Hat (kpatch-patch-4_18_0-147_58_1), Slackware (bind and openssl), SUSE (python-lxml), and Ubuntu (apache2).
CPU scheduling can be a challenging task; the scheduler must ensure that every process gets a fair share of the available CPU time while, at the same time, respecting CPU affinities, avoiding the migration of processes away from their cached memory contents, and keeping all CPUs in the system busy. Even then, users can become grumpy if specific processes do not get their CPU share quickly; from that comes years of debates over desktop responsiveness, for example. The latency-nice priority proposal recently resurrected by Vincent Guittot aims to provide a new tool to help latency-sensitive applications get their CPU time more quickly.
Security updates have been issued by Debian (flac, openssl, and openssl1.0), Fedora (nbd, pesign, and rust-regex), openSUSE (ansible, java-1_8_0-openjdk, libreoffice, and stunnel), Oracle (expat, glibc, and virt:ol and virt-devel:rhel), Red Hat (expat, redhat-ds:11.3, and virt:av and virt-devel:av), SUSE (atftp, java-1_8_0-openjdk, libreoffice, python3, and stunnel), and Ubuntu (apache2, bind9, firefox, fuse, and man-db).
Python has often been touted as a "batteries included" language because of its rich standard library that provides access to numerous utility modules and is distributed with the language itself. But those libraries need maintenance, of course, and that is provided by the Python core development team. Over the years, it has become clear that some of the modules are not really being maintained any longer and they probably are not really needed by most Python users—either because better alternatives exist or because they address extremely niche use cases. A long-running project to start the removal of those modules has recently been approved.
Debian's annual ritual of electing a project leader is underway. There are three candidates this time: Felix Lechner, Hideki Yamane, and incumbent Jonathan Carter. Platforms for the candidates are being placed on this page as they become available.
Disruptive changes are not much fun for anyone involved, though they may be necessary at times. Moving away from the SHA-1 hash function, at least for cryptographic purposes, is probably one of those necessary disruptive changes. There are better alternatives to SHA-1, which has been "broken" from a cryptographic perspective for quite some time now, and most of the software components that make up a distribution can be convinced to use other hash functions. But there are still numerous hurdles to overcome in making that kind of a switch, as a recent discussion on the Fedora devel mailing list shows.
The OpenSSL project has disclosed a vulnerability wherein an attacker presenting a malicious certificate can cause the execution of an infinite loop. It is thus a denial-of-service vulnerability for any application — server or client — that handles certificates from untrusted sources. The OpenSSL 3.0.2 and 1.1.1n releases contain fixes for the problem. This advisory makes it clear that LibreSSL, too, suffers from this vulnerability; updated releases are available there too.
Red Hat recently filed a request to have the domain name WeMakeFedora.org transferred from its current owner, Daniel Pocock, alleging trademark violations, bad faith, and more. The judgment that came back will not have been to the company's liking:
For those who do everything in the Emacs editor: the ELPA repository has just gained an OpenStreetMap viewer. A quick test (example shown on the right) suggests that it works reasonably well; click below for the details.
Security updates have been issued by Debian (spip), Fedora (chromium), Mageia (chromium-browser-stable, kernel, kernel-linus, and ruby), openSUSE (firefox, flac, java-11-openjdk, protobuf, tomcat, and xstream), Oracle (thunderbird), Red Hat (kpatch-patch and thunderbird), Scientific Linux (thunderbird), Slackware (httpd), SUSE (firefox, flac, glib2, glibc, java-11-openjdk, libcaca, SDL2, squid, sssd, tomcat, xstream, and zsh), and Ubuntu (zsh).
When the kernel first gained support for huge pages, most of the work was left to user space. System administrators had to set aside memory in the special hugetlbfs filesystem for huge pages, and programs had to explicitly map memory from there. Over time, the transparent huge pages mechanism automated the task of using huge pages. That mechanism is not perfect, though, and some users feel that they have better knowledge of when huge-page use makes sense for a given process. Thus, huge pages are now coming full circle with this patch set from Zach O'Keefe returning huge pages to user-space control.
One of the key characteristics of a random-number generator (RNG) is its unpredictability; by definition, it should not be possible to know what the next number to be produced will be. System security depends on this unpredictability at many levels. An attacker who knows an RNG's future output may be able to eavesdrop on (or interfere with) network conversations, compromise cryptographic keys, and more. So it is a bit disconcerting to know that there is a common event that can cause RNG predictability: the forking or duplication of a virtual machine. Linux RNG maintainer Jason Donenfeld is working on a solution to this problem.
Greg Kroah-Hartman has announced the release of seven stable kernels—these contain mitigations for the Spectre branch history injection variant: 5.16.14, 5.15.28, 5.10.105, 5.4.184, 4.19.234, 4.14.271, and 4.9.306. Users should upgrade.
Security updates have been issued by Debian (nbd, ruby-sidekiq, tryton-proteus, and tryton-server), Mageia (shapelib and thunderbird), openSUSE (minidlna, python-libxml2-python, python-lxml, and thunderbird), Oracle (kernel, kernel-container, and python-pip), Red Hat (.NET 5.0, .NET 6.0, .NET Core 3.1, firefox, kernel, and kernel-rt), Scientific Linux (firefox), SUSE (openssh, python-libxml2-python, python-lxml, and thunderbird), and Ubuntu (expat vulnerabilities, firefox, and subversion).
Linked lists are conceptually straightforward; they tend to be taught toward the beginning of entry-level data-structures classes. It might thus be surprising that the kernel community is concerned about its longstanding linked-list implementation and is not only looking for ways to solve some problems, but has been struggling to find that solution. It now appears that some improvements might be at hand: after more than 30 years, the kernel developers may have found a better way to safely iterate through a linked list.
Security updates have been issued by Debian (firefox-esr and kernel), Fedora (cyrus-sasl, mingw-protobuf, and thunderbird), Mageia (kernel-linus), openSUSE (firefox, kernel, and libcaca), Oracle (.NET 6.0, kernel, kernel-container, and ruby:2.5), Slackware (mozilla-thunderbird), and SUSE (firefox, mariadb, and tomcat).
The curl utility is a command-line program (and associated library) for interacting with various network protocols; it is commonly used to do things like transferring data from a remote server over HTTP or HTTPS using a URL. But curl also supports a lot more protocols, some of which are probably rarely used, obsolete, deprecated, or all three. As a recent discussion on the Fedora devel mailing list shows, though, it is hard to find agreement that support for only some of those protocols should be installed by default, while others might be left in an optional package for those who need them.
Version 3.1 of the Blender artistic suite is out. The list of changes is long and can be seen in the video-heavy announcement page; it includes Apple Metal support, a new "point cloud" object, and much more.
A few days prior to the expected 5.17 release, the mainline kernel has just received a series of Spectre mitigations for the x86 and ARM architectures. The vulnerability this time is called "branch history injection"; it has been deemed CVE-2022-0001 and CVE-2022-0002. Some information can be found in this Intel disclosure, this ARM advisory, and this VUSec page:
Users of the elementary OS distribution may want to be aware of the turmoil in its parent company, as reported by Brian Lunduke. "The Short Version: The company behind elementary OS has been losing money for quite some time. Two co-founders are not pleased with each other and are attempting to part ways… and it is getting messy".
As part of the recent discussion on switching to secret voting for Debian general resolutions (GRs), which has resulted in an ongoing GR of its own, the subject of voting systems that embody various attributes some would like to see for voting in Debian has been brought up. One of the systems mentioned, Belenios, provides an open-source "verifiable online voting system". Whether or not Debian chooses to switch to secret voting, Belenios would seem to provide what other projects or organizations may be looking for as a mechanism to handle their voting needs.
DENT is a special-purpose Linux distribution aimed at router deployments; "DENT utilizes the Linux Kernel, Switchdev, and other Linux based projects as the basis for building a new standardized network operating system without abstractions or overhead". Version 2.0 has been released:
Version 98.0 of the Firefox browser is out. The big change this time is a new "optimized download flow" that is alleged to make the process of downloading files go much more smoothly. There are also some significant security fixes in this release.
Security updates have been issued by Debian (gif2apng and twisted), Mageia (golang, kernel, and webmin), openSUSE (chromium, cyrus-sasl, and opera), Red Hat (virt:rhel and virt-devel:rhel), Slackware (mozilla), SUSE (cyrus-sasl), and Ubuntu (glibc and redis).
It is a good bet that a significant amount of code in the kernel is entirely unused. Even so, that code must still be maintained and shipped, posing an ongoing cost to the development community. What should be done with code that is unmaintained and, possibly, unused? Answering that question requires understanding which users still exist, if any, and taking a hard look at what the future support requirements for that code will be. The kernel community has recently discussed this problem in the context of filesystems, and the Reiserfs filesystem in particular, with a focus on the approaching 2038 deadline.
Linus has released 5.17-rc7, which is hopefully the final prepatch in this development series: "as things stand, I expect that final 5.17 will be next weekend unless something surprising comes up".
Google's Chrome browser seemingly dominates the Internet at this point, but that does not mean that everybody wants to run it. Chrome, of course, is built on an open-source project called Chromium but is not an open-source product itself; it includes a number of proprietary add-ons. But the Chromium source is out there and can, with some effort, be used to build a working, open-source browser; a number of distributors do so. But Chromium is famously hard to package, and distributors have, at times, struggled to keep up with it; a recent discussion in the Fedora community has brought new attention to this problem.
The disclosure of the Meltdown and Spectre vulnerabilities put a spotlight on the risks that come with sharing address spaces too widely. Even if the protection mechanisms provided by the hardware should prevent access to sensitive data, those vulnerabilities can often be used to leak that data anyway. So, from the beginning, mitigation strategies have included reducing the sharing of address spaces, but there is more that could be done and ongoing interest in doing so. Now, this patch set posted by Junaid Shahid (containing work from Ofir Weisse and inspired by earlier patches from Alexandre Chartre) shows what would be required to create a general address-space isolation (ASI) mechanism for the kernel.
Security updates have been issued by CentOS (cyrus-sasl), Fedora (kicad), Mageia (php), openSUSE (envoy-proxy, ldns, libdxfrw, librecad, php7, and shapelib), Red Hat (cyrus-sasl), SUSE (firefox, gnutls, ldns, and php7), and Ubuntu (haproxy and php7.2, php7.4).
Perhaps February was "compiler modernization" month. The Linux kernel recently decided to move to the C11 standard for its code; Python has just undergone a similar process for determining which flavor of C to use for building its CPython reference implementation. A calculation in the CPython interpreter went awry when built with a pre-release version of the upcoming GCC 12; that regression led down a path that ended up with the adoption of C11 for CPython as well.
The 5.16.12, 5.15.26, 5.10.103, 5.4.182, 4.19.232, 4.14.269, and 4.9.304 stable kernel updates have all been released; each contains another set of important fixes.
Security updates have been issued by Fedora (mingw-expat and seamonkey), openSUSE (mc, mysql-connector-java, nodejs12, and sphinx), Red Hat (kernel and kpatch-patch), SUSE (cyrus-sasl, kernel, nodejs12, and php74), and Ubuntu (glibc).
Debian has been working on some "constitutional maintenance" of late; a general resolution (GR) on tweaks to the project's decision-making processes passed at the end of January. As part of the discussion surrounding those changes, the question of secret voting came up; currently, Debian publicly lists every voter for a GR and their ranking of the options. Another GR has been proposed to change that, but the discussion has shown that the definition of "secret" is not exactly the same for everyone. In addition, secret voting is not the only change being proposed.