LWN.net

Kees Cook has posted adetailed document describing the work to improve safety offlexible-length arrays in the kernel.

When it comes to home automation, people often end up with devicessupporting the Zigbee or Z-Wave protocols, but those devices arerelatively expensive. When I was looking for a way to keep an eye on thetemperature at home a few years ago, I bought a bunch of cheaptemperature and humidity sensors emitting radio signals in the unlicensedISM (Industrial, Scientific, and Medical) frequency bands instead. Thanks to rtl_433 and, more recently, rtl_433_ESP and OpenMQTTGateway,I was able to integrate their measurements easily into my home-automationsystem.

Security updates have been issued by CentOS (bind, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, libXpm, pki-core, sssd, sudo, thunderbird, tigervnc, and xorg-x11-server), Debian (cinder, glance, libarchive, libhtml-stripscripts-perl, modsecurity-crs, node-moment, node-qs, nova, ruby-git, ruby-rack, and tiff), Fedora (java-17-openjdk, rust-bat, rust-cargo-c, rust-git-delta, rust-gitui, rust-pore, rust-silver, rust-tokei, and seamonkey), Oracle (libksba), Red Hat (kernel, kernel-rt, kpatch-patch, libksba, and pcs), Scientific Linux (libksba), SUSE (apache2-mod_auth_openidc, ghostscript, libarchive, nginx, python, vim, and xen), and Ubuntu (cinder, glance, linux-raspi, nova, python-future, and sudo).

Over at Linux.com, Yocto Project architect Richard Purdie writes about various kinds of problems that the project is experiencing, some of which stem from its success and growth. It is a story that will likely resonate with other open-source projects.

If legacy networks are like individual homes with a few doorswhere a handful of people have the key, then cloud-based environments are likeapartment complexes that offer both higher density and greater flexibility,but which include more key holders and potential entry points. The importanceof protecting virtual machines (VMs) running in these environments — fromboth the host and other tenants — has become increasingly clear.The Linux Secure VM ServiceModule (SVSM) isa new, Rust-based, open-source project that aims to help preserve the confidentialityand integrity of VMs on AMD hardware.

Security updates have been issued by Debian (curl, dojo, git, lemonldap-ng, libapache-session-browseable-perl, libapache-session-ldap-perl, libzen, node-object-path, openjdk-11, sofia-sip, tiff, tor, and varnish), Fedora (libgit2, open62541, pgadmin4, rubygem-git, rust-bat, rust-cargo-c, rust-git-delta, rust-gitui, rust-libgit2-sys, rust-libgit2-sys0.12, rust-pore, rust-pretty-git-prompt, rust-rd-agent, rust-rd-hashd, rust-resctl-bench, rust-resctl-demo, rust-silver, and rust-tokei), Scientific Linux (thunderbird), SUSE (ffmpeg, krb5, nginx, python39-setuptools, sssd, systemd, tiff, and virtualbox), and Ubuntu (linux-azure, linux-azure-5.4, linux-raspi2, linux-azure-fde, and mysql-5.7, mysql-8.0).

The 6.2-rc6 kernel prepatch is out fortesting.

Version1.67.0 of the Rust language has been released. The list of newfeatures is relatively short; it includes support for #[must_use]on async functions and a new multi-producer, single-consumer channelimplementation.

Memory allocation within the kernel is a complex business. The amount ofphysical memory available on any given system will be strictly limited,meaning that an allocation request can often only be satisfied by takingmemory from somebody else, but some of the options for reclaiming memorymay not be available when a request is made. Additionally,some allocation requests haverequirements dictating where that memory can be placed or how quickly theallocation must be made. The kernel'smemory-allocation functions have long supported a set of "GFP flags" usedto describe the requirements of each specific request. Those flags willprobably undergo some changes soon as the result of thispatch set posted by Mel Gorman; that provides an opportunity to look atthose flags in some detail.

Security updates have been issued by Debian (bind9, chromium, and modsecurity-apache), Fedora (libgit2, mediawiki, and redis), Oracle (go-toolset:ol8, java-1.8.0-openjdk, systemd, and thunderbird), Red Hat (java-1.8.0-openjdk and redhat-ds:12), SUSE (apache2, bluez, chromium, ffmpeg-4, glib2, haproxy, kernel, libXpm, podman, python-py, python-setuptools, samba, xen, xrdp, and xterm), and Ubuntu (samba).

The BPF subsystem exposes many aspects of the kernel's internal algorithmsand data structures; this naturally leads to concerns about maintaininginterface stability as the kernel changes. The longstanding position thatBPF offers no interface-stability guarantees to user space has alwaysseemed a little questionable; kernel developers have, in the past, foundthemselves having to maintain interfaces that were not intended to bestable. Now the BPF community is starting to think about what it mightmean to provide explicit stability promises for at least some of itsinterfaces.

Paul McKenney looks ata couple of Rust crates in an attempt to determine whether theyactually implement the read-copy-update algorithm; in the process, he givesan overview of the numerous RCU variants in the kernel.

Security updates have been issued by Debian (git), Fedora (libXpm and redis), Oracle (bind, firefox, grub2, java-1.8.0-openjdk, java-11-openjdk, kernel, libtasn1, libXpm, and sssd), Red Hat (thunderbird), SUSE (freeradius-server, kernel, libzypp-plugin-appdata, python-certifi, and xen), and Ubuntu (bind9, krb5, linux-raspi, linux-raspi-5.4, and privoxy).

The LWN.net Weekly Edition for January 26, 2023 is available.

While there are still systems with both byte orders,little-endian has largely "won" the battle at this point since the vast majority of today'ssystems store data with the least-significant byte first (at the lowestaddress). But when the X11 protocol was developed in the 1980s, there were lots of systems of each byte order, so the X protocol allowed either orderand the server (display side) would swap the bytes to its byte order asneeded. Over time, the code for swapping data in the messages, which was written in amore-trusting era, has bit-rotted so that it is now alargely untested attack surface that is nearly always unused. PeterHutterer has been doing some work to stop using that code by default, bothin upstream X.org code and in downstream Fedora.

The Free Software Foundation has announceda bylaw change requiring a 66% vote by the FSF board for any new or revisedcopyright licenses. The FSF has also announcedan expansion of its board of directors and a call for nominations fromamong its associate members.

Kostya Shishkov has just posted theconcluding installment of an extensive history of the FFmpeg project:

Users of the openSUSE Leap 15.3 distribution will want to be looking atmoving on; support for that release has come to an end. "The currentlymaintained stable release is openSUSE Leap 15.4, which will be maintaineduntil around end of 2023 (same lifetime as SLES 15 SP4 regularsupport)".

Security updates have been issued by Debian (libde265, nodejs, and swift), Fedora (nautilus), Oracle (bash, bind, curl, dbus, expat, firefox, go-toolset, golang, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, libreoffice, libtiff, libxml2, libXpm, nodejs, nodejs-nodemon, postgresql-jdbc, qemu, ruby:2.5, sqlite, sssd, sudo, and usbguard), Red Hat (bind, go-toolset-1.18, go-toolset:rhel8, kernel, kernel-rt, kpatch-patch, pcs, sssd, and virt:rhel, virt-devel:rhel), Scientific Linux (bind, java-1.8.0-openjdk, kernel, and sssd), SUSE (mozilla-nss, rubygem-websocket-extensions, rust1.65, rust1.66, and samba), and Ubuntu (mysql-5.7, mysql-5.7, mysql-8.0, pam, and samba).

The Python community is currently struggling with a longtime difficulty inits ecosystem: how to develop, package, distribute, and maintain librariesand applications. The current situation is sub-optimal in severaldimensions due, at least in part, to the existence of multiple,non-interoperable mechanisms and tools to handle some of those needs. Lastweek, we had an overview of Pythonpackaging as a prelude to starting to dig into the discussions. Inthis installment, we start to look at the kinds of problems that exist—andthe barriers to solving them.

Version 8.0 of the WINEWindows compatibility layer has been released. The headline featureappears to be the conversion to PE ("portable executable") modules:

The Open Source Technology Improvement Fund has announced thecompletion of a security audit of the Git source.

The6.1.8,5.15.90,5.10.165,5.4.230,4.19.271, and4.14.304stable kernel updates have all been released; each contains another set ofimportant fixes.

Security updates have been issued by Debian (kernel and spip), Fedora (kernel), Mageia (chromium-browser-stable, docker, firefox, jpegoptim, nautilus, net-snmp, phoronix-test-suite, php, php-smarty, samba, sdl2, sudo, tor, viewvc, vim, virtualbox, and x11-server), Red Hat (bash, curl, dbus, expat, firefox, go-toolset, golang, java-1.8.0-openjdk, java-17-openjdk, kernel, kernel-rt, kpatch-patch, libreoffice, libtasn1, libtiff, libxml2, libXpm, nodejs, nodejs-nodemon, pcs, postgresql-jdbc, sqlite, sssd, sudo, systemd, and usbguard), Scientific Linux (firefox, java-11-openjdk, and sudo), SUSE (freeradius-server, python-mechanize, and upx), and Ubuntu (exuberant-ctags, haproxy, ruby2.5, ruby3.0, and wheel).

Back in 2019, a high-profile containervulnerability led to the adoption of some complex workarounds and afrenzy of patching. The immediate problem wasfixed, but the incident was severe enough that security-consciousdevelopers have continued to look for ways to prevent similarvulnerabilities in the future. Thispatch set from Giuseppe Scrivano takes a rather simpler approach to theproblem.

Jamie Zawinski remindsus that the 25th anniversary of the Netscape open-source announcement —a crucial moment in free-software history — has just passed.

After a brief break of ... a dozen years or so ... Jon Masters has announcedthe return of his kernel podcast:

Security updates have been issued by Debian (powerline-gitstatus, tiff, and trafficserver), Fedora (dotnet6.0, firefox, git, kernel, libXpm, rust, sudo, upx, and yarnpkg), Mageia (kernel and kernel-linus), Red Hat (firefox, java-11-openjdk, and sudo), Slackware (mozilla and seamonkey), SUSE (cacti, cacti-spine, samba, and tor), and Ubuntu (firefox, php7.2, php7.4, php8.1, and python-setuptools, setuptools).

The 6.2-rc5 kernel prepatch is out.

Security updates have been issued by Debian (lava and libitext5-java), Oracle (java-11-openjdk, java-17-openjdk, and libreoffice), SUSE (firefox, git, mozilla-nss, postgresql-jdbc, and sudo), and Ubuntu (git, linux-aws-5.4, linux-gkeop, linux-hwe-5.4, linux-oracle, linux-snapdragon, linux-azure, linux-gkeop, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle-5.15, and linux-bluefield).

The Google Project Zero page showshow to compromise the kernel by using a NULL pointer to repeatedlyforce an oops and overflow a reference count.

Code that is added to the kernel can stay there for a long time; there iscode in current kernels that has been present for over 30 years.Nothing is forever, though. The kernel development community is currentlydiscussing the removal of two architectures and one filesystem, all ofwhich seem to have mostly fallen out of use. But, as we will see, removalof code from the kernel is not easy and is subject to reconsideration evenafter it happens.

Version 3.0 of the Pandocdocument-conversion tool has been released; the list of new features isquite long, including "chunked" HTML output, support for complex figures,and much more.

Security updates have been issued by Debian (firefox-esr, libitext5-java, sudo, and webkit2gtk), Fedora (firefox and qemu), Red Hat (java-11-openjdk and java-17-openjdk), Slackware (sudo), SUSE (sudo), and Ubuntu (python-urllib3 and sudo).

The LWN.net Weekly Edition for January 19, 2023 is available.

On today's Fedora systems, a reboot cycle—for a kernel update,say—is normally a fairly quick affair, but that is not always true. Thesystem will wait for services to shut down cleanly and will wait for up to two minutesbefore killing a service and moving on. A recent proposal to change thedefault timeout to 15 seconds, while still allowing some services torequire more time, ran into more opposition than was perhaps anticipated.Not everyone was comfortable shortening the timeout period, though thedecision has now been made to reduce it, but not as far as was proposed.

The6.1.7,5.15.89,5.10.164,5.4.229,4.19.270, and4.14.303stable kernels have all been released; each contains another big set ofimportant fixes.

Security updates have been issued by Fedora (awstats), Oracle (dpdk, libxml2, postgresql:10, systemd, and virt:ol and virt-devel:rhel), Red Hat (kernel), Slackware (git, httpd, libXpm, and mozilla), SUSE (libzypp-plugin-appdata), and Ubuntu (git, libxpm, linux-ibm-5.4, linux-oem-5.14, and ruby2.3).

Over the past several months, there have been wide-ranging discussions inthe Python community about difficulties users have with installing packagesfor the language. There is a bewildering array of options forpackage-installation tools and Python distributions focused on particular usecases (e.g. scientific computing); many of those options do notinteroperate well—or at all—so they step on each others' toes.The discussions have focused on where solutions might be found to make iteasier on users, but lots of history and entrenched use cases need to beovercome in order to get there—or even to make progress in that direction.

Git 2.39.1 has been released with a set of security fixes; there are alsoupdated versions of many older Git releases available. A pair of integeroverflow vulnerabilities can lead to code execution in some scenarios; seethe announcement and thisGitHub blog entry for more information.

Version109.0 of the Firefox browser has been released. The headline featurethis time is the enabling of ManifestVersion 3 support — a new extension mechanism that, among otherthings, gives a higher degree of control over what extensions can do.

Security updates have been issued by Debian (tor) and SUSE (python-setuptools, python36-setuptools, and tor).

It is rare to see an extensive and unhappy discussion over the selection ofcompiler options used to build a distribution, but it does happen. A casein point is the debate over whether Fedora should be built with framepointers or not. It comes down to a tradeoff between a performance loss oncurrent systems and hopes for gains that exceed that loss in the future —and somedisagreements over how these decisions should be made within the Fedoracommunity.

Dave Täht describesthe Flent network-testing tool and its use in great detail.

Security updates have been issued by Debian (chromium, lava, libapreq2, net-snmp, node-minimatch, and openvswitch), Fedora (jpegoptim, kernel, kernel-headers, kernel-tools, and python2.7), Mageia (ctags, ffmpeg, minetest, python-gitpython, w3m, and xrdp), Oracle (kernel), Red Hat (dpdk and libxml2), Slackware (netatalk), SUSE (apptainer, chromium, libheimdal, python-wheel, python310-setuptools, and SDL2), and Ubuntu (linux-aws, linux-gcp-4.15, maven, and net-snmp).

The fourth 6.2 kernel prepatch is out fortesting.

Libre Arts looksforward to progress in a long list of creative-art projects this year.

The6.1.6,5.15.88, and5.10.163stable kernel updates have been released; each contains another set ofimportant fixes.

Speculative-execution vulnerabilities come about when the CPU, while executingspeculatively, is able to access memory that would otherwise be denied toit. Most of these vulnerabilities would go away if the CPU were alwaysconstrained by the established memory protections. An obvious way to fixthese problems would be to make CPUs behave that way, but doing thatwithout destroying performance is not an easy task. So, instead, Intelhas developed a feature called "linear address-space separation" (LASS) topaper over parts of the problem; Yian Chen has posted apatch set adding support for this feature.

Security updates have been issued by Fedora (cacti, cacti-spine, mbedtls, postgresql-jdbc, and rust), Oracle (.NET 6.0, dbus, expat, grub2, kernel, kernel-container, libtasn1, libtiff, sqlite, and usbguard), Red Hat (rh-postgresql10-postgresql), SUSE (php7), and Ubuntu (heimdal, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-hwe-5.15, linux-ibm, linux-kvm, linux-oracle, linux-raspi,, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-5.4, linux-hwe, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4,, linux, linux-aws, linux-kvm, linux-lts-xenial, and vim).