Security updates have been issued by Debian (sphinxsearch), Fedora (chromium and vim), Red Hat (rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon), and Ubuntu (apache2 and webkit2gtk).
The Unix signal interface is complex and hard to work with; some developers have argued that its design is "unfixable". So when Walt Drummond proposed increasing the number of signals that Linux systems could manage, eyebrows could be observed at increased altitude across the Internet. The proposed increase seems unlikely to happen, but the underlying goal — to support a decades-old feature from other operating systems — may yet become a reality.
The OpenSSH suite of tools for secure remote logins is used widely within our communities; it also underlies things like remote Git repository access. A recent experimental feature for the upcoming OpenSSH 8.9 release will help close a security hole that can be exploited by attacker-controlled SSH servers (e.g. sshd) when the user is forwarding authentication to a local ssh-agent. Instead of allowing the keys held in the agent to be used for authenticating to any host where they might work, SSH agent restriction will allow users to specify where and how those keys can be used.
The 5.15.13, 5.10.90, 5.4.170, 4.19.224, 4.14.261, 4.9.296, and 4.4.298 stable kernel updates have all been released. These medium-size updates all contain another set of important fixes.
Security updates have been issued by CentOS (xorg-x11-server), Debian (apache2), openSUSE (libvirt), Oracle (grafana, qemu, and xorg-x11-server), Red Hat (idm:DL1, samba, and telnet), SUSE (libvirt), and Ubuntu (python-django).
File-integrity management for the Fedora distribution has been the overarching theme of a number of different feature proposals over the last year or so. In general, they have been met with skepticism, particularly with regard to how well the features mesh with Fedora's goals, but also in how they will change the process of building RPM packages. A new proposal that would allow systems to (optionally) perform remote attestation is likewise encountering headwinds; there are several different concerns being raised in the discussion of it.
Version 1.22.0 of the NumPy scientific computing module is out. "NumPy 1.22.0 is a big release featuring the work of 153 contributors spread over 609 pull requests. There have been many improvements". Those improvements include the "essentially complete" annotation of the main namespace, a preliminary version of the proposed Array API, and more.
It is 2022 already, and that can only mean one thing: it's time for your editor to make a (bigger) fool of himself by posting a set of predictions for what may come in the new year. One should never pass up an opportunity for a humbling experience, after all. There can be no doubt that interesting things will happen this year; let's see how many random darts thrown in that direction can hit close to the mark.
Longtime GnuPG maintainer Werner Koch has posted an update on the project, mostly focused on the new associated "GnuPG VS-Desktop" business that is, it seems, going quite well:
Security updates have been issued by Debian (thunderbird), Fedora (kernel, libopenmpt, and xorg-x11-server), Mageia (gegl, libgda5.0, log4j, ntfs-3g, and wireshark), openSUSE (log4j), and Red Hat (grafana).
Kernel developer Ingo Molnar has been quiet for a while; now we know why. He has just announced a massive set of patches (touching over half of the files in the kernel tree) reworking how header files are handled.
The eighth and final 5.16 kernel prepatch is out for testing. "Please, as you emerge from your holiday-induced food coma, do give it a quick test so that we can all be happy about the final release next weekend".
Version 1.0 of the GNOME libadwaita library is out; this will be of interest to GNOME application developers. "Libadwaita is a library implementing the GNOME HIG, complementing GTK. For GTK 3 this role has increasingly been played by Libhandy, and so Libadwaita is a direct Libhandy successor."
Security updates have been issued by Debian (agg, aria2, fort-validator, and lxml), Fedora (libgda, pgbouncer, and xorg-x11-server-Xwayland), Mageia (calibre, e2guardian, eclipse, libtpms/swtpm, nodejs, python-lxml, and toxcore), openSUSE (c-toxcore, gegl, getdata, kernel-firmware, log4j, postrsd, and privoxy), and SUSE (gegl).
When the goal is to push bits over the network as fast as the hardware can go, any overhead hurts. The cost of copying data to be transmitted from user space into the kernel can be especially painful; it adds latency, takes valuable CPU time, and can be hard on cache performance. So it is unsurprising that the developers working with io_uring, which is all about performance, have turned their attention to zero-copy network transmission. This patch set from Pavel Begunkov, now in its second revision, looks to be significantly faster than the MSG_ZEROCOPY option supported by current kernels.
Security updates have been issued by Debian (advancecomp, apache-log4j2, postgis, spip, uw-imap, and xorg-server), Mageia (kernel and kernel-linus), Scientific Linux (log4j), and SUSE (kernel-firmware and mariadb).
The 5.15.12, 5.10.89, 5.4.169, 4.19.223, 4.14.260, 4.9.295, and 4.4.297 stable kernel updates have all been released. These should be the last updates for this year; as usual, they all contain more important fixes and updates.
Security updates have been issued by Debian (firefox-esr, python-gnupg, resiprocate, and ruby-haml), Fedora (mod_auth_mellon), openSUSE (thunderbird), Slackware (wpa_supplicant), and SUSE (gegl).
The kernel's thread model is relatively straightforward and performs reasonably well, but that's not enough for all users. Specifically, there are use cases out there that benefit from a lightweight threading model that gives user space control over scheduling decisions. Back in May 2021, Peter Oskolkov posted a patch set implementing an abstraction known as user-managed concurrency groups, or UMCG. Several revisions later, many observers still lack a clear idea of what this patch is supposed to do, much less whether it is a good idea for the kernel. Things have taken a turn, though, with Peter Zijlstra's reimplementation of UMCG.
Security updates have been issued by Debian (djvulibre, libzip, monit, novnc, okular, paramiko, postgis, rdflib, ruby2.3, and zziplib), openSUSE (chromium, kafka, and permissions), and SUSE (net-snmp and permissions).
The 5.16-rc7 kernel prepatch is out for testing. "Obviously the holidays are a big reason it's all small, so it's not like this is a sign of us having found all bugs, and we'll keep at this for at least two more weeks".
Security updates have been issued by Debian (apache-log4j2, libextractor, libpcap, and wireshark), Fedora (grub2, kernel, libopenmpt, log4j, mingw-binutils, mingw-python-lxml, and seamonkey), Mageia (golang, lapack/openblas, and samba), and openSUSE (go1.16, libaom, log4j12, logback, and runc).
The Jami communication tool has released a major new stable version called "Taranis"; the blog post announcement explains: "Taranis, the Gallic and Celtic god of the sky, lightning and thunder, will be the baptismal name of this new version of Jami." The mailing-list announcement describes the tool this way:
Security updates have been issued by Debian (webkit2gtk and wpewebkit), Fedora (httpd and singularity), Mageia (ldns, netcdf, php, ruby, thrift/golang-github-apache-thrift, thunderbird, and webkit2), openSUSE (go1.16, go1.17, libaom, and p11-kit), and SUSE (go1.16, go1.17, htmldoc, libaom, libvpx, logstash, openssh-openssl1, python3, and runc).
Version 3.8.0 of the Darktable photo-processing application has been released. Significant changes include a new keyboard shortcut system, a new diffuse-or-sharpen module, a new "scene-referred" blurs module "to synthesize motion and lens blurs in a parametric and physically accurate way", support for the Canon CR3 raw format, and more.
Version 5.0 of the Krita painting program has been released. "This is a huge release, with a lot of new features and improvements". Changes include a reworked resource system, dithered gradients, faster color management, a reworked animation subsystem, and more; see the release notes for details.
Security updates have been issued by Debian (openjdk-11), Fedora (keepalived and tang), openSUSE (openssh, p11-kit, runc, and thunderbird), Oracle (postgresql:12, postgresql:13, and virt:ol and virt-devel:ol), Red Hat (rh-maven36-log4j12), and SUSE (ansible, chrony, logstash, elasticsearch, kafka, zookeeper, openstack-monasca-agent, openstack-monasca-persister-java, openstack-monasca-thresh, openssh, p11-kit, python-Babel, and thunderbird).
It may have seemed questionable at times, but we have indeed survived yet another year — LWN's 22nd year of publication. That can only mean one thing: it is time to take a look back at our ill-advised attempt to make predictions in January and see how it all worked out. Shockingly, some of those predictions were at least partially on the mark. Others were ... not quite so good.
Back at the beginning of 2020, it was predicted that retirements would increase during this decade. In 2021, the prediction was that retirements would increase over the next couple of years. It is happening and LWN is no exception. I am retiring at the end of this year after more than 20 years with LWN. So who am I and how did I get here? To some, I'm a name at the bottom of some LWN page. To a few, I'm the one that reminds them when their LWN group subscription is about to expire. You might have even met me at a conference. Not that I have been to very many. Mostly I tend to be quietly in the background watching the LWN mailbox, looking for brief items and quotes of the week (sorry I haven't found much lately), proofreading articles, managing subscriptions, and more. But I'm older than most of you and this is my last LWN weekly edition. Getting here is a bit of story.
Security updates have been issued by CentOS (firefox, ipa, log4j, and samba), Debian (sogo, spip, and xorg-server), Fedora (jansi and log4j), Mageia (apache, apache-mod_security, kernel, kernel-linus, and x11-server), openSUSE (log4j and xorg-x11-server), Oracle (kernel, log4j, and openssl), and SUSE (libqt4 and xorg-x11-server).
Fedora is among the group of Linux distributions that, by default, lock out the root account such that it does not have a password and cannot be logged into. But, traditionally, "rescue mode" boots the system into single-user mode, which requires a root password—difficult to provide if it does not exist. A Fedora proposal to remove the need for the password in that case, and just drop into a root shell, does not seem likely to go far in that form, but it would seem to have pointed toward some better solutions for the underlying problem.
Security updates have been issued by Mageia (log4j), openSUSE (chromium, log4j, netdata, and nextcloud), Oracle (kernel and kernel-container), Red Hat (kernel, kernel-rt, log4j, openssl, postgresql:12, postgresql:13, and virt:rhel and virt-devel:rhel), Slackware (httpd), SUSE (xorg-x11-server), and Ubuntu (firefox).
A clarion call from the Electronic Frontier Foundation (EFF) warning about upcoming changes to the Chrome browser's extension API was not the first such—from the EFF or from others. The time of the switch to Manifest V3, as the new API is known, is growing closer; privacy advocates are concerned that it will preclude a number of techniques that browser extensions use for features like ad and tracker blocking. Part of the concern stems from the fact that Google is both the developer of a popular web browser and the operator of an enormous advertising network so its incentives seem, at least, plausibly misaligned.
Just in time for the upcoming holidays, "KDE's educational suite of more than 170 activities and pedagogical games", GCompris, has released version 2.0. It includes new and updated games and activities, including:
There are some parts of the kernel where even the most experienced and capable developers fear to tread; one of those is surely the code that implements signals. The nature of the signal API almost guarantees that any implementation will be full of subtle interactions and complexities, and the version in Linux doesn't disappoint. So the inclusion of a signal-handling change late in the 5.16 merge window might have been expected to have the potential for difficulties; it didn't disappoint either.
Greg Kroah-Hartman has announced the release of the 5.15.10, 5.10.87, and 5.4.167 stable kernels. These are fairly small updates, but, unlike yesterday's single self-test bug fix updates, do contain important fixes throughout the tree; users should upgrade.
Security updates have been issued by Debian (kernel), Fedora (dr_libs, libsndfile, and podman), openSUSE (fetchmail, log4j, log4j12, logback, python3, and seamonkey), Oracle (go-toolset:ol8, idm:DL1, and nodejs:16), Red Hat (go-toolset-1.16 and go-toolset-1.16-golang, ipa, rh-postgresql12-postgresql, rh-postgresql13-postgresql, and samba), Slackware (xorg), SUSE (log4j, log4j12, and python3), and Ubuntu (apache-log4j2 and openjdk-8, openjdk-lts).