Security updates have been issued by Debian (bluez, icu, libntlm, libvorbis, libvpx, opensc, roundcube, and tar), Fedora (kernel, kernel-headers, kernel-tools, puppet, slurm, stargz-snapshotter, and suricata), openSUSE (netcdf), Oracle (bluez, kernel, kernel-container, krb5, mailman:2.1, openssh, python3, and rpm), Red Hat (samba), and SUSE (xen).
The 5.16-rc3 kernel prepatch is out fortesting. "So rc3 is usually a bit larger than rc2 just because people had sometime to start finding things.So too this time, although it's not like this is a particularly bigrc3."
Version8.1.0 of the PHP language has been released. This release includes anumber of new features, including enumerations,read-onlyproperties,fibers, and more.Meanwhile, anew foundation has been created to support development of PHP:
Greg Kroah-Hartman has announced the release of six new stable kernels: 5.10.82, 5.4.162, 4.19.218, 4.14.256, 4.9.291, and 4.4.293. These kernels contain lots ofimportant fixes throughout the tree; users of those series should upgrade.
Security updates have been issued by Fedora (freerdp, gnome-boxes, gnome-connections, gnome-remote-desktop, guacamole-server, hydra, java-1.8.0-openjdk-aarch32, medusa, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, php, pidgin-sipe, remmina, vinagre, and weston), openSUSE (kernel and netcdf), and SUSE (kernel and netcdf).
Security updates have been issued by Fedora (busybox, getdata, and php), Mageia (couchdb, freerdp, openexr, postgresql, python-reportlab, and rsh), openSUSE (bind, java-1_8_0-openjdk, and kernel), SUSE (java-1_7_0-openjdk), and Ubuntu (icu).
Security updates have been issued by Debian (openjdk-17), Fedora (libxls, roundcubemail, and vim), openSUSE (bind, java-1_8_0-openjdk, and redis), Red Hat (kernel, kernel-rt, kpatch-patch, krb5, mailman:2.1, openssh, and rpm), Scientific Linux (kernel, krb5, openssh, and rpm), SUSE (bind, java-1_8_0-openjdk, redis, and webkit2gtk3), and Ubuntu (bluez).
The second 5.16 kernel prepatch is out fortesting. "Nothing especially noteworthy stands out for the lastweek, it all felt pretty normal for a rc2 week".
The5.15.4,5.14.21,5.10.81, and5.4.161 stable kernels have been released.Each contains another set of important updates, but it's worthnoting that 5.4.161hasn't been through the usual review process due to an amusing bit ofscripting confusion.
One does not normally expect a lot of disagreement over a 13-line patchthat effectively tweaks a single line of code. Occasionally, though, sucha patch can expose a disagreement over how the behavior of the kernelshould be managed. This patchfrom Drew DeVault, who is evidently taking a break from stirring upthe npm community, is a case in point. It brings to light the questionof how the kernel community should pick default values for configurableparameters like resource limits.
Security updates have been issued by Arch Linux (chromium, grafana, kubectl-ingress-nginx, and opera), Debian (netkit-rsh and salt), Fedora (freeipa and samba), Mageia (opensc, python-django-filter, qt4, tinyxml, and transfig), openSUSE (opera and transfig), Red Hat (devtoolset-11-annobin, devtoolset-11-binutils, and llvm-toolset:rhel8), SUSE (php72 and php74), and Ubuntu (mailman and thunderbird).
The kernel provides a number of macros internally to allow code to generatewarnings when something goes wrong. It does not, however, provide a lot ofguidance regarding what should happen when a warning is issued. AlexanderPopov recently posted apatch series adding an option for the system's response to warnings;that series seems unlikely to be applied in anything close to its currentform, but it did succeed in provoking a discussion on how warnings shouldbe handled.
Greg Kroah-Hartman has released two more stable kernels. 5.14.20 reverts three patches from the5.14.19 release, while 5.10.80 is one of themassive updates mentioned yesterday. Theother massive release mentioned, 5.15.3, is still underreview and can be expected in the next day or two. As usual, thekernels released contain important fixes and users should upgrade.Update: 5.15.3 was also released.
Security updates have been issued by CentOS (binutils, firefox, flatpak, freerdp, httpd, java-1.8.0-openjdk, java-11-openjdk, kernel, openssl, and thunderbird), Fedora (python-sport-activities-features, rpki-client, and vim), and Red Hat (devtoolset-10-annobin and devtoolset-10-binutils).
Even encrypted data sent on the internet leaves some footprints—metadataabout where packets originate, where they are bound, and when they are sent. Mix networks aremeant to hide that metadata by routing packets through various intermediatenodes to try to thwart the traffic analysis used by nation-state-leveladversaries to identify "opponents" of various kinds. Tor is perhaps thebest-known mix network, but there are others that make differenttradeoffs to increase the security of their users. Rollercoasteris a recently announced mechanism that extends the functionality of mixnetworks in order to more efficiently communicate among groups.
Security updates have been issued by CentOS (389-ds-base and libxml2), Debian (atftp, axis, and ntfs-3g), Fedora (digikam, freerdp, guacamole-server, and remmina), openSUSE (java-11-openjdk, kernel, samba, and tomcat), SUSE (firefox, java-11-openjdk, kernel, libarchive, samba, and tomcat), and Ubuntu (accountsservice, hivex, and openexr).
The 5.14.19 and 5.4.160 stable kernels have been released;these updates contain a huge number of important fixes. The equallymassive 5.15.3and 5.10.80updates were also intended for release but, as the result of some problemsthat turned up in testing, they will be going through onemore round of review first.
The Trojan Source vulnerabilities have beenrippling through various developmentcommunities since their disclosure on November 1. The oddities that can arise when handling Unicode, andbidirectional Unicode in particular, in a programming language have led Rust, forexample, to check forthe problematic code points in strings and comments and, by default,refuse to compile if they are present. Python has chosen a different path,but work is underway to help inform programmers of the kinds of pitfalls thatTrojan Source has highlighted.
Security updates have been issued by Debian (libxml-security-java), Fedora (botan2), openSUSE (drbd-utils, kernel, and samba), Red Hat (kernel and webkit2gtk3), SUSE (drbd-utils and samba), and Ubuntu (vim).
Version 2.34.0 of the Git source-code management system is out."It is comprised of 834 non-merge commits sincev2.33.0, contributed by 109 people, 29 of which are new faces". SeethisGitHub blog post for a look at some of the more significant changes inthis release:
Linus Torvalds released5.16-rc1 and ended the 5.16 merge window on November 14, asexpected. At that point, 12,321 non-merge changesets had been pulled intothe mainline; about 5,500 since our summary ofthe first half of the merge window was written. As is usually the case,the patch mix in the latter part of the merge window tended more towardfixes, but there were a number other changes as well.
Security updates have been issued by Debian (ffmpeg and tomcat9), Fedora (et and kernel), openSUSE (binutils, rubygem-activerecord-5_1, samba, and tinyxml), Oracle (freerdp and httpd:2.4), Red Hat (devtoolset-11-gcc, gcc-toolset-10-binutils, kernel, kernel-rt, and kpatch-patch), and Scientific Linux (freerdp).
Over on the Google Security blog, Jonathan Metzman announced the release of ClusterFuzzLite, which is "a continuous fuzzing solution that runs as part of CI/CD workflows to find vulnerabilities faster than ever before". ClusterFuzzLite is a descendant of OSS-Fuzz, which we looked at in 2017.
The memory-management subsystem remains one of the most complex parts ofthe kernel, with an ongoing reliance on various heuristics forperformance. It is thus not surprising that developers continue to try toimprove its functionality. A number of memory-management patches arecurrently in circulation; read on for a look at the freeing of page-tablepages, kvmalloc() flags, memory clearing, and NUMA "home nodes".
Greg Kroah-Hartman has announced the release of eight stable kernels: 5.15.2, 5.14.18, 5.10.79, 5.4.159, 4.19.217, 4.14.255, 4.9.290, and 4.4.292. They contain a relatively small setof important fixes, but, as usual, users should upgrade.
Security updates have been issued by Debian (node-tar, postgresql-11, postgresql-13, and postgresql-9.6), Fedora (autotrace, botan2, chafa, converseen, digikam, dmtx-utils, dvdauthor, eom, kxstitch, pfstools, php-pecl-imagick, psiconv, q, R-magick, radeontop, rss-glx, rubygem-rmagick, synfig, synfigstudio, vdr-scraper2vdr, vdr-skinelchihd, vdr-skinnopacity, vdr-tvguide, and WindowMaker), Mageia (kernel, kernel-linus, and openafs), openSUSE (kernel), Red Hat (freerdp), SUSE (bind and kernel), and Ubuntu (openexr, postgresql-10, postgresql-12, postgresql-13, and samba).
While the "Trojan Source" vulnerabilitieshave, thus far, generated far more publicity than examples of actualexploits, addressing the problem still seems like a good thing to do.There are several places where defenses could be put into place; texteditors, being the place where developers look at a lot of code, are oneobvious example. The discussion of how to enhance Emacs in this regard hasmade it clear, though, that there are multiple opinions about how an editorshould flag potential attacks.
On November 10, the Go programming language community celebrated the 12th anniversary of its release as open-source software. The post covers a number of different topics, including the consolidation of web sites at go.dev, releases and their features over the last year, as well as a look to the future:
Security updates have been issued by Debian (icinga2, libxstream-java, ruby-kaminari, and salt), Fedora (awscli, cacti, cacti-spine, python-boto3, python-botocore, radeontop, and rust), Mageia (firefox, libesmtp, libzapojit, sssd, and thunderbird), openSUSE (samba and samba and ldb), SUSE (firefox, pcre, qemu, samba, and samba and ldb), and Ubuntu (firejail, linux-bluefield, linux-gke-5.4, linux-oracle, linux-oracle-5.4, linux-oem-5.10, linux-oem-5.14, and python-py).
Python supports default values for arguments to functions, but thosedefaults are evaluated at function-definition time. A proposal to adddefaults that are evaluated when the function is called has been discussedat some length on the python-ideas mailing list. The idea came about, in part,due to yet another resurrection of the proposalfor None-aware operators in Python. Late-bound defaults would helpwith one use case for those operators, but there are other, strongerreasons to consider their addition to the language.
There is a set of new Samba releases out there. They fix a long andintimidating list of security issues and seem worth upgrading to for anybut the most protected of Samba servers.
The Julia programming language hasits roots in high-performance scientific computing, so it is no surprisethat it has facilities for concurrent processing. Those features are notwell-known outside of the Julia community, though, so it is interesting tosee the different types of parallel and concurrent computation that thelanguage supports. In addition, the upcoming release of Juliaversion 1.7 brings an improvement to the language'sconcurrent-computation palette, in the form of "task migration".
The x86 instruction set is large, but that doesn't mean it can't get biggeryet. Upcoming Intel processors will feature a new set of instructionsunder the name of "Advanced Matrix Extensions" (AMX) that can be used tooperate on matrix data. After a somewhat bumpy developmentprocess, support for AMX has found its way into the upcoming 5.16 kernel.Using it will, naturally, require some changes by application developers.
Security updates have been issued by Debian (containerd, redis, and sqlalchemy), Fedora (kernel, radeontop, rpki-client, and webkit2gtk3), openSUSE (java-1_8_0-openj9, libvirt, mailman, transfig, and webkit2gtk3), Oracle (thunderbird), SUSE (libvirt), and Ubuntu (icu).
Back in September, LWN reported on a seriesof block-layer optimizations that enabled a suitably equipped system tosustain 3.5 million I/O operations per second (IOPS). Thatoptimization work has continued since then, and those 3.5 million IOPSwould be a deeply disappointing result now. A recent disagreement over theaddition of a new feature has highlighted the potential cost of a heavilyoptimized block layer, though; when is a feature deemed important enough tooutweigh the drive for maximum performance?
Security updates have been issued by Debian (python3.5, redis, and udisks2), Fedora (rust), openSUSE (binutils, java-1_8_0-openj9, and qemu), Oracle (firefox and httpd), Red Hat (thunderbird), Scientific Linux (thunderbird), and SUSE (binutils, qemu, and systemd).
LWN.net