Security updates have been issued by Debian (hyperkitty, libxml2, nginx, openjdk-11-jre-dcevm, rxvt-unicode, samba, and webkit2gtk), Fedora (exiv2, java-1.8.0-openjdk-aarch32, mingw-python-pillow, opendmarc, php-symfony3, php-symfony4, python-pillow, runc, rust-cranelift-codegen-shared, rust-cranelift-entity, and rxvt-unicode), openSUSE (curl, hivex, libu2f-host, libX11, libxls, singularity, and upx), Oracle (dotnet3.1 and dotnet5.0), Red Hat (docker, glib2, and runc), and Ubuntu (lz4).
AlmaLinux 8.4, a clone of RHEL filling the role that CentOS used to play, has been released. Changes include full support for secure boot, a developer repository with packages not found in RHEL, and more; see the release notes for details.
Modern computing systems can feature multiple types of memory that differ in their performance characteristics. The most common example is NUMA architectures, where memory attached to the local node is faster to access than memory on other nodes. Recently, persistent memory has started appearing in deployed systems as well; this type of memory is byte-addressable like DRAM, but it is available in larger sizes and is slower to access, especially for writes. This new memory type makes memory allocation even more complicated for the kernel, driving the need for a method to better manage multiple types of memory in one system.
The 5.12.8, 5.10.41, and 5.4.123 stable kernels have been released. These contain only a small handful of changes, including fixes to the BPF verifier to address a privilege escalation vulnerability. Users of those series should upgrade.
Over on the Python Software Foundation blog, the reports from day 1 of the Python Language Summit are available. At the time of this writing, a few from day 2 are ready as well. There are lots of interesting topics discussed at the summit, including a talk on making CPython faster from Python creator Guido van Rossum. "Seven months ago, Guido van Rossum left a brief retirement to work at Microsoft. He was given the freedom to pick a project and decided to work on making CPython faster. Microsoft will be funding a small team consisting of Guido van Rossum, Mark Shannon, Eric Snow, and possibly others. [...] The team is optimistic about doubling CPython's speed for 3.11. They plan to try an adaptive, specializing byte code interpreter, which is a bit like the existing inline cache and a bit like the shadow byte code covered in Dino Viehland's talk." Some of the ideas go back to Shannon's thoughts on speeding up the interpreter that we looked at back in December.
When kernel developers want to communicate something about the state of a running kernel, they tend to use printk(); that results in a log entry that is intended — with varying success — to be human-readable. As it happens, though, the consumers of that information are often not human; the kernel's log output is also read by automated monitoring systems that are looking for problems. The result is an impedance mismatch that often ends with the monitoring system missing important messages. The printk() format indexing patch set is the latest of many attempts to improve this situation.
Security updates have been issued by Debian (djvulibre), Fedora (slapi-nis and upx), Gentoo (ceph and nginx), openSUSE (python-httplib2 and rubygem-actionpack-5_1), Slackware (curl), SUSE (curl, libX11, and python-httplib2), and Ubuntu (isc-dhcp, lz4, and nginx).
Internet Relay Chat (IRC) is a longstanding protocol—or series of protocols—for creating online, text-based chat rooms. While many of the "channels" (as chat rooms are usually called) are highly useful to a wide variety of projects and organizations, including much of the free-software world, IRC seems to have a community that suffers from more than its fair share of disagreements, hostile forks, vitriol, and other types of divisiveness. It is perhaps no huge surprise, then, that the IRC world is currently undergoing another of its periodic upheavals. The largest IRC network, freenode, is embroiled in a messy dispute that has led to the mass resignation of many of its volunteer staff, the founding of a competitor network (run by the former staff), and its abandonment by multiple high-profile projects.
Stable kernels 5.12.7, 5.10.40, 5.4.122, 4.19.192, 4.14.234, 4.9.270, and 4.4.270 have been released. As usual, they contain important fixes and users should upgrade.
Version 3.0 of Magit, a Git interface that runs inside emacs, has been released. "The big change are the completely reworked menus used to select arguments and invoke suffix commands. Magit now uses the Transient package to implement these menus." See the release notes for more details.
On March 24, version 1.6.0 of the Julia programming language was released. This is the first feature release since 1.0 came out in 2018. The new release significantly reduces the "time to first plot", which is a common source of dissatisfaction for newcomers to the language, by parallelizing pre-compilation, downloading packages more efficiently, and reducing the frequency of just-in-time re-compilations at run time.
Version 1.1 of the Inkscape vector image editor has been released. "Among the highlights in Inkscape 1.1 are a Welcome dialog, a Command Palette, a revamped Dialog Docking System, and searchable preference options, along with new formats for exporting your work."
The multi-generational LRU patch set is a significant reworking of the kernel's memory-management subsystem that promises better performance for a number of workloads; it was covered here in April. Since then, two new versions of that work have been released by developer Yu Zhao, with version 3 being posted on May 20. Some significant changes have been made since the original post, so another look is in order.
The third 5.13 kernel prepatch is out for testing. "It's been a very calm rc3 week, and at least in pure number of commits this is the smallest rc3 we've had in the 5.x series. Considering that the merge window was not in any way small, this is a bit surprising, but I suspect it's one of those 'not everybody sent in fixes this week' things that will rectify itself next week." This prepatch does include reverts and fixes for a long series of broken patches identified in the TAB report on the UMN mess.
In 2018, LWN covered a talk by Gernot Heiser about the seL4 project, which has developed an open-source operating system for safety-critical applications and gone to the trouble of proving its correctness. Much of that work has been done at CSIRO in Australia. Heiser has announced via Twitter that CSIRO's support for this project is being shut down, with the staff being redirected to artificial-intelligence projects. Hopefully the seL4 Foundation, established in 2020, will be able to carry on this interesting work.
Version 5.34.0 of the Perl language has been released. "Perl 5.34.0 represents approximately 11 months of development since Perl 5.32.0 and contains approximately 280,000 lines of changes across 2,100 files from 78 authors." See this page for a list of changes; they include a new try/catch syntax, a new octal syntax, and many improvements to various modules.
Among the many changes merged for the 5.13 kernel is support for the LLVM control-flow integrity (CFI) mechanism. CFI defends against exploits by ensuring that indirect function calls have not been redirected by an attacker. Quite a bit of work was needed to make this feature work well for the kernel, but the result appears to be production-ready and able to defend Linux systems from a range of attacks.
Security updates have been issued by Arch Linux (ceph, chromium, firefox, gitlab, hedgedoc, keycloak, libx11, mariadb, opendmarc, prosody, python-babel, python-flask-security-too, redmine, squid, and vivaldi), Debian (lz4), Fedora (ceph and python-pydantic), and openSUSE (cacti, cacti-spine).
The RISC-V CPU architecture has been gaining prominence for some years; its relatively open nature makes it an attractive platform on which a number of companies have built products. Linux supports RISC-V well, but there is one gaping hole: there is no support for virtualization with KVM, despite the fact that a high-quality implementation exists. A recent attempt to add that support is shining some light on a part of the ecosystem that, it seems, does not work quite as well as one would like.
Security updates have been issued by Fedora (cacti, cacti-spine, exif, firefox, kernel, mariadb, and thunderbird), Mageia (kernel, kernel-linus, and libxml2), openSUSE (exim and jhead), Oracle (slapi-nis and xorg-x11-server), Scientific Linux (slapi-nis and xorg-x11-server), Slackware (libX11), SUSE (djvulibre, fribidi, graphviz, grub2, libass, libxml2, lz4, python-httplib2, redis, rubygem-actionpack-4_2, and xen), and Ubuntu (pillow and python-babel).
May 11 marked a new major release for the Python-based Flask web microframework project, but Flask 2.0 was only part of the story. While the framework may be the most visible piece, it is one of a small handful of cooperating libraries that provide solutions for various web-development tasks; all are incorporated into the Pallets projects organization. For the first time, all six libraries that make up Pallets were released at the same time and each had a new major version number. In part, that new major version indicated that Python 2 support was being left behind, but there is plenty more that went into the coordinated release.
Several readers have alerted us to some serious problems at freenode, which runs an IRC network that is popular in the free-software world. Evidently there has been a change of control within the volunteer-run organization that has led to the resignations of multiple different volunteers, at least in part due to a concern about the personal information of freenode users under the new management. "The freenode resignation FAQ" has collected a bunch of information (and links to even more resignation letters) that may help shed some light on this mess. From the FAQ: "Freenode staff have stepped down. The network that runs at freenode.org/net/com should now be assumed to be under control of a malicious party." In the meantime, many of the volunteers who resigned have formed Libera.Chat to continue the legacy of freenode. LWN will be keeping an eye on the situation; stay tuned ...
Control groups (cgroups) are meant to limit access to a shared resource among processes in the system. One such resource is the values used to specify an encrypted-memory region for a virtual machine, such as the address-space identifiers (ASIDs) used by the AMD Secure Encrypted Virtualization (SEV) feature. Vipin Sharma set out to add a control group for these ASIDs back in September; based on the feedback, though, he expanded the idea into a controller to track and limit any countable resource. The patch set became the controller for the misc control group and has been merged for Linux 5.13.
The Mozilla Security Blog announces that there is a new site-isolation mechanism available for testing in the Firefox browser. It's a defense against Meltdown and Spectre exploits.
Security updates have been issued by Debian (chromium, curl, prosody, and ruby-rack-cors), Fedora (dotnet3.1 and dotnet5.0), openSUSE (ibsim and prosody), SUSE (kernel and python3), and Ubuntu (caribou and djvulibre).
There have been many disagreements over the years in the kernel community concerning the exporting of internal kernel symbols to loadable modules. Exporting a symbol often exposes implementation decisions to outside code, makes it possible to use (or abuse) kernel functionality in unintended ways, and makes future changes harder. That said, there is no authority overseeing the exporting of symbols and no process for approving exports; discussions only tend to arise when somebody notices a change that they don't like. But it is not particularly hard to detect changes in symbol exports from one kernel version to the next, and doing so can give some insights into the kinds of changes that are happening under the hood.
The T2 System Development Environment Linux 21.5 was released with 18 pre- and cross-compiled architectures. "The 21.5 release received updates across the board, while a major point of work was the GCC 11 update as well as re-basing and fixing upstream regressions for the Sony PS3 support as well as various small improvements, including an up to 15 seconds faster system shutdown when using sysvinit."
The 5.13-rc2 kernel prepatch is out for testing. "The fixes here are all over the place - drivers, arch updates, documentation, tooling.. Nothing particularly stands out".
Group membership is normally used to grant access to some resource; examples might include using groups to control access to a shared directory, a printer, or the ability to use tools like sudo. It is possible, though, to use group membership to deny access to a resource instead, and some administrators make use of that feature. But groups only work as a negative credential if the user cannot shed them at will. Occasionally, some way to escape a group has turned up, resulting in vulnerabilities on systems where they are used to block access; despite fixes in the past, it turns out that there is still a potential problem with groups and user namespaces; this patch set from Giuseppe Scrivano seeks to mitigate it through the creation of "shadow" groups.
Greg Kroah-Hartman has announced the release of the 5.12.4, 5.11.21, 5.10.37, and 5.4.119 stable kernels. These are enormous updates, with changes throughout the kernel tree; users should upgrade.
Security updates have been issued by Debian (jetty9, libgetdata, and postgresql-11), openSUSE (java-11-openjdk), SUSE (dtc, ibsim, ibutils, ipvsadm, and kernel), and Ubuntu (awstats and glibc).
The kernel's BPF virtual machine allows programs loaded from user space to be safely run in the kernel's context. That functionality would be of limited use, however, without the ability for those programs to interact with the rest of the kernel. The interface between BPF and the kernel has been kept narrow for a number of good reasons, including safety and keeping the kernel in control of the system. The 5.13 kernel, though, contains a feature that could, over time, widen that interface considerably: the ability to directly call kernel functions from BPF programs.
Security updates have been issued by Debian (graphviz and redmine), Fedora (dom4j, kernel, kernel-headers, kernel-tools, mariadb, php, php-phpmailer6, and redis), openSUSE (kernel and nagios), and Ubuntu (mysql-5.7, mysql-8.0 and python-django).
The discoverer of the KRACK attacks against WPA2 encryption in WiFi is back with a new set of flaws in the wireless-networking protocols. FragAttacks is a sizable group of WiFi vulnerabilities that (ab)use the fragmentation and aggregation (thus "Frag") features of the standard. The fixes have been coordinated over a nine-month period, which has allowed security researcher Mathy Vanhoef time to create multiple papers, some slide decks, a demo video, patches, and, of course, a website and logo for the vulnerabilities.
GNU Guix, the transactional package manager and distribution, has released version 1.3.0. This release adds new features, refines the user experience, and improves performance. Support for the POWER9 platform is now offered as a technological preview.
Python in the browser has long been an item on the wish list of many in the Python community. At this point, though, JavaScript has well-cemented its role as the language embedded into the web and its browsers. The Pyodide project provides a way to run Python in the browser by compiling the existing CPython interpreter to WebAssembly and running that binary within the browser's JavaScript environment. Pyodide came about as part of Mozilla's Iodide project, which has fallen by the wayside, but Pyodide is now being spun out as a community-driven project.