Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-07-02 17:00
Security updates for Friday
Security updates have been issued by Arch Linux (chromium, grafana, kubectl-ingress-nginx, and opera), Debian (netkit-rsh and salt), Fedora (freeipa and samba), Mageia (opensc, python-django-filter, qt4, tinyxml, and transfig), openSUSE (opera and transfig), Red Hat (devtoolset-11-annobin, devtoolset-11-binutils, and llvm-toolset:rhel8), SUSE (php72 and php74), and Ubuntu (mailman and thunderbird).
[$] What to do in response to a kernel warning
The kernel provides a number of macros internally to allow code to generate warnings when something goes wrong. It does not, however, provide a lot of guidance regarding what should happen when a warning is issued. Alexander Popov recently posted a patch series adding an option for the system's response to warnings; that series seems unlikely to be applied in anything close to its current form, but it did succeed in provoking a discussion on how warnings should be handled.
Two more stable kernels
Greg Kroah-Hartman has released two more stable kernels. 5.14.20 reverts three patches from the 5.14.19 release, while 5.10.80 is one of the massive updates mentioned yesterday. The other massive release mentioned, 5.15.3, is still under review and can be expected in the next day or two. As usual, the kernels released contain important fixes and users should upgrade. Update: 5.15.3 was also released.
Security updates for Thursday
Security updates have been issued by CentOS (binutils, firefox, flatpak, freerdp, httpd, java-1.8.0-openjdk, java-11-openjdk, kernel, openssl, and thunderbird), Fedora (python-sport-activities-features, rpki-client, and vim), and Red Hat (devtoolset-10-annobin and devtoolset-10-binutils).
[$] LWN.net Weekly Edition for November 18, 2021
The LWN.net Weekly Edition for November 18, 2021 is available.
[$] Rollercoaster: group messaging for mix networks
Even encrypted data sent on the internet leaves some footprints—metadata about where packets originate, where they are bound, and when they are sent. Mix networks are meant to hide that metadata by routing packets through various intermediate nodes to try to thwart the traffic analysis used by nation-state-level adversaries to identify "opponents" of various kinds. Tor is perhaps the best-known mix network, but there are others that make different tradeoffs to increase the security of their users. Rollercoaster is a recently announced mechanism that extends the functionality of mix networks in order to more efficiently communicate among groups.
Security updates for Wednesday
Security updates have been issued by CentOS (389-ds-base and libxml2), Debian (atftp, axis, and ntfs-3g), Fedora (digikam, freerdp, guacamole-server, and remmina), openSUSE (java-11-openjdk, kernel, samba, and tomcat), SUSE (firefox, java-11-openjdk, kernel, libarchive, samba, and tomcat), and Ubuntu (accountsservice, hivex, and openexr).
A pair of stable kernel updates
The 5.14.19 and 5.4.160 stable kernels have been released; these updates contain a huge number of important fixes. The equally massive 5.15.3 and 5.10.80 updates were also intended for release but, as the result of some problems that turned up in testing, they will be going through one more round of review first.
[$] Trojan Source and Python
The Trojan Source vulnerabilities have been rippling through various development communities since their disclosure on November 1. The oddities that can arise when handling Unicode, and bidirectional Unicode in particular, in a programming language have led Rust, for example, to check for the problematic code points in strings and comments and, by default, refuse to compile if they are present. Python has chosen a different path, but work is underway to help inform programmers of the kinds of pitfalls that Trojan Source has highlighted.
Security updates for Tuesday
Security updates have been issued by Debian (libxml-security-java), Fedora (botan2), openSUSE (drbd-utils, kernel, and samba), Red Hat (kernel and webkit2gtk3), SUSE (drbd-utils and samba), and Ubuntu (vim).
Git 2.34.0 released
Version 2.34.0 of the Git source-code management system is out. "It is comprised of 834 non-merge commits since v2.33.0, contributed by 109 people, 29 of which are new faces". See this GitHub blog post for a look at some of the more significant changes in this release:
[$] 5.16 Merge window, part 2
Linus Torvalds released 5.16-rc1 and ended the 5.16 merge window on November 14, as expected. At that point, 12,321 non-merge changesets had been pulled into the mainline; about 5,500 since our summary of the first half of the merge window was written. As is usually the case, the patch mix in the latter part of the merge window tended more toward fixes, but there were a number of other changes as well.
Security updates for Monday
Security updates have been issued by Debian (ffmpeg and tomcat9), Fedora (et and kernel), openSUSE (binutils, rubygem-activerecord-5_1, samba, and tinyxml), Oracle (freerdp and httpd:2.4), Red Hat (devtoolset-11-gcc, gcc-toolset-10-binutils, kernel, kernel-rt, and kpatch-patch), and Scientific Linux (freerdp).
Kernel prepatch 5.16-rc1
The 5.16-rc1 kernel prepatch is out and the merge window is closed for this cycle.
ClusterFuzzLite: Continuous fuzzing for all (Google Security blog)
Over on the Google Security blog, Jonathan Metzman announced the release of ClusterFuzzLite, which is "a continuous fuzzing solution that runs as part of CI/CD workflows to find vulnerabilities faster than ever before". ClusterFuzzLite is a descendant of OSS-Fuzz, which we looked at in 2017.
[$] Some upcoming memory-management patches
The memory-management subsystem remains one of the most complex parts of the kernel, with an ongoing reliance on various heuristics for performance. It is thus not surprising that developers continue to try to improve its functionality. A number of memory-management patches are currently in circulation; read on for a look at the freeing of page-table pages, kvmalloc() flags, memory clearing, and NUMA "home nodes".
Eight new stable kernels
Greg Kroah-Hartman has announced the release of eight stable kernels: 5.15.2, 5.14.18, 5.10.79, 5.4.159, 4.19.217, 4.14.255, 4.9.290, and 4.4.292. They contain a relatively small set of important fixes, but, as usual, users should upgrade.
Security updates for Friday
Security updates have been issued by Debian (node-tar, postgresql-11, postgresql-13, and postgresql-9.6), Fedora (autotrace, botan2, chafa, converseen, digikam, dmtx-utils, dvdauthor, eom, kxstitch, pfstools, php-pecl-imagick, psiconv, q, R-magick, radeontop, rss-glx, rubygem-rmagick, synfig, synfigstudio, vdr-scraper2vdr, vdr-skinelchihd, vdr-skinnopacity, vdr-tvguide, and WindowMaker), Mageia (kernel, kernel-linus, and openafs), openSUSE (kernel), Red Hat (freerdp), SUSE (bind and kernel), and Ubuntu (openexr, postgresql-10, postgresql-12, postgresql-13, and samba).
[$] Exposing Trojan Source exploits in Emacs
While the "Trojan Source" vulnerabilities have, thus far, generated far more publicity than examples of actual exploits, addressing the problem still seems like a good thing to do. There are several places where defenses could be put into place; text editors, being the place where developers look at a lot of code, are one obvious example. The discussion of how to enhance Emacs in this regard has made it clear, though, that there are multiple opinions about how an editor should flag potential attacks.
Twelve Years of Go (The Go blog)
On November 10, the Go programming language community celebrated the 12th anniversary of its release as open-source software. The post covers a number of different topics, including the consolidation of web sites at go.dev, releases and their features over the last year, as well as a look to the future:
Security updates for Thursday
Security updates have been issued by Debian (icinga2, libxstream-java, ruby-kaminari, and salt), Fedora (awscli, cacti, cacti-spine, python-boto3, python-botocore, radeontop, and rust), Mageia (firefox, libesmtp, libzapojit, sssd, and thunderbird), openSUSE (samba and samba and ldb), SUSE (firefox, pcre, qemu, samba, and samba and ldb), and Ubuntu (firejail, linux-bluefield, linux-gke-5.4, linux-oracle, linux-oracle-5.4, linux-oem-5.10, linux-oem-5.14, and python-py).
[$] LWN.net Weekly Edition for November 11, 2021
The LWN.net Weekly Edition for November 11, 2021 is available.
[$] Late-bound argument defaults for Python
Python supports default values for arguments to functions, but those defaults are evaluated at function-definition time. A proposal to add defaults that are evaluated when the function is called has been discussed at some length on the python-ideas mailing list. The idea came about, in part, due to yet another resurrection of the proposal for None-aware operators in Python. Late-bound defaults would help with one use case for those operators, but there are other, stronger reasons to consider their addition to the language.
Security updates for Wednesday
Security updates have been issued by Debian (openjdk-8 and samba), Fedora (community-mysql, firefox, and vim), openSUSE (binutils, kernel, and tinyxml), Red Hat (annobin, autotrace, babel, bind, binutils, bluez, compat-exiv2-026, container-tools:2.0, container-tools:3.0, container-tools:rhel8, cups, curl, dnf, dnsmasq, edk2, exiv2, file, file-roller, firefox, gcc, gcc-toolset-10-annobin, gcc-toolset-10-binutils, gcc-toolset-10-gcc, gcc-toolset-11-annobin, gcc-toolset-11-binutils, gcc-toolset-11-gcc, glib2, glibc, GNOME, gnutls and nettle, go-toolset:rhel8, grafana, graphviz, grilo, httpd:2.4, jasper, java-17-openjdk, json-c, kernel, kernel-rt, kexec-tools, kpatch-patch, lasso, libgcrypt, libjpeg-turbo, libsepol, libsolv, libssh, libtiff, libwebp, libX11, linuxptp, lua, mingw-glib2, mutt, ncurses, NetworkManager, openjpeg2, openssh, openssl, pcre, pcs, php:7.4, python-jinja2, python-lxml, python-pillow, python-pip, python-psutil, python27:2.7, python3, python36:3.6, python38:3.8 and python38-devel:3.8, python39:3.9 and python39-devel:3.9, qt5, resource-agents, rpm, rust-toolset:rhel8, spamassassin, sqlite, squid:4, tcpdump, tpm2-tools, vim, virt:rhel and virt-devel:rhel, and zziplib), and SUSE (binutils and kernel).
Samba 4.15.2, 4.14.10, 4.13.14 security releases available
There is a set of new Samba releases out there. They fix a long and intimidating list of security issues and seem worth upgrading to for any but the most protected of Samba servers.
[$] Concurrency in Julia
The Julia programming language has its roots in high-performance scientific computing, so it is no surprise that it has facilities for concurrent processing. Those features are not well-known outside of the Julia community, though, so it is interesting to see the different types of parallel and concurrent computation that the language supports. In addition, the upcoming release of Julia version 1.7 brings an improvement to the language's concurrent-computation palette, in the form of "task migration".
Security updates for Tuesday
Security updates have been issued by Arch Linux (firefox, grafana, jenkins, opera, and thunderbird), Debian (botan1.10 and ckeditor), openSUSE (chromium, kernel, qemu, and rubygem-activerecord-5_1), SUSE (qemu and rubygem-activerecord-5_1), and Ubuntu (docker.io, kernel, linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oem-5.13, linux-oracle, linux-oracle-5.11, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, and linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon).
LXD 4.20 released
The LXD team has announced the release of version 4.20 of the LXD system container and virtual machine manager.
[$] Intel AMX support in 5.16
The x86 instruction set is large, but that doesn't mean it can't get bigger yet. Upcoming Intel processors will feature a new set of instructions under the name of "Advanced Matrix Extensions" (AMX) that can be used to operate on matrix data. After a somewhat bumpy development process, support for AMX has found its way into the upcoming 5.16 kernel. Using it will, naturally, require some changes by application developers.
Security updates for Monday
Security updates have been issued by Debian (containerd, redis, and sqlalchemy), Fedora (kernel, radeontop, rpki-client, and webkit2gtk3), openSUSE (java-1_8_0-openj9, libvirt, mailman, transfig, and webkit2gtk3), Oracle (thunderbird), SUSE (libvirt), and Ubuntu (icu).
Some weekend stable kernel updates
The 5.15.1, 5.14.17, 5.10.78, 5.4.158, and 4.19.216 stable kernel updates have all been released; each contains another set of important fixes.
Ryabitsev: lore+lei: part 1, getting started
Konstantin Ryabitsev introduces the "local email interface" (lei) functionality for the lore archive of kernel mailing lists.
[$] The balance between features and performance in the block layer
Back in September, LWN reported on a series of block-layer optimizations that enabled a suitably equipped system to sustain 3.5 million I/O operations per second (IOPS). That optimization work has continued since then, and those 3.5 million IOPS would be a deeply disappointing result now. A recent disagreement over the addition of a new feature has highlighted the potential cost of a heavily optimized block layer, though; when is a feature deemed important enough to outweigh the drive for maximum performance?
Security updates for Friday
Security updates have been issued by Debian (python3.5, redis, and udisks2), Fedora (rust), openSUSE (binutils, java-1_8_0-openj9, and qemu), Oracle (firefox and httpd), Red Hat (thunderbird), Scientific Linux (thunderbird), and SUSE (binutils, qemu, and systemd).
Conill: an inside look into the illicit ad industry
Ariadne Conill shares some experience of working in the online advertising industry.
GitLab servers are being exploited in DDoS attacks (The Record)
The Record is reporting on massive exploitation of an oldish vulnerability in GitLab instances.
ksmbd: a new in-kernel SMB server (SAMBA+ blog)
Over at the SAMBA+ blog, the performance of the new ksmbd kernel SMB server and Samba in user space are compared:
Horgan: Linux x86 Program Start Up
Patrick Horgan explains the process of starting a program on Linux in great detail.
[$] 5.16 Merge window, part 1
As of this writing, Linus Torvalds has pulled exactly 6,800 non-merge changesets into the mainline repository for the 5.16 kernel release. That is probably a little over half of what will arrive during this merge window, so this is a good time to catch up on what has been pulled so far. There are many significant changes and some large-scale restructuring of internal kernel code, but relatively few ground-breaking new features.
Security updates for Thursday
Security updates have been issued by Fedora (ansible, chromium, kernel, mupdf, python-PyMuPDF, rust, and zathura-pdf-mupdf), openSUSE (qemu and webkit2gtk3), Red Hat (firefox and kpatch-patch), Scientific Linux (firefox), SUSE (qemu, tomcat, and webkit2gtk3), and Ubuntu (firefox and thunderbird).
[$] LWN.net Weekly Edition for November 4, 2021
The LWN.net Weekly Edition for November 4, 2021 is available.
[$] Trojan Source: tricks (no treats) with Unicode
A new security vulnerability that was disclosed on November 1 has some interesting properties. "Trojan Source", as it has been dubbed, is effectively an attack on human perceptions, especially as they are filtered through the tools used for source-code review. While the specifics of the flaw are new, this kind of trickery is not completely novel, but Trojan Source finds another way to confuse the humans who are in the loop.
Security updates for Wednesday
Security updates have been issued by Fedora (CuraEngine, curl, firefox, php, and vim), openSUSE (apache2, pcre, salt, transfig, and util-linux), Oracle (.NET 5.0, curl, kernel, libsolv, python3, samba, and webkit2gtk3), and Red Hat (flatpak).
[$] Adding package information to ELF objects
While it is often relatively straightforward to determine what package provided a binary that is misbehaving—crashing for instance—on Fedora and other Linux distributions, there are situations where it may be harder to do so. A feature recently proposed for Fedora 36—currently scheduled for the end of April 2022—would embed information into the binaries themselves to show where they came from. It is part of a multi-distribution effort to standardize how this information is stored in the binaries (and the libraries they use) to assist crash-reporting and other tools.
Stable kernel updates
Stable kernels 5.14.16, 5.10.77, 5.4.157, 4.19.215, 4.14.254, 4.9.289, and 4.4.291 have been released. They contain important fixes and users should upgrade.
Firefox 94.0 and Firefox ESR 91.3.0
Firefox 94.0 has been released. Linux users should see improved WebGL performance and reduced power consumption for many workloads. The about:unloads page shows the user information about open tabs and allows them to release system resources by unloading tabs without closing them. Site Isolation provides better protection against side-channel attacks. See the announcement for more new features in this release. Firefox ESR 91.3 is also available, with various stability, functionality, and security fixes.
Security updates for Tuesday
Security updates have been issued by Debian (asterisk, bind9, glusterfs, and openjdk-11), Fedora (ansible and CuraEngine), openSUSE (mailman and opera), Oracle (binutils and flatpak), Red Hat (curl, flatpak, java-1.8.0-ibm, kernel, kernel-rt, libsolv, python3, samba, and webkit2gtk3), Scientific Linux (binutils and flatpak), SUSE (binutils and transfig), and Ubuntu (ceph and mailman).
Fedora 35 released
The Fedora 35 release has been announced.
Folios merged for 5.16
The long-running and sometimes acrimonious discussion on the memory folio patch set has come to an end: the folio patches were the first thing pulled into the mainline repository for the 5.16 development cycle. Now the developers involved just have to do all of the other work identified as necessary to clean up the memory-management subsystem and isolate it from other parts of the kernel.
FSF: Free Software Awards nominations sought
The Free Software Foundation has opened nominations for the Free Software Awards. Nominations are open until November 30.