LWN.net
Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-24 01:00
Security updates for Friday
Security updates have been issued by Debian (minidlna and x11vnc), Fedora (pam), openSUSE (chromium, minidlna, nsd, openssl-1_1, and pngcheck), SUSE (gcc7 and kernel), and Ubuntu (lxml and squirrelmail).
[$] Changing CentOS in mid-stream
For years, the CentOS distribution has been a reliable resource for anybody wanting to deploy systems with a stable, maintained Linux base that "just works". At one point, it was reported to be the platform on which 30% of all web servers were run. CentOS has had its ups and downs over the years; for many, the December 8 announcement that CentOS will be "shifting focus" will qualify as the final "down". Regardless of whether this change turns out to be a good thing, it certainly marks the end of an era that began in 2004.
Two OpenWrt service releases
The OpenWrt project has released two updates: 18.06.9 and 19.07.5. Both contain a number of important fixes, including a few with CVE numbers attached. Also notable is that 18.06.9 is the last update for 18.06; users will need to upgrade to 19.07 for continued support.
Security updates for Thursday
Security updates have been issued by Arch Linux (ant, cimg, containerd, libproxy, libproxy-mozjs, libproxy-webkit, libslirp, python-lxml, tomcat8, tomcat9, and xorg-server), CentOS (firefox and thunderbird), Debian (apt, linux-4.19, python-apt, and sqlite3), Fedora (ceph, chromium, containerd, matrix-synapse, mingw-openjpeg2, openjpeg2, python-authlib, python-canonicaljson, and spice-gtk), Mageia (chromium-browser-stable), openSUSE (chromium and pngcheck), Slackware (curl), SUSE (clamav, curl, openssh, openssl-1_0_0, openssl-1_1, openssl1, python-pip, python-scripttest, python-urllib3, and xen), and Ubuntu (apt, curl, and python-apt).
[$] LWN.net Weekly Edition for December 10, 2020
The LWN.net Weekly Edition for December 10, 2020 is available.
[$] The future for general-purpose computing
There can be no doubt that general-purpose computing has been a boon to the world. The ability to run different kinds of programs, from various sources, including bought from companies, written from scratch, and, well, built from source, is something that we take for granted on many—most—of the computing devices that we own. But that model seems to be increasingly disappearing in many kinds of devices, including personal computers, as a recent kerfluffle in the Apple world helps to demonstrate.
Security updates for Wednesday
Security updates have been issued by Debian (golang-golang-x-net-dev, python-certbot, and xorg-server), Fedora (resteasy, scap-security-guide, and vips), openSUSE (chromium, python, and rpmlint), SUSE (kernel), and Ubuntu (aptdaemon, curl, gdk-pixbuf, lxml, and openssl, openssl1.0).
GNU Autoconf 2.70 released
GNU Autoconf 2.70 is out. "Noteworthy changes include support for the 2011 revisions of the C and C++ standards, support for reproducible builds, improved support for cross-compilation, improved compatibility with current compilers and shell utilities, more efficient generated shell code, and many bug fixes." See this article for more information on what has been happening with Autoconf.
[$] Fedora and its editions
Fedora has long had Workstation and Server editions and, back in August, added an edition for Internet of Things (IoT) devices. Those editions target different use cases for the distribution, as does the CoreOS "spin" (or "emerging edition"), which targets cloud and Kubernetes deployments. A proposal to elevate Fedora CoreOS to a full edition as part of Fedora 34 was recently discussed on the Fedora devel mailing list. As part of that, what it means for a distribution to be part of Fedora was discussed as well.
Four stable kernels
Stable kernels 5.9.13, 5.4.82, 4.19.162, and 4.14.211 have been released. They contain important fixes and users should upgrade.
Security updates for Tuesday
Security updates have been issued by Debian (minidlna, openssl, and trafficserver), Mageia (oniguruma, php-pear, python, python3, and x11vnc), openSUSE (minidlna), Oracle (kernel and net-snmp), Red Hat (kernel, mariadb-galera, microcode_ctl, and net-snmp), Slackware (seamonkey), SUSE (thunderbird and xen), and Ubuntu (xorg-server).
CentOS is dead, long live CentOS Stream
Red Hat has announced an end to the CentOS distribution as we know it. CentOS will be replaced by "CentOS Stream", which looks like a sort of beta test for changes going into Red Hat Enterprise Linux. Support for CentOS 7 will continue as scheduled, but support for CentOS 8 will go away at the end of 2021. "When CentOS Linux 8 (the rebuild of RHEL8) ends, your best option will be to migrate to CentOS Stream 8, which is a small delta from CentOS Linux 8, and has regular updates like traditional CentOS Linux releases. If you are using CentOS Linux 8 in a production environment, and are concerned that CentOS Stream will not meet your needs, we encourage you to contact Red Hat about options." More information can be found in this FAQ. "CentOS Stream will be getting fixes and features ahead of RHEL. Generally speaking, we expect CentOS Stream to have fewer bugs and more runtime features than RHEL until those packages make it into the RHEL release." Update: see also this blog post from Chris Wright.
Qt 6.0 released
Version 6.0 of the Qt interface framework is available. "Qt 6.0 is a starting point for the next generation of Qt. It is not yet as feature-complete as 5.15, but we will fill the gaps within the months to come. We've done a lot of important work in laying out the foundations of the next version of Qt. Many of those changes might not be immediately visible, but I firmly believe they will help keep Qt competitive in the years to come." Changes include moving to C++17, the completion of the Unicode transition, a move away from OpenGL to a new internal rendering interface, additional 3D capabilities, and more.
[$] Sidestepping kernel memory management with DMEMFS
One of the kernel's primary jobs is to manage the memory installed in the system. Over the years, though, there have been various reasons for removing a portion of the system's memory from the kernel's view. One of the latest can be seen in a mechanism called DMEMFS, which is being proposed as a way to get around some inefficiency in how the kernel keeps track of RAM.
2019-2020 State of Mozilla
Mozilla has released its annual report: "Every year in the spirit of openness upon which Mozilla was founded, we share publicly the ways we have protected, fought for and helped advance the internet in service of the people who rely on it every day. We outline how our organization is meeting the challenges of online life through an annual report: the State of Mozilla. This year we’ve changed the format of our report to focus on how we are using our organization’s strength and resources on two fronts: Fighting for People and Building for the Future. This report highlights the impact of our work in 2020 and is accompanied by our most recently filed financials which cover 2019. As the State of Mozilla outlines, Mozilla works to make the promise of a better internet a reality. We can’t and we don’t do it alone. There are myriad ways anyone can join this effort through actions big and small, starting with getting better educated on what’s at stake; pushing companies to operate more transparently and in the interest of communities and people, not just profits; testing new products; and choosing technology made by companies who share your vision for a healthier internet."
Bash 5.1 and Readline 8.1 released
Bash 5.1 is out. "This release fixes several outstanding bugs in bash-5.0 and introduces several new features. The most significant change is a return to the bash-4.4 behavior of not performing pathname expansion on a word that contains backslashes but does not contain any unquoted globbing special characters. This comes after a long POSIX discussion that resulted in a change to the standard. There are several changes regarding trap handling while reading from the terminal (e.g., for `read' and `select'.) There are a number of bug fixes, including several bugs that caused the shell to crash." The readline library used in bash 5.1 has also been updated to version 8.1. "There are more improvements in the programming interface and new user-visible variables and bindable commands. There are several new public API functions, but there should be no incompatible changes to existing APIs."
Security updates for Monday
Security updates have been issued by Arch Linux (ceph, gitea, matrix-synapse, musl, mutt, neomutt, opensc, and webkit2gtk), Debian (debian-security-support, openldap, salt, xen, and xorg-server), Fedora (fossil, pdfresurrect, tcpdump, thunderbird, and xorg-x11-server), Gentoo (chromium, firefox, mariadb, pam, postgresql, seamonkey, thunderbird, and xorg-server), Mageia (mutt, pdfresurrect, privoxy, and thunderbird), openSUSE (chromium, java-1_8_0-openjdk, kernel, minidlna, neomutt, opera, pngcheck, python, python-cryptography, python-pip, python-setuptools, python3, rclone, thunderbird, xen, and xorg-x11-server), Red Hat (ksh and net-snmp), and SUSE (crowbar-openstack, grafana, influxdb, python-urllib3, fontforge, mariadb, mutt, postgresql12, python-cryptography, and xen).
Kernel prepatch 5.10-rc7
Linus has released 5.10-rc7 for testing; he seems happy with how it is coming together. "So unless something odd and bad happens next week, we'll have a final 5.10 release next weekend, and then we'll get the bulk of the merge window for 5.11 over and done with before the holiday season starts."
t2 Linux 20.10 released
The 20.10 release of the t2 Linux distribution is available. "After a decade of development we are proud to announce the availability of the new T2 Linux Source and Embedded Linux distribution build kit stable release 20.10." More information about this distribution can be found at t2sde.org: "T2 SDE is not just a regular Linux distribution - it is a flexible Open Source System Development Environment or Distribution Build Kit (others might even name it Meta Distribution). T2 allows the creation of custom distributions with state of the art technology, up-to-date packages and integrated support for cross compilation. Currently the Linux kernel is normally used - but the T2 SDE is being expanded to Minix, Hurd, OpenDarwin, Haiku and OpenBSD - more to come."
[$] The future of 32-bit Linux
The news for processors and system-on-chip (SoC) products these days is all about 64-bit cores powering the latest computers and smartphones, so it's easy to be misled into thinking that all 32-bit technology is obsolete. That quickly leads to the idea of removing support for 32-bit hardware, which would clearly make life easier for kernel developers in a number of ways. At the same time, a majority of embedded systems shipped today do use 32-bit processors, so a valid question is if this will ever change, or if 32-bit will continue to be the best choice for devices that do not require significant resources.
GitHub's report on open-source security
GitHub has released its "2020 State of the Octoverse" report; one piece of that is a report on security [PDF]. There are a number of interesting conclusions there, including that a surprising number of security vulnerabilities are planted deliberately. "Analysis on a random sample of 521 advisories from across our six ecosystems finds that 17% of the advisories are related to explicitly malicious behavior such as backdoor attempts. Of those 17%, the vast majority come from the npm ecosystem. While 17% of malicious attacks will steal the spotlight in security circles, vulnerabilities introduced by mistake can be just as disruptive and are much more likely to impact popular projects. Out of all the alerts GitHub sent developers notifying them of vulnerabilities in their dependencies, only 0.2% were related to explicitly malicious activity. That is, most vulnerabilities were simply those caused by mistakes."
Security updates for Friday
Security updates have been issued by Debian (thunderbird), Fedora (c-ares, pdfresurrect, webkit2gtk3, and xen), openSUSE (python3), SUSE (gdm, python-pip, rpmlint, and xen), and Ubuntu (snapcraft).
[$] XFS, stable kernels, and -rc releases
Ever since the stable-update process was created, there have been questions about which patches are suitable for inclusion in those updates; usually, these discussions are driven by people who think that the criteria should be more restrictive. A regression in the XFS filesystem that found its way into the 5.9.9 stable update briefly rekindled this discussion. In one sense, there was little new ground covered in this iteration, but there was an interesting point raised about the relationship between stable updates and the mainline kernel -rc releases.
Linux Foundation 2020 annual report
The Linux Foundation has published a glossy report of its activities for 2020. "2020 has been a year of challenges for the Linux Foundation ('LF') and our hosted communities. During this pandemic, we’ve all seen our daily lives and those of many of our colleagues, friends, and family around the world completely changed. Too many in our community also grieved over the loss of family and friends. It was uplifting to see LF members join the fight against COVID-19. Our members worldwide contributed technical resources for scientific researchers, offered assistance to struggling families and individuals, contributed to national and international efforts, and some even came together to create open source projects under LF Public Health to help countries deal with the pandemic."
Security updates for Thursday
Security updates have been issued by Mageia (cimg, pngcheck, poppler, tor, and xdg-utils), openSUSE (mariadb), Red Hat (go-toolset-1.14-golang), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon).
[$] LWN.net Weekly Edition for December 3, 2020
The LWN.net Weekly Edition for December 3, 2020 is available.
[$] Python structural pattern matching morphs again
A way to specify multiply branched conditionals in the Python language—akin to the C switch statement—has been a longtime feature request. Over the years, various proposals have been mooted, but none has ever crossed the finish line and made it into the language. A highly ambitious proposal that would solve the multi-branch-conditional problem (and quite a bit more) has been discussed—dissected, perhaps—in the Python community over the last six months or so. We have covered some of the discussion in August and September, but the ground has shifted once again so it is time to see where things stand.
Certificates from Let's Encrypt (R3 active)
Let's Encrypt has announced that, as of today, the TLS certificates issued by the Let's Encrypt certificate authority are using a new intermediate certificate. "While LE will start using their new _roots_ next year, the change today is using a _variant_ of their "R3" certificate which is cross-signed from IdenTrust, rather than chaining back to their "ISRG Root X1". This will affect you if you're using DANE, TLSA records in DNS, signed by DNSSEC, to advertise properties of the certificate chain which remote systems should expect to see."
Stable kernel updates
Stable kernels 5.9.12, 5.4.81, 4.19.161, 4.14.210, 4.9.247, and 4.4.247 have been released with important fixes. Users should upgrade.
Security updates for Wednesday
Security updates have been issued by Debian (brotli, jupyter-notebook, and postgresql-9.6), Fedora (perl-Convert-ASN1 and php-pear), openSUSE (go1.15, libqt5-qtbase, mutt, python-setuptools, and xorg-x11-server), Oracle (firefox, kernel, libvirt, and thunderbird), Red Hat (rh-postgresql10-postgresql and rh-postgresql12-postgresql), SUSE (java-1_8_0-openjdk, python, python-cryptography, python-setuptools, python3, and xorg-x11-server), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-azure, linux-kvm, linux-lts-trusty, linux-raspi2, linux-snapdragon, python-werkzeug, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).
Popov: Linux kernel heap quarantine versus use-after-free exploits
Alexander Popov describes his kernel heap-quarantine patches designed to protect the system against use-after-free vulnerabilities. "In July 2020, I got an idea of how to break this heap spraying technique for UAF exploitation. In August I found some time to try it out. I extracted the slab freelist quarantine from KASAN functionality and called it SLAB_QUARANTINE. If this feature is enabled, freed allocations are stored in the quarantine queue, where they wait to be actually freed. So there should be no way for them to be instantly reallocated and overwritten by UAF exploits."
xorg-server 1.20.10
Xorg-server 1.20.10 has been released. This version fixes security issues that could lead to privilege escalation, or other problems.
[$] Challenges in protecting virtual machines from untrusted entities
As an ever-growing number of workloads are being moved to the cloud, CPU vendors have begun to roll out purpose-built hardware features to isolate virtual machines (VMs) from potentially hostile parties. These processor features, and their extensions, enable the notion of "secure VMs" (or "confidential VMs") — where a VM's "sensitive state" needs to be protected from untrusted entities. Drawing from his experience contributing to the secure VM implementation for the s390 architecture, Janosch Frank described the challenges involved in a talk at the 2020 (virtual) KVM Forum. Though the implementations across CPU vendors may vary, there are many shared problems, which opens up possibilities for collaboration.
Security updates for Tuesday
Security updates have been issued by Debian (libxstream-java, musl, mutt, pdfresurrect, vips, and zsh), Fedora (libuv, nodejs, thunderbird, and xen), openSUSE (libssh2_org, mutt, neomutt, and thunderbird), Oracle (firefox and thunderbird), Red Hat (firefox, rh-nodejs12-nodejs, rh-php73-php, and thunderbird), Scientific Linux (thunderbird), SUSE (libX11, mariadb, mutt, python-pip, python-setuptools, and python36), and Ubuntu (containerd, php-pear, and sniffit).
[$] Scheduling for asymmetric Arm systems
The Arm processor architecture has pushed the boundaries in a number of ways, some of which have required significant kernel changes in response. For example, the big.LITTLE architecture placed fast (but power-hungry) and slower (but more power-efficient) CPUs in the same system-on-chip (SoC); significant scheduler changes were needed for Linux to be able to properly distribute tasks on such systems. For all their quirkiness, big.LITTLE systems still feature CPUs that are in some sense identical: they can all run any task in the system. What is the scheduler to do, though, if confronted with a system where that is no longer true?
pip 20.3 release
The Python Packaging Authority has announced the release of pip 20.3. There is some potential for disruption with this release. "The new resolver is now *on by default*. It is significantly stricter and more consistent when it receives incompatible instructions, and reduces support for certain kinds of constraints files, so some workarounds and workflows may break."
Security updates for Monday
Security updates have been issued by Arch Linux (c-ares, libass, raptor, rclone, and swtpm), Debian (libproxy, qemu, tcpflow, and x11vnc), Fedora (asterisk, c-ares, microcode_ctl, moodle, pam, tcpdump, and webkit2gtk3), Mageia (jruby and webkit2), openSUSE (buildah, c-ares, ceph, fontforge, java-1_8_0-openjdk, kernel, LibVNCServer, mariadb, thunderbird, ucode-intel, and wireshark), Red Hat (firefox, rh-mariadb103-mariadb and rh-mariadb103-galera, and thunderbird), SUSE (binutils, libssh2_org, LibVNCServer, libX11, and nodejs12), and Ubuntu (mysql-8.0 and qemu).
PHP 8.0.0 released
Version 8.0.0 of the PHP language has been released. New features include union types, named arguments, match expressions, a just-in-time compiler, and more; see this article for more information.
Kernel prepatch 5.10-rc6
The 5.10-rc6 kernel prepatch is out. "So I'm feeling pretty good about 5.10, and I hope I won't be proven wrong about that. But please do test."
Security updates for Friday
Security updates have been issued by Arch Linux (go, libxml2, postgresql, and wireshark-cli), Debian (drupal7 and lxml), Fedora (drupal7, java-1.8.0-openjdk-aarch32, libxml2, pacemaker, slurm, and swtpm), openSUSE (c-ares, ceph, chromium, dash, firefox, go1.14, java-1_8_0-openjdk, kernel, krb5, perl-DBI, podman, postgresql10, postgresql12, rclone, slurm, ucode-intel, wireshark, wpa_supplicant, and xen), SUSE (ceph, firefox, kernel, LibVNCServer, and python), and Ubuntu (freerdp, poppler, and xdg-utils).
Thanksgiving security updates
Security updates have been issued by openSUSE (blueman, chromium, firefox, LibVNCServer, postgresql10, postgresql12, thunderbird, and xen), Slackware (bind), SUSE (bluez, kernel, LibVNCServer, thunderbird, and ucode-intel), and Ubuntu (mutt, poppler, thunderbird, and webkit2gtk).
The new rules for Perl governance
The process of adopting a new governance model for the Perl project appears to be reaching an end; the new model is designed to look a lot like the one adopted by the Python project. "So, now Perl has two well-defined bodies involved in its governance: a core team of a few dozen and a steering council of three people. The core team sets the rules of Perl governance, votes on membership of the two groups, and delegates substantial decision making power to the steering council. The steering council has broad authority to make decisions about the development of the Perl language, the interpreter, and all other components, systems and processes that result in new releases of the language interpreter." The full description is available for those looking for the details.
Security updates for Wednesday
Security updates have been issued by Debian (spip and webkit2gtk), Fedora (kernel and libexif), openSUSE (chromium and rclone), Slackware (mutt), SUSE (kernel, mariadb, and slurm), and Ubuntu (igraph).
[$] Mutt releases version 2.0
The venerable email client Mutt has just reached version 2.0. Mutt is different from the type of client that has come to dominate the email landscape—for one thing, it has no graphical interface. It has a long history that is worth a bit of a look, as are its feature set and extensive customizability. Version 2.0 brings several enhancements to Mutt's interface, configurability, and convenience, as well. In this article, readers who are unfamiliar with Mutt will learn about a different way to deal with the daily chore of wrangling their inboxes, while Mutt experts may discover some new sides to an old friend.
A set of stable kernels
Greg Kroah-Hartman has released stable kernels 5.9.11, 5.4.80, 4.19.160, 4.14.209, 4.9.246, and 4.4.246. They all contain important fixes and users should upgrade.
Security updates for Tuesday
Security updates have been issued by Fedora (chromium, microcode_ctl, and seamonkey), Mageia (f2fs-tools, italc, python-cryptography, python-pillow, tcpreplay, and vino), Oracle (thunderbird), Red Hat (bind, kernel, microcode_ctl, net-snmp, and Red Hat Virtualization), Scientific Linux (net-snmp and thunderbird), SUSE (kernel and mariadb), and Ubuntu (atftp, libextractor, pdfresurrect, and pulseaudio).
GNU Guix 1.2.0 released
GNU Guix, a functional package manager and associated free software distribution, was introduced eight years ago. The 1.2.0 release celebrates the anniversary. "A major highlight in this release is the ability to authenticate channels, which probably makes Guix one of the safest ways to deliver complete operating systems today. This was the missing link in our “software supply chain” and we’re glad it’s now fixed. The end result is that guix pull and related commands now cryptographically authenticate channel code that they fetch; you cannot, for instance, retrieve unauthorized commits to the official Guix repository."
Huang: Evaluating Precursor’s Hardware Security
For those who are interested in security at the hardware level, this blog post from Andrew 'bunnie' Huang is well worth a read. "Despite any claims you may have heard otherwise, tamper resistance is a largely unsolved problem. Any secrets committed to a non-volatile format are vulnerable to recovery by a sufficiently advanced adversary. The availability of near-atomic level microscopy, along with sophisticated photon and phonon based probing techniques, means that a lab equipped with a few million dollars worth of top-notch gear and well-trained technicians has a good chance of recovering secret key material out of virtually any non-volatile storage media. The hard part is figuring out where the secrets are located on the chip."
Security updates for Monday
Security updates have been issued by Debian (cimg, golang-1.7, golang-1.8, krb5, mediawiki, mupdf, php-pear, samba, thunderbird, and zabbix), Fedora (chromium, krb5, microcode_ctl, pngcheck, and rpki-client), Mageia (librepo, postgresql, python-twisted, raptor2, tcpdump, and thunderbird), openSUSE (blueman, java-11-openjdk, moinmoin-wiki, python, rmt-server, SDL, and tcpdump), Red Hat (chromium-browser and thunderbird), SUSE (c-ares, ceph, dash, firefox, java-1_8_0-openjdk, postgresql10, postgresql12, postgresql96, u-boot, and ucode-intel), and Ubuntu (openldap).
Kernel prepatch 5.10-rc5
The 5.10-rc5 kernel prepatch is out. "The 5.10 release candidates stubbornly keep staying fairly big, even though by rc5 we really should be seeing things starting to calm down and shrink. There's nothing in here that makes me particularly nervous, but in pure numbers of commits, this is the largest rc5 we've had in the 5.x series."