Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-12-29 02:00
Security updates for Monday
Security updates have been issued by Debian (expat, haproxy, libphp-adodb, nbd, and vim), Fedora (chromium, cobbler, firefox, gnutls, linux-firmware, radare2, thunderbird, and usbguard), Mageia (gnutls), Oracle (.NET 5.0, .NET 6.0, .NET Core 3.1, firefox, and kernel), SUSE (firefox, tomcat, and webkit2gtk3), and Ubuntu (libxml2 and nbd).
Kernel prepatch 5.17-rc8
Linus has released 5.17-rc8 rather than the final 5.17 kernel.
[$] Random numbers and virtual-machine forks
One of the key characteristics of a random-number generator (RNG) is its unpredictability; by definition, it should not be possible to know what the next number to be produced will be. System security depends on this unpredictability at many levels. An attacker who knows an RNG's future output may be able to eavesdrop on (or interfere with) network conversations, compromise cryptographic keys, and more. So it is a bit disconcerting to know that there is a common event that can cause RNG predictability: the forking or duplication of a virtual machine. Linux RNG maintainer Jason Donenfeld is working on a solution to this problem.
Seven new stable kernels
Greg Kroah-Hartman has announced the release of seven stable kernels—these contain mitigations for the Spectre branch history injection variant: 5.16.14, 5.15.28, 5.10.105, 5.4.184, 4.19.234, 4.14.271, and 4.9.306. Users should upgrade.
Security updates for Friday
Security updates have been issued by Debian (nbd, ruby-sidekiq, tryton-proteus, and tryton-server), Mageia (shapelib and thunderbird), openSUSE (minidlna, python-libxml2-python, python-lxml, and thunderbird), Oracle (kernel, kernel-container, and python-pip), Red Hat (.NET 5.0, .NET 6.0, .NET Core 3.1, firefox, kernel, and kernel-rt), Scientific Linux (firefox), SUSE (openssh, python-libxml2-python, python-lxml, and thunderbird), and Ubuntu (expat, firefox, and subversion).
[$] Toward a better list iterator for the kernel
Linked lists are conceptually straightforward; they tend to be taught toward the beginning of entry-level data-structures classes. It might thus be surprising that the kernel community is concerned about its longstanding linked-list implementation and is not only looking for ways to solve some problems, but has been struggling to find that solution. It now appears that some improvements might be at hand: after more than 30 years, the kernel developers may have found a better way to safely iterate through a linked list.
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr and kernel), Fedora (cyrus-sasl, mingw-protobuf, and thunderbird), Mageia (kernel-linus), openSUSE (firefox, kernel, and libcaca), Oracle (.NET 6.0, kernel, kernel-container, and ruby:2.5), Slackware (mozilla-thunderbird), and SUSE (firefox, mariadb, and tomcat).
[$] LWN.net Weekly Edition for March 10, 2022
The LWN.net Weekly Edition for March 10, 2022 is available.
[$] Fedora considers curl-minimal
The curl utility is a command-line program (and associated library) for interacting with various network protocols; it is commonly used to do things like transferring data from a remote server over HTTP or HTTPS using a URL. But curl also supports a lot more protocols, some of which are probably rarely used, obsolete, deprecated, or all three. As a recent discussion on the Fedora devel mailing list shows, though, it is hard to find agreement that support for only some of those protocols should be installed by default, while others might be left in an optional package for those who need them.
Blender 3.1 released
Version 3.1 of the Blender artistic suite is out. The list of changes is long and can be seen in the video-heavy announcement page; it includes Apple Metal support, a new "point cloud" object, and much more.
Today's Spectre variant: branch history injection
A few days prior to the expected 5.17 release, the mainline kernel has just received a series of Spectre mitigations for the x86 and ARM architectures. The vulnerability this time is called "branch history injection"; it has been deemed CVE-2022-0001 and CVE-2022-0002. Some information can be found in this Intel disclosure, this ARM advisory, and this VUSec page:
2 New Mozilla Firefox 0-Day Bugs Under Active Attack (The Hacker News)
According to this report on The Hacker News, there are a couple of recent Firefox vulnerabilities that are currently being exploited.
Lunduke: elementary OS is imploding
Users of the elementary OS distribution may want to be aware of the turmoil in its parent company, as reported by Brian Lunduke. "The Short Version: The company behind elementary OS has been losing money for quite some time. Two co-founders are not pleased with each other and are attempting to part ways… and it is getting messy".
Security updates for Wednesday
Security updates have been issued by Debian (kernel, linux-4.19, spip, and thunderbird), Fedora (cyrus-sasl and libxml2), Mageia (firefox and thunderbird), openSUSE (buildah and tcpdump), Red Hat (cyrus-sasl, kernel, kernel-rt, and kpatch-patch), Slackware (kernel), SUSE (buildah, kernel, libcaca, and tcpdump), and Ubuntu (linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-kvm, linux-oem-5.14, linux-oracle, linux-oracle-5.13, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-azure-fde, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, and linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-lts-xenial, linux-oracle, linux-raspi2, linux-snapdragon).
[$] Belenios: a system for secret voting
As part of the recent discussion on switching to secret voting for Debian general resolutions (GRs), which has resulted in an ongoing GR of its own, the subject of voting systems that embody various attributes some would like to see for voting in Debian has been brought up. One of the systems mentioned, Belenios, provides an open-source "verifiable online voting system". Whether or not Debian chooses to switch to secret voting, Belenios would seem to provide what other projects or organizations may be looking for as a mechanism to handle their voting needs.
Another set of stable-kernel updates
The 5.16.13, 5.15.27, 5.10.104, 5.4.183, 4.19.233, 4.14.270, and 4.9.305 stable kernel updates are available; each contains another set of important fixes.
DENT 2.0 released
DENT is a special-purpose Linux distribution aimed at router deployments; "DENT utilizes the Linux Kernel, Switchdev, and other Linux based projects as the basis for building a new standardized network operating system without abstractions or overhead". Version 2.0 has been released:
PipeWire: A year in review & a look ahead (Collabora blog)
The Collabora blog looks at recent developments in the PipeWire media system and looks forward to what is yet to come:
Firefox 98 released
Version 98.0 of the Firefox browser is out. The big change this time is a new "optimized download flow" that is alleged to make the process of downloading files go much more smoothly. There are also some significant security fixes in this release.
Security updates for Tuesday
Security updates have been issued by Debian (gif2apng and twisted), Mageia (golang, kernel, and webmin), openSUSE (chromium, cyrus-sasl, and opera), Red Hat (virt:rhel and virt-devel:rhel), Slackware (mozilla), SUSE (cyrus-sasl), and Ubuntu (glibc and redis).
[$] When and why to deprecate filesystems
It is a good bet that a significant amount of code in the kernel is entirely unused. Even so, that code must still be maintained and shipped, posing an ongoing cost to the development community. What should be done with code that is unmaintained and, possibly, unused? Answering that question requires understanding which users still exist, if any, and taking a hard look at what the future support requirements for that code will be. The kernel community has recently discussed this problem in the context of filesystems, and the Reiserfs filesystem in particular, with a focus on the approaching 2038 deadline.
Kernel prepatch 5.17-rc7
Linus has released 5.17-rc7, which is hopefully the final prepatch in this development series: "as things stand, I expect that final 5.17 will be next weekend unless something surprising comes up".
The "dirty pipe" vulnerability
Max Kellermann has disclosed a disconcerting kernel vulnerability:
Security updates for Monday
Security updates have been issued by Debian (chromium, containerd, cyrus-sasl2, expat, firefox-esr, freecad, kernel, and tiff), Fedora (seamonkey, swtpm, and webkit2gtk3), Mageia (docker-containerd, firefox, flac, libtiff, libxml2, and mc), openSUSE (containerd, expat, flatpak, gnutls, go1.16, go1.17, libeconf, shadow and util-linux, mariadb, nodejs14, perl-App-cpanminus, vim, wireshark, wpa_supplicant, and zsh), SUSE (containerd, expat, flatpak, gnutls, go1.16, go1.17, java-11-openjdk, kernel-firmware, libeconf, shadow and util-linux, libxml2, mariadb, nodejs14, python-Twisted, vim, wireshark, wpa_supplicant, and zsh), and Ubuntu (firefox, openjdk-lts, openjdk-17, and php8.0).
[$] Fedora's missing Chromium updates
Google's Chrome browser seemingly dominates the Internet at this point, but that does not mean that everybody wants to run it. Chrome, of course, is built on an open-source project called Chromium but is not an open-source product itself; it includes a number of proprietary add-ons. But the Chromium source is out there and can, with some effort, be used to build a working, open-source browser; a number of distributors do so. But Chromium is famously hard to package, and distributors have, at times, struggled to keep up with it; a recent discussion in the Fedora community has brought new attention to this problem.
Security updates for Friday
Security updates have been issued by Debian (varnish), Fedora (barrier and polkit), openSUSE (bitcoin, conmon, libcontainers-common, libseccomp, podman, firefox, nodejs-electron, nodejs8, php7, and webkit2gtk3), SUSE (conmon, libcontainers-common, libseccomp, podman, cyrus-sasl, expat, firefox, nodejs8, php7, tomcat, and webkit2gtk3), and Ubuntu (containerd).
[$] Generalized address-space isolation
The disclosure of the Meltdown and Spectre vulnerabilities put a spotlight on the risks that come with sharing address spaces too widely. Even if the protection mechanisms provided by the hardware should prevent access to sensitive data, those vulnerabilities can often be used to leak that data anyway. So, from the beginning, mitigation strategies have included reducing the sharing of address spaces, but there is more that could be done and ongoing interest in doing so. Now, this patch set posted by Junaid Shahid (containing work from Ofir Weisse and inspired by earlier patches from Alexandre Chartre) shows what would be required to create a general address-space isolation (ASI) mechanism for the kernel.
Security updates for Thursday
Security updates have been issued by CentOS (cyrus-sasl), Fedora (kicad), Mageia (php), openSUSE (envoy-proxy, ldns, libdxfrw, librecad, php7, and shapelib), Red Hat (cyrus-sasl), SUSE (firefox, gnutls, ldns, and php7), and Ubuntu (haproxy and php7.2, php7.4).
[$] LWN.net Weekly Edition for March 3, 2022
The LWN.net Weekly Edition for March 3, 2022 is available.
[$] CPython, C standards, and IEEE 754
Perhaps February was "compiler modernization" month. The Linux kernel recently decided to move to the C11 standard for its code; Python has just undergone a similar process for determining which flavor of C to use for building its CPython reference implementation. A calculation in the CPython interpreter went awry when built with a pre-release version of the upcoming GCC 12; that regression led down a path that ended up with the adoption of C11 for CPython as well.
Some stable kernel updates
The 5.16.12, 5.15.26, 5.10.103, 5.4.182, 4.19.232, 4.14.269, and 4.9.304 stable kernel updates have all been released; each contains another set of important fixes.
Security updates for Wednesday
Security updates have been issued by Fedora (mingw-expat and seamonkey), openSUSE (mc, mysql-connector-java, nodejs12, and sphinx), Red Hat (kernel and kpatch-patch), SUSE (cyrus-sasl, kernel, nodejs12, and php74), and Ubuntu (glibc).
[$] A Debian GR on secret voting—and more
Debian has been working on some "constitutional maintenance" of late; a general resolution (GR) on tweaks to the project's decision-making processes passed at the end of January. As part of the discussion surrounding those changes, the question of secret voting came up; currently, Debian publicly lists every voter for a GR and their ranking of the options. Another GR has been proposed to change that, but the discussion has shown that the definition of "secret" is not exactly the same for everyone. In addition, secret voting is not the only change being proposed.
Zoë Kooyman is the new FSF executive director
The Free Software Foundation has announced that Zoë Kooyman will be the organization's new executive director.
OpenWrt 21.02.2 and 19.07.9 released
Versions 21.02.2 and 19.07.9 of the OpenWrt router distribution are available. Both releases include a number of security fixes. Additionally, 21.02.2 adds support for a set of new devices, adds a new rpcapd package, and includes various other enhancements.
Security updates for Tuesday
Security updates have been issued by Debian (thunderbird), Oracle (kernel, kernel-container, and ruby:2.5), Red Hat (rh-ruby26-ruby), Slackware (libxml2 and libxslt), SUSE (htmldoc and SUSE Manager Server 4.2), and Ubuntu (mariadb-10.3, mariadb-10.5, policykit-1, qemu, virglrenderer, and webkit2gtk).
Armbian 22.02 has been released
The Armbian project, which is a Debian-based distribution for Arm-based single-board computers (SBCs) and development boards, has a lengthy release announcement for Armbian 22.02. Beyond lots of updates and bug fixes (of course), Armbian has added support for Debian unstable ("sid"), Raspberry Pi images, a new Extensions build framework, build automation (continuous integration and continuous deployment) improvements, and more. There is also upcoming support for Ubuntu 22.04 images.
[$] Extending restartable sequences with virtual CPU IDs
Restartable sequences, a Linux kernel feature that facilitates the writing of lockless, per-CPU code in user space, has been around for some years, but it only just received support in the GNU C Library this month. Now that this barrier has been crossed, it would seem that the time has come to start adding features. Mathieu Desnoyers has responded to this challenge with a patch set adding an extension mechanism and a new "virtual CPU ID" feature.
Kernel prepatch 5.17-rc6
The 5.17-rc6 kernel prepatch has been released.
Security updates for Monday
Security updates have been issued by CentOS (389-ds-base, cyrus-sasl, kernel, openldap, and python-pillow), Debian (cyrus-sasl2, htmldoc, and ujson), Fedora (flac, gnutls, java-11-openjdk, kernel, qemu, and vim), openSUSE (ucode-intel), SUSE (php72 and ucode-intel), and Ubuntu (php7.4, php8.0).
[$] Better visibility into packet-dropping decisions
Dropped packets are a fact of life in networking; there can be any number of reasons why a packet may not survive the journey to its destination. Indeed, there are so many ways that a packet can meet its demise that it can be hard for an administrator to tell why packets are being dropped. That, in turn, can make life difficult in times when users are complaining about high packet-loss rates. Starting with 5.17, the kernel is getting some improved instrumentation that should shed some light on why the kernel decides to route packets into the bit bucket.
Developments in the FOSS response to Copilot and related technologies
Back in July, the Free Software Foundation (FSF) put out a call for white papers to explore the issues around GitHub's Copilot AI-assisted programming tool, especially with regard to copyleft licensing; each selected white paper was awarded $500. The FSF has now published five of the submissions that the organization thought "advanced discussion of important questions, and did so clearly".
Security updates for Friday
Security updates have been issued by Fedora (dotnet6.0, kernel, libarchive, libxml2, and wireshark), openSUSE (opera), Oracle (cyrus-sasl), Red Hat (cyrus-sasl, python-pillow, and ruby:2.5), Scientific Linux (cyrus-sasl), and Ubuntu (snapd).
Rust 1.59.0 released
Version 1.59.0 of the Rust language has been released. There are a number of new features, including support for inline assembly (in unsafe blocks, naturally), the ability to use tuples and slices on the left-hand side of an assignment, const generic defaults, and more. Incremental compilation is also disabled by default in this release to work around a known bug.
[$] Moving the kernel to modern C
Despite its generally fast-moving nature, the kernel project relies on a number of old tools. While critics like to focus on the community's extensive use of email, a possibly more significant anachronism is the use of the 1989 version of the C language standard for kernel code — a standard that was codified before the kernel project even began over 30 years ago. It is looking like that longstanding practice could be coming to an end as soon as the 5.18 kernel, which can be expected in May of this year.
Rust compiler ambitions for 2022 (Inside Rust)
The Inside Rust Blog has posted the Rust compiler team's goals for this year in the hope of encouraging others to help.
Security updates for Thursday
Security updates have been issued by Debian (thunderbird), Fedora (php), openSUSE (jasper and thunderbird), Oracle (389-ds-base, kernel, openldap, and python-pillow), Red Hat (cyrus-sasl and samba), and SUSE (cyrus-sasl, firefox, jasper, kernel-rt, nodejs10, nodejs14, nodejs8, and thunderbird).
[$] LWN.net Weekly Edition for February 24, 2022
The LWN.net Weekly Edition for February 24, 2022 is available.
[$] Moving Python's bugs to GitHub
Over the past seven years or so, Python has slowly been moving its development infrastructure to GitHub; we covered some of the early discussions at the end of 2014. One piece of that infrastructure, bug tracking, has not been moved from bugs.python.org, but plans are underway to make that happen soon. It is not a simple or straightforward process to do so, however, so the transition will take up to a week to complete; there are a number of interesting facets to the switch, as it entails clearing some technical, and even legal, hurdles.
Biesheuvel: Mitigating kernel risks on 32-bit ARM
Ard Biesheuvel writes about 32-bit Arm systems on the Google Security Blog, with a focus on why these processors are still in use and what is being done to increase their security at the kernel level.