Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-12-24 10:45
Today's Spectre variant: branch history injection
A few days prior to the expected 5.17 release, the mainline kernel has just received a series of Spectre mitigations for the x86 and ARM architectures. The vulnerability this time is called "branch history injection"; it has been deemed CVE-2022-0001 and CVE-2022-0002. Some information can be found in this Intel disclosure, this ARM advisory, and this VUSec page:
2 New Mozilla Firefox 0-Day Bugs Under Active Attack (The Hacker News)
According to this report on The Hacker News, there are a couple of recent Firefox vulnerabilities that are currently being exploited.
Lunduke: elementary OS is imploding
Users of the elementary OS distribution may want to be aware of the turmoil in its parent company, as reported by Brian Lunduke. "The Short Version: The company behind elementary OS has been losing money for quite some time. Two co-founders are not pleased with each other and are attempting to part ways… and it is getting messy".
Security updates for Wednesday
Security updates have been issued by Debian (kernel, linux-4.19, spip, and thunderbird), Fedora (cyrus-sasl and libxml2), Mageia (firefox and thunderbird), openSUSE (buildah and tcpdump), Red Hat (cyrus-sasl, kernel, kernel-rt, and kpatch-patch), Slackware (kernel), SUSE (buildah, kernel, libcaca, and tcpdump), and Ubuntu (linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-kvm, linux-oem-5.14, linux-oracle, linux-oracle-5.13, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-azure-fde, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, and linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-lts-xenial, linux-oracle, linux-raspi2, linux-snapdragon).
[$] Belenios: a system for secret voting
As part of the recent discussion on switching to secret voting for Debian general resolutions (GRs), which has resulted in an ongoing GR of its own, the subject of voting systems that embody various attributes some would like to see for voting in Debian has been brought up. One of the systems mentioned, Belenios, provides an open-source "verifiable online voting system". Whether or not Debian chooses to switch to secret voting, Belenios would seem to provide what other projects or organizations may be looking for as a mechanism to handle their voting needs.
Another set of stable-kernel updates
The 5.16.13, 5.15.27, 5.10.104, 5.4.183, 4.19.233, 4.14.270, and 4.9.305 stable kernel updates are available; each contains another set of important fixes.
DENT 2.0 released
DENT is a special-purpose Linux distribution aimed at router deployments; "DENT utilizes the Linux Kernel, Switchdev, and other Linux based projects as the basis for building a new standardized network operating system without abstractions or overhead". Version 2.0 has been released:
PipeWire: A year in review & a look ahead (Collabora blog)
The Collabora blog looks at recent developments in the PipeWire media system and looks forward to what is yet to come:
Firefox 98 released
Version 98.0 of the Firefox browser is out. The big change this time is a new "optimized download flow" that is alleged to make the process of downloading files go much more smoothly. There are also some significant security fixes in this release.
Security updates for Tuesday
Security updates have been issued by Debian (gif2apng and twisted), Mageia (golang, kernel, and webmin), openSUSE (chromium, cyrus-sasl, and opera), Red Hat (virt:rhel and virt-devel:rhel), Slackware (mozilla), SUSE (cyrus-sasl), and Ubuntu (glibc and redis).
[$] When and why to deprecate filesystems
It is a good bet that a significant amount of code in the kernel is entirely unused. Even so, that code must still be maintained and shipped, posing an ongoing cost to the development community. What should be done with code that is unmaintained and, possibly, unused? Answering that question requires understanding which users still exist, if any, and taking a hard look at what the future support requirements for that code will be. The kernel community has recently discussed this problem in the context of filesystems, and the Reiserfs filesystem in particular, with a focus on the approaching 2038 deadline.
Kernel prepatch 5.17-rc7
Linus has released 5.17-rc7, which is hopefully the final prepatch in this development series: "as things stand, I expect that final 5.17 will be next weekend unless something surprising comes up".
The "dirty pipe" vulnerability
Max Kellermann has disclosed a disconcerting kernel vulnerability:
Security updates for Monday
Security updates have been issued by Debian (chromium, containerd, cyrus-sasl2, expat, firefox-esr, freecad, kernel, and tiff), Fedora (seamonkey, swtpm, and webkit2gtk3), Mageia (docker-containerd, firefox, flac, libtiff, libxml2, and mc), openSUSE (containerd, expat, flatpak, gnutls, go1.16, go1.17, libeconf, shadow and util-linux, mariadb, nodejs14, perl-App-cpanminus, vim, wireshark, wpa_supplicant, and zsh), SUSE (containerd, expat, flatpak, gnutls, go1.16, go1.17, java-11-openjdk, kernel-firmware, libeconf, shadow and util-linux, libxml2, mariadb, nodejs14, python-Twisted, vim, wireshark, wpa_supplicant, and zsh), and Ubuntu (firefox, openjdk-lts, openjdk-17, and php8.0).
[$] Fedora's missing Chromium updates
Google's Chrome browser seemingly dominates the Internet at this point, but that does not mean that everybody wants to run it. Chrome, of course, is built on an open-source project called Chromium but is not an open-source product itself; it includes a number of proprietary add-ons. But the Chromium source is out there and can, with some effort, be used to build a working, open-source browser; a number of distributors do so. But Chromium is famously hard to package, and distributors have, at times, struggled to keep up with it; a recent discussion in the Fedora community has brought new attention to this problem.
Security updates for Friday
Security updates have been issued by Debian (varnish), Fedora (barrier and polkit), openSUSE (bitcoin, conmon, libcontainers-common, libseccomp, podman, firefox, nodejs-electron, nodejs8, php7, and webkit2gtk3), SUSE (conmon, libcontainers-common, libseccomp, podman, cyrus-sasl, expat, firefox, nodejs8, php7, tomcat, and webkit2gtk3), and Ubuntu (containerd).
[$] Generalized address-space isolation
The disclosure of the Meltdown and Spectre vulnerabilities put a spotlight on the risks that come with sharing address spaces too widely. Even if the protection mechanisms provided by the hardware should prevent access to sensitive data, those vulnerabilities can often be used to leak that data anyway. So, from the beginning, mitigation strategies have included reducing the sharing of address spaces, but there is more that could be done and ongoing interest in doing so. Now, this patch set posted by Junaid Shahid (containing work from Ofir Weisse and inspired by earlier patches from Alexandre Chartre) shows what would be required to create a general address-space isolation (ASI) mechanism for the kernel.
Security updates for Thursday
Security updates have been issued by CentOS (cyrus-sasl), Fedora (kicad), Mageia (php), openSUSE (envoy-proxy, ldns, libdxfrw, librecad, php7, and shapelib), Red Hat (cyrus-sasl), SUSE (firefox, gnutls, ldns, and php7), and Ubuntu (haproxy and php7.2, php7.4).
[$] LWN.net Weekly Edition for March 3, 2022
The LWN.net Weekly Edition for March 3, 2022 is available.
[$] CPython, C standards, and IEEE 754
Perhaps February was "compiler modernization" month. The Linux kernel recently decided to move to the C11 standard for its code; Python has just undergone a similar process for determining which flavor of C to use for building its CPython reference implementation. A calculation in the CPython interpreter went awry when built with a pre-release version of the upcoming GCC 12; that regression led down a path that ended up with the adoption of C11 for CPython as well.
Some stable kernel updates
The 5.16.12, 5.15.26, 5.10.103, 5.4.182, 4.19.232, 4.14.269, and 4.9.304 stable kernel updates have all been released; each contains another set of important fixes.
Security updates for Wednesday
Security updates have been issued by Fedora (mingw-expat and seamonkey), openSUSE (mc, mysql-connector-java, nodejs12, and sphinx), Red Hat (kernel and kpatch-patch), SUSE (cyrus-sasl, kernel, nodejs12, and php74), and Ubuntu (glibc).
[$] A Debian GR on secret voting—and more
Debian has been working on some "constitutional maintenance" of late; a general resolution (GR) on tweaks to the project's decision-making processes passed at the end of January. As part of the discussion surrounding those changes, the question of secret voting came up; currently, Debian publicly lists every voter for a GR and their ranking of the options. Another GR has been proposed to change that, but the discussion has shown that the definition of "secret" is not exactly the same for everyone. In addition, secret voting is not the only change being proposed.
Zoë Kooyman is the new FSF executive director
The Free Software Foundation has announced that Zoë Kooyman will be the organization's new executive director.
OpenWrt 21.02.2 and 19.07.9 released
Versions 21.02.2 and 19.07.9 of the OpenWrt router distribution are available. Both releases include a number of security fixes. Additionally, 21.02.2 adds support for a set of new devices, adds a new rpcapd package, and includes various other enhancements.
Security updates for Tuesday
Security updates have been issued by Debian (thunderbird), Oracle (kernel, kernel-container, and ruby:2.5), Red Hat (rh-ruby26-ruby), Slackware (libxml2 and libxslt), SUSE (htmldoc and SUSE Manager Server 4.2), and Ubuntu (mariadb-10.3, mariadb-10.5, policykit-1, qemu, virglrenderer, and webkit2gtk).
Armbian 22.02 has been released
The Armbian project, which is a Debian-based distribution for Arm-based single-board computers (SBCs) and development boards, has a lengthy release announcement for Armbian 22.02. Beyond lots of updates and bug fixes (of course), Armbian has added support for Debian unstable ("sid"), Raspberry Pi images, a new Extensions build framework, build automation (continuous integration and continuous deployment) improvements, and more. There is also upcoming support for Ubuntu 22.04 images.
[$] Extending restartable sequences with virtual CPU IDs
Restartable sequences, a Linux kernel feature that facilitates the writing of lockless, per-CPU code in user space, has been around for some years, but it only just received support in the GNU C Library this month. Now that this barrier has been crossed, it would seem that the time has come to start adding features. Mathieu Desnoyers has responded to this challenge with a patch set adding an extension mechanism and a new "virtual CPU ID" feature.
Kernel prepatch 5.17-rc6
The 5.17-rc6 kernel prepatch has been released.
Security updates for Monday
Security updates have been issued by CentOS (389-ds-base, cyrus-sasl, kernel, openldap, and python-pillow), Debian (cyrus-sasl2, htmldoc, and ujson), Fedora (flac, gnutls, java-11-openjdk, kernel, qemu, and vim), openSUSE (ucode-intel), SUSE (php72 and ucode-intel), and Ubuntu (php7.4, php8.0).
[$] Better visibility into packet-dropping decisions
Dropped packets are a fact of life in networking; there can be any number of reasons why a packet may not survive the journey to its destination. Indeed, there are so many ways that a packet can meet its demise that it can be hard for an administrator to tell why packets are being dropped. That, in turn, can make life difficult in times when users are complaining about high packet-loss rates. Starting with 5.17, the kernel is getting some improved instrumentation that should shed some light on why the kernel decides to route packets into the bit bucket.
Developments in the FOSS response to Copilot and related technologies
Back in July, the Free Software Foundation (FSF) put out a call for white papers to explore the issues around GitHub's Copilot AI-assisted programming tool, especially with regard to copyleft licensing; each selected white paper was awarded $500. The FSF has now published five of the submissions that the organization thought "advanced discussion of important questions, and did so clearly".
Security updates for Friday
Security updates have been issued by Fedora (dotnet6.0, kernel, libarchive, libxml2, and wireshark), openSUSE (opera), Oracle (cyrus-sasl), Red Hat (cyrus-sasl, python-pillow, and ruby:2.5), Scientific Linux (cyrus-sasl), and Ubuntu (snapd).
Rust 1.59.0 released
Version 1.59.0 of the Rust language has been released. There are a number of new features, including support for inline assembly (in unsafe blocks, naturally), the ability to use tuples and slices on the left-hand side of an assignment, const generic defaults, and more. Incremental compilation is also disabled by default in this release to work around a known bug.
[$] Moving the kernel to modern C
Despite its generally fast-moving nature, the kernel project relies on a number of old tools. While critics like to focus on the community's extensive use of email, a possibly more significant anachronism is the use of the 1989 version of the C language standard for kernel code — a standard that was codified before the kernel project even began over 30 years ago. It is looking like that longstanding practice could be coming to an end as soon as the 5.18 kernel, which can be expected in May of this year.
Rust compiler ambitions for 2022 (Inside Rust)
The Inside Rust Blog has posted the Rust compiler team's goals for this year in the hope of encouraging others to help.
Security updates for Thursday
Security updates have been issued by Debian (thunderbird), Fedora (php), openSUSE (jasper and thunderbird), Oracle (389-ds-base, kernel, openldap, and python-pillow), Red Hat (cyrus-sasl and samba), and SUSE (cyrus-sasl, firefox, jasper, kernel-rt, nodejs10, nodejs14, nodejs8, and thunderbird).
[$] LWN.net Weekly Edition for February 24, 2022
The LWN.net Weekly Edition for February 24, 2022 is available.
[$] Moving Python's bugs to GitHub
Over the past seven years or so, Python has slowly been moving its development infrastructure to GitHub; we covered some of the early discussions at the end of 2014. One piece of that infrastructure, bug tracking, has not been moved from bugs.python.org, but plans are underway to make that happen soon. It is not a simple or straightforward process to do so, however, so the transition will take up to a week to complete; there are a number of interesting facets to the switch, as it entails clearing some technical, and even legal, hurdles.
Biesheuvel: Mitigating kernel risks on 32-bit ARM
Ard Biesheuvel writes about 32-bit Arm systems on the Google Security Blog, with a focus on why these processors are still in use and what is being done to increase their security at the kernel level.
Intel acquires Linutronix
Intel has announced the acquisition of Linutronix.
Stable kernel updates for Wednesday
The 5.16.11, 5.15.25, 5.10.102, 5.4.181, 4.19.231, 4.14.268, and 4.9.303 stable kernel updates have all been released; each contains another set of important fixes.
OpenSSH 8.9 released
OpenSSH 8.9 has been released. This version includes a fix for a "security near miss" and removes support for MD5-hashed passwords. It also includes a new mechanism to restrict the forwarding of keys in ssh-agent, various FIDO improvements, a new "post-quantum" key-exchange algorithm, and more.
Security updates for Wednesday
Security updates have been issued by Debian (expat), Fedora (php and vim), Mageia (cpanminus, expat, htmldoc, nodejs, polkit, util-linux, and varnish), Red Hat (389-ds-base, curl, kernel, kernel-rt, openldap, python-pillow, rpm, sysstat, and unbound), Scientific Linux (389-ds-base, kernel, openldap, and python-pillow), and Ubuntu (cyrus-sasl2, linux-oem-5.14, and php7.0).
[$] Python support for regular expressions
Regular expressions are a common feature of computer languages, especially higher-level languages like Ruby, Perl, Python, and others, for doing fairly sophisticated text-pattern matching. Some languages, including Perl, incorporate regular expressions into the language itself, while others have classes or libraries that come with the language installation. Python's standard library has the re module, which provides facilities for working with regular expressions; as a recent discussion on the python-ideas mailing list shows, though, that module has somewhat fallen by the wayside in recent times.
Security updates for Tuesday
Security updates have been issued by Fedora (java-1.8.0-openjdk-aarch32, radare2, and zsh), openSUSE (ImageMagick and systemd), Red Hat (kpatch-patch, Service Telemetry Framework 1.3 (sg-core-container), and Service Telemetry Framework 1.4 (sg-core-container)), SUSE (ImageMagick, kernel-rt, nodejs12, php74, systemd, ucode-intel, and xerces-j2), and Ubuntu (c3p0, expat, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-oracle, linux-snapdragon, linux, linux-aws, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4 linux-oracle, linux-oracle-5.4, and linux-gke).
[$] Shadow stacks for user space
The call stack is a favorite target for attackers attempting to compromise a running process; if an attacker finds a way to overwrite a return address on the stack, they can redirect control to code of their choosing, leading to a situation best described as "game over". As a result, a great deal of effort has gone into protecting the stack. One technique that offers promise is a shadow stack; support for shadow stacks is thus duly showing up in various processors. Support for protecting user-space applications with shadow stacks is taking a bit longer; it is currently under discussion within the kernel community, but adding this feature is trickier than one might think. Among other things, these patches have been around for long enough that they have developed some backward-compatibility problems of their own.
Sven Guckes RIP
Longtime FOSS contributor and advocate Sven Guckes has died at 55. A Twitter posting and news article (both in German) describe the Berlin-based Guckes as someone who was always ready to help users get the most out of their systems on Usenet and IRC. His home page and a Hacker News posting have more information as well. RIP. (Thanks to Martin Michlmayr.)
Security updates for Monday
Security updates have been issued by Debian (php7.4, redis, snapd, twisted, webkit2gtk, and wpewebkit), Fedora (cyrus-imapd, nodejs, phpMyAdmin, polkit, snapd, webkit2gtk3, and xen), Gentoo (chromium), openSUSE (jaw, kubevirt, virt-api-container, opera, polkit, and sphinx), Red Hat (ruby:2.6), Slackware (expat), and SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, and polkit).
A walk through Project Zero metrics
Google's Project Zero blog looks at how quickly the vulnerabilities it has reported over the last three years have been fixed.