Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-04-21 20:30
[$] Control-flow integrity in 5.13
Among the many changes merged for the 5.13 kernel is support for the LLVM control-flow integrity (CFI) mechanism. CFI defends against exploits by ensuring that indirect function calls have not been redirected by an attacker. Quite a bit of work was needed to make this feature work well for the kernel, but the result appears to be production-ready and able to defend Linux systems from a range of attacks.
Security updates for Friday
Security updates have been issued by Arch Linux (ceph, chromium, firefox, gitlab, hedgedoc, keycloak, libx11, mariadb, opendmarc, prosody, python-babel, python-flask-security-too, redmine, squid, and vivaldi), Debian (lz4), Fedora (ceph and python-pydantic), and openSUSE (cacti, cacti-spine).
[$] Why RISC-V doesn't (yet) support KVM
The RISC-V CPU architecture has been gaining prominence for some years; its relatively open nature makes it an attractive platform on which a number of companies have built products. Linux supports RISC-V well, but there is one gaping hole: there is no support for virtualization with KVM, despite the fact that a high-quality implementation exists. A recent attempt to add that support is shining some light on a part of the ecosystem that, it seems, does not work quite as well as one would like.
Security updates for Thursday
Security updates have been issued by Fedora (cacti, cacti-spine, exif, firefox, kernel, mariadb, and thunderbird), Mageia (kernel, kernel-linus, and libxml2), openSUSE (exim and jhead), Oracle (slapi-nis and xorg-x11-server), Scientific Linux (slapi-nis and xorg-x11-server), Slackware (libX11), SUSE (djvulibre, fribidi, graphviz, grub2, libass, libxml2, lz4, python-httplib2, redis, rubygem-actionpack-4_2, and xen), and Ubuntu (pillow and python-babel).
[$] LWN.net Weekly Edition for May 20, 2021
The LWN.net Weekly Edition for May 20, 2021 is available.
[$] A bunch of releases from the Pallets projects
May 11 marked a new major release for the Python-based Flask web microframework project, but Flask 2.0 was only part of the story. While the framework may be the most visible piece, it is one of a small handful of cooperating libraries that provide solutions for various web-development tasks; all are incorporated into the Pallets projects organization. For the first time, all six libraries that make up Pallets were released at the same time and each had a new major version number. In part, that new major version indicated that Python 2 support was being left behind, but there is plenty more that went into the coordinated release.
Four stable kernels
Stable kernels 5.12.5, 5.11.22, 5.10.38, and 5.4.120 have been released. This is the last 5.11.y kernel and users should move to 5.12.y at this time.
Security updates for Wednesday
Security updates have been issued by Fedora (cacti, cacti-spine, exif, and hivex), Red Hat (bash, bind, bluez, brotli, container-tools:rhel8, cpio, curl, dotnet3.1, dotnet5.0, dovecot, evolution, exiv2, freerdp, ghostscript, glibc, GNOME, go-toolset:rhel8, grafana, gssdp and gupnp, httpd:2.4, idm:DL1, idm:DL1 and idm:client, ipa, kernel, kernel-rt, krb5, libdb, libvncserver, libxml2, linux-firmware, mailman:2.1, mingw packages, NetworkManager and libnma, opensc, p11-kit, pandoc, perl, pki-core:10.6 and pki-deps:10.6, poppler and evince, python-cryptography, python-lxml, python-urllib3, python27:2.7, python3, python38:3.8, qt5-qtbase, raptor2, redis:6, rh-mariadb103-mariadb and rh-mariadb103-galera, rust-toolset:rhel8, samba, sane-backends, shim, slapi-nis, spice, spice-vdagent, sqlite, squid:4, sudo, systemd, tigervnc, trousers, unbound, userspace graphics, xorg-x11, and mesa, virt:rhel and virt-devel:rhel, wpa_supplicant, and xorg-x11-server), SUSE (kernel), and Ubuntu (djvulibre, gst-plugins-base1.0, linux-raspi, linux-raspi-5.4, python-pip, and runc).
Upheaval at freenode
Several readers have alerted us to some serious problems at freenode, which runs an IRC network that is popular in the free-software world. Evidently there has been a change of control within the volunteer-run organization that has led to the resignations of multiple different volunteers, at least in part due to a concern about the personal information of freenode users under the new management. "The freenode resignation FAQ" has collected a bunch of information (and links to even more resignation letters) that may help shed some light on this mess. From the FAQ: "Freenode staff have stepped down. The network that runs at freenode.org/net/com should now be assumed to be under control of a malicious party." In the meantime, many of the volunteers who resigned have formed Libera.Chat to continue the legacy of freenode. LWN will be keeping an eye on the situation, stay tuned ...
[$] The misc control group
Control groups (cgroups) are meant to limit access to a shared resource among processes in the system. One such resource is the values used to specify an encrypted-memory region for a virtual machine, such as the address-space identifiers (ASIDs) used by the AMD Secure Encrypted Virtualization (SEV) feature. Vipin Sharma set out to add a control group for these ASIDs back in September; based on the feedback, though, he expanded the idea into a controller to track and limit any countable resource. The patch set became the controller for the misc control group and has been merged for Linux 5.13.
Introducing Site Isolation in Firefox (Mozilla security blog)
The Mozilla Security Blog announces that there is a new site-isolation mechanism available for testing in the Firefox browser. It's a defense against Meltdown and Spectre exploits.
Security updates for Tuesday
Security updates have been issued by Debian (chromium, curl, prosody, and ruby-rack-cors), Fedora (dotnet3.1 and dotnet5.0), openSUSE (ibsim and prosody), SUSE (kernel and python3), and Ubuntu (caribou and djvulibre).
[$] Exported-symbol changes in 5.13
There have been many disagreements over the years in the kernel community concerning the exporting of internal kernel symbols to loadable modules. Exporting a symbol often exposes implementation decisions to outside code, makes it possible to use (or abuse) kernel functionality in unintended ways, and makes future changes harder. That said, there is no authority overseeing the exporting of symbols and no process for approving exports; discussions only tend to arise when somebody notices a change that they don't like. But it is not particularly hard to detect changes in symbol exports from one kernel version to the next, and doing so can give some insights into the kinds of changes that are happening under the hood.
T2 Linux 21.5 "Because we can" for 18 architectures
The T2 System Development Environment Linux 21.5 was released with 18 pre- and cross-compiled architectures. "The 21.5 release received updates across the board, while a major point of work was the GCC 11 update as well as re-basing and fixing upstream regressions for the Sony PS3 support as well as various small improvements, including an up to 15 seconds faster system shutdown when using sysvinit."
Security updates for Monday
Security updates have been issued by Debian (libimage-exiftool-perl and postgresql-9.6), Fedora (chromium, exiv2, firefox, kernel, kernel-headers, kernel-tools, mariadb, and python-impacket), Mageia (avahi), openSUSE (chromium, drbd-utils, dtc, ipvsadm, jhead, nagios, netdata, openvpn, opera, prosody, and virtualbox), Slackware (libxml2), SUSE (kernel and lz4), and Ubuntu (intel-microcode, python-eventlet, and rust-pleaser).
Kernel prepatch 5.13-rc2
The 5.13-rc2 kernel prepatch is out for testing. "The fixes here are all over the place - drivers, arch updates, documentation, tooling.. Nothing particularly stands out".
[$] Sticky groups in the shadows
Group membership is normally used to grant access to some resource; examples might include using groups to control access to a shared directory, a printer, or the ability to use tools like sudo. It is possible, though, to use group membership to deny access to a resource instead, and some administrators make use of that feature. But groups only work as a negative credential if the user cannot shed them at will. Occasionally, some way to escape a group has turned up, resulting in vulnerabilities on systems where they are used to block access; despite fixes in the past, it turns out that there is still a potential problem with groups and user namespaces; this patch set from Giuseppe Scrivano seeks to mitigate it through the creation of "shadow" groups.
Stable kernels 5.12.4, 5.11.21, 5.10.37, and 5.4.119
Greg Kroah-Hartman has announced the release of the 5.12.4, 5.11.21, 5.10.37, and 5.4.119 stable kernels. These are enormous updates, with changes throughout the kernel tree; users should upgrade.
Security updates for Friday
Security updates have been issued by Debian (jetty9, libgetdata, and postgresql-11), openSUSE (java-11-openjdk), SUSE (dtc, ibsim, ibutils, ipvsadm, and kernel), and Ubuntu (awstats and glibc).
[$] Calling kernel functions from BPF
The kernel's BPF virtual machine allows programs loaded from user space to be safely run in the kernel's context. That functionality would be of limited use, however, without the ability for those programs to interact with the rest of the kernel. The interface between BPF and the kernel has been kept narrow for a number of good reasons, including safety and keeping the kernel in control of the system. The 5.13 kernel, though, contains a feature that could, over time, widen that interface considerably: the ability to directly call kernel functions from BPF programs.
Security updates for Thursday
Security updates have been issued by Debian (graphviz and redmine), Fedora (dom4j, kernel, kernel-headers, kernel-tools, mariadb, php, php-phpmailer6, and redis), openSUSE (kernel and nagios), and Ubuntu (mysql-5.7, mysql-8.0 and python-django).
[$] LWN.net Weekly Edition for May 13, 2021
The LWN.net Weekly Edition for May 13, 2021 is available.
[$] Holes in the WiFi
The discoverer of the KRACK attacks against WPA2 encryption in WiFi is back with a new set of flaws in the wireless-networking protocols. FragAttacks is a sizable group of WiFi vulnerabilities that (ab)use the fragmentation and aggregation (thus "Frag") features of the standard. The fixes have been coordinated over a nine-month period, which has allowed security researcher Mathy Vanhoef time to create multiple papers, some slide decks, a demo video, patches, and, of course, a website and logo for the vulnerabilities.
GNU Guix 1.3.0 released
GNU Guix, the transactional package manager and distribution, has released version 1.3.0. This release adds new features, refines the user experience, and improves performance. Support for the POWER9 platform is now offered as a technology preview.
New stable kernels
Stable kernels 5.12.3 and 5.11.20 have been released with important fixes throughout the tree. Users should upgrade.
Security updates for Wednesday
Security updates have been issued by Debian (composer, hivex, lz4, and rails), Fedora (chromium, community-mysql, djvulibre, dom4j, firefox, php, php-phpmailer6, python-django, and redis), Mageia (mariadb, nagios, and pngcheck), openSUSE (opera, syncthing, and vlc), SUSE (kernel, openvpn, openvpn-openssl1, shim, and xen), and Ubuntu (flatpak, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.8, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-hwe, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-oem-5.10, linux-oem-5.6, and mariadb-10.1, mariadb-10.3, mariadb-10.5).
[$] Pyodide: Python for the browser
Python in the browser has long been an item on the wish list of many in the Python community. At this point, though, JavaScript has well-cemented its role as the language embedded into the web and its browsers. The Pyodide project provides a way to run Python in the browser by compiling the existing CPython interpreter to WebAssembly and running that binary within the browser's JavaScript environment. Pyodide came about as part of Mozilla's Iodide project, which has fallen by the wayside, but Pyodide is now being spun out as a community-driven project.
Why Sleep Apnea Patients Rely on a CPAP Machine Hacker (Vice)
Vice takes a look at the SleepyHead system for the management of CPAP machines.
Making eBPF work on Windows (Microsoft Open Source Blog)
The Microsoft Open Source Blog takes a look at implementing eBPF support in Windows. "Although support for eBPF was first implemented in the Linux kernel, there has been increasing interest in allowing eBPF to be used on other operating systems and also to extend user-mode services and daemons in addition to just the kernel. Today we are excited to announce a new Microsoft open source project to make eBPF work on Windows 10 and Windows Server 2016 and later. The ebpf-for-windows project aims to allow developers to use familiar eBPF toolchains and application programming interfaces (APIs) on top of existing versions of Windows. Building on the work of others, this project takes several existing eBPF open source projects and adds the “glue” to make them run on Windows."
Announcing coreboot 4.14
The coreboot firmware project has released version 4.14. "These changes have been all over the place, so that there's no particular area to focus on when describing this release: We had improvements to mainboards, to chipsets (including much welcomed work to open source implementations of what has been blobs before), to the overall architecture."
Two stable kernels
Stable kernels 5.10.36 and 5.4.118 have been released. They both contain important fixes throughout the tree. Users should upgrade.
Security updates for Tuesday
Security updates have been issued by Debian (hivex), Fedora (djvulibre and thunderbird), openSUSE (monitoring-plugins-smart and perl-Image-ExifTool), Oracle (kernel and kernel-container), Red Hat (kernel and kpatch-patch), SUSE (drbd-utils, java-11-openjdk, and python3), and Ubuntu (exiv2, firefox, libxstream-java, and pyyaml).
DragonFly BSD 6.0
DragonFly BSD 6.0 has been released. "This version has a revamped VFS caching system, various filesystem updates including HAMMER2, and a long list of userland updates."
[$] The second half of the 5.13 merge window
By the time the last pull request was acted on and 5.13-rc1 was released, a total of 14,231 non-merge commits had found their way into the mainline. That makes the 5.13 merge window larger than the entire 5.12 development cycle (13,015 commits) and just short of all of 5.11 (14,340). In other words, 5.13 looks like one of the busier development cycles we have seen for a little while. About 6,400 of these commits came in after the first-half summary was written, and they include a number of significant new features.
Security updates for Monday
Security updates have been issued by Debian (libxml2), Fedora (autotrace, babel, kernel, libopenmpt, libxml2, mingw-exiv2, mingw-OpenEXR, mingw-openexr, python-markdown2, and samba), openSUSE (alpine, avahi, libxml2, p7zip, redis, syncthing, and vlc), and Ubuntu (webkit2gtk).
Kernel prepatch 5.13-rc1
The first 5.13 kernel prepatch is out for testing, and the merge window is closed for this development cycle. "This was - as expected - a fairly big merge window, but things seem to have proceeded fairly smoothly. Famous last words." In the end, 14,231 non-merge changesets were pulled into the mainline during the merge window — more than were seen during the entire 5.12 cycle.
An IEEE statement on the UMN paper
The IEEE, whose Symposium on Security and Privacy conference had accepted the "hypocrite commits" paper for publication, has posted a statement [PDF] on the episode.
[$] Noncoherent DMA mappings
While it is sometimes possible to perform I/O by moving data through the CPU, the only way to get the required level of performance is usually for devices to move data directly to and from memory. Direct memory access (DMA) I/O has been well supported in the Linux kernel since the early days, but there are always ways in which that support can be improved, especially when hardware adds some challenges of its own. The somewhat confusingly named "non-contiguous" DMA API that was added for 5.13 shows the kinds of things that have to be done to get the best performance on current systems.
Five new stable kernels
New stable kernels 5.12.2, 5.11.19, 5.10.35, 5.4.117, and 4.19.190 have been released. They contain a relatively short list of updates throughout the tree; users of those series should upgrade.
Security updates for Friday
Security updates have been issued by Debian (mediawiki and unbound1.9), Fedora (djvulibre and samba), Mageia (ceph, messagelib, and pagure), openSUSE (alpine and exim), Oracle (kernel and postgresql), Scientific Linux (postgresql), and Ubuntu (thunderbird and unbound).
An Interview With Linus Torvalds: Open Source And Beyond - Part 2 (Tag1)
The second half of the interview with Linus Torvalds on the Tag1 Consulting site has been posted.
[$] A pair of memory-allocation improvements in 5.13
Among the many changes merged for 5.13 can be found performance improvements throughout the kernel. This work does not always stand out the way that new features do, but it is vitally important for the future of the kernel overall. In the memory-management area, a couple of long-running patch sets have finally made it into the mainline; these provide a bulk page-allocation interface and huge-page mappings in the vmalloc() area. Both of these changes should make things faster, at least for some workloads.
Security updates for Thursday
Security updates have been issued by Debian (python-django), Fedora (java-latest-openjdk, libopenmpt, python-yara, skopeo, thunderbird, and yara), openSUSE (ceph and openexr), Red Hat (postgresql), SUSE (libxml2), and Ubuntu (exim4 and gnome-autoar).
[$] LWN.net Weekly Edition for May 6, 2021
The LWN.net Weekly Edition for May 6, 2021 is available.
[$] A replacement for third-party cookies?
The era of tracking users all across the web using third-party cookies is coming to a close; that type of cookie is something of a zombie at this point. All of the major browsers, save one, are blocking third-party cookies by default and the holdout, Google Chrome, plans to make that change next year. But Google, which has a business model built around advertising that benefits greatly from the status quo, has offered up an alternative scheme to "replace" third-party cookies. The Federated Learning of Cohorts (FLoC) is an in-browser mechanism to pigeonhole users in a way that will be useful to advertisers, but the only reason the idea has any traction at all is because it is being implemented in Chrome—the dominant browser today.
The TAB report on the UMN affair
The Linux Foundation Technical Advisory Board has issued its report on the submission of (intentionally and unintentionally) buggy patches from the University of Minnesota.
Security updates for Wednesday
Security updates have been issued by Debian (cgal, exim4, and mediawiki), Fedora (axel, libmicrohttpd, libtpms, perl-Image-ExifTool, pngcheck, python-yara, and yara), Gentoo (exim), Mageia (kernel-linus), openSUSE (bind and postsrsd), SUSE (avahi, openexr, p7zip, python-Pygments, python36, samba, sca-patterns-sle11, and webkit2gtk3), and Ubuntu (nvidia-graphics-drivers-390, nvidia-graphics-drivers-418-server, nvidia-graphics-drivers-450, nvidia-graphics-drivers-450-server, nvidia-graphics-drivers-460, nvidia-graphics-drivers-460-server).
[$] Rustls: memory safety for TLS
The movement toward using memory-safe languages, and Rust in particular, has picked up a lot of steam over the past year or two. Removing the possibility of buffer overflows, use-after-free bugs, and other woes associated with unmanaged pointers is an attractive feature, especially given that the majority of today's vulnerabilities stem from memory-safety issues. On April 20, the Internet Security Research Group (ISRG) announced a funding initiative targeting the Rustls TLS library in order to prepare it for more widespread adoption—including by ISRG's Let's Encrypt project.
Security updates for Tuesday
Security updates have been issued by Debian (bind9, chromium, exim4, and subversion), Fedora (exiv2 and skopeo), openSUSE (gsoap), Oracle (bind, kernel, and sudo), SUSE (bind, ceph, ceph, deepsea, permissions, and stunnel), and Ubuntu (clamav, exim4, openvpn, python-django, and samba).
An important Exim security release
There are, it seems, 21 vulnerabilities in the Exim email server that have been fixed in the 4.94.2 release; at least some of these are remotely exploitable for root access. "The current Exim versions (and likely older versions too) suffer from several exploitable vulnerabilities. These vulnerabilities were reported by Qualys via security@exim.org back in October 2020. Due to several internal reasons it took more time than usual for the Exim development team to work on these reported issues in a timely manner." See this advisory from Qualys for the details.