Feed lwn LWN.net


Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-04-22 00:00
Security updates for Friday
Security updates have been issued by Debian (bind9, libbsd, openssl1.0, php-horde-text-filter, qemu, and unrar-free), Fedora (kiwix-desktop and libntlm), Mageia (coturn, mediawiki, privoxy, and veracrypt), openSUSE (buildah, libcontainers-common, podman), Oracle (kernel, nss, and perl), Red Hat (xterm), SUSE (java-1_7_1-ibm, php74, python-urllib3, and qemu), and Ubuntu (libjackson-json-java and shiro).
[$] How useful should copy_file_range() be?
The copy_file_range() system call looks like a relatively straightforward feature; it allows user space to ask the kernel to copy a range of data from one file to another, hopefully applying some optimizations along the way. In truth, this call has never been as generic as it seems, though some changes made during 5.3 helped in that regard. When the developers of the Go language ran into problems with copy_file_range(), there ensued a lengthy discussion on how this system call should work and whether the kernel needs to do more to make it useful.
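The pitfalls behind that discussion are easiest to see from the caller's side. What follows is an added example of my own, not code from LWN, the kernel, or the Go runtime. It assumes a Linux system with glibc's copy_file_range() wrapper; the fallback policy (which errno values hand the copy over to read()/write(), and what to do when the first call copies nothing) is this example's own choice, not anything the page prescribes.

```c
/*
 * Added example, not code from LWN, the kernel or Go: copy a file with
 * copy_file_range() where the kernel will do it, and with a read()/write()
 * loop where it will not. The fallback policy here is this example's own.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Portable fallback: copies until read() reports EOF, handling short writes. */
static ssize_t copy_slow(int in_fd, int out_fd)
{
    char buf[64 * 1024];
    ssize_t total = 0;

    for (;;) {
        ssize_t n = read(in_fd, buf, sizeof buf);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            return n < 0 ? -1 : total;
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(out_fd, buf + off, n - off);
            if (w < 0 && errno == EINTR)
                continue;
            if (w < 0)
                return -1;
            off += w;
        }
        total += n;
    }
}

/*
 * Copy from the current offset of in_fd to the current offset of out_fd
 * until EOF. copy_file_range() may copy less than asked, so it runs in a
 * loop. It is abandoned for copy_slow() when the kernel lacks it (ENOSYS),
 * refuses this pair of files (EINVAL, EOPNOTSUPP, or EXDEV for a
 * cross-filesystem copy on a pre-5.3 kernel), or reports 0 bytes before
 * anything was copied: a file whose reported size is 0 (procfs, sysfs)
 * looks like EOF to copy_file_range() even though read() returns data.
 */
ssize_t copy_fd(int in_fd, int out_fd)
{
    ssize_t total = 0;

    for (;;) {
        ssize_t n = copy_file_range(in_fd, NULL, out_fd, NULL, 1 << 30, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            if (total == 0 && (errno == ENOSYS || errno == EINVAL ||
                               errno == EOPNOTSUPP || errno == EXDEV))
                return copy_slow(in_fd, out_fd);
            return -1;
        }
        if (n == 0)
            return total == 0 ? copy_slow(in_fd, out_fd) : total;
        total += n;
    }
}

/* Self-check on constructed data: a 200 KiB pattern written to a temp
 * file, copied with copy_fd(), and compared. Returns 1 on success. */
int copy_fd_selftest(void)
{
    char in_path[] = "/tmp/cfr_in_XXXXXX", out_path[] = "/tmp/cfr_out_XXXXXX";
    const size_t len = 200 * 1024;
    unsigned char *data = malloc(len), *back = malloc(len);
    int in_fd = mkstemp(in_path), out_fd = mkstemp(out_path);
    int ok = 0;

    if (!data || !back || in_fd < 0 || out_fd < 0)
        goto out;
    for (size_t i = 0; i < len; i++)
        data[i] = (unsigned char)(i * 7 + (i >> 8));
    if (write(in_fd, data, len) != (ssize_t)len || lseek(in_fd, 0, SEEK_SET) != 0)
        goto out;
    if (copy_fd(in_fd, out_fd) != (ssize_t)len || lseek(out_fd, 0, SEEK_SET) != 0)
        goto out;
    for (size_t got = 0; got < len; ) {
        ssize_t r = read(out_fd, back + got, len - got);
        if (r <= 0)
            goto out;
        got += (size_t)r;
    }
    ok = memcmp(data, back, len) == 0;
out:
    if (in_fd >= 0) { close(in_fd); unlink(in_path); }
    if (out_fd >= 0) { close(out_fd); unlink(out_path); }
    free(data);
    free(back);
    return ok;
}

int main(void)
{
    return copy_fd_selftest() ? 0 : 1;
}
```

The zero-result check is the part worth noting: copy_file_range() decides how much to copy from the source's reported size, so treating its first 0 as EOF silently produces an empty copy of /proc/self/status or similar; asking read() once is cheap and settles the question.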
Security updates for Thursday
Security updates have been issued by Debian (mumble, openssl, php7.3, and webkit2gtk), openSUSE (jasper, php7, and screen), SUSE (bind, php7, and php72), and Ubuntu (bind9, openssl, openssl1.0, and webkit2gtk).
Google's effort to mitigate memory-safety issues
The Google Security Blog carries an announcement of a heightened effort to reimplement security-critical software in memory-safe languages. "The new Rust-based HTTP and TLS backends for curl and now this new TLS library for Apache httpd are an important starting point in this overall effort. These codebases sit at the gateway to the internet and their security is critical in the protection of data for millions of users worldwide."
[$] LWN.net Weekly Edition for February 18, 2021
The LWN.net Weekly Edition for February 18, 2021 is available.
[$] What goes into default Debian?
The venerable locate file-finding utility has long been available for Linux systems, though its origins are in the BSD world. It is a generally useful tool, but does have a cost beyond just the disk space it occupies in the filesystem; there is a periodic daemon program (updatedb) that runs to keep the file-name database up to date. As a recent debian-devel discussion shows, though, people have differing ideas of just how important the tool is—and whether it should be part of the default installation of Debian.
Another pair of stable kernels
The 5.10.17 and 5.4.99 stable kernel updates have been released; they both contain another set of important fixes.
Security updates for Wednesday
Security updates have been issued by Debian (openssl and ruby-mechanize), Fedora (chromium, jasper, roundcubemail, spice-vdagent, and webkit2gtk3), openSUSE (python-bottle), Oracle (dotnet, kernel, and kernel-container), Red Hat (redhat-ds:11, RHDM, and RHPAM), SUSE (jasper, kernel, and screen), and Ubuntu (thunderbird and wpa).
Go 1.16 released
Version 1.16 of the Go language is available. New features include an "embed" package, Apple Arm64 support, use of modules by default, and build-performance improvements; see the release notes for details.
[$] Malware in open-source web extensions
On February 4, millions of browser tabs were suddenly terminated. Not everyone was surprised; the dozen people who spent the last four months waiting for this tragedy to occur watched in relief as the first in a rapid stream of GitHub comments began pouring in. The Great Suspender, a Chrome extension that suspended inactive tabs, with around two-million users, had been forcibly uninstalled because it contained malware. This was a serious problem for users, in part due to the difficulty in recovering the lost tabs, but the extension's malevolence had been painfully obvious to anyone who cared to investigate it.
5.12 Merge window delayed
Those of us who are watching the mainline kernel repository may have been wondering why it appears that no pull requests for the 5.12 merge window have yet been acted upon. The problem, it seems, is power outages caused by the severe winter weather in the US Pacific northwest. Until that gets resolved, which could take a few days, the 5.12 merge window is likely to remain on hold.
Security updates for Tuesday
Security updates have been issued by Debian (spip), Mageia (chromium-browser, kernel, kernel-linus, and trojita), openSUSE (mumble and opera), Red Hat (container-tools:rhel8, java-1.8.0-ibm, kernel, kernel-rt, net-snmp, nodejs:10, nodejs:12, nodejs:14, nss, perl, python, and rh-nodejs10-nodejs), and SUSE (jasper, python-bottle, and python-urllib3).
[$] Development statistics for the 5.11 kernel
The 5.11 kernel was released on February 14 — the most romantic sort of Valentine's day gift one could hope for. This kernel saw the merging of 14,340 changesets from 1,912 developers; it is certainly not the busiest development cycle we have seen recently, but it still saw a lot of activity. Read on for our traditional look at where the code merged for 5.11 came from.
Security updates for Monday
Security updates have been issued by Debian (busybox, linux-4.19, openvswitch, subversion, unbound1.9, and xterm), Fedora (audacity, community-mysql, kernel, libzypp, mysql-connector-odbc, python-django, python3.10, and zypper), openSUSE (librepo, openvswitch, subversion, and wpa_supplicant), Red Hat (subversion:1.10), SUSE (kernel, openvswitch, perl-File-Path, and wpa_supplicant), and Ubuntu (postgresql-12).
The 5.11 kernel is out
Linus has released the 5.11 kernel, as expected. "I know it's Valentine's Day here in the US - maybe give this release a good testing before you go back and play with development kernels. All right? Because I'm sure your SO will understand." Headline features in 5.11 include Intel SGX support, a new system-call interception mechanism, the seccomp() constant-action bitmap optimization, the internal kmap_local() API, the epoll_pwait2() system call, and much more. See the LWN merge-window articles (part 1, part 2) and the (under development) KernelNewbies 5.11 page for more information.
Saturday stable kernels
The 5.10.16, 5.4.98, and 4.19.176 stable kernel updates have been released; each contains another set of important fixes.
Gentoo mourns the loss of Kent Fredric
A brief post on the Gentoo site is in memory of Kent "kent\n" Fredric. "Kent was an active member of the Gentoo community for many years. He tirelessly managed Gentoo’s Perl support, and was active in the Rust project as well as in many other corners. We all remember him as an enthusiastic, bright person, with lots of eye for detail and constant willingness to help out and improve things. On behalf of the world-wide Gentoo community, our heartfelt condolences go out to his family and friends."
[$] Introducing maple trees
Seen from outside, the internals of the Linux kernel appear to be stable, especially in subsystems like the memory-management subsystem. However, from time to time, developers need to replace an internal interface to solve a longstanding problem. One such issue is contention on the lock used to protect essential memory-management structures, including the page tables and virtual memory areas (VMAs). Liam Howlett and Matthew Wilcox have been developing a new data structure, called a "maple tree", to replace the data structures currently used for VMAs. This potentially big change in internal kernel structures has been recently posted for a review in a massive patch set.
Security updates for Friday
Security updates have been issued by Arch Linux (ansible, chromium, cups, docker, firefox, gitlab, glibc, helm, lib32-glibc, minio, nextcloud, opendoas, opera, php, php7, privoxy, python-django, python-jinja, python2-jinja, thunderbird, vivaldi, and wireshark-cli), Fedora (jasper, linux-firmware, php, python-cryptography, spice-vdagent, subversion, and thunderbird), Mageia (gssproxy and phpldapadmin), openSUSE (chromium, containerd, docker, docker-runc, librepo, nextcloud, and privoxy), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork, kernel, openvswitch, and wpa_supplicant), and Ubuntu (wpa).
[$] kcmp() breaks loose
Given the large set of system calls implemented by the Linux kernel, it would not be surprising for most people to be unfamiliar with a few of them. Not everybody needs to know the details of setresgid(), modify_ldt(), or lookup_dcookie(), after all. But even developers who have a wide understanding of the Linux system-call set may be surprised by kcmp(), which is not enabled by default in the kernel build. It would seem, though, that the word has gotten out, leading to an effort to make kcmp() more widely available.
Security updates for Thursday
Security updates have been issued by Debian (firejail and netty), Fedora (java-1.8.0-openjdk, java-11-openjdk, rubygem-mechanize, and xpdf), Mageia (gstreamer1.0-plugins-bad, nethack, and perl-Email-MIME and perl-Email-MIME-ContentType), openSUSE (firejail, java-11-openjdk, python, and rclone), Red Hat (dotnet, dotnet3.1, dotnet5.0, and rh-nodejs12-nodejs), SUSE (firefox, kernel, python, python36, and subversion), and Ubuntu (gnome-autoar, junit4, openvswitch, postsrsd, and sqlite3).
Rust 1.50.0 released
Version 1.50.0 of the Rust language has been released. "For this release, we have improved array indexing, expanded safe access to union fields, and added to the standard library."
[$] LWN.net Weekly Edition for February 11, 2021
The LWN.net Weekly Edition for February 11, 2021 is available.
[$] Python cryptography, Rust, and Gentoo
There is always a certain amount of tension between the goals of those using older, less-popular architectures and the goals of projects targeting more mainstream users and systems. In many ways, our community has been spoiled by the number of architectures supported by GCC, but a lot of new software is not being written in C—and existing software is migrating away from it. The Rust language is often the choice these days for both new and existing code bases, but it is built with LLVM, which supports fewer architectures than GCC supports—and Linux runs on. So the question that arises is how much these older, non-Rusty architectures should be able to hold back future development; the answer, in several places now, has been "not much".
[$] Visiting another world
The world wide web is truly a wondrous invention, but it is not without flaws. There are massive privacy woes that stem from its standards and implementation; it is also so fiendishly complex that few can truly grok all of its expanse. That complexity affords enormous flexibility, for good or ill. Those who are looking for a simpler way to exchange information—or hearken back to web prehistory—may find the Gemini project worth a look.
Security updates for Wednesday
Security updates have been issued by Debian (connman, firejail, libzstd, slirp, and xcftools), Fedora (chromium, jackson-databind, and privoxy), openSUSE (chromium), Oracle (kernel and kernel-container), Slackware (dnsmasq), SUSE (java-11-openjdk, kernel, and python), and Ubuntu (linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.8, linux-kvm, linux-oem-5.6, linux-oracle, linux-raspi, linux, linux-gke-5.0, linux-gke-5.3, linux-hwe, linux-raspi2-5.3, openjdk-8, openjdk-lts, and snapd).
More stable kernel updates
The latest set of stable kernel updates is 5.10.15, 5.4.97, 4.19.175, 4.14.221, 4.9.257, and 4.4.257. Each contains another set of important fixes.
The 2021 Season of Docs application for organizations is open
Google Open Source has announced the 2021 edition of Season of Docs. "In 2021, the Season of Docs program will continue to support better documentation in open source and provide opportunities for skilled technical writers to gain open source experience. In addition, building on what we’ve learned from the successful 2019 and 2020 projects, we’re expanding our focus to include learning about effective metrics for evaluating open source documentation." Open source organizations may apply to take part in Season of Docs until March 26.
Jordan: ktest: Automated Testing For Kernel Programmers
Daniel Jordan looks at ktest on the Oracle Linux blog. "Where ktest is especially useful, though, is in its ability to do these things for each patch in a series, thereby freeing you from a significant amount of tedium. For your chosen configs, the series will be cleanly bisectable and won't trigger upstream build bots with easily avoided errors and warnings mid-series. (Those bots are nice for less common configs though.) Code reviewers' moods improve too because each patch will stand alone with all the necessary code."
Pattern matching accepted for Python
The Python steering council has, after some discussion, accepted the controversial proposal to add a pattern-matching primitive to the language. "We acknowledge that Pattern Matching is an extensive change to Python and that reaching consensus across the entire community is close to impossible. Different people have reservations or concerns around different aspects of the semantics and the syntax (as does the Steering Council). In spite of this, after much deliberation, reviewing all conversations around these PEPs, as well as competing proposals and existing poll results, and after several in-person discussions with the PEP authors, we are confident that Pattern Matching as specified in PEP 634, et al, will be a great addition to the Python language."
Security updates for Tuesday
Security updates have been issued by CentOS (flatpak), Debian (connman, golang-1.11, and openjpeg2), Fedora (pngcheck), Mageia (php, phppgadmin, and wpa_supplicant), openSUSE (privoxy), Oracle (flatpak and kernel), Red Hat (qemu-kvm-rhev), SUSE (kernel, python-urllib3, and python3), and Ubuntu (firefox).
Cook: security things in Linux v5.8
Kees Cook catches up with the security-related changes in the 5.8 kernel release. "With this in place, Jump-Oriented Programming (JOP, where code gadgets are chained together with jumps and calls) is no longer available to the attacker. An attacker’s code must make direct function calls. This basically reduces the 'usable' code available to an attacker from every word in the kernel text to only function entries (or jump targets). This is a 'low granularity' forward-edge Control Flow Integrity (CFI) feature, which is important (since it greatly reduces the potential targets that can be used in an attack) and cheap (implemented in hardware). It’s a good first step to strong CFI, but (as we’ve seen with things like CFG) it isn’t usually strong enough to stop a motivated attacker."
The Rust language gets a foundation
The newly formed Rust Foundation has announced its existence. "Today, on behalf of the Rust Core team, I’m excited to announce the Rust Foundation, a new independent non-profit organization to steward the Rust programming language and ecosystem, with a unique focus on supporting the set of maintainers that govern and develop the project. The Rust Foundation will hold its first board meeting tomorrow, February 9th, at 4pm CT. The board of directors is composed of 5 directors from our Founding member companies, AWS, Huawei, Google, Microsoft, and Mozilla, as well as 5 directors from project leadership, 2 representing the Core Team, as well as 3 project areas: Reliability, Quality, and Collaboration." Mozilla has transferred its trademarks and domains for Rust over to the foundation.
[$] The burstable CFS bandwidth controller
The kernel's CFS bandwidth controller is an effective way of controlling just how much CPU time is available to each control group. It can keep processes from consuming too much CPU time and ensure that adequate time is available for all processes that need it. That said, it's not entirely surprising that the bandwidth controller is not perfect for every workload out there. This patch set from Huaixin Chang aims to make it work better for bursty, latency-sensitive workloads.
Four stable kernels
Stable kernels 5.10.14, 5.4.96, 4.19.174, and 4.14.220 have been released. They all contain important fixes and users should upgrade.
Security updates for Monday
Security updates have been issued by Debian (chromium, gdisk, intel-microcode, privoxy, and wireshark), Fedora (mingw-binutils, mingw-jasper, mingw-SDL2, php, python-pygments, python3.10, wireshark, wpa_supplicant, and zeromq), Mageia (gdisk and tomcat), openSUSE (chromium, cups, kernel, nextcloud, openvswitch, RT kernel, and rubygem-nokogiri), SUSE (nutch-core), and Ubuntu (openldap, php-pear, and qemu).
Kernel prepatch 5.11-rc7
The 5.11-rc7 kernel prepatch is out for testing. "Anyway, this is hopefully the last rc for this release, unless some surprise comes along and makes a travesty of our carefully laid plans. It happens. Nothing hugely scary stands out, with the biggest single part of the patch being some new self-tests. In fact, about a quarter of the patch is documentation and selftests."
Two new "experimental" stable kernels
Greg Kroah-Hartman has released the 4.9.256 and 4.4.256 kernels in order to try to figure out if there are any user-space problems caused by the overflow of the third (sublevel) version number for those stable-kernel series, which KERNEL_VERSION() packs into only eight bits. "With this release, KERNEL_VERSION(4, 9, 256) is the same as KERNEL_VERSION(4, 10, 0). Nothing in the kernel build itself breaks with this change, but given that this is a userspace visible change, and some crazy tools (like glibc and gcc) have logic that checks the kernel version for different reasons, I wanted to do this release as an 'empty' release to ensure that everything still works properly." Those who could be affected would be well-advised to test this change immediately as he plans another 4.9 release in a week's time.
[$] The imminent stable-version apocalypse
As has often been pointed out, the stable-kernel releases are meant to be stable; that means they should be even more averse to ABI breaks than mainline releases, if that is possible. This may be a hard promise to keep for the next set of stable kernels, though, for the most mundane of reasons: nobody thought that there would be more than 255 minor updates to any given kernel release.
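The arithmetic behind both of the items above, the 4.9.256 test release and the "stable-version apocalypse", is small enough to show in full. The following is an added example of my own, not code from LWN or from the stable-kernel patches: it reproduces the classic KERNEL_VERSION() packing, shows the carry from the sublevel into the patchlevel, and sets beside it the two defences a version check can use. The clamped macro and the field-wise comparison are this example's own suggestions, not a statement of what any project shipped.

```c
/*
 * Added example, not code from LWN or the kernel: the KERNEL_VERSION()
 * packing at a sublevel of 256, and two ways a version check can avoid
 * being fooled by it. The clamped macro and the field-wise comparison
 * are this example's own suggestions.
 */
#include <stdio.h>

/* The long-standing <linux/version.h> packing: VERSION in the high bits,
 * PATCHLEVEL in 8 bits, SUBLEVEL in the low 8 bits. Nothing stops a
 * SUBLEVEL of 256 from carrying into PATCHLEVEL. */
#define KERNEL_VERSION_CLASSIC(a, b, c) (((a) << 16) + ((b) << 8) + (c))

/* Saturating variant (this example's suggestion): anything past .255
 * reports as .255, so the code never escapes its own PATCHLEVEL. */
#define KERNEL_VERSION_CLAMPED(a, b, c) \
    (((a) << 16) + ((b) << 8) + ((c) > 255 ? 255 : (c)))

struct kver { unsigned version, patchlevel, sublevel; };

/* Undo the packing, as a consumer of LINUX_VERSION_CODE would see it. */
struct kver unpack(unsigned code)
{
    struct kver v = { code >> 16, (code >> 8) & 0xff, code & 0xff };
    return v;
}

/* 1 if packing (a, b, c) with the classic macro yields a different triple. */
int packing_lies(unsigned a, unsigned b, unsigned c)
{
    struct kver v = unpack(KERNEL_VERSION_CLASSIC(a, b, c));
    return v.version != a || v.patchlevel != b || v.sublevel != c;
}

/* Field-wise comparison: negative, zero or positive, like strcmp(). */
int kver_cmp(struct kver x, struct kver y)
{
    if (x.version != y.version) return x.version < y.version ? -1 : 1;
    if (x.patchlevel != y.patchlevel) return x.patchlevel < y.patchlevel ? -1 : 1;
    if (x.sublevel != y.sublevel) return x.sublevel < y.sublevel ? -1 : 1;
    return 0;
}

/* Parse the leading "a.b.c" of a uname -r string such as "4.9.256-generic". */
int parse_release(const char *s, struct kver *out)
{
    return sscanf(s, "%u.%u.%u", &out->version, &out->patchlevel,
                  &out->sublevel) == 3;
}

/* Robust form of "is this kernel older than a.b.c?": compares the real
 * fields, never a packed code. Returns -1 if the string does not parse. */
int release_is_before(const char *release, unsigned a, unsigned b, unsigned c)
{
    struct kver have, want = { a, b, c };
    if (!parse_release(release, &have))
        return -1;
    return kver_cmp(have, want) < 0;
}

/* Fragile form: compares packed codes the way LINUX_VERSION_CODE checks
 * do, and so believes that 4.9.256 is at least 4.10.0. */
int packed_is_at_least_4_10(unsigned a, unsigned b, unsigned c)
{
    return KERNEL_VERSION_CLASSIC(a, b, c) >= KERNEL_VERSION_CLASSIC(4, 10, 0);
}

int main(void)
{
    struct kver v = unpack(KERNEL_VERSION_CLASSIC(4, 9, 256));
    printf("4.9.256 packs to %u, which unpacks as %u.%u.%u\n",
           (unsigned)KERNEL_VERSION_CLASSIC(4, 9, 256),
           v.version, v.patchlevel, v.sublevel);
    printf("clamped: 4.9.256 -> %u, 4.9.255 -> %u\n",
           (unsigned)KERNEL_VERSION_CLAMPED(4, 9, 256),
           (unsigned)KERNEL_VERSION_CLAMPED(4, 9, 255));
    return 0;
}
```

The clamp keeps every existing comparison against a packed code correct up to .255 and merely stops distinguishing releases beyond it; anything that must tell 4.9.256 from 4.9.300 apart has to look at the real fields, which is what the parse-and-compare path does.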
Security updates for Friday
Security updates have been issued by Fedora (java-11-openjdk, kernel, and monitorix), Mageia (mutt, nodejs, and nodejs-ini), Oracle (flatpak, glibc, and kernel), Red Hat (rh-nodejs14-nodejs), Scientific Linux (flatpak), and Ubuntu (flatpak and minidlna).
[$] ioctl() for io_uring
Of all the system calls in the Unix tradition, few are as maligned as ioctl(). But ioctl() exists for a reason — for many reasons, in truth — and cannot be expected to go away anytime soon. It is thus unsurprising that there is interest in providing ioctl()-like functionality in the io_uring subsystem. A recent RFC patch set from Jens Axboe shows the form that this feature might take in the io_uring context.
Security updates for Thursday
Security updates have been issued by CentOS (glibc, linux-firmware, perl, and qemu-kvm), Debian (dnsmasq), Fedora (netpbm), Mageia (firefox, messagelib, python and python3, ruby-nokogiri, and thunderbird), Oracle (kernel, perl, and qemu-kvm), Red Hat (flatpak), and SUSE (openvswitch and python-urllib3).
[$] LWN.net Weekly Edition for February 4, 2021
The LWN.net Weekly Edition for February 4, 2021 is available.
A set of stable kernels
Greg Kroah-Hartman has released stable kernels 5.10.13, 5.4.95, 4.19.173, 4.14.219, 4.9.255, and 4.4.255. They all contain important fixes and users should upgrade.
[$] Avoiding "supercookie" tracking
The release of Firefox 85 at the end of January brought a new technique for thwarting yet-another web-tracking scheme. The use of browser cookies for tracking is well-established and the browser makers have taken steps to block the worst abuses there, but users can also take steps to manage and clear those cookies. The arms race continues, however, as tracking companies are using browser caches to store what Mozilla calls "supercookies", which allow users to be tracked across the web sites that they visit. That has led the browser makers to partition these caches by web site in order to prevent this tracking technique.
Kroah-Hartman: Helping Out With LTS Kernel Releases
Greg Kroah-Hartman has a suggestion for anybody who would like to help him maintain long-term-stable kernel releases. "All I request is that people test the -rc releases when I announce them, and let me know if they work or not for their systems/workloads/tests/whatever. [...] But, if you want to do more, I always really appreciate when people email me, or stable@vger.kernel.org, git commit ids that are needed to be backported to specific stable kernel trees because they found them in their testing/development efforts."
Security updates for Wednesday
Security updates have been issued by Debian (open-build-service and openldap), Fedora (jasper, libebml, and tcmu-runner), openSUSE (segv_handler), Red Hat (thunderbird), Scientific Linux (kernel), SUSE (cups and openvswitch), and Ubuntu (apport and ca-certificates).
Solus 4.2 released
Version 4.2 of the desktop-oriented Solus distribution is available. "We recognized that Desktop Icons was an important part of the workflow of many users, so we spent considerable time during this development cycle ensuring there was a solution for them as well as our downstream users of Budgie. Expanding on this, Solus 4.2 defaults to having desktop icons enabled to make Solus more approachable to new users." Some more information on the desktop changes can be found in this blog entry from December.
LibreOffice 7.1 Community released
The LibreOffice 7.1 "Community" release is out. "LibreOffice 7.1 Community adds several interoperability improvements with DOCX/XLSX/PPTX files: improvements to Writer tables (better import/export and management of table functions, and better support for change tracking in floating tables); a better management of cached field results in Writer; support of spacing below the header's last paragraph in DOC/DOCX files; and additional SmartArt improvements when importing PPTX files." The announcement also goes on at length about the new "community" label and how this release "is not targeted at enterprises".
[$] A major vulnerability in Sudo
A longstanding hole in the Sudo privilege-delegation tool that was discovered in late January is a potent local vulnerability. Exploiting it allows local users to run code of their choosing as root by way of a bog-standard heap-buffer overflow. It seems like the kind of bug that might have been found earlier via code inspection or fuzzing, but it has remained in this security-sensitive utility since it was introduced in 2011.