LWN.net

OpenSSH 8.5 has been released. It includes fixes for a couple of potentialsecurity problems (one of which only applies to Solaris hosts); it alsoenables UpdateHostKeys by default, allowing hosts with insecurekeys to upgrade them without creating scary warnings for users. There area lot of other small changes; see the announcement for details.

Security updates have been issued by CentOS (bind), Debian (adminer, grub2, spip, and wpa), Mageia (openjpeg2, wpa_supplicant, and xterm), openSUSE (avahi, bind, firefox, ImageMagick, java-1_8_0-openjdk, nodejs10, and webkit2gtk3), Red Hat (container-tools:1.0, container-tools:2.0, grub2, and virt:rhel and virt-devel:rhel), SUSE (bind, gnome-autoar, grub2, and nodejs8), and Ubuntu (python2.7 and wpa).

For more than a decade, PulseAudiohas been serving the Linux desktop as its predominant audiomixing and routing daemon — and its audio API. Unfortunately,PulseAudio's internal architecture does not fit the growingsandboxed-applications use case, even though there have been attempts to amend that. PipeWire, a new daemon created (in part)out of these attempts, will replacePulseAudio in the upcoming Fedora 34 release. It is a comingtransition that deserves a look.

Security updates have been issued by Arch Linux (bind, intel-ucode, ipmitool, isync, openssl, python, python-cryptography, python-httplib2, salt, tar, and thrift), Fedora (ansible, salt, webkit2gtk3, and wpa_supplicant), Oracle (bind), Red Hat (bind, kernel, and kpatch-patch), Scientific Linux (bind), SUSE (firefox, gnome-autoar, java-1_8_0-ibm, java-1_8_0-openjdk, nodejs10, open-iscsi, perl-XML-Twig, python-cryptography, and thunderbird), and Ubuntu (bind9).

The 5.12 merge window closed with the release of 5.12-rc1on February 28; this released followed the normal schedule despite thefact that Linus Torvalds had been without power for the first six daysafter 5.11 came out. At that point, 10,886 non-merge changesets had foundtheir way into the mainline repository; about 2,000 of those showed upafter the first-half merge-window summarywas written. The pace of merging obviously slowed down, but there werestill a number of interesting features to be found in those patches.

Security updates have been issued by CentOS (firefox, ImageMagick, libexif, thunderbird, and xorg-x11-server), Debian (docker.io, python-aiohttp, and thunderbird), Fedora (chromium, firefox, kernel, and rygel), Mageia (nodejs, pix, and subversion), openSUSE (glibc, gnuplot, nodejs12, nodejs14, pcp, python-cryptography, qemu, and salt), Red Hat (bind and podman), and SUSE (csync2, glibc, java-1_8_0-ibm, nodejs12, nodejs14, python-Jinja2, and rpmlint).

William Woodruff has posted arant of sorts on the adoption of Rust by the Python Cryptographyproject, which was covered here inFebruary.

Version3.2.0 of the fish shell has been released. New features include undoand redo support (for command-line editing, not commands!) and a long listof incremental improvements; see the announcement for details. LWN last looked at the fish shell in September.

Linus Torvalds has released 5.12-rc1(codename now "Frozen wasteland") andclosed the merge window despite getting a late start due to bad weather:

The Mageia distribution has announcedthe release of Mageia 8. It comes with the usual array of newpackages, including a 5.10.16 kernel, Plasma 5.20.4,GNOME 3.38, Firefox 78, Chromium 88, LibreOffice 7.0.4.2, and more."ARM support has continued to develop, with both AArch64 and ARMv7now having all packages built and being close to primary architecturesnow. Support for Wi-Fi installation in the classical installer using WPA2encryption has been added, as well as improved support for newerfilesystems allowing installations on F2FS. Support for NILFS, XFS, exFATand Windows 10 NTFS has been improved to allow for better partitionmanagement. The Live installer has also had significant development. Boottimes have been greatly reduced with the use of Zstd compression andimproved hardware detection and the support for installing updates as afinal step of the installation has been added. Zstd compression has alsobeen applied to the rescue mode, allowing for faster startup, support forencrypted LVM/LUKS has also been added."

Mike West has posted a detailed explorationof what is really required to protect sensitive information in webapplications from speculative-execution exploits. "Spectre-likeside-channel attacks inexorably lead to a model in which active web content(JavaScript, WASM, probably CSS if we tried hard enough, and so on) canread any and all data which has entered the address space of the processwhich hosts it. While this has deep implications for user agentimplementations' internal hardening strategies (stack canaries, ASLR, etc),here we’ll remain focused on the core implication at the web platformlevel, which is both simple and profound: any data which flows into aprocess hosting a given origin is legible to that origin. We must designaccordingly."

The first article in this series providedan introduction to lockless algorithms and the happens beforerelationship that allows us to reason about them. The next step is to lookat the concept of a "data race" and the primitives that exist to preventdata races. We continue in that direction with a look at relaxed accesses, memorybarriers, and how they can be used to implement the kernel's seqcountmechanism.

Greg Kroah-Hartman has released the 5.11.2,5.10.19, and5.4.101 stable kernels. These all containa relatively small pile of important fixes; as usual, users should upgrade.

Version 1.0 of GNU poke is out."GNU poke (http://www.jemarch.net/poke) is an interactive, extensible editor for binary data. Not limited to editing basic entities such as bits and bytes, it provides a full-fledged procedural, interactive programming language designed to describe data structures and to operate on them."

Security updates have been issued by Debian (python-pysaml2 and redis), Fedora (buildah, containernetworking-plugins, containers-common, libmysofa, libpq, podman, postgresql, skopeo, xen, and xterm), openSUSE (nghttp2), Oracle (firefox and thunderbird), SUSE (glibc, ImageMagick, python-Jinja2, and salt), and Ubuntu (python2.7, python2.7, python3.4, python3.5, python3.6, python3.8, and tiff).

One of the under-the-hood changes in the Fedora 33 release was a switch tosystemd-resolved for the handling of DNS queries. This change shouldbe invisible to most users unless they start using one of the new featuresprovided by systemd-resolved. Recently, though, the Fedora project changedits default configuration for that service to eliminate fallback DNSservers — a change which is indeed visible to some users who have foundthemselves without domain-name resolution as a result.

Security updates have been issued by Arch Linux (ansible-base, keycloak, mumble, and postgresql), Debian (firefox-esr and nodejs), Fedora (dotnet3.1, dotnet5.0, keylime, php-horde-Horde-Text-Filter, radare2, scap-security-guide, and wireshark), openSUSE (postgresql, postgresql13 and python-djangorestframework), Red Hat (Ansible, firefox, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (php7, postgresql-jdbc, python-cryptography, rpmlint, and webkit2gtk3), and Ubuntu (dnsmasq, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.8, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-raspi2, linux-snapdragon, linux-oem-5.10, linux-oem-5.6, screen, and xterm).

The LWN.net Weekly Edition for February 25, 2021 is available.

Two separate vulnerabilities led to the fast-tracked releaseof Python 3.9.2 and 3.8.8 on February 19, though source-onlyreleases of 3.7.10 and 3.6.13 came a few days earlier. Thevulnerabilities may be problematic for some Python users andworkloads; one could potentially lead to remote code execution. The otheris, arguably, not exactly a flaw in the Python standard library—it simplyalso follows an older standard—but it can lead to web cachepoisoning attacks.

Sergio Durigan Junior has announced the availability of a debuginfod server for Debiansystems. "In a nutshell, by using a debuginfod service you will not need toinstall debuginfo (a.k.a. dbgsym) files anymore; the symbols will beserved to GDB (or any other debuginfo consumer that supports debuginfod)over the network. Ultimately, this makes the debugging experience muchsmoother (I myself never remember the full URL of our debuginforepository when I need it)."

Security updates have been issued by openSUSE (firefox and tor), Oracle (stunnel and xterm), Red Hat (virt:8.2 and virt-devel:8.2 and xterm), SUSE (avahi, gnuplot, java-1_7_0-ibm, and pcp), and Ubuntu (openssl).

NumPy is a Python library that addsan array data type to the language, along with providing operatorsappropriate to working on arrays and matrices. By wrapping fast Fortran andC numerical routines, NumPy allows Python programmers to write performant code in what is normally a relatively slowlanguage. NumPy 1.20.0 wasannounced on January 30, in what its developers describe as the largestrelease in the history of the project. That makes for a good opportunity toshow a little bit about what NumPy is, how to use it, and to describe what's new in therelease.

The5.11.1,5.10.18,5.4.100,4.19.177,4.14.222,4.9.258, and4.4.258stable kernels have all been released; each contains another set ofimportant fixes.

The Firefox86.0 release is out. New features this time include picture-in-picturevideo and "totalcookie protection", which appears to be a way to allow third-partycookies while preserving some privacy.

Security updates have been issued by Arch Linux (connman, firejail, kernel, python-django, roundcubemail, and wpa_supplicant), Fedora (gdk-pixbuf2 and gdk-pixbuf2-xlib), openSUSE (python3 and tomcat), Scientific Linux (xterm), SUSE (postgresql12 and postgresql13), and Ubuntu (gdk-pixbuf, openldap, python-django, and qemu).

The beginning of the 5.12 merge window was delayed as the result of severeweather in the US Pacific Northwest. Once Linus Torvalds got going, though, hewasted little time; as of this writing, just over 8,600 non-mergechangesets have been pulled into the mainline repository for the 5.12release — over a period of about two days. As one might imagine, that workcontains a long list of significant changes.

Matthew Garrett recently posted apatch set enabling hibernation on systems that are running in the UEFIsecure-boot lockdown mode. This blog entry getsinto the details of how it all works. "When we encrypt material withthe TPM, we can ask it to record the PCR state. This is given back to us asmetadata accompanying the encrypted secret. Along with the metadata is anadditional signature created by the TPM, which can be used to prove thatthe metadata is both legitimate and associated with this specific encrypteddata. In our case, that means we know what the value of PCR 23 was when weencrypted the key. That means that if we simply extend PCR 23 with a knownvalue in-kernel before encrypting our key, we can look at the value of PCR23 in the metadata. If it matches, the key was encrypted by the kernel -userland can create its own key, but it has no way to extend PCR 23 to theappropriate value first. We now know that the key was generated by thekernel."

Version 19 ofthe Kodi "entertainment center" application is out with a long list of newfeatures.For audio and music lovers, there are significant improvements across theboard to metadata handling: library improvements, new tags, new displays,improvements to how Kodi handles release dates, album durations, multi-discsets, and more. There's a new, Matrix-inspired visualisation, there areimprovements to display when fetching files from a web server, and severalchanges to how audio decoder addons can pass information through to theKodi player.For video, most of the changes are more technical, and may depend on yourhardware: AV1 software decoding, HLG HDR and static HDR10 playback onWindows 10, static HDR10 and dynamic Dolby Vision HDR support on Android,and more OpenGL bicubic scalers.

Security updates have been issued by Debian (chromium, libzstd, openldap, openvswitch, screen, and wpa), Fedora (dotnet5.0, subversion, and wpa_supplicant), openSUSE (mumble, python-djangorestframework, and tor), Oracle (container-tools:ol8, kernel, nodejs:10, nodejs:12, nodejs:14, subversion:1.10, and xterm), Red Hat (stunnel and xterm), and SUSE (ImageMagick, java-1_8_0-openjdk, kernel, krb5-appl, python3, tomcat, and webkit2gtk3).

Lockless algorithms are of interest for the Linux kernel when traditionallocking primitives either cannot be used or are not performant enough.For this reason they come up every now and then on LWN; one of the lastmentions, which prompted me to write this article series, was last July.Topics that arise even more frequently are read-copy-update (RCU — thesearticles from 2007 are still highly relevant), reference counting, andways of wrapping lockless primitives into higher-level,more easily understood APIs. These articles will delve into the conceptsbehind lockless algorithms and how they are used in the kernel.

Security updates have been issued by Debian (bind9, libbsd, openssl1.0, php-horde-text-filter, qemu, and unrar-free), Fedora (kiwix-desktop and libntlm), Mageia (coturn, mediawiki, privoxy, and veracrypt), openSUSE (buildah, libcontainers-common, podman), Oracle (kernel, nss, and perl), Red Hat (xterm), SUSE (java-1_7_1-ibm, php74, python-urllib3, and qemu), and Ubuntu (libjackson-json-java and shiro).

The copy_file_range()system call looks like a relatively straightforward feature; it allowsuser space to ask the kernel to copy a range of data from one file toanother, hopefully applying some optimizations along the way. In truth,this call has never been as generic as it seems, though some changes madeduring 5.3 helped in that regard. When the developers of the Go languageran into problems with copy_file_range(), there ensued a lengthydiscussion on how this system call should work and whether the kernel needsto do more to make it useful.

Security updates have been issued by Debian (mumble, openssl, php7.3, and webkit2gtk), openSUSE (jasper, php7, and screen), SUSE (bind, php7, and php72), and Ubuntu (bind9, openssl, openssl1.0, and webkit2gtk).

The Google Security Blog carries anannouncement of a heightened effort to reimplement security-criticalsoftware in memory-safe languages. "The new Rust-based HTTP and TLSbackends for curl and now this new TLS library for Apache httpd are animportant starting point in this overall effort. These codebases sit at thegateway to the internet and their security is critical in the protection ofdata for millions of users worldwide."

The LWN.net Weekly Edition for February 18, 2021 is available.

The venerable locatefile-finding utility has long been available for Linux systems, though itsorigins are in the BSD world. It is a generally useful tool, but does havea cost beyond just the disk space it occupies in the filesystem; there is aperiodic daemon program (updatedb)that runs to keep the file-name database up to date. As a recentdebian-devel discussion shows, though, people have differing ideas ofjust how important the tool is—and whether it should be part of the default installation of Debian.

The5.10.17 and5.4.99stable kernel updates have been released; they both contain another set ofimportant fixes.

Security updates have been issued by Debian (openssl and ruby-mechanize), Fedora (chromium, jasper, roundcubemail, spice-vdagent, and webkit2gtk3), openSUSE (python-bottle), Oracle (dotnet, kernel, and kernel-container), Red Hat (redhat-ds:11, RHDM, and RHPAM), SUSE (jasper, kernel, and screen), and Ubuntu (thunderbird and wpa).

Version 1.16 of the Golanguage is available. New features include an "embed" package, Apple Arm64support, use of modules by default, and build-performance improvements; seethe release notes for details.

On February 4, millions of browser tabs weresuddenly terminated. Not everyone was surprised; the dozen people who spent the lastfour months waiting for this tragedy to occur watched in relief as thefirst in a rapid stream of GitHubcomments began pouring in. The Great Suspender, a Chrome extension that suspended inactive tabs,with around two-million users, had been forcibly uninstalled because it containedmalware. This was a serious problem for users, in part due to the difficulty inrecovering the lost tabs, but the extension's malevolence had beenpainfully obvious to anyone who cared to investigate it.

Those of us who are watching the mainline kernel repository may have beenwondering why it appears that no pull requests for the 5.12 merge windowhave yet been acted upon. The problem, it seems, is power outages causedby the severe winter weather in the US Pacific northwest. Until that getsresolved, which could take a few days, the 5.12 merge window is likely toremain on hold.

Security updates have been issued by Debian (spip), Mageia (chromium-browser, kernel, kernel-linus, and trojita), openSUSE (mumble and opera), Red Hat (container-tools:rhel8, java-1.8.0-ibm, kernel, kernel-rt, net-snmp, nodejs:10, nodejs:12, nodejs:14, nss, perl, python, and rh-nodejs10-nodejs), and SUSE (jasper, python-bottle, and python-urllib3).

The 5.11 kernel was released on February 14 — the most romanticsort of Valentine's day gift one could hope for. This kernel saw themerging of 14,340 changesets from 1,912 developers; it is certainlynot the busiest development cycle we have seen recently, but it still saw alot of activity. Read on for our traditional look at where the code mergedfor 5.11 came from.

Security updates have been issued by Debian (busybox, linux-4.19, openvswitch, subversion, unbound1.9, and xterm), Fedora (audacity, community-mysql, kernel, libzypp, mysql-connector-odbc, python-django, python3.10, and zypper), openSUSE (librepo, openvswitch, subversion, and wpa_supplicant), Red Hat (subversion:1.10), SUSE (kernel, openvswitch, perl-File-Path, and wpa_supplicant), and Ubuntu (postgresql-12).

Linus has released the 5.11 kernel, asexpected. "I know it's Valentine's Day here in theUS - maybe give this release a good testing before you go back andplay with development kernels. All right? Because I'm sure your SOwill understand."Headline features in 5.11 includeIntel SGX support,a new system-call interception mechanism,the seccomp() constant-actionbitmap optimization,the internal kmap_local() API,the epoll_pwait2() system call,and much more.See the LWN merge-window articles(part 1,part 2) and the (under development) KernelNewbies 5.11 page formore information.

The5.10.16,5.4.98,and 4.19.176stable kernel updates have been released; each contains another set ofimportant fixes.

A briefpost on the Gentoo site is in memory of Kent "kent\n" Frederic."Kent was an active member of the Gentoo community for many years. He tirelessly managed Gentoo’s Perl support, and was active in the Rust project as well as in many other corners. We all remember him as an enthusiastic, bright person, with lots of eye for detail and constant willingness to help out and improve things. On behalf of the world-wide Gentoo community, our heartfelt condolences go out to his family and friends."

Seen from outside, the internals of the Linux kernel appear to be stable,especially in subsystems like the memory-management subsystem. However,from time to time, developers need to replace an internalinterface to solve a longstanding problem. One suchissue is contention on the lock used to protect essentialmemory-management structures, including the page tables and virtual memory areas(VMAs). Liam Howlett and Matthew Wilcox have been developing a newdata structure, called a "maple tree", to replace the data structurescurrently used for VMAs. This potentially big change in internal kernelstructures has been recently postedfor a review in a massive patch set.

Security updates have been issued by Arch Linux (ansible, chromium, cups, docker, firefox, gitlab, glibc, helm, lib32-glibc, minio, nextcloud, opendoas, opera, php, php7, privoxy, python-django, python-jinja, python2-jinja, thunderbird, vivaldi, and wireshark-cli), Fedora (jasper, linux-firmware, php, python-cryptography, spice-vdagent, subversion, and thunderbird), Mageia (gssproxy and phpldapadmin), openSUSE (chromium, containerd, docker, docker-runc,, librepo, nextcloud, and privoxy), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork, kernel, openvswitch, and wpa_supplicant), and Ubuntu (wpa).

Given the large set of system calls implemented by the Linux kernel, itwould not be surprising for most people to be unfamiliar with a few ofthem. Not everybody needs to know the details ofsetresgid(),modify_ldt(),orlookup_dcookie(),after all. But even developers who have a wide understanding of the Linuxsystem-call set may be surprised by kcmp(),which is not enabled by default in the kernel build. It would seem,though, that the word has gotten out, leading to an effort to makekcmp() more widely available.