LWN.net

Greg Kroah-Hartman has released stable kernels 5.10.13, 5.4.95, 4.19.173, 4.14.219, 4.9.255, and 4.4.255. They all contain important fixes andusers should upgrade.

The release of Firefox 85at the end of January brought a new technique for thwarting yet-anotherweb-tracking scheme. The use of browser cookies for tracking iswell-established and the browser makers have taken steps to block theworst abuses there, but users can also take steps to manage and clear thosecookies. The arms race continues, however, as tracking companies are usingbrowser caches to store what Mozilla calls "supercookies", which allowusers to be tracked across the web sites that they visit. That has led thebrowser makers to partition these caches by web site in order to preventthis tracking technique.

Greg Kroah-Hartman hasa suggestion for anybody who would like to help him maintainlong-term-stable kernel releases. "All I request is that people testthe -rc releases when I announce them, and let me know if they work or notfor their systems/workloads/tests/whatever. [...] But, if you want to do more,I always really appreciate when people email me, or stable@vger.kernel.org,git commit ids that are needed to be backported to specific stable kerneltrees because they found them in their testing/development efforts."

Security updates have been issued by Debian (open-build-service and openldap), Fedora (jasper, libebml, and tcmu-runner), openSUSE (segv_handler), Red Hat (thunderbird), Scientific Linux (kernel), SUSE (cups and openvswitch), and Ubuntu (apport and ca-certificates).

Version 4.2of the desktop-oriented Solus distribution is available. "Werecognized that Desktop Icons was an important part of the workflow of manyusers, so we spent considerable time during this development cycle ensuringthere was a solution for them as well as our downstream users ofBudgie. Expanding on this, Solus 4.2 defaults to having desktop iconsenabled to make Solus more approachable to new users." Some moreinformation on the desktop changes can be found in this blogentry from December.

The LibreOffice 7.1 "Community" release is out. "LibreOffice 7.1Community adds several interoperability improvements with DOCX/XLSX/PPTXfiles: improvements to Writer tables (better import/export and managementof table functions, and better support for change tracking in floatingtables); a better management of cached field results in Writer; support ofspacing below the header's last paragraph in DOC/DOCX files; and additionalSmartArt improvements when importing PPTX files." The announcementalso goes on at length about the new "community" label and how this release"is not targeted at enterprises".

A longstanding hole in the Sudoprivilege-delegation tool that was discoveredin late January is a potent local vulnerability. Exploiting it allows local usersto run code of their choosing as root by way of a bog-standard heap-bufferoverflow. It seems like the kind of bug that might have been found earlier viacode inspection or fuzzing, but it has remained in this security-sensitiveutility since it was introduced in 2011.

Security updates have been issued by Debian (firefox-esr, libdatetime-timezone-perl, python-django, thunderbird, and tzdata), Fedora (kf5-messagelib and qt5-qtwebengine), Mageia (kernel-linus), openSUSE (firefox, jackson-databind, and messagelib), Oracle (flatpak), Red Hat (glibc, kernel, kernel-alt, kernel-rt, linux-firmware, net-snmp, perl, qemu-kvm, and qemu-kvm-ma), SUSE (firefox, java-11-openjdk, openvswitch, terraform, and thunderbird), and Ubuntu (fastd, firefox, python-django, and qemu).

Version 2.33 of the GNU C library is out. Changes this time include anumber of dynamic linker improvements, 32-bit RISC-V support, and a numberof security fixes.

The kernel development community talks often about subsystems and subsystemmaintainers, but it is less than entirely clear about what a "subsystem" is inthe first place. People wanting to understand how kernel development workscould benefit from a clearer idea of what actually comprises a subsystemwithin the kernel. In an attempt to better understand how kerneldevelopment works, Pia Eichinger and her colleagues spent a lot of time lookingfor the actual boundaries; Eichinger presented that work at the 2021linux.conf.au online gathering.

Security updates have been issued by Arch Linux (home-assistant, libgcrypt, libvirt, and mutt), Debian (ffmpeg, kernel, libonig, libsdl2, mariadb-10.1, and thunderbird), Fedora (chromium, firefox, jasper, libebml, mingw-python3, netpbm, opensmtpd, thunderbird, and xen), Gentoo (firefox and thunderbird), Mageia (db53, dnsmasq, kernel, kernel-linus, and php-pear), openSUSE (go1.14, go1.15, messagelib, nodejs8, segv_handler, and thunderbird), Oracle (firefox, kernel, and thunderbird), Red Hat (flatpak), SUSE (firefox and rubygem-nokogiri), and Ubuntu (mysql-5.7, mysql-8.0 and python-django).

The 5.11-rc6 kernel prepatch is out fortesting. "Things look a little calmer than last week, and over-all very averagefor rc6. So - like always this late in the release schedule - I'dcertainly have liked things to be even calmer, but nothing here reallystands out."

The stable-kernel machine has produced another set of updates:5.10.12,5.4.94,4.19.172,4.14.218,4.9.254, and4.4.254.Each contains a relatively small set of important fixes.

There was a time when people who were exploring computational technologysaw it as the path toward decentralization and freedom worldwide. What wehave ended up with, instead, is a world that is increasingly centralized,subject to surveillance, and unfree. How did that come to be? In a keynote at theonline 2021 linux.conf.au event, Cory Doctorow gave his view of this problem andnamed its source: monopoly.

The GNU Privacy Guard (GnuPG or GPG) project has announced a critical security bug in Libgcrypt version 1.9.0 released January 19. "Libgcrypt is a general purpose library of cryptographic building blocks.It is originally based on code used by GnuPG. It does not provide anyimplementation of OpenPGP or other protocols. Thorough understanding ofapplied cryptography is required to use Libgcrypt." Version 1.9.1 has been released to address the problem and all users of 1.9.0 should update immediately. It is a heap buffer overflow, but no version of GnuPG uses the 1.9 series yet. "Exploiting this bug is simple and thus immediate action for 1.9.0 usersis required. A CVE-id has not yet been assigned. We track this bug athttps://dev.gnupg.org/T5275. The 1.9.0 tarballs on our FTP server havebeen renamed so that scripts won't be able to get this version anymore."

David Malcolm describesthe progress in the GCC static analyzer for the upcoming GCC 11release. "In GCC 10, I added the new -fanalyzer option, a staticanalysis pass for identifying various problems at compile-time, rather thanat runtime. The initial implementation was aimed at early adopters, whofound a few bugs, including a security vulnerability: CVE-2020-1967. BerndEdlinger, who discovered the issue, had to wade through many falsepositives accompanying the real issue. Other users also managed to get theanalyzer to crash on their code.I’ve been rewriting the analyzer to address these issues in the next major release, GCC 11. In this article, I describe the steps I’m taking to reduce the number of false positives and make this static analysis tool more robust."

Security updates have been issued by Arch Linux (dnsmasq, erlang, flatpak, go, gobby, gptfdisk, jenkins, kernel, linux-hardened, linux-lts, linux-zen, lldpd, openvswitch, podofo, virtualbox, and vlc), Fedora (erlang, firefox, nss, and seamonkey), Gentoo (imagemagick, nsd, and vlc), openSUSE (chromium and python-autobahn), Oracle (firefox and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (firefox, jackson-databind, and thunderbird), and Ubuntu (libxstream-java).

Jeffrey Walsh started off his 2021linux.conf.au presentation with a statement that, while 2020 was not the greatest year ever, there were stillsomegood things that happened; one of those was the Emacs 27.1 release.This major update brought a number of welcome new features, but alsoled to yet another discussion on the future ofEmacs. With that starting point, Walsh launched into a fast-movinglook at the history of Emacs, why users still care about it, what changesare coming, and (especially) what was involved in moving Emacs away fromthe X window system and making it work with the Wayland compositor.

Security updates have been issued by Debian (ansible, firefox-esr, and slurm-llnl), Fedora (firefox, nss, php-pear, seamonkey, and thunderbird), Gentoo (phpmyadmin and telegram-desktop), openSUSE (chromium and python-autobahn), Oracle (firefox and sudo), Red Hat (firefox), Scientific Linux (firefox), and Ubuntu (ceph, kernel, linux, linux-lts-xenial, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux-aws, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, and tcmu).

The LWN.net Weekly Edition for January 28, 2021 is available.

It would appear that "sudo" has a buffer-overflow vulnerability that allowsany local user to gain root privileges, whether or not they are in thesudoers file. It has been there since 2011. See thisadvisory for details, but perhaps run an update first.

Distribution developers do a lot of work to keep a language ecosystemworking well within the distribution. It is relatively thankless work thatnormally only becomes visible when there is a problem or complaint. ButMiro Hrončok recently put together a lookback at what the Fedora Python team did during 2020. While it is,obviously, Fedora-specific, it provides something of a look inside at thekinds of things that distribution teams work on.

Open-source software is famously able to be used by anyone for any purpose;those are some of the keystones of the opensource definition.But some companies that run open-source projects are increasingly unhappythat others are reaping some of the profits from those projects. That has led to variousefforts of "license reform" meant to try to capture those profits. Sofar, those efforts have just led to non-open-source licenses, thus projectsthat are no longer open source. We are seeingthat play out yet again with Elastic's mid-January announcement thatit was changing the license on some of its projects.

Stable kernels 5.10.11, 5.4.93, and 4.19.171 have been released. They containimportant fixes and users should upgrade.

Security updates have been issued by Arch Linux (sudo), CentOS (sudo), Debian (sudo), Fedora (kernel, php-pear, and sudo), Gentoo (cacti, mutt, and sudo), Mageia (sudo), openSUSE (sudo), Oracle (sudo), Red Hat (sudo), Scientific Linux (sudo), Slackware (sudo), SUSE (go1.14, go1.15, nodejs8, and sudo), and Ubuntu (libsndfile and sudo).

Security updates have been issued by CentOS (dnsmasq, net-snmp, and xstream), Debian (mutt), Gentoo (cfitsio, f2fs-tools, freeradius, libvirt, mutt, ncurses, openjpeg, PEAR-Archive_Tar, and qtwebengine), openSUSE (chromium, mutt, stunnel, and virtualbox), Red Hat (cryptsetup, gnome-settings-daemon, and net-snmp), Scientific Linux (xstream), SUSE (postgresql, postgresql12, postgresql13 and rubygem-nokogiri), and Ubuntu (mutt).

Version 85 ofthe Firefox browser has been released. The headline change appears tobe the isolation of internal caches to defeat the use of "supercookies" totrack users; see thisblog entry for details. "In fact, there are many differentcaches trackers can abuse to build supercookies. Firefox 85 partitions allof the following caches by the top-level site being visited: HTTP cache,image cache, favicon cache, HSTS cache, OCSP cache, style sheet cache, fontcache, DNS cache, HTTP Authentication cache, Alt-Svc cache, and TLScertificate cache."

The Python Packaging Authority (PyPA) has announced the release of pip21.0. This version removes Python 2.7 and 3.5 support, and drops supportfor legacy cache entries from pip < 20.0.

The term "browser wars" typically refers to Microsoft's attempts todominate the World Wide Web with its Internet Explorer browser in the1990s. That effort was thwarted by antitrust efforts and the rise of thefree browser now known as Firefox;ever since, the web has been defined by free software. Or so some may havethought. In the 2020s, the browser wars continue with the growingdominance of Chrome and, it would seem, the imminent removal of Chromiumfrom many Linux distributions.

Security updates have been issued by Debian (crmsh, debian-security-support, flatpak, gst-plugins-bad1.0, openvswitch, python-bottle, salt, tomcat9, and vlc), Fedora (chromium, python-pillow, sddm, and xen), Gentoo (chromium, dnsmasq, flatpak, glibc, kdeconnect, openjdk, python, thunderbird, virtualbox, and wireshark), Mageia (blosc, crmsh, glibc, perl-DBI, php-oojs-oojs-ui, python-pip, python-urllib3, and undertow), openSUSE (gdk-pixbuf, hawk2, ImageMagick, opera, python-autobahn, viewvc, wavpack, and xstream), Red Hat (dnsmasq), Slackware (seamonkey), SUSE (hawk2, ImageMagick, mutt, permissions, and stunnel), and Ubuntu (pound).

The 5.11-rc5 kernel prepatch is out fortesting. "Nothing particularly stands out. We had a couple of splice()regressions that came in during the previous release as part of the'get rid of set_fs()' development, but they were for odd cases thatmost people would never notice. I think it's just that 5.10 is nowgetting more widely deployed so people see the fallout from thatrather fundamental change in the last release."

The next round of stable kernel updates is out:5.10.10,5.4.92,4.19.170,4.14.217,4.9.253, and4.4.253.Each contains another set of important fixes.

Memory fragmentation has long been a problem for Linux systems, to thepoint that, for years, finding even two physically contiguous pages was anuncertain affair. That said, the situation has improved considerably inthe last decade or so thanks to a number of changes implemented by thememory-management developers. One of those changes is the creation of"movable"memory zones where pages can be relocated if need be. All that work is fornothing, though, if somebody comes along and pins down a page in one ofthese movable zones. Thispatch set from Pavel Tatashin seeks to prevent that from happening, butmay risk creating problems elsewhere.

Security updates have been issued by Debian (drupal7), Fedora (dotnet3.1), Gentoo (zabbix), openSUSE (ImageMagick and python-autobahn), and SUSE (hawk2 and wavpack).

Libre Arts (formerly Libre Graphics World) has posted a comprehensivesurvey of what 2021 might hold for a wide range of freecontent-creation software.The topic of fullscreen color management implementation in Wayland is back,and it’s a kinda frustrating story. In a nutshell:

The Corellium blog is carrying a description of how the Linuxport to the Apple M1 processor was done. "Many components of theM1 are shared with Apple mobile SoCs, which gave us a good runningstart. But when writing Linux drivers, it became very apparent hownon-standard Apple SoCs really are. Our virtual environment is extremelyflexible in terms of models it can accommodate; but on the Linux side, the64-bit ARM world has largely settled on a well-defined set of buildingblocks and firmware interfaces - nearly none of which were used on theM1."

As a general rule, when one attempts to open a file with a system call likeopenat2(),the expectation is that the call will not return until the job is done.But there are times where the desire to open the file is conditional onbeing able to open it immediately, without blocking. Linux has neversupported that mode well, but that may be about to change with thispatch set from Jens Axboe.

Security updates have been issued by Debian (mutt), Fedora (libntlm, mingw-python-pillow, python-pillow, and sudo), Mageia (kernel), SUSE (gdk-pixbuf, perl-Convert-ASN1, samba, and yast2-multipath), and Ubuntu (linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.4, linux-hwe-5.8, linux-oracle).

The LWN.net Weekly Edition for January 21, 2021 is available.

It is an unfortunate fact of life that non-free firmware blobs are requiredto use some hardware, such as network devices (WiFi in particular), audioperipherals, and video cards. Beyond that, those blobs may even berequired in order to install a Linux distribution, so an installation overthe network may need to get non-free firmware directly from the installationmedia. That, as might be guessed, is a bit of a problem for distributionsthat are not willing to officially ship said firmware because of itsnon-free status, as a recent discussion in the Debian community shows.

Back in October, LWN looked at a conversationwithin the Debian project regarding whether it was permissible to shipKubernetes bundled with some 200 dependencies. The Debian technicalcommittee has finally cometo a conclusion on this matter: this bundling is acceptable and themaintainer will not be required to make changes:Our consensus is that Kubernetes ought to be considered special inthe same way that Firefox is considered special -- we treat thepackage differently from most other source packages because (i) itis very large and complex, and (ii) upstream has significantly moreresources to keep all those moving parts up-to-date than Debiandoes.In the end, allowing this vendoring seemed like the only feasible way topackage Kubernetes for Debian.

Shay Banon first announced thatElastic would move its Apache 2.0-licensed source code in Elasticsearch andKibana to be dual licensed under Server Side Public License (SSPL) and theElastic License. "To be clear, our distributions starting with 7.11will be provided only under the Elastic License, which does not have anycopyleft aspects. If you are building Elasticsearch and/or Kibana fromsource, you may choose between SSPL and the Elastic License to govern youruse of the source code."In anotherpost Banon added some clarification. "SSPL, a copyleft licensebased on GPL, aims to provide many of the freedoms of open source, thoughit is not an OSI approved license and is not considered opensource."There is also this articleon why the change was made. "So why the change? AWS and AmazonElasticsearch Service. They have been doing things that we think are just NOT OK since 2015 and it has only gotten worse. If we don’t stand upto them now, as a successful company and leader in the market, whowill?"The FAQ hasadditional information. "While we have chosen to avoid confusion by not using the term open source to refer to these products, we will continue to use the word “Open” and “Free and Open.” These are simple ways to describe the fact that the product is free to use, the source code is available, and also applies to our open and collaborative engagement model in GitHub. We remain committed to the principles of open source - transparency, collaboration, and community."

Security updates have been issued by Fedora (coturn, dovecot, glibc, and sudo), Mageia (openldap and resource-agents), openSUSE (dnsmasq, python-jupyter_notebook, viewvc, and vlc), Oracle (dnsmasq and xstream), SUSE (perl-Convert-ASN1, postgresql, postgresql13, and xstream), and Ubuntu (nvidia-graphics-drivers-418-server, nvidia-graphics-drivers-450-server, pillow, pyxdg, and thunderbird).

Red Hat has announceda new set of options meant to attract current CentOS users who are unhappywith the shift to CentOS Stream."While CentOS Linux provided a no-cost Linux distribution, no-cost RHEL also exists today through the Red Hat Developer program. The program’s terms formerly limited its use to single-machine developers. We recognized this was a challenging limitation.We’re addressing this by expanding the terms of the Red Hat Developer program so that the Individual Developer subscription for RHEL can be used in production for up to 16 systems. That’s exactly what it sounds like: for small production use cases, this is no-cost, self-supported RHEL."

Stable kernels 5.10.9, 5.4.91, and 4.19.169 have been released with importantfixes. Users of those series should upgrade.

SciPy is a collection of Pythonlibraries for scientific and numerical computing. Nearly every serious userof Python for scientific research uses SciPy. Since Python is popular acrossall fields of science, and continues to be a prominent language in someareas of research, such as data science, SciPy has a large userbase. On New Year's Eve, SciPyannouncedversion 1.6 of the scipy library, which is the centralcomponent in the SciPy stack. That release gives us a good opportunity to delveinto this software and givesome examples of its use.

Security updates have been issued by Debian (gst-plugins-bad1.0), Fedora (flatpak), Red Hat (dnsmasq, kernel, kpatch-patch, libpq, linux-firmware, postgresql:10, postgresql:9.6, and thunderbird), SUSE (dnsmasq), and Ubuntu (dnsmasq, htmldoc, log4net, and pillow).

User namespaces provide a number ofinteresting challenges for the kernel. They give a user the illusion ofowning the system, but must still operate within the restrictions thatapply outside of the namespace. Resourcelimits represent one type of restriction that, it seems, is proving too restrictive for some users. Thispatch set from Alexey Gladkov attempts to address the problem by way ofa not-entirely-obvious approach.

Version3.9.0.0 of the GNU Radio software-defined radio system has beenreleased. "All in all, the main breaking change for pure GRC userswill consist in a few changed blocks – an incredible feat, considering theamount of shift under the hood."

Security updates have been issued by Arch Linux (atftp, coturn, gitlab, mdbook, mediawiki, nodejs, nodejs-lts-dubnium, nodejs-lts-erbium, nodejs-lts-fermium, nvidia-utils, opensmtpd, php, python-cairosvg, python-pillow, thunderbird, vivaldi, and wavpack), CentOS (firefox and thunderbird), Debian (chromium and snapd), Fedora (chromium, flatpak, glibc, kernel, kernel-headers, nodejs, php, and python-cairosvg), Mageia (bind, caribou, chromium-browser-stable, dom4j, edk2, opensc, p11-kit, policycoreutils, python-lxml, resteasy, sudo, synergy, and unzip), openSUSE (ceph, crmsh, dovecot23, hawk2, kernel, nodejs10, open-iscsi, openldap2, php7, python-jupyter_notebook, slurm_18_08, tcmu-runner, thunderbird, tomcat, viewvc, and vlc), Oracle (dotnet3.1 and thunderbird), Red Hat (postgresql:10, postgresql:12, postgresql:9.6, and xstream), SUSE (ImageMagick, openldap2, slurm, and tcmu-runner), and Ubuntu (icoutils).