Odprtokodni pogled

Opensource view

LWN.net

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Posodobljeno: 28 min 12 sec nazaj

[$] Identifying dependencies used via dlopen()

Tor, 04/16/2024 - 20:54

The recent XZ backdoor has sparked a lot of discussion about how the open-source community links and packages software. One possible security improvement being discussed is changing how projects like systemd link to dynamic libraries that are only used for optional functionality: using dlopen() to load those libraries only when required. This could shrink the attack surface exposed by dependencies, but the approach is not without downsides — most prominently, it makes discovering which dynamic libraries a program depends on harder. On April 11, Lennart Poettering proposed one way to eliminate that problem in a systemd RFC on GitHub.

[$] Fedora 40 firms up for release

Tor, 04/16/2024 - 17:00

Fedora 40 Beta was released on March 26, and the final release is nearing completion. So far, the release is coming together nicely with major updates for GNOME, KDE Plasma, and the usual cavalcade of smaller updates and enhancements. As part of the release, the project also scuttled Delta RPMs and OpenSSL 1.1.

PuTTY 0.81 security release

Tor, 04/16/2024 - 16:33
Version 0.81 of the PuTTY SSH client is out with a fix for CVE-2024-31497; some users will want to update and generate new keys:

PuTTY 0.81, released today, fixes a critical vulnerability CVE-2024-31497 in the use of 521-bit ECDSA keys (ecdsa-sha2-nistp521). If you have used a 521-bit ECDSA private key with any previous version of PuTTY, consider the private key compromised: remove the public key from authorized_keys files, and generate a new key pair.

However, this only affects that one algorithm and key size. No other size of ECDSA key is affected, and no other key type is affected.

(Thanks to Joe Nahmias).

Security updates for Tuesday

Tor, 04/16/2024 - 15:00
Security updates have been issued by Debian (php7.4 and php8.2), Fedora (c-ares), Mageia (python-pillow and upx), Oracle (bind and dhcp, bind9.16, httpd:2.4/mod_http2, kernel, rear, and unbound), SUSE (eclipse, maven-surefire, tycho, emacs, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, nodejs16, nodejs18, nodejs20, texlive, vim, webkit2gtk3, and xen), and Ubuntu (gnutls28, klibc, libvirt, nodejs, and webkit2gtk).

OpenSSF and OpenJS warn about social-engineering attacks

Pon, 04/15/2024 - 17:48
The Open Source Security Foundation and the OpenJS Foundation have jointly posted a warning about XZ-like social-engineering attacks after OpenJS was seemingly targeted.

The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to "address any critical vulnerabilities," yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement.

[$] Cleaning up after BPF exceptions

Pon, 04/15/2024 - 15:56

Kumar Kartikeya Dwivedi has been working to add support for exceptions to BPF since mid-2023. In July, Dwivedi posted the first patch set in this effort, which adds support for basic stack unwinding. In February 2024, he posted the second patch set aimed at letting the kernel release resources held by the BPF program when an exception occurs. This makes exceptions usable in many more contexts.

Security updates for Monday

Pon, 04/15/2024 - 14:42
Security updates have been issued by AlmaLinux (bind, bind and dhcp, bind9.16, gnutls, httpd:2.4/mod_http2, squid:4, and unbound), Debian (kernel, trafficserver, and xorg-server), Fedora (chromium, kernel, libopenmpt, and rust-h2), Mageia (apache-mod_jk, golang, indent, openssl, perl-HTTP-Body, php, rear, ruby-rack, squid, varnish, and xfig), Oracle (bind, squid, unbound, and X.Org server), Red Hat (bind and dhcp and unbound), Slackware (less and php), SUSE (gnutls, python-Pillow, webkit2gtk3, xen, xorg-x11-server, and xwayland), and Ubuntu (yard).

Kernel prepatch 6.9-rc4

Ned, 04/14/2024 - 22:18
The 6.9-rc4 kernel prepatch is out for testing. "Nothing particularly unusual going on this week - some new hw mitigations may stand out, but after a decade of this I can't really call it 'unusual' any more, can I?"

Saturday's stable kernel updates

Sob, 04/13/2024 - 22:30
The 6.8.6, 6.6.27, 6.1.86, 5.15.155, 5.10.215, 5.4.274, and 4.19.312 stable kernel updates have all been released; each contains a relatively large number of important fixes.

[$] A tale of two troublesome drivers

Pet, 04/12/2024 - 15:29
The kernel project merges dozens of drivers with every development cycle, and almost every one of those drivers is entirely uncontroversial. Occasionally, though, a driver submission raises wider questions, leading to lengthy discussion and, perhaps, opposition. That is currently the case with two separate drivers, both with ties to the networking subsystem. One of them is hung up on questions of whether (and how) all device functionality should be made available to user space, while the other has run into turbulence because it drives a device that is unobtainable outside of a single company.

What we need to take away from the XZ Backdoor (openSUSE News)

Pet, 04/12/2024 - 14:55
Dirk Mueller has posted a lengthy analysis of the XZ backdoor on the openSUSE News site, with a focus on openSUSE's response.

Debian, as well as the other affected distributions like openSUSE are carrying a significant amount of downstream-only patches to essential open-source projects, like in this case OpenSSH. With hindsight, that should be another Heartbleed-level learning for the work of the distributions. These patches built the essential steps to embed the backdoor, and do not have the scrutiny that they likely would have received by the respective upstream maintainers. Whether you trust Linus Law or not, it was not even given a chance to chime in here. Upstream did not fail on the users, distributions failed on upstream and their users here.

Security updates for Friday

Pet, 04/12/2024 - 14:25
Security updates have been issued by Debian (chromium), Fedora (rust, trafficserver, and upx), Mageia (postgresql-jdbc and x11-server, x11-server-xwayland, tigervnc), Red Hat (bind, bind9.16, gnutls, httpd:2.4, squid, unbound, and xorg-x11-server), SUSE (perl-Net-CIDR-Lite), and Ubuntu (apache2, maven-shared-utils, and nss).

[$] Completing the EEVDF scheduler

Čet, 04/11/2024 - 15:26
The Earliest Virtual Deadline First (EEVDF) scheduler was merged as an option for the 6.6 kernel. It represents a major change to how CPU scheduling is done on Linux systems, but the EEVDF front has been relatively quiet since then. Now, though, scheduler developer Peter Zijlstra has returned from a long absence to post a patch series intended to finish the EEVDF work. Beyond some fixes, this work includes a significant behavioral change and a new feature intended to help latency-sensitive tasks.

Security updates for Thursday

Čet, 04/11/2024 - 14:49
Security updates have been issued by AlmaLinux (kernel, less, libreoffice, nodejs:18, nodejs:20, rear, thunderbird, and varnish), Debian (pillow), Fedora (dotnet7.0), SUSE (sngrep, texlive-specs-k, tomcat, tomcat10, and xorg-x11-server), and Ubuntu (nss, squid, and util-linux).

Security updates for Thursday

Čet, 04/11/2024 - 14:49
Security updates have been issued by AlmaLinux (kernel, less, libreoffice, nodejs:18, nodejs:20, rear, thunderbird, and varnish), Debian (pillow), Fedora (dotnet7.0), SUSE (sngrep, texlive-specs-k, tomcat, tomcat10, and xorg-x11-server), and Ubuntu (nss, squid, and util-linux).

[$] LWN.net Weekly Edition for April 11, 2024

Čet, 04/11/2024 - 01:47
The LWN.net Weekly Edition for April 11, 2024 is available.

Gentoo Linux becomes an SPI Associated Project

Sre, 04/10/2024 - 20:10

The Gentoo Linux project has announced that it is now an Associated Project of Software in the Public Interest (SPI), which will allow it to accept tax deductible donations in the US and reduce its "non-technical workload":

The current Gentoo Foundation has bylaws restricting its behavior to that of a non-profit, is a recognized non-profit only in New Mexico, but a for-profit entity at the US federal level. A direct conversion to a federally recognized non-profit would be unlikely to succeed without significant effort and cost.

[...] SPI is already now recognized at US federal level as a full-[fledged] non-profit 501(c)(3). It also handles several projects of similar type and size (e.g., Arch and Debian) and as such has exactly the experience and background that Gentoo needs.

According to the announcement, the goal is to "eventually transfer the existing assets to SPI and dissolve the Gentoo Foundation". How to do that is still under discussion. This will not affect Förderverein Gentoo e.V., which has public-benefit status in Germany and can accept tax deductible donations in Europe.

Gentoo Linux becomes an SPI Associated Project

Sre, 04/10/2024 - 20:10

The Gentoo Linux project has announced that it is now an Associated Project of Software in the Public Interest (SPI), which will allow it to accept tax deductible donations in the US and reduce its "non-technical workload":

The current Gentoo Foundation has bylaws restricting its behavior to that of a non-profit, is a recognized non-profit only in New Mexico, but a for-profit entity at the US federal level. A direct conversion to a federally recognized non-profit would be unlikely to succeed without significant effort and cost.

[...] SPI is already now recognized at US federal level as a full-[fledged] non-profit 501(c)(3). It also handles several projects of similar type and size (e.g., Arch and Debian) and as such has exactly the experience and background that Gentoo needs.

According to the announcement, the goal is to "eventually transfer the existing assets to SPI and dissolve the Gentoo Foundation". How to do that is still under discussion. This will not affect Förderverein Gentoo e.V., which has public-benefit status in Germany and can accept tax deductible donations in Europe.

Four stable kernel updates

Sre, 04/10/2024 - 16:25

Greg Kroah-Hartman has announced another round of stable kernel updates: 6.8.5, 6.6.26, 6.1.85, and 5.15.154 have all been released; each contains another set of important fixes, including the mitigations for the recently disclosed branch history injection hardware vulnerability.

[$] Book review: Practical Julia

Sre, 04/10/2024 - 15:31
A recent book by LWN guest author Lee Phillips provides a nice introduction to the Julia programming language. Practical Julia does more than that, however. As its subtitle ("A Hands-On Introduction for Scientific Minds") implies, the book focuses on bringing Julia to scientists, rather than programmers, which gives it something of a different feel from most other books of this sort.
sfy39587f05