Odprtokodni pogled

Opensource view


Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Posodobljeno: 17 min 13 sec nazaj

Two stable kernels

Pon, 12/11/2023 - 15:13
Greg Kroah-Hartman has announced the release of the 6.6.6 and 6.1.67 stable kernels. Both contain a single reversion of the "wifi: cfg80211: fix CQM for non-range use" patch.

Security updates for Monday

Pon, 12/11/2023 - 15:02
Security updates have been issued by Debian (chromium), Fedora (bluez, chromium, and curl), Red Hat (apr), Slackware (libxml2), and Ubuntu (squid3 and tar).

Ext4 data corruption in stable kernels

Sob, 12/09/2023 - 23:55
There is a problem in multiple stable kernel releases that is causing data corruption in ext4 filesystems. It is caused by a problematic commit that is in multiple stable kernels: The commit got merged in 6.5-rc1 so all stable kernels that have 91562895f803 ("ext4: properly sync file size update after O_SYNC direct IO") before 6.5 are corrupting data - I've noticed at least 6.1 is still carrying the problematic commit.

More information can be found in a Debian bug report. It has also delayed the release of Debian 12.3 images. "Please do not upgrade any systems at this time, we urge caution for users with UnattendeUpgrades configured."

(Thanks to Alex Ridevski for giving us a heads up on this.)

[$] Modern C for Fedora (and the world)

Pet, 12/08/2023 - 17:02
It can be instructive to pull down the dog-eared copy of the first edition of The C Programming Language that many of us still have on our bookshelves; the language has changed considerably since that book was published. Many "features" of early C have been left behind, usually for good reasons, but there is still a lot of code in the wild that is still using those features. A concerted effort is being made in both the Fedora and GCC communities to fix that old code and enable some new errors in the GCC 14 release (which is in stage 3 of its development cycle and likely to be released by mid-2024), but a fair amount of work remains to be done.

A bunch of new stable kernels

Pet, 12/08/2023 - 16:42
The 6.6.5, 6.1.66, 5.15.142, 5.10.203, 5.4.263, 4.19.301, and 4.14.332 stable kernels have been released. As usual, they contain important fixes throughout the kernel tree.

Security updates for Friday

Pet, 12/08/2023 - 15:53
Security updates have been issued by Fedora (chromium), Mageia (firefox, thunderbird, and vim), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools- container, virt-operator-container), and Ubuntu (freerdp2, glibc, and tinyxml).

[$] Controlling shadow-stack allocation in clone3()

Čet, 12/07/2023 - 17:28
User-space shadow stacks are a relatively new feature in Linux; support was only added for 6.6, and is limited to the x86 architecture. As support for other architectures (including arm64 and RISC-V) approaches readiness, though, more thought is going into the API for this feature. As a recent discussion on the integration of shadow stacks with the clone3() system call shows, there are still some details to be worked out.

Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack (ars technica)

Čet, 12/07/2023 - 16:10
This ars technica article describes how secure-boot firmware on a huge range of systems can be subverted with a malicious image file:

As its name suggests, LogoFAIL involves logos, specifically those of the hardware seller that are displayed on the device screen early in the boot process, while the UEFI is still running. Image parsers in UEFIs from all three major IBVs [independent BIOS vendors] are riddled with roughly a dozen critical vulnerabilities that have gone unnoticed until now. By replacing the legitimate logo images with identical-looking ones that have been specially crafted to exploit these bugs, LogoFAIL makes it possible to execute malicious code at the most sensitive stage of the boot process.

Security updates for Thursday

Čet, 12/07/2023 - 15:18
Security updates have been issued by Debian (tzdata), Fedora (gmailctl), Oracle (kernel), Red Hat (linux-firmware, postgresql:12, postgresql:13, and squid:4), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, frr, libtorrent-rasterbar, qbittorrent, openssl-3, openvswitch, openvswitch3, and suse-build-key), and Ubuntu (bluez, curl, linux, linux-aws, linux-azure, linux-laptop, linux-lowlatency, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive, linux-gcp, open-vm-tools, postgresql-12, postgresql-14, postgresql-15, and python-cryptography).

[$] LWN.net Weekly Edition for December 7, 2023

Čet, 12/07/2023 - 01:58
The LWN.net Weekly Edition for December 7, 2023 is available.

[$] A schism in the OpenPGP world

Sre, 12/06/2023 - 23:16
The OpenPGP standard for email encryption has been around since 1997, when it was derived from the venerable Pretty Good Privacy (PGP) program that was released in 1991. Since it came about, OpenPGP has been the decentralized, interoperable way to exchange encrypted email, though its use never really took off as advocates hoped. Now, though, it would seem that a split in the OpenPGP community threatens to fragment the OpenPGP-encrypted-email landscape, potentially leading to interoperability woes.

SLAM: a new Spectre technique

Sre, 12/06/2023 - 17:03
Many processor vendors provide a mechanism to allow some bits of a pointer value to be used to store unrelated data; these include Intel's linear address masking (LAM), AMD's upper address ignore, and Arm's top-byte ignore. A set of researchers has now come up with a way (that they call "SLAM") to use those features to bypass many checks on pointer validity, opening up a new set of Spectre attacks.

In response to SLAM, Intel made plans to provide software guidance prior to the future release of Intel processors which support LAM (e.g., deploying LAM jointly with LASS). Linux engineers developed patches to disable LAM by default until further guidance is available. ARM published an advisory to provide guidance on future TBI-enabled CPUs. AMD did not implement guidance updates and pointed to existing Spectre v2 mitigations to address the SLAM exploit described in the paper.

See the full paper for the details.

Security updates for Wednesday

Sre, 12/06/2023 - 15:33
Security updates have been issued by Fedora (chromium, clevis-pin-tpm2, firefox, keyring-ima-signer, libkrun, perl, perl-PAR-Packer, polymake, poppler, rust-bodhi-cli, rust-coreos-installer, rust-fedora-update-feedback, rust-gst-plugin-reqwest, rust-pore, rust-rpm-sequoia, rust-sequoia-octopus-librnp, rust-sequoia-policy-config, rust-sequoia-sq, rust-sequoia-wot, rust-sevctl, rust-snphost, and rust-tealdeer), Mageia (samba), Red Hat (postgresql:12), SUSE (haproxy and kernel-firmware), and Ubuntu (haproxy, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-lowlatency, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-oem-6.1, and redis).

[$] Supplementing CVEs with !CVEs

Tor, 12/05/2023 - 21:34
The Common Vulnerabilities and Exploits (CVE) system is the main mechanism for tracking various security flaws, using the omnipresent CVE number—even vulnerabilities with fancy names and web sites have CVE numbers. But the CVE system is not without its critics and, in truth, the incentives between the reporting side and those responsible for handling the bugs have always been misaligned, which leads to abuse of various kinds. There have been efforts to combat some of those abuses along the way; a newly announced "!CVE" project is meant to track vulnerabilities "that are not acknowledged by vendors but still are serious security issues".

Security updates for Tuesday

Tor, 12/05/2023 - 15:09
Security updates have been issued by Debian (roundcube), Fedora (java-latest-openjdk), Mageia (libqb), SUSE (python-Django1), and Ubuntu (request-tracker4).

Django 5.0 released

Pon, 12/04/2023 - 17:03
Version 5.0 of the Django web framework is out. Significant changes include database-computed default values, field groups in the templating system, and more; see the release notes for details.

[$] What remains to be done for proxy execution

Pon, 12/04/2023 - 17:00
The kernel's deadline scheduling class offers a solution to a number of realtime (or generally latency-sensitive) problems, but it is also resistant to the usual solutions for the priority-inversion problem. The development community has been pursuing proxy execution as a solution to a few scheduling challenges, including this one; the problem is difficult and progress has been slow. LWN last looked at proxy execution in June; at the 2023 Linux Plumbers Conference, John Stultz gave an overview of proxy execution, the current status of the work, and the remaining problems to solve.

GDB 14.1 released

Pon, 12/04/2023 - 16:54
Version 14.1 of the GDB debugger is out. Changes include initial support for the debugger adapter protocol, NO_COLOR support, the ability to work with integer types larger than 64 bits, a number of enhancements to the Python API, and more.

Bueso: LPC 2023: CXL Microconference

Pon, 12/04/2023 - 15:49
Davidlohr Bueso has posted a summary of the CXL microconference at the recently concluded Linux Plumbers Conference. "The goals for the track were to openly discuss current on-going development efforts around the core driver, as well as experimental memory management topics which lead to accommodating kernel infrastructure for new technology and use cases."

Security updates for Monday

Pon, 12/04/2023 - 15:22
Security updates have been issued by Debian (amanda, ncurses, nghttp2, opendkim, rabbitmq-server, and roundcube), Fedora (golang-github-openprinting-ipp-usb, kernel, kernel-headers, kernel-tools, and samba), Mageia (audiofile, galera, libvpx, and virtualbox), Oracle (kernel and postgresql:13), SUSE (openssl-3, optipng, and python-Pillow), and Ubuntu (firefox).