Security updates have been issued by Debian (powerline-gitstatus, tiff, and trafficserver), Fedora (dotnet6.0, firefox, git, kernel, libXpm, rust, sudo, upx, and yarnpkg), Mageia (kernel and kernel-linus), Red Hat (firefox, java-11-openjdk, and sudo), Slackware (mozilla and seamonkey), SUSE (cacti, cacti-spine, samba, and tor), and Ubuntu (firefox, php7.2, php7.4, php8.1, and python-setuptools, setuptools).

The 6.2-rc5 kernel prepatch is out.

Ok, so I thought we were back to normal after the winter holidays at rc4. Now, a week later, I think I was mistaken - we have fairly sizable rc5, so I suspect there was still pent up testing and fixes from people being off.

Anyway, I am expecting to do an rc8 this release regardless, just because we effectively had a lost week or two in the early rc's, so a sizable rc5 doesn't really worry me. I do hope we're done with the release candidates growing, though.

The kernel project does not host much user-space code in its repository, but there are exceptions. One of those, currently found in the tools/include/nolibc directory, has only been present since the 5.1 release. The nolibc project aims to provide minimal C-library emulation for small, low-level workloads. Read on for an overview of nolibc, its history, and future direction written by its principal contributor.

Security updates have been issued by Debian (lava and libitext5-java), Oracle (java-11-openjdk, java-17-openjdk, and libreoffice), SUSE (firefox, git, mozilla-nss, postgresql-jdbc, and sudo), and Ubuntu (git, linux-aws-5.4, linux-gkeop, linux-hwe-5.4, linux-oracle, linux-snapdragon, linux-azure, linux-gkeop, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle-5.15, and linux-bluefield).

The Google Project Zero page shows how to compromise the kernel by using a NULL pointer to repeatedly force an oops and overflow a reference count.

Back when the kernel was able to access userland memory without restriction, and userland programs were still able to map the zero page, there were many easy techniques for exploiting null-deref bugs. However with the introduction of modern exploit mitigations such as SMEP and SMAP, as well as mmap_min_addr preventing unprivileged programs from mmap’ing low addresses, null-deref bugs are generally not considered a security issue in modern kernel versions. This blog post provides an exploit technique demonstrating that treating these bugs as universally innocuous often leads to faulty evaluations of their relevance to security.

This is the sort of vulnerability that the oops-limit patch is meant to block.

Code that is added to the kernel can stay there for a long time; there is code in current kernels that has been present for over 30 years. Nothing is forever, though. The kernel development community is currently discussing the removal of two architectures and one filesystem, all of which seem to have mostly fallen out of use. But, as we will see, removal of code from the kernel is not easy and is subject to reconsideration even after it happens.

Version 3.0 of the Pandoc document-conversion tool has been released; the list of new features is quite long, including "chunked" HTML output, support for complex figures, and much more.

Security updates have been issued by Debian (firefox-esr, libitext5-java, sudo, and webkit2gtk), Fedora (firefox and qemu), Red Hat (java-11-openjdk and java-17-openjdk), Slackware (sudo), SUSE (sudo), and Ubuntu (python-urllib3 and sudo).

The LWN.net Weekly Edition for January 19, 2023 is available.

On today's Fedora systems, a reboot cycle—for a kernel update, say—is normally a fairly quick affair, but that is not always true. The system will wait for services to shut down cleanly and will wait for up to two minutes before killing a service and moving on. A recent proposal to change the default timeout to 15 seconds, while still allowing some services to require more time, ran into more opposition than was perhaps anticipated. Not everyone was comfortable shortening the timeout period, though the decision has now been made to reduce it, but not as far as was proposed.

The 6.1.7, 5.15.89, 5.10.164, 5.4.229, 4.19.270, and 4.14.303 stable kernels have all been released; each contains another big set of important fixes.

Security updates have been issued by Fedora (awstats), Oracle (dpdk, libxml2, postgresql:10, systemd, and virt:ol and virt-devel:rhel), Red Hat (kernel), Slackware (git, httpd, libXpm, and mozilla), SUSE (libzypp-plugin-appdata), and Ubuntu (git, libxpm, linux-ibm-5.4, linux-oem-5.14, and ruby2.3).

Over the past several months, there have been wide-ranging discussions in the Python community about difficulties users have with installing packages for the language. There is a bewildering array of options for package-installation tools and Python distributions focused on particular use cases (e.g. scientific computing); many of those options do not interoperate well—or at all—so they step on each others' toes. The discussions have focused on where solutions might be found to make it easier on users, but lots of history and entrenched use cases need to be overcome in order to get there—or even to make progress in that direction.

Git 2.39.1 has been released with a set of security fixes; there are also updated versions of many older Git releases available. A pair of integer overflow vulnerabilities can lead to code execution in some scenarios; see the announcement and this GitHub blog entry for more information.

Version 109.0 of the Firefox browser has been released. The headline feature this time is the enabling of Manifest Version 3 support — a new extension mechanism that, among other things, gives a higher degree of control over what extensions can do.

MV3 also ushers an exciting user interface change in the form of the new extensions button (already available on Firefox Nightly). This will give users direct control over which extensions can access specific web sites. Users are able to review, grant, or revoke MV3 extension access to any website.

Security updates have been issued by Debian (tor) and SUSE (python-setuptools, python36-setuptools, and tor).

It is rare to see an extensive and unhappy discussion over the selection of compiler options used to build a distribution, but it does happen. A case in point is the debate over whether Fedora should be built with frame pointers or not. It comes down to a tradeoff between a performance loss on current systems and hopes for gains that exceed that loss in the future — and some disagreements over how these decisions should be made within the Fedora community.

Dave Täht describes the Flent network-testing tool and its use in great detail.

With flent - in the 110 tests in it - in a matter of minutes you can replicate any network stress test “out there” and compare networking results across an extraordinary number of variables, over time, across many tests. Before Toke Høiland-Jørgensen developed flent, it would take days to set up a single test and single plot. Now you can be deluged in data, graph it quickly, and can investigate network behaviors in minutes that take other support staff, engineers and SREs months, plot accurately, over each change you make, with comparable results in a standardized file format, and a zillion useful plot types.

Security updates have been issued by Debian (chromium, lava, libapreq2, net-snmp, node-minimatch, and openvswitch), Fedora (jpegoptim, kernel, kernel-headers, kernel-tools, and python2.7), Mageia (ctags, ffmpeg, minetest, python-gitpython, w3m, and xrdp), Oracle (kernel), Red Hat (dpdk and libxml2), Slackware (netatalk), SUSE (apptainer, chromium, libheimdal, python-wheel, python310-setuptools, and SDL2), and Ubuntu (linux-aws, linux-gcp-4.15, maven, and net-snmp).

The fourth 6.2 kernel prepatch is out for testing.

So here's another -rc release, this time with pretty much everybody back from winter holidays, and so things should be back to normal. And you can see that in the size, this is pretty much bang in the middle of a regular rc size for this time in the merge window.