LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 3 hours 43 min ago

Two rounds of stable kernels released

12 hours 10 min ago
Greg Kroah-Hartman has released two batches of stable kernels. The first set has fixes in various parts of the tree, while the second batch has a single fix for a problem with the page-table entry inversion that is done as a mitigation for the L1TF speculative-execution vulnerability. The first batch includes: 4.18.2, 4.17.16, 4.14.64, 4.9.121, 4.4.149, and 3.18.119. The second batch is: 4.18.3, 4.17.17, 4.14.65, 4.9.122, and 4.4.150. Users should upgrade, presumably to something in the second batch unless they are running the 3.18 series.

Security updates for Friday

Friday 17th of August 2018 02:12:44 PM
Security updates have been issued by Debian (intel-microcode, keystone, php-horde-image, and xen), Fedora (rsyslog), openSUSE (apache2, clamav, kernel, php7, qemu, samba, and Security), Oracle (mariadb and qemu-kvm), Red Hat (docker, mariadb, and qemu-kvm), Scientific Linux (mariadb and qemu-kvm), SUSE (GraphicsMagick, kernel, kgraft, mutt, perl-Archive-Zip, python, and xen), and Ubuntu (postgresql-10, postgresql-9.3, postgresql-9.5, procps, and webkit2gtk).

[$] The first half of the 4.19 merge window

Friday 17th of August 2018 01:41:40 AM
As of this writing, Linus Torvalds has pulled just over 7,600 non-merge changesets into the mainline repository for the 4.19 development cycle. 4.19 thus seems to be off to a faster-than-usual start, perhaps because the one-week delay in the opening of the merge window gave subsystem maintainers a bit more time to get ready. There is, as usual, a lot of interesting new code finding its way into the kernel, along with the usual stream of fixes and cleanups.

The Problems and Promise of WebAssembly (Project Zero)

Thursday 16th of August 2018 10:36:40 PM
Over at Google's Project Zero blog, Natalie Silvanovich looks at some of the bugs the project has found in WebAssembly, which is a binary format to run code in the browser for web applications. She also looks to the future: "There are two emerging features of WebAssembly that are likely to have a security impact. One is threading. Currently, WebAssembly only supports concurrency via JavaScript workers, but this is likely to change. Since JavaScript is designed assuming that this is the only concurrency model, WebAssembly threading has the potential to require a lot of code to be thread safe that did not previously need to be, and this could lead to security problems. WebAssembly GC [garbage collection] is another potential feature of WebAssembly that could lead to security problems. Currently, some uses of WebAssembly have performance problems due to the lack of higher-level memory management in WebAssembly. For example, it is difficult to implement a performant Java Virtual Machine in WebAssembly. If WebAssembly GC is implemented, it will increase the number of applications that WebAssembly can be used for, but it will also make it more likely that vulnerabilities related to memory management will occur in both WebAssembly engines and applications written in WebAssembly."

Debian: 25 years and counting

Thursday 16th of August 2018 10:27:04 PM
The Debian project is celebrating the 25th anniversary of its founding by Ian Murdock on August 16, 1993. The "Bits from Debian" blog had this to say: "Today, the Debian project is a large and thriving organization with countless self-organized teams comprised of volunteers. While it often looks chaotic from the outside, the project is sustained by its two main organizational documents: the Debian Social Contract, which provides a vision of improving society, and the Debian Free Software Guidelines, which provide an indication of what software is considered usable. They are supplemented by the project's Constitution which lays down the project structure, and the Code of Conduct, which sets the tone for interactions within the project. Every day over the last 25 years, people have sent bug reports and patches, uploaded packages, updated translations, created artwork, organized events about Debian, updated the website, taught others how to use Debian, and created hundreds of derivatives." Happy birthday to the project from all of us here at LWN.

New stable kernels

Thursday 16th of August 2018 01:52:17 PM
Greg Kroah-Hartman has released a new batch of stable kernels: 4.18.1, 4.17.15, 4.14.63, 4.9.120, and 4.4.148. These include the fixes for the L1 terminal fault vulnerability and a few other fixes here and there. Users should upgrade.

Security updates for Thursday

Thursday 16th of August 2018 01:27:35 PM
Security updates have been issued by Debian (fuse), Fedora (cri-o, gdm, kernel-headers, postgresql, units, and wpa_supplicant), Mageia (iceape, kernel-linus, kernel-tmb, and libtomcrypt), openSUSE (aubio, libheimdal, nemo-extensions, and python-Django1), Red Hat (flash-plugin), SUSE (apache2, kernel, php7, qemu, samba, and ucode-intel), and Ubuntu (gnupg).

[$] LWN.net Weekly Edition for August 16, 2018

Thursday 16th of August 2018 01:18:00 AM
The LWN.net Weekly Edition for August 16, 2018 is available.

[$] The Data Transfer Project

Wednesday 15th of August 2018 08:24:46 PM

Social networks are typically walled gardens; users of a service can interact with other users and their content, but cannot see or interact with data stored in competing services. Beyond that, though, these walled gardens have generally made it difficult or impossible to decide to switch to a competitor—all of the user's data is locked into a particular site. Over time, that has been changing to some extent, but a new project has the potential to make it straightforward to switch to a new service without losing everything. The Data Transfer Project (DTP) is a collaborative project between several internet heavyweights that wants to "create an open-source, service-to-service data portability platform".

Security updates for Wednesday

Wednesday 15th of August 2018 02:55:47 PM
Security updates have been issued by CentOS (kernel), Debian (kernel, linux-4.9, postgresql-9.4, and ruby-zip), Fedora (cgit, firefox, knot-resolver, mingw-LibRaw, php-symfony, php-symfony3, php-symfony4, php-zendframework-zend-diactoros, php-zendframework-zend-feed, php-zendframework-zend-http, python2-django1.11, quazip, sox, and thunderbird-enigmail), openSUSE (python-Django and seamonkey), Oracle (kernel), Red Hat (kernel, kernel-rt, and redhat-virtualization-host), Scientific Linux (kernel), Slackware (openssl), SUSE (clamav, firefox, kernel, and samba), and Ubuntu (kernel, libxml2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-hwe, linux-azure, linux-gcp, linux-lts-trusty, linux-lts-xenial, linux-aws, linux-raspi2, and samba).

[$] CVE-2018-5390 and "embargoes"

Tuesday 14th of August 2018 08:35:30 PM

A kernel bug that allows a remote denial of service via crafted packets was fixed recently and the resulting patch was merged on July 23. But an announcement of the flaw (which is CVE-2018-5390) was not released until August 6—a two-week window where users were left in the dark. It was not just the patch that might have alerted attackers; the flaw was publicized in other ways, as well, before the announcement, which has led to some discussion of embargo policies on the oss-security mailing list. Within free-software circles, embargoes are generally seen as a necessary evil, but delaying the disclosure of an already-public bug does not sit well.

[$] Meltdown strikes back: the L1 terminal fault vulnerability

Tuesday 14th of August 2018 05:59:13 PM
The Meltdown CPU vulnerability, first disclosed in early January, was frightening because it allowed unprivileged attackers to easily read arbitrary memory in the system. Spectre, disclosed at the same time, was harder to exploit but made it possible for guests running in virtual machines to attack the host system and other guests. Both vulnerabilities have been mitigated to some extent (though it will take a long time to even find all of the Spectre vulnerabilities, much less protect against them). But now the newly disclosed "L1 terminal fault" (L1TF) vulnerability (also going by the name Foreshadow) brings back both threats: relatively easy attacks against host memory from inside a guest. Mitigations are available (and have been merged into the mainline kernel), but they will be expensive for some users.

Security updates for Tuesday

Tuesday 14th of August 2018 02:56:39 PM
Security updates have been issued by Arch Linux (thunderbird), Debian (gdm3 and samba), openSUSE (cgit and lxc), SUSE (grafana, kafka, logstash, openstack-monasca-installer and samba), and Ubuntu (gdm3 and libarchive).

[$] The importance of being noisy

Monday 13th of August 2018 10:12:27 PM
Hundreds (at least) of kernel bugs are fixed every month. Given the kernel's privileged position within the system, a relatively large portion of those bugs have security implications. Many bugs are relatively easily noticed once they are triggered; that leads to them being fixed. Some bugs, though, can be hard to detect, a result that can be worsened by the design of in-kernel APIs. A proposed change to how user-space accessors work will, hopefully, help to shine a light on one class of stealthy bugs.

Security updates for Monday

Monday 13th of August 2018 02:49:44 PM
Security updates have been issued by Debian (blender, openjdk-8, postgresql-9.6, and sam2p), Fedora (libmspack, mingw-glib2, mingw-glibmm24, and rsyslog), Mageia (blender, glpi, godot, kernel, lftp, libjpeg, libsndfile, libsoup, mariadb, mp3gain, openvpn, and soundtouch), openSUSE (cgit, libvirt, mailman, NetworkManager-vpnc, and sddm), Slackware (bind), and SUSE (ffmpeg, glibc, and libvirt).

The 4.18 kernel is out

Sunday 12th of August 2018 09:11:05 PM
Linus has released the 4.18 kernel. "It was a very calm week, and arguably I could just have released on schedule last week, but we did have some minor updates." Some of the significant features in this release include unprivileged filesystem mounts, restartable sequences, a new zero-copy TCP receive API, support for active state management for power domains, the AF_XDP mechanism for high-performance networking, the core bpfilter packet filter implementation, and more. See the KernelNewbies 4.18 page for more details.

[$] The mismatched mount mess

Friday 10th of August 2018 11:26:54 PM
"Mounting" a filesystem is the act of making it available somewhere in the system's directory hierarchy. But a mount operation doesn't just glue a device full of files into a specific spot in the tree; there is a whole set of parameters controlling how that filesystem is accessed that can be specified at mount time. The handling of these mount parameters is the latest obstacle to getting the proposed new mounting API into the mainline; should the new API reproduce what is arguably one of the biggest misfeatures of the current mount() system call?

Security updates for Friday

Friday 10th of August 2018 02:41:58 PM
Security updates have been issued by CentOS (java-1.7.0-openjdk, openslp, and yum-utils), Fedora (exiv2, kernel-headers, kernel-tools, libgit2, and thunderbird-enigmail), openSUSE (blueman, cups, gdk-pixbuf, libcdio, libraw, libsoup, libtirpc, mysql-community-server, polkit, python-mitmproxy, sssd, virtualbox, and webkit2gtk3), Oracle (kernel), Red Hat (cobbler), SUSE (ceph, firefox, NetworkManager-vpnc, openssh, and wireshark), and Ubuntu (openjdk-7 and openjdk-8).

bzip.org changes hands

Thursday 9th of August 2018 09:15:16 PM
The bzip2 compression algorithm has been slowly falling out of favor, but is still used heavily across the net. A search for "bzip2 source" returns bzip.org as the first three results. But it would seem that the owner of this domain has let it go, and it is now parked and running ads. So we no longer have an official home for bzip2. If a new repository or tarball does turn up at that domain, it should be looked at closely before being trusted. (Thanks to Jason Kushmaul).

Five new stable kernels

Thursday 9th of August 2018 02:20:30 PM
Greg Kroah-Hartman has released the 4.17.14, 4.14.62, 4.9.119, 4.4.147, and 3.18.118 stable kernels. There are important fixes in each and users should upgrade.

More in Tux Machines

Canonical/Ubuntu: Quirky Xerus 8.6, Snapcraft and More

  • Quirky Xerus 8.6 features latest DEBs from Ubuntu 16.04.x
    The independent Linux-based operating system, Quirky 8.6, a side project of Puppy Linux made with Woof, has just hit the market. According to an announcement by its creator, Barry Kauler, who retired from the Puppy Linux project to work on the Quirky Distro, the woofQ operating system is live for users to download and enjoy. The latest release mainly features bug fixes and minor improvements from previous Quirky OS 8.x versions. The release notes of Quirky’s Xerus version 8.6 explain that the update comes with a package upgrade to version 2.49.4 SeaMonkey and Kernel 4.14.63 with aufs patch. The new release is built with the latest DEBs from the Ubuntu 16.04.x range and features improvements for its EasyShare with specific improvements for Android connections. A Gxlat language translator has been introduced in this update and there are 10 architectural improvements and fixes as well. Several minor security bugs have also been patched since its predecessor.
  • Snapcraft at Europython 2018
    In July, several members of our advocacy and design teams went to Europython 2018 in Edinburgh. It was a really well-organised event, mixing great speakers from a vibrant community at a great location. The main reason for us to get closer to the Python developer community was to promote Snapcraft as the best way to publish on Linux, for app developers in general, and for Python developers in particular. As well as increasing awareness of Snapcraft, we gained a deeper understanding of the needs of Python developers and made contact with interesting products and engineers.
  • Cloud Native, Docker, K8s Summit
  • Ubuntu 18.04.1 Bionic Beaver Has Been Released (Download Links)

Graphics: Wayland/Weston, Mesa and AMD

  • Wayland 1.16 / Weston 5.0 RC2 Released To Fix Vulnerabilities
    Two release candidates of Wayland 1.16 / Weston 5.0 were not originally scheduled, but it's been necessitated due to some pressing issues both with Wayland and its reference compositor. Samsung's Derek Foreman issued these "RC2" releases on Friday rather than going straight to the official Wayland 1.16 and Weston 5.0 releases. On the Wayland front, Michael Srb found and fixed issues that could cause pointer overflows within Wayland's connection code. These overflow fixes are the only changes in this Wayland 1.15.94 (RC2) version.
  • RAGE & Doom Get Radeon Workarounds In Mesa 18.3-dev
    If you are looking to enjoy id Software's RAGE or Doom VFR games this weekend on Linux via Wine, they should be playing nicer with the latest open-source Mesa graphics driver code. Timothy Arceri at Valve has added a workaround to get RAGE working under Wine with RadeonSI. The workaround is a DRIRC configuration addition for allowing GLSL built-in variable redeclarations. This is enough to get RAGE working with RadeonSI on Mesa Git. Though only RadeonSI is working out currently since the game relies upon the OpenGL compatibility profile mode that is only supported currently by RadeonSI when it comes to the Mesa drivers. Thanks to Valve's developers and others, the OpenGL compatibility profile mode for RadeonSI has matured into great shape these past few months.
  • Adreno 600 Series Support Lands In Mesa 18.3 Gallium3D
    With the Adreno 600 series support going into Linux 4.19 for the kernel bits, the user-space OpenGL driver support for the latest-generation Qualcomm graphics has now been merged into Mesa. Kristian Høgsberg Kristensen of Google's Chrome OS graphics team (yes, Kristian of Wayland and DRI2 fame) has been working on the Gallium3D support for the Adreno 600 series hardware along with Freedreno founder Rob Clark. This A6xx support is being tacked onto the existing Freedreno Gallium3D driver and amounts to just over six thousand lines of new code. Keep in mind this A6xx Freedreno back-end must also be used with the supported MSM DRM driver in the Linux 4.19+ kernel.
  • AMDGPU-PRO 18.30 Radeon Linux Driver Released with Support for Ubuntu 18.04 LTS
    Featuring official support for the AMD Radeon PRO WX 8200 graphics cards and initial Wattman-like functionality, the Radeon Software for Linux 18.30 finally adds support for some of the most recent Ubuntu, Red Hat Enterprise Linux, and CentOS Linux distributions. These include Ubuntu 18.04.1 LTS (Bionic Beaver), Ubuntu 16.04.5 LTS (Xenial Xerus), Red Hat Enterprise Linux 7.5, Red Hat Enterprise Linux 6.10, CentOS 7.5, and CentOS 6.10. SUSE Linux Enterprise Desktop and Server (SLED/SLES) 12 Service Pack (SP) 3 is supported as well, but not the latest SUSE Linux Enterprise 15.
  • AMDVLK Vulkan Driver Update Fixes Witcher 3 Issue, Bug Fixes
    In addition to AMD releasing AMDGPU-PRO 18.30 on Friday, they also did their usual weekly source push of their newest "AMDVLK" open-source Radeon Vulkan driver code.

Kernel: Linux 4.19 Staging and Greg Kroah-Hartman's Very Many Stable Releases

  • Linux 4.19 Staging Brings EROFS File-System & Gasket Driver Framework
    Following the USB subsystem updates, Greg Kroah-Hartman sent in the kernel's staging area work for the Linux 4.19 merge window. This experimental/testing area of the Linux kernel is adding a new file-system with 4.19: EROFS. EROFS is developed by Huawei for possible Android device use-cases. EROFS stands for the Extendable Read-Only File-System and is developed to address shortcomings in other Linux read-only file-systems. EROFS features compression support and other features, but the on-disk layout format isn't 100% firm yet -- hence going into the staging area.
  • USB Patches Posted For Linux 4.19 Kernel, Including The New USB-C DisplayPort Driver
    Having wrapped up his latest stable kernel wrangling and the fallout from L1TF/Foreshadow, Greg Kroah-Hartman got around today to sending out the feature pull requests for the kernel subsystems he oversees. His first new batch of changes for Linux 4.19 today is the USB subsystem work.
  • One Week Past Linux 4.18.0, The Linux 4.18.3 Kernel Is Already Out
    Greg Kroah-Hartman had a fun Friday night issuing new point releases to the Linux 3.18 / 4.4 / 4.9 / 4.14 / 4.17 / 4.18 kernels only to have to issue new point releases minutes later. It was just on Thursday that Linux 4.18.1 was released along with updates to older stable branches for bringing L1TF / Foreshadow mitigation. Friday night then brought Linux 4.18.2, Linux 4.17.16, Linux 4.14.64, Linux 4.9.121, Linux 4.4.149, and Linux 3.18.119 with more patches. Those kernels brought various fixes, including in the x86 PTI code for clearing the global bit more aggressively, crypto fixes, and other maintenance work.

Trinity Desktop Environment R14.0.5

  • 2018.08.18: Trinity Desktop Environment R14.0.5 Released!
    The Trinity Desktop Environment (TDE) development team is pleased to announce the immediate availability of the new TDE R14.0.5 release. TDE is a complete software desktop environment designed for Unix-like operating systems, intended for computer users preferring a traditional desktop model, and is free/libre software. R14.0.5 is the fifth maintenance release of the R14.0 series, and is built on and improves the previous R14.0.4 version. Maintenance releases are intended to promptly bring bug fixes to users, while preserving overall stability through the avoidance of both major new features and major codebase re-factoring.
  • Trinity Desktop R14.0.5 Lets You Keep Enjoying The KDE 3 Experience In 2018
    For those that have fond memories of the K Desktop Environment 3, you can still enjoy a KDE3-derived experience in 2018 with the just-released Trinity Desktop R14.0.5. Trinity Desktop continues to see occasional updates as the fork of the KDE 3.5 packages. Trinity Desktop R14.0.5 is the new release this weekend and their first since R14.0.4 was released last November.