Craig Kerstiens highlights some of the "little things" featured in the upcoming PostgreSQL 14 release.

And now in PostgreSQL 14 there is this seemingly small update, pipeline mode, which, according to the docs, allows applications to send a query without having to read the result of the previously sent query. Taking advantage of the pipeline mode, a client will wait less for the server, since multiple queries/results can be sent/received in a single network transaction.

The Google security blog provides an overview of what is being done to address memory-safety problems in the Chrome browser.

In parallel, we’ll be exploring whether we can use a memory safe language for parts of Chrome in the future. The leading contender is Rust, invented by our friends at Mozilla. This is (largely) compile-time safe; that is, the Rust compiler spots mistakes with pointers before the code even gets to your device, and thus there’s no performance penalty. Yet there are open questions about whether we can make C++ and Rust work well enough together. Even if we started writing new large components in Rust tomorrow, we’d be unlikely to eliminate a significant proportion of security vulnerabilities for many years.

Stable kernels 5.14.7, 5.10.68, 5.4.148, 4.19.207, 4.14.247, 4.9.283, and 4.4.284 have been released. They all contain important fixes and users should upgrade.

Security updates have been issued by Debian (grilo), Fedora (curl, firefox, mingw-python-pillow, python-pillow, python2-pillow, and webkit2gtk3), openSUSE (chromium, grafana-piechart-panel, kernel, libcroco, php-composer, and xen), Oracle (curl, kernel, and nss and nspr), Red Hat (nodejs:12), Slackware (alpine), SUSE (ghostscript, grafana-piechart-panel, kernel, and xen), and Ubuntu (linux, linux-hwe, linux-hwe-5.11, linux-hwe-5.4, linux-raspi, linux-raspi-5.4, and linux-raspi2).

Alyssa Rosenzweig reports that the open-source Panfrost driver for Mali GPUs has achieved official conformance on Mali-G52 for OpenGL ES 3.1. This important milestone is a step forward for the open source driver, as it now certifies Panfrost for use in commercial products containing Mali G52 and paves the way for further conformance submissions on other Mali GPUs.

Middleboxes are, unfortunately in many ways, a big part of today's internet. While middleboxes inhabit the same physical niche as routers, they are not aimed at packet forwarding; instead they are meant to monitor and manipulate the packets that they see. The effects of those devices on users of the networks they reign over may be unfortunate as well, but the rest of the internet is only affected when trying to communicate with those users—or so it was thought. Based on some recently reported research, it turns out that middleboxes can be abused to inflict denial-of-service (DoS) attacks elsewhere on the net.

Security updates have been issued by Debian (webkit2gtk, wpewebkit, and xen), Oracle (kernel), Red Hat (curl, go-toolset:rhel8, krb5, mysql:8.0, nodejs:12, and nss and nspr), and Ubuntu (curl and tiff).

Ben Hoyt has published a critical overview of the Python 3.10 pattern-matching feature.

As shown above, there are cases where match really shines. But they are few and far between, mostly when handling syntax trees and writing parsers. A lot of code does have if ... elif chains, but these are often either plain switch-on-value, where elif works almost as well, or the conditions they’re testing are a more complex combination of tests that don’t fit into case patterns (unless you use awkward case _ if cond clauses, but that’s strictly worse than elif).

(Pattern matching has been covered here as well).

The first day of the Kangrejos (Rust for Linux) conference introduced the project and what it was trying to accomplish; day 2 covered a number of core Rust concepts and their relevance to the kernel. On the third and final day of the conference, Wedson Almeida Filho delved deeper into how Rust can be made to work in the Linux kernel, covered some of the lessons that have been learned so far, and discussed next steps with a number of kernel developers.

Security updates have been issued by Debian (gnutls28, nettle, nextcloud-desktop, and openssl1.0), Fedora (dovecot-fts-xapian, drupal7, ghostscript, haproxy, libtpms, lynx, wordpress, and xen), openSUSE (xen), Red Hat (rh-ruby27-ruby), and SUSE (openssl, openssl1, and xen).

The 5.15-rc2 kernel prepatch is out for testing.

So I've spent a fair amount of this week trying to sort out all the odd warnings, and I want to particularly thank Guenter Roeck for his work on tracking where the build failures due to -Werror come from.

Is it done? No. But on the whole I'm feeling fairly good about this all, even if it has meant that I've been looking at some really odd and grotty code. Who knew I'd still worry about some odd EISA driver on alpha, after all these years? A slight change of pace ;)

The relatively large 5.14.6, 5.13.19, and 5.10.67 stable kernel updates have been released; each contains another set of important fixes. Note that this is the final update for the 5.13.x series.

Here's a post from Christian Schaller describing a number of the desktop-oriented improvements that can be expected in the Fedora 35 release.

And I know some people will wonder why we spent so much time working with NVidia around their binary driver, but the reality is that NVidia is the market leader, especially in the professional Linux workstation space, and there are lot of people who either would end up not using Linux or using Linux with X without it, including a lot of Red Hat customers and Fedora users. And that is what I and my team are here for at the end of the day, to make sure Red Hat customers are able to get their job done using their Linux systems.

Ariadne Conill looks at the difficulties caused by the OpenSSL 3 transition in the context of Alpine Linux.

For distributions, however, the story is different: cryptography moved to using Rust, because they wanted to leverage all of the static analysis capabilities built into the language. This, too, is a reasonable decision, from a development perspective. From the ecosystem perspective, however, it is problematic, as the Rust ecosystem is still rapidly evolving, and so we cannot support a single branch of the Rust compiler for an entire 2 year lifecycle, which means it exists in community. Our solution, historically, has been to hold cryptography at the latest version that did not require Rust to build. However, that version is not compatible with OpenSSL 3, and so it will eventually need to be upgraded to a new version which is. And so, since cryptography has to move to community, so does paramiko and Ansible.

The first day of the online Kangrejos conference was focused on introducing the effort to bring the Rust programming language into the Linux kernel. On the second day, conference organizer Miguel Ojeda shifted to presenting the Rust language itself with an emphasis on what Rust can provide for kernel development. The result was a useful resource for anybody who is curious about this project, but who has not yet had the time to become familiar with Rust.

Security updates have been issued by CentOS (firefox and thunderbird), Fedora (haproxy, wordpress, and xen), openSUSE (apache2-mod_auth_openidc, fail2ban, ghostscript, haserl, libcroco, nextcloud, and wireshark), Oracle (kernel and kernel-container), Slackware (httpd), SUSE (crmsh, gtk-vnc, libcroco, Mesa, postgresql12, postgresql13, and transfig), and Ubuntu (libgcrypt20, linux-gcp, linux-gcp-4.15, linux-hwe-5.4, linux-oem-5.13, python3.4, python3.5, and qtbase-opensource-src).

Four new stable kernels, 5.14.5, 5.13.18, 5.10.66, and 5.4.147, have been released. This, and the other stable kernels released today, consist of only some reverts to solve some reported problems with the last round of stable releases. Upgrading is not required, but highly recommended.

This ars technica article describes a problem with the Travis continuous-integration service:

A security flaw in Travis CI potentially exposed the secrets of thousands of open source projects that rely on the hosted continuous integration service. Travis CI is a software-testing solution used by over 900,000 open source projects and 600,000 users. A vulnerability in the tool made it possible for secure environment variables—signing keys, access credentials, and API tokens of all public open source projects—to be exfiltrated.

Any project storing secrets in this service would be well advised to replace them.

The first ever Rust for Linux conference, known as Kangrejos, got underway on September 13. Organizer Miguel Ojeda used the opening session to give an overview of why there is interest in using Rust in the kernel, where the challenges are, and what the current status is. The talk and following discussion provided a good overview of what is driving this initiative and where some of the sticking points might be.

Security updates have been issued by Debian (sssd), Fedora (libtpms and vim), openSUSE (kernel and php7-pear), Oracle (kernel), Slackware (curl), and Ubuntu (libgcrypt20 and squashfs-tools).