LWN
LWN.net is a comprehensive source of news and opinions from
and about the Linux community. This is the main LWN.net feed,
listing all articles which are posted to the site front page.
URL: https://lwn.net
Updated: 3 hours 43 min ago
Two rounds of stable kernels released
Greg Kroah-Hartman has released two batches of stable kernels. The first
set has fixes in various parts of the tree, while the second batch has a
single fix for a problem
with the page-table entry inversion that is done as a mitigation for the L1TF speculative-execution
vulnerability. The first batch includes: 4.18.2, 4.17.16, 4.14.64, 4.9.121, 4.4.149, and 3.18.119. The second batch is: 4.18.3, 4.17.17, 4.14.65, 4.9.122, and 4.4.150. Users should upgrade, presumably to
something in the second batch unless they are running the 3.18 series.
Security updates for Friday
Security updates have been issued by Debian (intel-microcode, keystone, php-horde-image, and xen), Fedora (rsyslog), openSUSE (apache2, clamav, kernel, php7, qemu, samba, and Security), Oracle (mariadb and qemu-kvm), Red Hat (docker, mariadb, and qemu-kvm), Scientific Linux (mariadb and qemu-kvm), SUSE (GraphicsMagick, kernel, kgraft, mutt, perl-Archive-Zip, python, and xen), and Ubuntu (postgresql-10, postgresql-9.3, postgresql-9.5, procps, and webkit2gtk).
[$] The first half of the 4.19 merge window
As of this writing, Linus Torvalds has pulled just over 7,600 non-merge
changesets into the mainline repository for the 4.19 development cycle.
4.19 thus seems to be off to a faster-than-usual start, perhaps because the
one-week delay in the opening of the merge window gave subsystem
maintainers a bit more time to get ready. There is, as usual, a lot of
interesting new code finding its way into the kernel, along with the usual
stream of fixes and cleanups.
The Problems and Promise of WebAssembly (Project Zero)
Over at Google's Project Zero blog, Natalie Silvanovich looks at some of the bugs the project has found in WebAssembly, which is a binary format to run code in the browser for web applications. She also looks to the future: "There are two emerging features of WebAssembly that are likely to have a security impact. One is threading. Currently, WebAssembly only supports concurrency via JavaScript workers, but this is likely to change. Since JavaScript is designed assuming that this is the only concurrency model, WebAssembly threading has the potential to require a lot of code to be thread safe that did not previously need to be, and this could lead to security problems.
WebAssembly GC [garbage collection] is another potential feature of WebAssembly that could lead to security problems. Currently, some uses of WebAssembly have performance problems due to the lack of higher-level memory management in WebAssembly. For example, it is difficult to implement a performant Java Virtual Machine in WebAssembly. If WebAssembly GC is implemented, it will increase the number of applications that WebAssembly can be used for, but it will also make it more likely that vulnerabilities related to memory management will occur in both WebAssembly engines and applications written in WebAssembly."
Debian: 25 years and counting
The Debian project is celebrating the 25th anniversary of its founding by Ian Murdock on August 16, 1993. The "Bits from Debian" blog had this to say: "Today, the Debian project is a large and thriving organization with countless self-organized teams comprised of volunteers. While it often looks chaotic from the outside, the project is sustained by its two main organizational documents: the Debian Social Contract, which provides a vision of improving society, and the Debian Free Software Guidelines, which provide an indication of what software is considered usable. They are supplemented by the project's Constitution which lays down the project structure, and the Code of Conduct, which sets the tone for interactions within the project.
Every day over the last 25 years, people have sent bug reports and patches, uploaded packages, updated translations, created artwork, organized events about Debian, updated the website, taught others how to use Debian, and created hundreds of derivatives." Happy birthday to the project from all of us here at LWN.
Security updates for Thursday
Security updates have been issued by Debian (fuse), Fedora (cri-o, gdm, kernel-headers, postgresql, units, and wpa_supplicant), Mageia (iceaepe, kernel-linus, kernel-tmb, and libtomcrypt), openSUSE (aubio, libheimdal, nemo-extensions, and python-Django1), Red Hat (flash-plugin), SUSE (apache2, kernel, php7, qemu, samba, and ucode-intel), and Ubuntu (gnupg).
[$] LWN.net Weekly Edition for August 16, 2018
The LWN.net Weekly Edition for August 16, 2018 is available.
[$] The Data Transfer Project
Social networks are typically walled gardens; users of a service can interact with other users and their content, but cannot see or interact with data stored in competing services. Beyond that, though, these walled gardens have generally made it difficult or impossible to decide to switch to a competitor—all of the user's data is locked into a particular site. Over time, that has been changing to some extent, but a new project has the potential to make it straightforward to switch to a new service without losing everything. The Data Transfer Project (DTP) is a collaborative project between several internet heavyweights that wants to "create an open-source, service-to-service data portability platform".
Security updates for Wednesday
Security updates have been issued by CentOS (kernel), Debian (kernel, linux-4.9, postgresql-9.4, and ruby-zip), Fedora (cgit, firefox, knot-resolver, mingw-LibRaw, php-symfony, php-symfony3, php-symfony4, php-zendframework-zend-diactoros, php-zendframework-zend-feed, php-zendframework-zend-http, python2-django1.11, quazip, sox, and thunderbird-enigmail), openSUSE (python-Django and seamonkey), Oracle (kernel), Red Hat (kernel, kernel-rt, and redhat-virtualization-host), Scientific Linux (kernel), Slackware (openssl), SUSE (clamav, firefox, kernel, and samba), and Ubuntu (kernel, libxml2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-hwe, linux-azure, linux-gcp, linux-lts-trusty, linux-lts-xenial, linux-aws, linux-raspi2, and samba).
[$] CVE-2018-5390 and "embargoes"
A kernel bug that allows a remote denial of service via crafted packets was fixed recently and the resulting patch was merged on July 23. But an announcement of the flaw (which is CVE-2018-5390) was not released until August 6—a two-week window where users were left in the dark. It was not just the patch that might have alerted attackers; the flaw was publicized in other ways, as well, before the announcement, which has led to some discussion of embargo policies on the oss-security mailing list. Within free-software circles, embargoes are generally seen as a necessary evil, but delaying the disclosure of an already-public bug does not sit well.
[$] Meltdown strikes back: the L1 terminal fault vulnerability
The Meltdown CPU vulnerability, first disclosed in early January, was frightening
because it allowed unprivileged attackers to easily read arbitrary memory
in the system. Spectre, disclosed at the same time, was harder to exploit
but made it possible for guests running in virtual machines to attack the
host system and other guests. Both vulnerabilities have been mitigated to
some extent
(though it will take a long time to even find
all of the Spectre
vulnerabilities, much less protect against them). But now the newly
disclosed "L1 terminal fault" (L1TF) vulnerability
(also going by the name Foreshadow) brings back both
threats: relatively
easy attacks against host memory from inside a guest. Mitigations are
available (and have been merged
into the mainline kernel), but they will be expensive for some users.
Security updates for Tuesday
Security updates have been issued by Arch Linux (thunderbird), Debian (gdm3 and samba), openSUSE (cgit and lxc), SUSE (grafana, kafka, logstash, openstack-monasca-installer and samba), and Ubuntu (gdm3 and libarchive).
[$] The importance of being noisy
Hundreds (at least) of kernel bugs are fixed every month. Given the
kernel's privileged position within the system, a relatively large portion
of those bugs have security implications. Many bugs are relatively easily
noticed once they are triggered; that leads to them being fixed. Some
bugs, though, can be hard to detect, a result that can be worsened by the
design of in-kernel APIs. A proposed change to how user-space accessors
work will, hopefully, help to shine a light on one class of stealthy bugs.
Security updates for Monday
Security updates have been issued by Debian (blender, openjdk-8, postgresql-9.6, and sam2p), Fedora (libmspack, mingw-glib2, mingw-glibmm24, and rsyslog), Mageia (blender, glpi, godot, kernel, lftp, libjpeg, libsndfile, libsoup, mariadb, mp3gain, openvpn, and soundtouch), openSUSE (cgit, libvirt, mailman, NetworkManager-vpnc, and sddm), Slackware (bind), and SUSE (ffmpeg, glibc, and libvirt).
The 4.18 kernel is out
Linus has released the 4.18 kernel.
"It was a very calm week, and arguably I could just have released on
schedule last week, but we did have some minor updates."
Some of the significant features in this release include
unprivileged filesystem mounts,
restartable sequences,
a new zero-copy TCP receive API,
support for active state management for
power domains,
the AF_XDP mechanism for
high-performance networking,
the core bpfilter packet filter
implementation,
and more. See the KernelNewbies 4.18 page for
more details.
[$] The mismatched mount mess
"Mounting" a filesystem is the act of making it available somewhere in the
system's directory hierarchy. But a mount operation doesn't just glue a
device full of files into a specific spot in the tree; there is a whole set
of parameters controlling how that filesystem is accessed that can be
specified at mount time. The handling of these mount parameters is the
latest obstacle to getting the proposed new
mounting API into the mainline; should the new API reproduce what is
arguably one of the biggest misfeatures of the current mount()
system call?
Security updates for Friday
Security updates have been issued by CentOS (java-1.7.0-openjdk, openslp, and yum-utils), Fedora (exiv2, kernel-headers, kernel-tools, libgit2, and thunderbird-enigmail), openSUSE (blueman, cups, gdk-pixbuf, libcdio, libraw, libsoup, libtirpc, mysql-community-server, polkit, python-mitmproxy, sssd, virtualbox, and webkit2gtk3), Oracle (kernel), Red Hat (cobbler), SUSE (ceph, firefox, NetworkManager-vpnc, openssh, and wireshark), and Ubuntu (openjdk-7 and openjdk-8).
bzip.org changes hands
The bzip2 compression algorithm has been slowly falling out of
favor, but is still used heavily across the net. A search
for "bzip2 source" returns bzip.org as the first three results. But it
would seem that the owner of this domain has let it go, and it is now parked
and running ads. So we no longer have an official home for
bzip2. If a new repository or tarball does turn up at that
domain, it should be looked at closely before being trusted. (Thanks to
Jason Kushmaul).
More in Tux Machines
- Highlights
- Front Page
- Latest Headlines
- Archive
- Recent comments
- All-Time Popular Stories
- Hot Topics
- New Members
Canonical/Ubuntu: Quirky Xerus 8.6, Snapcraft and More
| Graphics: Wayland/Weston, Mesa and AMD
|
Kernel: Linux 4.19 Staging and Greg Kroah-Hartman's Very Many Stable Releases
| Trinity Desktop Environment R14.0.5
|
Content (where original) is available under CC-BY-SA, copyrighted by original author/s.
Recent comments
1 hour 9 min ago
1 hour 9 min ago
1 hour 10 min ago
4 hours 17 min ago
4 hours 18 min ago
6 hours 2 min ago
7 hours 4 min ago
15 hours 51 min ago
1 day 5 hours ago
1 day 5 hours ago