
Security: Patches, Diffoscope, Netfilter, and Intel Defects

  • Security updates for Friday [LWN.net]

    Security updates have been issued by Arch Linux (go, libxml2, postgresql, and wireshark-cli), Debian (drupal7 and lxml), Fedora (drupal7, java-1.8.0-openjdk-aarch32, libxml2, pacemaker, slurm, and swtpm), openSUSE (c-ares, ceph, chromium, dash, firefox, go1.14, java-1_8_0-openjdk, kernel, krb5, perl-DBI, podman, postgresql10, postgresql12, rclone, slurm, ucode-intel, wireshark, wpa_supplicant, and xen), SUSE (ceph, firefox, kernel, LibVNCServer, and python), and Ubuntu (freerdp, poppler, and xdg-utils).

  • diffoscope 162 released

    The diffoscope maintainers are pleased to announce the release of diffoscope version 162.

  • Netfilter virtual workshop 2020 summary

    Once a year folks interested in Netfilter technologies gather together to discuss past, ongoing and future works. The Netfilter Workshop is an opportunity to share and discuss new ideas, the state of the project, bring people together to work & hack and to put faces to people who otherwise are just email names. This is an event that has been happening since at least 2001, so we are talking about a genuine community thing here.

    It was decided there would be an online format, split in 3 short meetings, once per week on Fridays. I was unable to attend the first session on 2020-11-06 due to a scheduling conflict, but I made it to the sessions on 2020-11-13 and 2020-11-20. I would say the sessions were joined by about 8 to 10 people, depending on the day. This post is a summary with some notes on what happened in this edition, in no special order.

    Pablo did the classical review of all the changes and updates that happened in all the Netfilter project software components since last workshop. I was unable to watch this presentation, so I have nothing special to comment. However, I’ve been following the development of the project very closely, and there are several interesting things going on, some of them commented below.

    Florian Westphal brought to the table status on some open/pending work for mptcp option matching, systemd integration and finally interfacing from nft with cgroupv2. I was unable to participate in the talk for the first two items, so I cannot comment a lot more. On the cgroupv2 side, several options were evaluated on how to match them, identification methods, the hierarchical tree that cgroups present, etc. We will have to wait a bit more to see what the final implementation looks like.

    Also, Florian presented his concerns on conntrack hash collisions. There are no real-world known issues at the moment, but there is an old paper that suggests we should keep an eye on this and introduce improvements to prevent future DoS attack vectors. Florian mentioned these attacks are not practical at the moment, but who knows in a few years. He wants to explore introducing RB trees for conntrack. It will probably be an rbtree structure of hash tables in order to keep supporting parallel insertions. He was encouraged by others to go ahead and play/explore with this.

  • The Peculiar State Of CPU Security Mitigation Performance On Intel Tiger Lake - Phoronix

    One area not talked about much for Intel's latest Tiger Lake processors is hardened CPU security mitigations against the various speculative execution vulnerabilities to date. What's peculiar about Tiger Lake though is that disabling the configurable mitigations can now actually result in worse performance than the default mitigated state. At least that's what we are seeing so far with the Core i7 1165G7 on Ubuntu 20.10 Linux, which is the opposite of what we have been seeing on prior generations of hardware.

    [...]

    On each of these Dell XPS notebooks were clean installs of Ubuntu 20.10 with security / stable release updates of the time and on their default Linux 5.8 kernel. The out-of-the-box / default mitigation performance was tested on each notebook followed by re-testing the same laptop and software stack after booting with mitigations=off.

    Here is the geometric mean of all the results before digging into the individual data points, but as you can see mitigations=off was of noticeable help to the older Kaby Lake R and Whiskey Lake processors, previous-generation Ice Lake was of some help but less given more hardware mitigations, and now with Tiger Lake the tables have turned where disabling the mitigations actually hurt the performance.
