Linux Weekly News

Security updates for Monday

3 years 2 months ago
Security updates have been issued by Debian (cyrus-imapd, exo, sleuthkit, slurm-wlm, vim, and vlc), Fedora (golang-github-docker-libnetwork, kernel, moby-engine, ntfs-3g-system-compression, python-cookiecutter, python2.7, python3.6, python3.7, python3.8, python3.9, rubygem-mechanize, and webkit2gtk3), Mageia (bluez, dnsmasq, exempi, halibut, and php), Oracle (.NET 6.0, .NET Core 3.1, and xz), SUSE (chafa, firejail, kernel, python-Twisted, and tensorflow2), and Ubuntu (intel-microcode).
jake

Kernel prepatch 5.19-rc3

3 years 2 months ago
The 5.19-rc3 kernel prepatch is out for testing. "5.19-rc3 is fairly small, and just looking at the diffstat, a lot of it ends up being in the documentation subdirectory. With another chunk in selftests."
corbet

[$] A new LLVM CFI implementation

3 years 2 months ago
Some kernel features last longer than others. Support for forward-edge control-flow integrity (CFI) for kernels compiled with LLVM was added to the 5.13 kernel, but now there is already a replacement knocking on the door. Control-flow integrity will remain, but the new implementation will be significantly different — and seemingly better in a number of ways.
corbet

Tor Project 2020-2021 annual report

3 years 2 months ago
The Tor Project has released a new annual report.

One element of this year's work that inspires me, and shows the power of the Tor community, is the response to the internet censorship in Russia and Ukraine. The entire Tor community immediately jumped into action to keep people online. Seeing this passion in action, while keeping tens of thousands of Russians connected to the open internet, has been inspiring.

corbet

Security updates for Friday

3 years 2 months ago
Security updates have been issued by Fedora (kernel, liblouis, ntfs-3g, php, shim, shim-unsigned-aarch64, shim-unsigned-x64, thunderbird, and vim), Mageia (chromium-browser-stable and golang), Red Hat (grub2, mokutil, and shim and grub2, mokutil, shim, and shim-unsigned-x64), SUSE (389-ds, apache2, kernel, mariadb, openssl, openssl-1_0_0, rubygem-actionpack-5_1, rubygem-activesupport-5_1, and vim), and Ubuntu (exempi, kernel, linux, linux-aws, linux-aws-hwe, linux-aws-5.13, linux-aws-5.4, linux-azure, linux-azure-4.15, linux-azure-5.13, linux-azure-5.4, linux-azure-fde, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-gcp-5.13, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe, linux-hwe-5.13, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-intel-5.13, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-oracle, linux-oracle-5.13, linux-oracle-5.4, and spip).
jake

[$] Fedora, FFmpeg, Firefox, Flatpak, and Fusion

3 years 2 months ago
Fedora's objective to become the desktop Linux distribution of choice has long been hampered by Red Hat's risk-averse legal department, which strictly limits the type of software that Fedora can ship. Specifically, anything that might be encumbered by patents is off-limits, with the result that much of the media that users might find on the net is unplayable. This situation has improved over the years as the result of a lot of work within the Fedora project, but it still puts Fedora at a disadvantage relative to some other distributions. A recent discussion on video support, though, shines a light on how some surprising legal reasoning may be providing a way out of this problem; that way may not be pleasing to all involved, however.
corbet

Security updates for Thursday

3 years 2 months ago
Security updates have been issued by Fedora (containerd, golang-github-containerd-cni, golang-github-containernetworking-cni, golang-x-sys, kernel, and qt5-qtbase), Oracle (kernel, kernel-container, microcode_ctl, subversion:1.14, and xz), Red Hat (.NET 6.0, .NET Core 3.1, cups, and xz), Scientific Linux (xz), SUSE (caddy, chromium, librecad, libredwg, varnish, and webkit2gtk3), and Ubuntu (bluez).
jake

[$] Remote participation at LSFMM

3 years 2 months ago
As with many conferences these days, the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM) had a virtual component. The main rooms were equipped with a camera trained on the podium, thus the session leader, so that remote participants could watch; this camera connected into a Zoom conference that allowed participation from afar. In a session near the end of the conference, led by conference organizer Josef Bacik, remote participants were invited to share their experiences—on camera—with those who were there in person. It was an opportunity to discuss what went right—and wrong—with an eye toward improving the experience for future events.
jake

[$] A discussion on readahead

3 years 2 months ago
Readahead is an I/O optimization that causes the system to read more data than has been requested by an application—in the belief that the extra data will be requested soon thereafter. At the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM), Matthew Wilcox led a session to discuss readahead, especially as it relates to network filesystems, with assistance from Steve French and David Howells. The latency of the underlying storage needs to factor into the calculation of how much data to read in advance, but it is not entirely clear how to do so.
jake

Processor MMIO stale-data vulnerabilities

3 years 2 months ago
The mainline kernel has just received a set of patches addressing a new set of (seemingly) Intel-specific hardware vulnerabilities.

Processor MMIO Stale Data Vulnerabilities are a class of memory-mapped I/O (MMIO) vulnerabilities that can expose data. The sequences of operations for exposing data range from simple to very complex. Because most of the vulnerabilities require the attacker to have access to MMIO, many environments are not affected. System environments using virtualization where MMIO access is provided to untrusted guests may need mitigation. These vulnerabilities are not transient execution attacks. However, these vulnerabilities may propagate stale data into core fill buffers where the data can subsequently be inferred by an unmitigated transient execution attack. Mitigation for these vulnerabilities includes a combination of microcode update and software changes, depending on the platform and usage model.

Three separate CVE numbers have been issued for variants of this vulnerability; more information can be found in this documentation patch. Stable updates containing these fixes are in the review process and should be released shortly.

corbet

Security updates for Wednesday

3 years 3 months ago
Security updates have been issued by Red Hat (.NET 6.0 and log4j), SUSE (389-ds, grub2, kernel, openssl-1_1, python-Twisted, webkit2gtk3, and xen), and Ubuntu (php7.2, php7.4, php8.0, php8.1 and util-linux).
corbet

The "Hertzbleed" vulnerability

3 years 3 months ago
Today's branded, logo-equipped vulnerability is known as Hertzbleed; it affects x86 processors (at least) and can be exploited in some situations to extract cryptographic keys from a remote server.

Hertzbleed takes advantage of our experiments showing that, under certain circumstances, the dynamic frequency scaling of modern x86 processors depends on the data being processed. This means that, on modern processors, the same program can run at a different CPU frequency (and therefore take a different wall time) when computing, for example, 2022 + 23823 compared to 2022 + 24436.

corbet

[$] Zoned storage

3 years 3 months ago
Zoned storage is a form of storage that offers higher capacities by making tradeoffs in the kinds of writes that are allowed to the device. It was the topic of a storage and filesystem session led by Luis Chamberlain at the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM). Over the years, zoned storage has been a frequent topic at LSFMM, going back to LSFMM 2013, where support for shingled magnetic recording (SMR) devices, which were the starting point for zoned storage, was discussed.
jake

"Total cookie protection" from Firefox

3 years 3 months ago
Mozilla has announced the enabling of its "total cookie protection" feature in all versions of the Firefox browser.

Total Cookie Protection works by creating a separate “cookie jar” for each website you visit. Instead of allowing trackers to link up your behavior on multiple sites, they just get to see behavior on individual sites. Any time a website, or third-party content embedded in a website, deposits a cookie in your browser, that cookie is confined to the cookie jar assigned to only that website. No other websites can reach into the cookie jars that don’t belong to them and find out what the other websites’ cookies know about you.

corbet

Plasma 5.25.0 released

3 years 3 months ago
Version 5.25.0 of the KDE-based Plasma desktop has been released. New features include support for touchpad and touchscreen gestures, an "overview" mode for navigating between windows, additional color configuration options, and more.
corbet

Security updates for Tuesday

3 years 3 months ago
Security updates have been issued by Fedora (golang-github-docker-libnetwork and moby-engine), Mageia (apache, docker-containerd, kernel, kernel-linus, nats-server, and php-smarty), Slackware (php), SUSE (gimp, grub2, thunderbird, u-boot, and xen), and Ubuntu (firefox, liblouis, ncurses, and rsync).
corbet
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.