Linux Weekly News

Security updates for Wednesday

3 years 5 months ago
Security updates have been issued by Debian (openssl and python-scrapy), openSUSE (chrony, expat, java-1_8_0-openj9, libqt5-qtbase, openssl-1_0_0, php7, rust, rust1.58, and rust1.59), Oracle (389-ds:1.4, httpd:2.4, libarchive, libxml2, and vim), Red Hat (389-ds:1.4, glibc, httpd:2.4, kpatch-patch, libarchive, libxml2, vim, and virt:rhel and virt-devel:rhel), SUSE (chrony, compat-openssl098, expat, libqt5-qtbase, openssl, openssl-1_0_0, openssl-1_1, openssl1, php7, rust, rust1.58, rust1.59, and squid3), and Ubuntu (libreoffice, netkit-rsh, openssl, openssl, openssl1.0, tar, and tcpdump).
corbet

[$] Removing SHA-1 for signatures in Fedora

3 years 5 months ago
Disruptive changes are not much fun for anyone involved, though they may be necessary at times. Moving away from the SHA-1 hash function, at least for cryptographic purposes, is probably one of those necessary disruptive changes. There are better alternatives to SHA-1, which has been "broken" from a cryptographic perspective for quite some time now, and most of the software components that make up a distribution can be convinced to use other hash functions. But there are still numerous hurdles to overcome in making that kind of a switch, as a recent discussion on the Fedora devel mailing list shows.
jake

A remotely exploitable OpenSSL/LibreSSL vulnerability

3 years 5 months ago
The OpenSSL project has disclosed a vulnerability wherein an attacker presenting a malicious certificate can cause the execution of an infinite loop. It is thus a denial-of-service vulnerability for any application — server or client — that handles certificates from untrusted sources. The OpenSSL 3.0.2 and 1.1.1n releases contain fixes for the problem. This advisory makes it clear that LibreSSL, too, suffers from this vulnerability; updated releases are available there too.
corbet

Red Hat fails to take WeMakeFedora.org

3 years 5 months ago
Red Hat recently filed a request to have the domain name WeMakeFedora.org transferred from its current owner, Daniel Pocock, alleging trademark violations, bad faith, and more. The judgment that came back will not have been to the company's liking:

The Panel finds that Respondent is operating a genuine, noncommercial website from a domain name that contains an appendage ("we make") that, as noted in the Response, is clearly an identifier of contributors to Complainant’s website. In registering the domain name using an appendage that identifies Complainant’s contributors, Respondent is not attempting to impersonate Complainant nor misleadingly to divert Internet users. Rather, Respondent is using the FEDORA mark in the domain name to identify Complainant for the purpose of operating a website that contains some criticism of Complainant. Such use is generally described as "fair use" of a trademark.

The judgment concludes with a statement that this action was an abuse of the process.

corbet

An OpenStreetMap viewer for Emacs

3 years 5 months ago
For those who do everything in the Emacs editor: the ELPA repository has just gained an OpenStreetMap viewer. A quick test suggests that it works reasonably well.
corbet

gcobol: a native COBOL compiler

3 years 5 months ago
The gcobol project has announced its existence; it is a compiler for the COBOL language currently implemented as a fork of GCC.

There's another answer to Why: because a free Cobol compiler is an essential component to any effort to migrate mainframe applications to what mainframe folks still call "distributed systems". Our goal is a Cobol compiler that will compile mainframe applications on Linux. Not a toy: a full-blooded replacement that solves problems. One that runs fast and whose output runs fast, and has native gdb support.

The developers hope to merge back into GCC after the project has advanced further.

corbet

Security updates for Tuesday

3 years 5 months ago
Security updates have been issued by Debian (spip), Fedora (chromium), Mageia (chromium-browser-stable, kernel, kernel-linus, and ruby), openSUSE (firefox, flac, java-11-openjdk, protobuf, tomcat, and xstream), Oracle (thunderbird), Red Hat (kpatch-patch and thunderbird), Scientific Linux (thunderbird), Slackware (httpd), SUSE (firefox, flac, glib2, glibc, java-11-openjdk, libcaca, SDL2, squid, sssd, tomcat, xstream, and zsh), and Ubuntu (zsh).
corbet

Improving the reliability of file system monitoring tools (Collabora blog)

3 years 6 months ago
Gabriel Krisman Bertazi describes the new FAN_FS_ERROR event type added to the fanotify mechanism in 5.16.

This is why we worked on a new mechanism for closely monitoring volumes and notifying recovery tools and sysadmins in real-time that an error occurred. The feature, merged in kernel 5.16, won't prevent failures from happening, but will help reduce the effects of such errors by guaranteeing any listener application receives the message. A monitoring application can then reliably report it to system administrators and forward the detailed error information to whomever is unlucky enough to be tasked with fixing it.

corbet

[$] Triggering huge-page collapse from user space

3 years 6 months ago
When the kernel first gained support for huge pages, most of the work was left to user space. System administrators had to set aside memory in the special hugetlbfs filesystem for huge pages, and programs had to explicitly map memory from there. Over time, the transparent huge pages mechanism automated the task of using huge pages. That mechanism is not perfect, though, and some users feel that they have better knowledge of when huge-page use makes sense for a given process. Thus, huge pages are now coming full circle with this patch set from Zach O'Keefe returning huge pages to user-space control.
corbet

Security updates for Monday

3 years 6 months ago
Security updates have been issued by Debian (expat, haproxy, libphp-adodb, nbd, and vim), Fedora (chromium, cobbler, firefox, gnutls, linux-firmware, radare2, thunderbird, and usbguard), Mageia (gnutls), Oracle (.NET 5.0, .NET 6.0, .NET Core 3.1, firefox, and kernel), SUSE (firefox, tomcat, and webkit2gtk3), and Ubuntu (libxml2 and nbd).
jake

Kernel prepatch 5.17-rc8

3 years 6 months ago
Linus has released 5.17-rc8 rather than the final 5.17 kernel.

Last week was somewhat messy, mostly because of embargoed patches we had pending with another variation of spectre attacks. And while the patches were mostly fine, we had the usual "because it was hidden, all our normal testing automation didn't see it either".

And once the automation sees things, it tests all the insane combinations that people don't tend to actually use or test in any normal case, and so there was a (small) flurry of fixes for the fixes.

None of this was really surprising, but I naïvely thought I'd be able to do the final release this weekend anyway.

And honestly, I considered it. I don't think we really have any pending issues that would hold up a release, but on the other hand we also really don't have any reason _not_ to give it another week with all the proper automated testing. So that's what I'm doing, and as a result we have an -rc8 release today instead of doing a final 5.17.

corbet

[$] Random numbers and virtual-machine forks

3 years 6 months ago
One of the key characteristics of a random-number generator (RNG) is its unpredictability; by definition, it should not be possible to know what the next number to be produced will be. System security depends on this unpredictability at many levels. An attacker who knows an RNG's future output may be able to eavesdrop on (or interfere with) network conversations, compromise cryptographic keys, and more. So it is a bit disconcerting to know that there is a common event that can cause RNG predictability: the forking or duplication of a virtual machine. Linux RNG maintainer Jason Donenfeld is working on a solution to this problem.
corbet

Security updates for Friday

3 years 6 months ago
Security updates have been issued by Debian (nbd, ruby-sidekiq, tryton-proteus, and tryton-server), Mageia (shapelib and thunderbird), openSUSE (minidlna, python-libxml2-python, python-lxml, and thunderbird), Oracle (kernel, kernel-container, and python-pip), Red Hat (.NET 5.0, .NET 6.0, .NET Core 3.1, firefox, kernel, and kernel-rt), Scientific Linux (firefox), SUSE (openssh, python-libxml2-python, python-lxml, and thunderbird), and Ubuntu (expat, firefox, and subversion).
jake

[$] Toward a better list iterator for the kernel

3 years 6 months ago
Linked lists are conceptually straightforward; they tend to be taught toward the beginning of entry-level data-structures classes. It might thus be surprising that the kernel community is concerned about its longstanding linked-list implementation and is not only looking for ways to solve some problems, but has been struggling to find that solution. It now appears that some improvements might be at hand: after more than 30 years, the kernel developers may have found a better way to safely iterate through a linked list.
corbet

Security updates for Thursday

3 years 6 months ago
Security updates have been issued by Debian (firefox-esr and kernel), Fedora (cyrus-sasl, mingw-protobuf, and thunderbird), Mageia (kernel-linus), openSUSE (firefox, kernel, and libcaca), Oracle (.NET 6.0, kernel, kernel-container, and ruby:2.5), Slackware (mozilla-thunderbird), and SUSE (firefox, mariadb, and tomcat).
jake

[$] Fedora considers curl-minimal

3 years 6 months ago
The curl utility is a command-line program (and associated library) for interacting with various network protocols; it is commonly used to do things like transferring data from a remote server over HTTP or HTTPS using a URL. But curl also supports a lot more protocols, some of which are probably rarely used, obsolete, deprecated, or all three. As a recent discussion on the Fedora devel mailing list shows, though, it is hard to find agreement that support for only some of those protocols should be installed by default, while others might be left in an optional package for those who need them.
jake
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.