3 years 6 months ago
Intel has announced the acquisition of Linutronix.
Linutronix is comprised of a team of highly qualified and motivated
employees with a wealth of experience and involvement in the
ongoing development of Linux. Led by CEO Heinz Egger and CTO Thomas
Gleixner, Linutronix is the architect of PREEMPT_RT (Real Time) and
the leading technology provider for industrial Linux. Gleixner has
been the principal maintainer of x86 architecture in the Linux
kernel since 2008.
The plan is evidently to continue to run Linutronix as an independent
company rather than absorbing it into Intel.
corbet
3 years 6 months ago
OpenSSH 8.9 has been released. This version includes a fix for a
"security near miss" and removes support for MD5-hashed
passwords. It also includes a new mechanism to restrict the
forwarding of keys in ssh-agent, various FIDO improvements, a new
"post-quantum" key-exchange algorithm, and more.
corbet
3 years 6 months ago
Security updates have been issued by Debian (expat), Fedora (php and vim), Mageia (cpanminus, expat, htmldoc, nodejs, polkit, util-linux, and varnish), Red Hat (389-ds-base, curl, kernel, kernel-rt, openldap, python-pillow, rpm, sysstat, and unbound), Scientific Linux (389-ds-base, kernel, openldap, and python-pillow), and Ubuntu (cyrus-sasl2, linux-oem-5.14, and php7.0).
corbet
3 years 6 months ago
Regular expressions are a common feature of computer languages, especially
higher-level languages like Ruby, Perl, Python, and others, for doing
fairly sophisticated text-pattern matching. Some languages, including
Perl, incorporate regular expressions into the language itself,
while others have classes or libraries that come with the language
installation. Python's standard library has the re module,
which provides facilities for working with regular expressions; as a recent
discussion on the python-ideas mailing list shows, though, that module has
somewhat fallen by the wayside in recent times.
jake
3 years 6 months ago
Security updates have been issued by Fedora (java-1.8.0-openjdk-aarch32, radare2, and zsh), openSUSE (ImageMagick and systemd), Red Hat (kpatch-patch, Service Telemetry Framework 1.3 (sg-core-container), and Service Telemetry Framework 1.4 (sg-core-container)), SUSE (ImageMagick, kernel-rt, nodejs12, php74, systemd, ucode-intel, and xerces-j2), and Ubuntu (c3p0, expat, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-oracle, linux-snapdragon, linux, linux-aws, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-oracle, linux-oracle-5.4, and linux-gke).
corbet
3 years 6 months ago
The call stack is a favorite target for attackers attempting to compromise
a running process; if an attacker finds a way to overwrite a return address
on the stack, they can redirect control to code of their choosing, leading
to a situation best described as "game over". As a result, a great deal of
effort has gone into protecting the stack. One technique that offers
promise is a shadow stack; support for shadow stacks is thus duly showing up in
various processors. Support for protecting user-space applications with
shadow stacks is taking a bit longer; it is currently under discussion
within the kernel community, but adding this feature is trickier than one
might think. Among other things, these patches have been around for long
enough that they have developed some backward-compatibility problems of
their own.
corbet
3 years 6 months ago
Longtime FOSS contributor and advocate Sven Guckes has died at 55. A
Twitter posting and news article (both in German) describe the Berlin-based Guckes as someone who was always ready to help users get the most out of their systems on Usenet and IRC. His
home page and a Hacker News posting have more information as well. RIP.
(Thanks to Martin Michlmayr.)
jake
3 years 6 months ago
Security updates have been issued by Debian (php7.4, redis, snapd, twisted, webkit2gtk, and wpewebkit), Fedora (cyrus-imapd, nodejs, phpMyAdmin, polkit, snapd, webkit2gtk3, and xen), Gentoo (chromium), openSUSE (jaw, kubevirt, virt-api-container, opera, polkit, and sphinx), Red Hat (ruby:2.6), Slackware (expat), and SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container and polkit).
jake
3 years 6 months ago
Google's Project Zero blog looks at how quickly the vulnerabilities
it has reported over the last three years have been fixed.
From this, we can see a few things: first of all, the overall time
to fix has consistently been decreasing, but most significantly
between 2019 and 2020. Microsoft, Apple, and Linux overall have
reduced their time to fix during the period, whereas Google sped up
in 2020 before slowing down again in 2021. Perhaps most
impressively, the others not represented on the chart have
collectively cut their time to fix in more than half, though it's
possible this represents a change in research targets rather than a
change in practices for any particular vendor.
The report also says that Linux vulnerabilities were fixed more quickly
than any other.
corbet
3 years 6 months ago
The 5.17-rc5 kernel prepatch is out for
testing. "Things continue to look pretty much normal. There are
fixes all over the place, but no more than usual for this time of the
release".
corbet
3 years 6 months ago
People are attracted to free software for a number of reasons, including
price, overall quality, community support, and available features. But,
for many of us, the
value of free software is to be found in its ability to allow us to
actually own and maintain control over our systems. Antifeatures in free
software tend
not to last long, and free drivers can often unlock capabilities of the
hardware that its vendors may not have seen fit to make available. Intel's
upcoming "software defined silicon" (SDSi) mechanism may reduce that control,
though, by taking away access to hardware features from anybody who has not
paid the requisite fees.
corbet
3 years 6 months ago
Security updates have been issued by Debian (chromium and zsh), Fedora (microcode_ctl and zziplib), Mageia (docker-containerd, mariadb, nas, phoronix-test-suite, rlwrap, thunderbird, webkit2, wireshark, zsh, and zxing-cpp), openSUSE (aide, chromium, clamav, expat, htmldoc, libmspack, libsndfile, python-Twisted, qemu, rust, strongswan, tiff, virglrenderer, and xerces-j2), Slackware (mozilla and php), SUSE (aide, clamav, cobbler, expat, kernel, libmspack, libsndfile, python-numpy, python-Twisted, qemu, rust, strongswan, tcpdump, tiff, ucode-intel, virglrenderer, wpa_supplicant, and xerces-j2), and Ubuntu (kernel, libarchive, linux-hwe-5.13, and snapd).
jake
3 years 6 months ago
Qualys has disclosed a vulnerability in the snap-confine component
of Ubuntu's Snap packaging system. "Successful exploitation of this
vulnerability allows any unprivileged user to gain root privileges on
the vulnerable host". Affected systems with untrusted users should
probably be upgraded forthwith.
corbet
3 years 6 months ago
Linus Torvalds released
the 4.4 kernel on January 10, 2016 and promptly left the building for
the greener fields of 4.5. This kernel was finished from his point of
view, but it was just beginning its life in the wider world, and became the
first long-term-stable release to be supported for more than two years.
Indeed, the 4.4 release became one of the longest-supported and most widely
used releases in the history of the kernel project (so far); it was
deployed in vast numbers of Android devices, among other places. The
final 4.4 stable
release took place on February 3, over six years after 4.4 was
"finished"; it is time to take a look at what happened to 4.4 in its
stable life.
corbet
3 years 6 months ago
Security updates have been issued by Debian (drupal7), Fedora (kernel, lua, vim, and xrdp), openSUSE (firejail, json-c, kafka, webkit2gtk3, and xorg-x11-server), Oracle (bind, firefox, ruby:2.5, ruby:2.6, and thunderbird), Red Hat (ruby:2.5 and ruby:2.6), SUSE (apache2, glibc, json-c, libvirt, webkit2gtk3, xen, and xorg-x11-server), and Ubuntu (linux-raspi, linux-raspi-5.4).
jake
3 years 6 months ago
The LWN.net Weekly Edition for February 17, 2022 is available.
corbet
3 years 6 months ago
Blocking in the kernel's random-number generator (RNG)—causing a process to
wait for "enough" entropy to generate strong random numbers—has always
been controversial. It has also led to
various kinds of problems over the years, from timeouts and delays caused
by misuse in user-space programs to deadlocks and other problems in the boot
process. That behavior has undergone a number of changes over the last few
years and it looks possible that the last vestige of the difference between
merely "good" and "cryptographic-strength" random numbers may go away in some
upcoming kernel version.
jake
3 years 6 months ago
Longtime Unix developer Lorinda Cherry passed away recently; among other
things, she was the creator of the dc and bc utilities
still in use today. See this
posting from Douglas McIlroy for many more details on her life.
corbet
3 years 6 months ago
Both Firefox and Chrome are racing toward releasing version 100 in the near
future, and developers for both browsers are worried
that web sites with naive code to parse the version number out of the
user-agent string will break.
Every strategy that adds complexity to the User-Agent string has a
strong impact on the ecosystem. Let’s work together to avoid yet
another quirky behavior. In Chrome and Firefox Nightly, you can
configure the browser to report the version as 100 right now and
report any issues you come across.
corbet
LWN.net is a comprehensive source of news and opinions from
and about the Linux community. This is the main LWN.net feed,
listing all articles which are posted to the site front page.