Linux Weekly News

Security updates for Thursday

3 years 10 months ago
Security updates have been issued by Fedora (ansible, chromium, kernel, mupdf, python-PyMuPDF, rust, and zathura-pdf-mupdf), openSUSE (qemu and webkit2gtk3), Red Hat (firefox and kpatch-patch), Scientific Linux (firefox), SUSE (qemu, tomcat, and webkit2gtk3), and Ubuntu (firefox and thunderbird).
jake

[$] Trojan Source: tricks (no treats) with Unicode

3 years 10 months ago
A new security vulnerability that was disclosed on November 1 has some interesting properties. "Trojan Source", as it has been dubbed, is effectively an attack on human perceptions, especially as they are filtered through the tools used for source-code review. While the specifics of the flaw are new, this kind of trickery is not completely novel, but Trojan Source finds another way to confuse the humans who are in the loop.
jake

Security updates for Wednesday

3 years 10 months ago
Security updates have been issued by Fedora (CuraEngine, curl, firefox, php, and vim), openSUSE (apache2, pcre, salt, transfig, and util-linux), Oracle (.NET 5.0, curl, kernel, libsolv, python3, samba, and webkit2gtk3), and Red Hat (flatpak).
ris

[$] Adding package information to ELF objects

3 years 10 months ago
While it is often relatively straightforward to determine what package provided a binary that is misbehaving—crashing for instance—on Fedora and other Linux distributions, there are situations where it may be harder to do so. A feature recently proposed for Fedora 36—currently scheduled for the end of April 2022—would embed information into the binaries themselves to show where they came from. It is part of a multi-distribution effort to standardize how this information is stored in the binaries (and the libraries they use) to assist crash-reporting and other tools.
jake

Firefox 94.0 and Firefox ESR 91.3.0

3 years 10 months ago
Firefox 94.0 has been released. Linux users should see improved WebGL performance and reduced power consumption for many workloads. The about:unloads page shows the user information about open tabs and allows them to release system resources by unloading tabs without closing them. Site Isolation provides better protection against side-channel attacks. See the announcement for more new features in this release.

Firefox ESR 91.3 is also available, with various stability, functionality, and security fixes.

ris

Security updates for Tuesday

3 years 10 months ago
Security updates have been issued by Debian (asterisk, bind9, glusterfs, and openjdk-11), Fedora (ansible and CuraEngine), openSUSE (mailman and opera), Oracle (binutils and flatpak), Red Hat (curl, flatpak, java-1.8.0-ibm, kernel, kernel-rt, libsolv, python3, samba, and webkit2gtk3), Scientific Linux (binutils and flatpak), SUSE (binutils and transfig), and Ubuntu (ceph and mailman).
ris

Fedora 35 released

3 years 10 months ago
The Fedora 35 release has been announced.

No matter what variant of Fedora you use, you’re getting the latest the open source world has to offer. Following our “First” foundation, we’ve updated key programming language and system library packages, including Python 3.10, Perl 5.34, and PHP 8.0. Fedora Linux 35 also includes the 1.0 release of firewalld, the modern firewall service.

Some more information can be found in this "what's new" article.

corbet

Folios merged for 5.16

3 years 10 months ago
The long-running and sometimes acrimonious discussion on the memory folio patch set has come to an end: the folio patches were the first thing pulled into the mainline repository for the 5.16 development cycle. Now the developers involved just have to do all of the other work identified as necessary to clean up the memory-management subsystem and isolate it from other parts of the kernel.
corbet

FSF: Free Software Awards nominations sought

3 years 10 months ago
The Free Software Foundation has opened nominations for the Free Software Awards. Nominations are open until November 30.

The dedication of the developers, documentation writers, community organizers, and volunteers of the free software movement is what has helped us all live liberation in the years the free software movement has been active. Just using free software makes you part of our collective journey to freedom, but some go above and beyond in their dedication to the free software movement. Now, it's time for us to show those community members and projects that we appreciate their vital work.

[...] Maybe you've been inspired by the work of a particular member of the free software community, or have been impressed by the great strides made by a project that incorporates free software into their platform for social change.

ris

[$] Some 5.15 development statistics

3 years 10 months ago
The 5.15 kernel was released on October 31, with the code name appropriately changed to "Trick or Treat". By that time, 12,377 non-merge changesets had been merged into the mainline, adding a net total of 332,000 lines of code. Read on for a look at where the contributions to the 5.15 kernel came from.
corbet

Security updates for Monday

3 years 10 months ago
Security updates have been issued by Arch Linux (bind, chromium, freerdp, opera, webkit2gtk, and wpewebkit), Debian (cron, cups, elfutils, ffmpeg, libmspack, libsdl1.2, libsdl2, opencv, and tiff), Fedora (java-latest-openjdk, stb, and thunderbird), Mageia (cairo, cloud-init, docker, ffmpeg, libcaca, php, squid, and webkit2), openSUSE (busybox, chromium, civetweb, containerd, docker, runc, dnsmasq, fetchmail, flatpak, go1.16, krb5, ncurses, python, python-Pygments, squid, strongswan, transfig, virtualbox, wireguard-tools, and xstream), Red Hat (binutils, devtoolset-10-gcc, and flatpak), SUSE (libvirt, opensc, and transfig), and Ubuntu (webkit2gtk).
ris

The "Trojan Source" vulnerability

3 years 10 months ago
The latest branded and trademarked vulnerability type is called "Trojan Source". By playing tricks with Unicode bidirectional support, an attacker can create malicious code that appears to be benign to reviewers. "The attack is to use control characters embedded in comments and strings to reorder source code characters in a way that changes its logic." Various releases, including Rust 1.56.1, are being made to address this problem.
corbet

The 5.15 kernel has been released

3 years 10 months ago
Linus has released the 5.15 kernel after another nine-week development cycle.

This release may have started out with some -Werror pain, but it calmed down fairly quickly and on the whole 5.15 was fair small and calm. Let's hope for more of the same - without Werror issues this time - for the upcoming merge window.

The code name for this release has been set to "Trick or Treat".

Significant features in this release include: the realtime preemption locking code, descriptorless files for io_uring, BPF timers, the removal of mandatory file-locking support, the ksmbd SMB filesystem server (but see this article), printk() indexing, the process_mrelease() system call, the DAMON memory-management optimization system, the ntfs3 filesystem implementation, and much more. See the KernelNewbies 5.15 page for more information.

corbet

Yocto Project 3.4 (Honister) released

3 years 10 months ago
Version 3.4 of The Yocto Project has been released. Yocto provides a system for building embedded Linux distributions. This release comes with "Linux kernel 5.14, glibc 2.34 and ~280 other recipe upgrades", support for building and cross-compiling Rust code, tons of new recipes, a way to create a SPDX bill of materials (BoM), overlayfs and seccomp support, optimizations, bug fixes, and more. The full release notes have further information.
jake

[$] Fedora considers removing NIS support

3 years 10 months ago
For all of you youngsters out there, the Internet has always been omnipresent, computers are something you carry in your pocket, the Unix wars are about as relevant as the War of 1812, and the term "NIS" doesn't ring a bell. But, for a certain class of Unix old-timer, NIS has a distinct place in history — and, perhaps, in still-deployed systems. So the suggestion that Fedora might drop support for NIS has proved to be a bit of a wakeup call for some.
corbet

Security updates for Friday

3 years 10 months ago
Security updates have been issued by Debian (bind9, gpsd, jbig2dec, libdatetime-timezone-perl, tzdata, webkit2gtk, and wpewebkit), Fedora (flatpak, java-1.8.0-openjdk, java-11-openjdk, and php), SUSE (qemu), and Ubuntu (bind9).
jake

Software Freedom Conservancy's DMCA Exemption Requests Granted

3 years 10 months ago
Software Freedom Conservancy has had several exemptions granted that it requested to the Digital Millennium Copyright Act (DMCA) by the US Library of Congress for activities of interest to free-software developers:

Software Freedom Conservancy is proud to announce that its efforts to stand up for the rights of FOSS developers have been successful and that it has been granted almost all of the exemptions that it requested in the Librarian of Congress' recent rule making, according to the final rule Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies, which was published today. Effective today, the Librarian of Congress ("LoC") granted DMCA exemptions for installing alternate firmwares on routers and for investigating copyleft compliance, and the exemption that Software Freedom Conservancy previously applied for and received on Smart TVs was also expanded. While our formal request to extend the security research exemption to include privacy research was not granted, the Register clarified that privacy research is indeed included in security research. Our executive director, Karen Sandler, also participated as an individual in a request to expand the existing exemption for medical devices which was also successful.
jake

[$] Debian's which hunt

3 years 10 months ago
One does not normally expect to see a great deal of angst over a one-page shell script, even on the Internet. But Debian is special, so it has been having an extended discussion over the fate of the which command that has been escalated to the Debian Technical Committee. The amount of attention that has been given to a small, nonstandard utility shines a light on Debian's governance processes and the interaction of tradition with standards.
corbet
Checked
15 minutes ago
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.