Linux Weekly News
[$] Creating an SSH honeypot
Many developers use SSH to access their systems, so it is not surprising
that SSH servers are widely attacked. During the FOSDEM 2021 conference,
Sanja Bonic and Janos Pasztor reported
on their experiment using containers as a way to easily create
SSH honeypots — fake servers that allow administrators to observe the actions of
attackers without risking a production system. The
conversational-style talk walked the audience through the process of
setting up an SSH server to play the role of the honeypot, showed what
SSH attacks look like, and gave a number of suggestions on how to
improve the security of SSH servers.
Security updates for Thursday
Security updates have been issued by Debian (zeromq3), Oracle (dotnet, dotnet3.1, python3, and wpa_supplicant), and Red Hat (wpa_supplicant).
[$] LWN.net Weekly Edition for March 11, 2021
The LWN.net Weekly Edition for March 11, 2021 is available.
[$] A vulnerability in Git
A potentially nasty vulnerability in the Git
distributed revision-control system was disclosed on March 9. There are enough
qualifiers in the description of the vulnerability that it may appear to be
fairly narrowly focused—and it is. That may make it less worrisome, but
it is not entirely clear. As with most vulnerabilities, it all depends on how
the software is being used and the environment in which it is running.
[$] Python exception groups
Exceptions in
Python are a mechanism used to report errors (of an
exceptional variety); programs can be and are written to expect and handle
certain types of exceptions using try and except. But
exceptions were originally meant to report a single error event and, these
days, things are a tad more complicated than that. A recent Python
Enhancement Proposal (PEP) targets adding exception groups, as well as new
syntax to catch and handle the groups.
Security updates for Wednesday
Security updates have been issued by Debian (kernel and privoxy), Fedora (libtpms, privoxy, and x11vnc), openSUSE (chromium), Red Hat (.NET 5.0, .NET Core, .NET Core 2.1, .NET Core 3.1, dotnet, and dotnet3.1), SUSE (git, kernel, openssl-1_1, and wpa_supplicant), and Ubuntu (git and openssh).
The Linux Foundation's "sigstore" project
The Linux Foundation has announced
a project called sigstore; its purpose is
to protect against supply-chain attacks by signing (and verifying) release
artifacts. "Very few open source projects cryptographically sign
software release artifacts. This is largely due to the challenges software
maintainers face on key management, key compromise / revocation and the
distribution of public keys and artifact digests. In turn, users are left
to seek out which keys to trust and learn steps needed to validate
signing. Further problems exist in how digests and public keys are
distributed, often stored on websites susceptible to hacks or a README file
situated on a public git repository. sigstore seeks to solve these issues
by utilization of short lived ephemeral keys with a trust root leveraged
from an open and auditable public transparency logs."
A Git security release
Several new versions of the Git source-code management system have been
released; they fix a vulnerability that could allow a hostile remote
repository to execute code locally during a clone operation.
Only users with case-insensitive filesystems are affected, reducing
the set of possible targets considerably, but an update still seems like a
good idea.
Linaro to release monthly GNU Toolchain integration builds
Linaro Ltd has announced the first GNU Toolchain integration build. "Every six months, Arm releases the official GNU Toolchain release for Arm architectures for the purpose of production. Linaro will bridge the gap between the official releases by delivering monthly integration builds which offer users a snapshot of the upstream build. Although not supported, having access to these builds will allow developers to test features from a pre-built binary as soon as it lands upstream. The builds will also enable companies to check their BSP (Board Support Package) release will work with newer toolchains without having to wait for an official release."
Three stable kernels
Security updates for Tuesday
Security updates have been issued by Fedora (firefox, kernel, kernel-headers, kernel-tools, libebml, and wpa_supplicant), openSUSE (mbedtls), Oracle (kernel, kernel-container, and screen), Red Hat (curl, kernel, kernel-rt, kpatch-patch, nss-softokn, python, and virt:rhel and virt-devel:rhel), Scientific Linux (screen), SUSE (389-ds, crmsh, openldap2, openssl-1_0_0, and wpa_supplicant), and Ubuntu (glib2.0, gnome-autoar, golang-1.10, golang-1.14, and libzstd).
[$] Linux 5.12's very bad, double ungood day
The -rc kernels released by Linus Torvalds exist for a reason: after 10,000
or so changes flow into the kernel over a two-week merge window, there will
surely be some bugs in need of squashing. The -rc kernels provide an
opportunity for wider testing after all those patches have been
integrated. Most of the time, -rc kernels (even the initial -rc1 releases)
are surprisingly safe to run. Occasionally, though, something goes wrong,
giving early testers reason to reconsider their life choices. The 5.12-rc1
kernel, as it turns out, was one of those.
Security updates for Monday
Security updates have been issued by Debian (activemq, libcaca, libupnp, mqtt-client, and xcftools), Fedora (ceph, mupdf, nagios, python-PyMuPDF, and zathura-pdf-mupdf), Mageia (cups, kernel, pngcheck, and python-pygments), openSUSE (bind, chromium, gnome-autoar, kernel, mbedtls, nodejs8, and thunderbird), and Red Hat (nodejs:10, nodejs:12, nodejs:14, screen, and virt:8.2 and virt-devel:8.2).
NGI POINTER offers funding for internet/web architects
The NGI POINTER organization, which
is funded by the European Commission, has put out its second open call
for providing development/research funding; the first open call
was in April 2020. This time around, the organization is looking for
individuals or projects that are working on "changing the Internet
and Web with European Values at its core". The goal is to
"support promising bottom-up projects that are able to build, on top
of state-of-the-art research, scalable protocols and tools to assist in the
practical transition or migration to new or updated technologies, whilst
keeping European Values at the core". Those interested may want to
look at some of the previously funded
projects; more information can also be found
in the Work
Programme [PDF].
Sunday's surfeit of stable kernels
Kernel prepatch 5.12-rc2
Linus has released 5.12-rc2 a little sooner
than would normally be expected due to the
problems with 5.12-rc1. "Other than that it all looks pretty
normal".
[$] Lockless patterns: full memory barriers
The first two articles in this series introduced four ways to order memory
accesses: load-acquire and store-release operations in the first installment, read and
write memory barriers in the second. The series continues
with an exploration of full memory barriers, why they are more expensive,
and how they are used in the kernel.
Security updates for Friday
Security updates have been issued by Fedora (389-ds-base, dogtag-pki, dpdk, freeipa, isync, openvswitch, pki-core, and screen), Mageia (bind, chromium-browser-stable, gnome-autoar, jasper, openldap, openssl and compat-openssl10, screen, webkit2, and xpdf), Oracle (grub2), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, nodejs:10, and nodejs:12), SUSE (freeradius-server), and Ubuntu (wpa).
[$] BPF meets io_uring
Over the last couple of years, a lot of development effort has gone into
two kernel subsystems:
BPF and
io_uring. The BPF virtual machine allows
programs from user space to be safely run within the context of the kernel,
while io_uring addresses the longstanding problem of running system calls
asynchronously. As the two subsystems expand, it was inevitable that the
two would eventually meet; the first encounter happened in mid-February
with this patch
set from Pavel Begunkov adding the ability to run BPF programs from
within io_uring.
LWN.net is a comprehensive source of news and opinions from
and about the Linux community. This is the main LWN.net feed,
listing all articles which are posted to the site front page.