Linux Weekly News

Security updates have been issued by Debian (connman, firejail, libzstd, slirp, and xcftools), Fedora (chromium, jackson-databind, and privoxy), openSUSE (chromium), Oracle (kernel and kernel-container), Slackware (dnsmasq), SUSE (java-11-openjdk, kernel, and python), and Ubuntu (linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.8, linux-kvm, linux-oem-5.6, linux-oracle, linux-raspi, linux, linux-gke-5.0, linux-gke-5.3, linux-hwe, linux-raspi2-5.3, openjdk-8, openjdk-lts, and snapd).

The latest set of stable kernel updates is 5.10.15, 5.4.97, 4.19.175, 4.14.221, 4.9.257, and 4.4.257. Each contains another set of important fixes.

Google Open Source has announced the 2021 edition of Season of Docs. "In 2021, the Season of Docs program will continue to support better documentation in open source and provide opportunities for skilled technical writers to gain open source experience. In addition, building on what we’ve learned from the successful 2019 and 2020 projects, we’re expanding our focus to include learning about effective metrics for evaluating open source documentation." Open source organizations may apply to take part in Season of Docs until March 26.

Daniel Jordan looks at ktest on the Oracle Linux blog. "Where ktest is especially useful, though, is in its ability to do these things for each patch in a series, thereby freeing you from a significant amount of tedium. For your chosen configs, the series will be cleanly bisectable and won't trigger upstream build bots with easily avoided errors and warnings mid-series. (Those bots are nice for less common configs though.) Code reviewers' moods improve too because each patch will stand alone with all the necessary code."

The Python steering council has, after some discussion, accepted the controversial proposal to add a pattern-matching primitive to the language. "We acknowledge that Pattern Matching is an extensive change to Python and that reaching consensus across the entire community is close to impossible. Different people have reservations or concerns around different aspects of the semantics and the syntax (as does the Steering Council). In spite of this, after much deliberation, reviewing all conversations around these PEPs, as well as competing proposals and existing poll results, and after several in-person discussions with the PEP authors, we are confident that Pattern Matching as specified in PEP 634, et al, will be a great addition to the Python language."

Security updates have been issued by CentOS (flatpak), Debian (connman, golang-1.11, and openjpeg2), Fedora (pngcheck), Mageia (php, phppgadmin, and wpa_supplicant), openSUSE (privoxy), Oracle (flatpak and kernel), Red Hat (qemu-kvm-rhev), SUSE (kernel, python-urllib3, and python3), and Ubuntu (firefox).

Kees Cook catches up with the security-related changes in the 5.8 kernel release. "With this in place, Jump-Oriented Programming (JOP, where code gadgets are chained together with jumps and calls) is no longer available to the attacker. An attacker’s code must make direct function calls. This basically reduces the 'usable' code available to an attacker from every word in the kernel text to only function entries (or jump targets). This is a 'low granularity' forward-edge Control Flow Integrity (CFI) feature, which is important (since it greatly reduces the potential targets that can be used in an attack) and cheap (implemented in hardware). It’s a good first step to strong CFI, but (as we’ve seen with things like CFG) it isn’t usually strong enough to stop a motivated attacker."

The newly formed Rust Foundation has announced its existence. "Today, on behalf of the Rust Core team, I’m excited to announce the Rust Foundation, a new independent non-profit organization to steward the Rust programming language and ecosystem, with a unique focus on supporting the set of maintainers that govern and develop the project. The Rust Foundation will hold its first board meeting tomorrow, February 9th, at 4pm CT. The board of directors is composed of 5 directors from our Founding member companies, AWS, Huawei, Google, Microsoft, and Mozilla, as well as 5 directors from project leadership, 2 representing the Core Team, as well as 3 project areas: Reliability, Quality, and Collaboration." Mozilla has transferred its trademarks and domains for Rust over to the foundation.

The kernel's CFS bandwidth controller is an effective way of controlling just how much CPU time is available to each control group. It can keep processes from consuming too much CPU time and ensure that adequate time is available for all processes that need it. That said, it's not entirely surprising that the bandwidth controller is not perfect for every workload out there. This patch set from Huaixin Chang aims to make it work better for bursty, latency-sensitive workloads.

Stable kernels 5.10.14, 5.4.96, 4.19.174, and 4.14.220 have been released. They all contain important fixes and users should upgrade.

Security updates have been issued by Debian (chromium, gdisk, intel-microcode, privoxy, and wireshark), Fedora (mingw-binutils, mingw-jasper, mingw-SDL2, php, python-pygments, python3.10, wireshark, wpa_supplicant, and zeromq), Mageia (gdisk and tomcat), openSUSE (chromium, cups, kernel, nextcloud, openvswitch, RT kernel, and rubygem-nokogiri), SUSE (nutch-core), and Ubuntu (openldap, php-pear, and qemu).

The 5.11-rc7 kernel prepatch is out for testing. "Anyway, this is hopefully the last rc for this release, unless some surprise comes along and makes a travesty of our carefully laid plans. It happens. Nothing hugely scary stands out, with the biggest single part of the patch being some new self-tests. In fact, about a quarter of the patch is documentation and selftests."

Greg Kroah-Hartman has released the 4.9.256 and 4.4.256 in order to try to figure out if there are any user-space problems caused by the overflow of the minor version number for those stable-kernel series. "With this release, KERNEL_VERSION(4, 9, 256) is the same as KERNEL_VERSION(4, 10, 0). Nothing in the kernel build itself breaks with this change, but given that this is a userspace visible change, and some crazy tools (like glibc and gcc) have logic that checks the kernel version for different reasons, I wanted to do this release as an 'empty' release to ensure that everything still works properly." Those who could be affected would be well-advised to test this change immediately as he plans another 4.9 release in a week's time.

As has often been pointed out, the stable-kernel releases are meant to be stable; that means they should be even more averse to ABI breaks than mainline releases, if that is possible. This may be a hard promise to keep for the next set of stable kernels, though, for the most mundane of reasons: nobody thought that there would be more than 255 minor updates to any given kernel release.

Security updates have been issued by Fedora (java-11-openjdk, kernel, and monitorix), Mageia (mutt, nodejs, and nodejs-ini), Oracle (flatpak, glibc, and kernel), Red Hat (rh-nodejs14-nodejs), Scientific Linux (flatpak), and Ubuntu (flatpak and minidlna).

Of all the system calls in the Unix tradition, few are as maligned as ioctl(). But ioctl() exists for a reason — for many reasons, in truth — and cannot be expected to go away anytime soon. It is thus unsurprising that there is interest in providing ioctl()-like functionality in the io_uring subsystem. A recent RFC patch set from Jens Axboe shows the form that this feature might take in the io_uring context.

Security updates have been issued by CentOS (glibc, linux-firmware, perl, and qemu-kvm), Debian (dnsmasq), Fedora (netpbm), Mageia (firefox, messagelib, python and python3, ruby-nokogiri, and thunderbird), Oracle (kernel, perl, and qemu-kvm), Red Hat (flatpak), and SUSE (openvswitch and python-urllib3).

The LWN.net Weekly Edition for February 4, 2021 is available.

Greg Kroah-Hartman has released stable kernels 5.10.13, 5.4.95, 4.19.173, 4.14.219, 4.9.255, and 4.4.255. They all contain important fixes and users should upgrade.

The release of Firefox 85 at the end of January brought a new technique for thwarting yet-another web-tracking scheme. The use of browser cookies for tracking is well-established and the browser makers have taken steps to block the worst abuses there, but users can also take steps to manage and clear those cookies. The arms race continues, however, as tracking companies are using browser caches to store what Mozilla calls "supercookies", which allow users to be tracked across the web sites that they visit. That has led the browser makers to partition these caches by web site in order to prevent this tracking technique.