Linux Weekly News

Firefox 75.0 has been released. New features include improvements to the address bar, making search easier, all trusted Web PKI Certificate Authority certificates known to Mozilla will be cached locally, and Firefox is available as a Flatpak. See the release notes for more details.

Security updates have been issued by Fedora (kernel, kernel-headers, and kernel-tools), openSUSE (glibc and qemu), Red Hat (chromium-browser, container-tools:1.0, container-tools:rhel8, firefox, ipmitool, kernel, kernel-rt, krb5-appl, ksh, nodejs:10, nss-softokn, python, qemu-kvm, qemu-kvm-ma, telnet, and virt:rhel), Scientific Linux (ipmitool and telnet), SUSE (ceph and firefox), and Ubuntu (haproxy, linux, linux-aws, linux-gcp, linux-gcp-5.3, linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3, linux-raspi2, linux-raspi2-5.3, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, and linux, linux-hwe).

Some applications require guaranteed access to the CPU without even brief interruptions; realtime systems and high-bandwidth networking applications with user-space drivers can fall into the category. While Linux provides some support for CPU isolation (moving everything but the critical task off of one or more CPUs) now, it is an imperfect solution that is still subject to some interruptions. Work has been continuing in the community to improve the kernel's CPU-isolation capabilities, notably with improvements in the nohz (tickless) mode, but it is not finished yet. Recently, Alex Belits submitted a patch set (based on work by Chris Metcalf in 2015) that introduces a completely predictable environment for Linux applications — as long as they do not need any kernel services.

Security updates have been issued by Debian (firefox-esr, gnutls28, and libmtp), Fedora (cyrus-sasl, firefox, glibc, squid, and telnet), Gentoo (firefox), Mageia (dcraw, firefox, kernel, kernel-linus, librsvg, and python-nltk), openSUSE (firefox, haproxy, icu, and spamassassin), Red Hat (nodejs:10, openstack-manila, python-django, python-XStatic-jQuery, and telnet), Slackware (firefox), SUSE (bluez, exiv2, and libxslt), and Ubuntu (firefox).

Firefox 74.0.1 has been released with two security fixes. CVE-2020-6819 is a use-after-free when running the nsDocShell destructor and CVE-2020-6820 is a use-after-free when handling a ReadableStream. In both cases there have been targeted attacks in the wild abusing these flaws. These issues have also been fixed in Firefox ESR 68.6.1.

As of this writing, 7,233 non-merge changesets have been pulled into the mainline repository for the 5.7 kernel development cycle — over the course of about three days. If current world conditions are slowing down kernel development, it would seem that the results are not yet apparent at this level. As usual, these changesets bring no end of fixes, improvements, and new features; read on for a summary of what the first part of the 5.7 merge window has brought in.

Security updates have been issued by Debian (mediawiki and qbittorrent), Gentoo (gnutls), Mageia (bluez, kernel, python-yaml, varnish, and weechat), Oracle (haproxy and nodejs:12), SUSE (exiv2, haproxy, libpng12, mgetty, and python3), and Ubuntu (libgd2).

Stable kernels 5.5.15, 5.4.30, 4.19.114, 4.14.175, 4.9.218, and 4.4.218 have been released. They all contain important fixes and users should upgrade.

GNU Guix is a transactional package manager and an advanced distribution of the GNU system which uses the Linux-libre kernel. The project has announced that Guix now runs natively on GNU/Hurd and the Linux-libre kernel is deprecated. "Running on the Hurd was always a goal for Guix, and supporting multiple kernels is a huge maintenance burden. As such it is expected that the upcoming Guix 1.1 release will be the last version featuring the Linux-Libre kernel. Future versions of Guix System will run exclusively on the Hurd, and we expect to remove Linux-Libre entirely by Guix 2.0."

The kernel provides a number of CPU-frequency governors to choose from; by most accounts, the most effective of those is "schedutil", which was merged for the 4.7 kernel in 2016. While schedutil is used on mobile devices, it still doesn't see much use on x86 desktops; the intel_pstate governor is generally seen giving better results on those processors as a result of the secret knowledge embodied therein. A set of patches merged for 5.7, though, gives schedutil a better idea of what the true utilization of x86 processors is and, as a result, greatly improves its effectiveness.

The 5.6.2 stable kernel has been released with some important fixes, including one for the 5.6 wireless regression. Users should upgrade.

Security updates have been issued by Arch Linux (chromium, kernel, linux-hardened, linux-lts, and pam-krb5), Debian (haproxy, libplist, and python-bleach), Fedora (tomcat), Gentoo (ghostscript-gpl, haproxy, ledger, qtwebengine, and virtualbox), Red Hat (haproxy, nodejs:12, qemu-kvm-rhev, and rh-haproxy18-haproxy), SUSE (memcached and qemu), and Ubuntu (apport).

LineageOS 17.1 is out. This release of the Android-based distribution once known as CyanogenMod includes a rebase onto the Android 10 release of the Android Open Source Project, improved theme support, support for on-screen fingerprint sensors, the ability to use biometric sensors to control access to apps, and more. "On the whole, we feel that the 17.1 branch has reached feature and stability parity with 16.0 and is ready for initial release. With 17.1 being the most recent and most actively developed branch, on April 1st, 2020 it will begin receiving nightly builds and 16.0 will be moved to weekly builds."

The LWN.net Weekly Edition for April 2, 2020 is available.

Python string objects are immutable, so changing the value of a string requires that a new string object be created with the new value. That is fairly well-understood within the community, but there are some "anti-patterns" that arise; it is pretty common for new users to build up a longer string by repeatedly concatenating to the end of the "same" string. The performance penalty for doing that could be avoided by switching to a type that is geared toward incremental updates, but Python 3 has already optimized the penalty away for regular strings. A recent thread on the python-ideas mailing list explored this topic some.

The LXD system container and virtual manager, LXC container runtime, and LXCFS FUSE filesystem projects have released version 4.0 LTS. LTS versions of these intertwined projects are released every 2 years and receive 5 years of security and bugfix support.

The annual Debian project leader (DPL) election is well underway at this point; voting begins in early April and the outcome will be known after the polls close on April 18. Outgoing DPL Sam Hartman posted a lengthy "non-platform" in the run-up to the election, which detailed the highs and lows of his term, perhaps providing something of a roadmap, complete with pitfalls, for potential candidates—Hartman is not running again this time. When the nomination period completed, three people put their hats into the ring: Jonathan Carter, Sruthi Chandran, and Brian Gupta. Their platforms have been posted and there have been several threads on the debian-vote mailing list with questions for the candidates; it seems like a good time to look in on the race.

Ars Technica reports on the recently disclosed OpenWrt package verification vulnerability. The headline may be a bit overwrought, though. "These code-execution exploits are limited in their scope because adversaries must either be in a position to conduct a man-in-the-middle attack or tamper with the DNS server that a device uses to find the update on the Internet. That means routers on a network that has no malicious users and using a legitimate DNS server are safe from attack." It also assumes that people actually update their routers, which seems unlikely in most cases in the real world.

Stable kernels 5.6.1, 5.5.14, and 5.4.29 have been released with the usual set of important fixes. Users should upgrade.

Security updates have been issued by Debian (apng2gif, gst-plugins-bad0.10, and libpam-krb5), Fedora (coturn, libarchive, and phpMyAdmin), Mageia (chromium-browser-stable, nghttp2, php, phpmyadmin, sympa, and vim), openSUSE (GraphicsMagick, ldns, phpMyAdmin, python-mysql-connector-python, python-nltk, and tor), Red Hat (advancecomp, avahi, bash, bind, bluez, buildah, chromium-browser, cups, curl, docker, dovecot, doxygen, dpdk, evolution, expat, file, gettext, GNOME, httpd, idm:DL1, ImageMagick, kernel, kernel-rt, lftp, libosinfo, libqb, libreoffice, libsndfile, libxml2, mailman, mariadb, mod_auth_mellon, mutt, nbdkit, net-snmp, nss-softokn, okular, php, podman, polkit, poppler and evince, procps-ng, python, python-twisted-web, python3, qemu-kvm, qemu-kvm-ma, qt, rsyslog, samba, skopeo, squid, systemd, taglib, texlive, unzip, virt:8.1, wireshark, and zziplib), Slackware (gnutls and httpd), and SUSE (glibc, icu, kernel, and mariadb).