Linux Weekly News

Security updates have been issued by Debian (debian-lan-config and phpmyadmin), openSUSE (openssl-1_1), Oracle (firefox and kernel), Red Hat (.NET Core, git, java-11-openjdk, and thunderbird), SUSE (Mesa, python3, shibboleth-sp, slurm, and tigervnc), and Ubuntu (libpcap and nginx).

The LWN.net Weekly Edition for January 16, 2020 is available.

Everyone has expertise in some things, which is normally seen as a good thing to have. But Dr. Sean Brady gave some examples of ways that our expertise can lead us astray, and actually cause us to make worse decisions, in a keynote at the 2020 linux.conf.au. Brady is a forensic engineer who specializes in analyzing engineering failures to try to discover the root causes behind them. The talk gave real-world examples of expertise gone wrong, as well as looking at some of the psychological research that demonstrates the problem. It was an interesting view into the ways that our brains work—and fail to work—in situations where our expertise may be sending our thoughts down the wrong path.

The CentOS Project has announced the release of CentOS 8-1911, derived from Red Hat Enterprise Linux 8.1. See the release notes for details.

Security updates have been issued by Arch Linux (thunderbird), CentOS (firefox), openSUSE (chromium, firefox, GraphicsMagick, log4j, nodejs8, phpMyAdmin, singularity, and virglrenderer), Oracle (kernel), Red Hat (firefox), SUSE (man, nodejs10, openssl-1_1, and php7), and Ubuntu (php5, php7.0, php7.2, php7.3 and spamassassin).

The intersection of games with free and open-source software (FOSS) was the topic of a miniconf on the first day of this year's linux.conf.au, which was held January 13-17 in Gold Coast, Australia. As part of the miniconf, Bradley M. Kuhn gave a talk that was well outside of his normal conference-talk fare: the game of poker and its relationship to FOSS. It turns out that he did some side work on a FOSS-based poker site along the way, which failed by most measures, but there was also an element of success to the project. The time for a successful FOSS poker project likely has passed at this point, but there are some lessons to be learned from the journey.

Stable kernels 5.4.12, 4.19.96, 4.14.165, 4.9.210, and 4.4.210 have been released with the usual set of important fixes.

Supporting network protocols at high speeds in pure software is getting increasingly difficult, with 25-100Gb/s interfaces available now and 200-400Gb/s starting to show up. Packet processing at 100Gb/s must happen in 200 cycles or less, which does not leave much room for processing at the operating-system level. Fortunately some operations can be performed by hardware, including checksum verification and offloading parts of the packet send and receive paths.

As modern hardware adds more functionality, new options are becoming available. The 5.3 kernel includes a patch set from Pablo Neira Ayuso that added support for offloading some packet filtering with netfilter. This patch set not only adds the offload support, but also performs a refactoring of the existing offload paths in the generic code and the network card drivers. More work came in the following kernel releases. This seems like a good moment to review the recent advancements in offloading in the network stack.

Security updates have been issued by Debian (wordpress and xen), Mageia (graphicsmagick, kernel, makepasswd, and unbound), openSUSE (containerd, docker, docker-runc,, dia, ffmpeg-4, libgcrypt, php7-imagick, proftpd, rubygem-excon, shibboleth-sp, tomcat, trousers, and xen), Oracle (firefox), Red Hat (kernel), Scientific Linux (firefox), SUSE (e2fsprogs, kernel, and libsolv, libzypp, zypper), and Ubuntu (libgcrypt20, libvirt, nginx, sdl-image1.2, and spamassassin).

Ars technica reports on the "Cable Haunt" vulnerability that afflicts a large number of cable modems. "The first and most straightforward way is to serve malicious JavaScript that causes the browser to connect to the modem. Normally, a mechanism called cross-origin resource sharing prevents a Web application from one origin (such as malicious.example.com) from working on a different origin (such as 192.168.100.1, the address used by most or all of the vulnerable modems). Websockets, however, aren't protected by CORS, as the mechanism is usually called. As a result, the modems will accept the remote JavaScript, thereby allowing attackers to reach the endpoint and serve it code." Thus far, there doesn't seem to be any information out there on whether routers running OpenWrt are vulnerable.

Git 2.25 has been released. This blog post looks at "partial clone support" and "sparse checkouts" as these features mature. "A clone of a Git repository copies all of its data: every version of every file in the history. For very large repositories, the cost of network transfer and local storage can make this awkward or even impossible, even if you're only interested in a subset of the files. In the past several versions, Git learned the ability to execute a "partial" clone, which means that it can now clone and work with repositories without having all of their contents. Partial clones are still considered an experimental feature from Git's point of view. For instance, many providers (such as GitHub) don't support this feature yet, and it's continually changing and evolving within Git from release to release."

Here is a longish blog entry from Mercurial maintainer Gregory Szorc on the painful process of converting Mercurial to Python 3. "I anticipate a long tail of random bugs in Mercurial on Python 3. While the tests may pass, our code coverage is not 100%. And even if it were, Python is a dynamic language and there are tons of invariants that aren't caught at compile time and can only be discovered at run time. These invariants cannot all be detected by tests, no matter how good your test coverage is. This is a feature/limitation of dynamic languages. Our users will likely be finding a long tail of miscellaneous bugs on Python 3 for years."

Security updates have been issued by Arch Linux (file and firefox), Debian (apache-log4j1.2), Fedora (chromium, dovecot, GraphicsMagick, kubernetes, libvpx, makepasswd, matio, and slurm), Mageia (libtomcrypt, ming, oniguruma, opencv, pcsc-lite, phpmyadmin, and thunderbird), openSUSE (chromium, chromium, re2, and mozilla-nspr, mozilla-nss), Red Hat (chromium-browser, firefox, and rabbitmq-server), Slackware (mozilla), and SUSE (crowbar-core, crowbar-openstack, openstack-horizon-plugin-monasca-ui, openstack-monasca-api, openstack-monasca-log-api, openstack-neutron, rubygem-puma, rubygem-rest-client, firefox, libzypp, and openssl-1_1).

The 5.5-rc6 kernel prepatch is out for testing. "Let's see how things go. I do suspect that this ends up being one of those 'rc8' releases, not because things look particularly bad right now, but simply because the holiday season has meant that both the testing side and the development side have been quiet. But who knows?"

On the stable side, 5.4.11, 4.19.95, 4.14.164, 4.9.209, and 4.4.209 have all been released with another set of important fixes.

The 5.2 kernel saw the addition of an extensive new API for the mounting (and remounting) of filesystems; this article covered an early version of that API. Since then, work in this area has mostly focused on enabling filesystems to support this API fully. James Bottomley has taken a look at this API as part of the job of redesigning his shiftfs filesystem and found it to be incomplete. What has followed is a significant set of changes that promise to simplify the mount API — though it turns out that "simple" is often in the eye of the beholder.

Security updates have been issued by Debian (ldm and sa-exim), Mageia (firefox), openSUSE (chromium, firefox, and thunderbird), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork, firefox, log4j, nodejs10, nodejs12, and openssl-1_0_0), and Ubuntu (firefox).

Version 19.07.0 of the OpenWrt router distribution is available. "With this release, the OpenWrt project brings all supported targets back to a single common kernel version and further refines and broadens existing device support. It also introduces a new ath79 target and brings support for WPA3." There are some known issues; read through the full announcement before updating.

Stable kernels 5.4.10, 5.4.9, 4.19.94, and 4.14.163 have been released. PowerPC users should update to 5.4.10 to get a missing patch. Other users can stay with 5.4.9.

In response to a growing desire for ways to control groups of processes from user space, the kernel has added a number of mechanisms that allow one process to operate on another. One piece that is currently missing, though, is the ability for a process to snatch a copy of an open file descriptor from another. That gap may soon be filled, though, if the pidfd_getfd() system-call patch set from Sargun Dhillon is merged.

Security updates have been issued by Debian (firefox-esr), Fedora (firefox), Oracle (kernel), Slackware (firefox and kernel), SUSE (apache2-mod_perl, git, java-1_7_0-ibm, java-1_7_1-ibm, log4j, mariadb, and nodejs8), and Ubuntu (gnutls28, graphicsmagick, and nss).