Linux Weekly News

Version 6.4 of the Incus container manager is out.

This release builds upon the recently added OCI support from Incus 6.3, making it even easier to run application containers. It also adds a number of useful new features for clustered and larger environments with more control on the virtual CPU used when live migrating VMs and finer grained resource constraints within projects.

See this announcement for details.

Security updates have been issued by Debian (kernel and roundcube), Fedora (microcode_ctl, pypy, python2.7, and python3.6), Oracle (389-ds-base, httpd, kernel, kernel-container, and linux-firmware), Red Hat (kernel-rt), SUSE (firefox, kubernetes1.23, libqt5-qtbase, openssl-1_1, python-gunicorn, python-Twisted, python-urllib3, and qt6-base), and Ubuntu (linux-aws-5.15, linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-raspi, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-oem-6.8, linux-oracle-5.15, and qemu).

Linux hardware vendor System76 started promoting its work on a Rust-based, Wayland desktop environment for its Pop!_OS Ubuntu-derivative distribution almost two years ago. On August 8, the company released an alpha version of the COSMIC desktop environment for users to test out. While it has rough edges and missing features, it is stable enough to get a good feel for what the finished product has in store—and the initial results are promising.

Version 4.0 of the Magit text-based Git user interface for Emacs has been released. Changes since the 3.3.0 release include the addition of context menus, a makeover for the menu-bar menu, new menu commands, and many other new features and bug fixes. See the release notes for full details.

The Rust project has developed a set of goals for the latter half of 2024.

Rust for Linux. The experimental support for Rust development in the Linux kernel is a watershed moment for Rust, demonstrating to the world that Rust is indeed capable of targeting all manner of low-level systems applications. And yet today that support rests on a number of unstable features, blocking the effort from ever going beyond experimental status. For 2024H2 we will work to close the largest gaps that block support.

Other goals include completing the 2024 Rust Edition and improving the language's async support.

Security updates have been issued by AlmaLinux (httpd:2.4), Fedora (chromium, firefox, frr, neatvnc, nss, python-setuptools, and python3.13), Gentoo (AFLplusplus, Bundler, dpkg, GnuPG, GPAC, libde265, matio, MuPDF, PHP, protobuf, protobuf-python, protobuf-c, rsyslog, Ruby on Rails, and runc), Red Hat (389-ds-base, container-tools:rhel8, and httpd:2.4), SUSE (bind and ca-certificates-mozilla), and Ubuntu (linux-azure).

Linus has released 6.11-rc3 right on schedule. "Nothing particularly strange or interesting going on, things look normal".

The 6.10.4, 6.6.45, and 6.1.104 stable kernel updates have been released; each contains another set of important updates as usual.

It is something of a DebConf tradition that members of the Debian Technical Committee (TC) take the stage to talk about the work that the committee does—and more. DebConf24 in Busan, South Korea was no exception, as TC chair Sean Whitton, who will complete his term at the end of the year, and one of its newest members, Stefano Rivera, described the constitutional underpinnings of the TC, how it tries to make decisions when it needs to, and the constant process of recruiting new members. After that, they took a few questions from the audience. The session provided a nice overview of the TC and its role in Debian, but it may well be of interest further afield.

The Canonical Kernel Team has announced a new policy regarding the version of the kernel that will ship with each Ubuntu release; the result will generally be the shipping of newer releases.

To provide users with the absolute latest in features and hardware support, Ubuntu will now ship the absolute latest available version of the upstream Linux kernel at the specified Ubuntu release freeze date, even if upstream is still in Release Candidate (RC) status.

The post goes on to acknowledge that "there are issues with this approach"; there are a lot of policy details that will apply depending on just how raw the shipped kernel is.

Sometimes, the smallest changes create the longest discussions. As a case in point, a proposal to make a one-line change in an informational text file on systems running the Debian unstable distribution has blown up into an interminable and sometimes unfriendly debate. At its core, though, this discussion comes down to a seemingly simple question: should a program be able to determine whether it is running on a Debian testing or unstable system?

Researchers from Graz University of Technology have published details of a new attack on the Linux kernel called SLUBStick. The attack uses timing information to turn an ability to trigger use-after-free or double-free bugs into the ability to overwrite page tables, and thence into the ability to read and write arbitrary areas of memory. The good news is that this attack does require an existing bug to be usable; the bad news is that the kernel regularly sees bugs of this kind.

We assume that an unprivileged user has code execution. Additionally, we consider the presence of a heap vulnerability in the Linux kernel. We assume that the Linux kernel incorporates all defense mechanisms available in version 6.4, the most recent Linux kernel version when we started our work. These mechanisms include features such as WˆX, KASLR, SMAP, and kCFI. We do not assume any microarchitectural vulnerabilities, e.g., transient execution, fault injection, or hardware side channels.

Security updates have been issued by AlmaLinux (httpd, kernel, kernel-rt, and libtiff), Debian (postgresql-13, postgresql-15, and thunderbird), Fedora (frr, thunderbird, vim, and xrdp), Gentoo (Librsvg, Nautilus, ncurses, Percona XtraBackup, QEMU, and re2c), Red Hat (httpd, kernel, kernel-rt, openssl, and python-setuptools), SUSE (bind, ffmpeg-4, kubernetes1.23, kubernetes1.24, python-Django, and python3-Twisted), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-oem-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle, linux-oracle-5.4, and salt).

The Oligo Security blog discloses a web-browser vulnerability that has been named "0.0.0.0 day". In short, browsers will allow JavaScript code to open connections to the all-zeroes IPv4 address; the result is that any port that is open on the local host can be accessed by a remote site. "When services use localhost, they assume a constrained environment. This assumption, which can (as in the case of this vulnerability) be faulty, results in insecure server implementations."

Endless OS is a Linux distribution with a focus on improving access to educational tools by providing a simple-to-manage, full-featured desktop for educators and students — one that works offline, with minimal maintenance. The distribution also aims to be suitable for older devices, in order to promote access to computers by ensuring those systems remain usable. In pursuit of those goals, it makes some unusual technical choices. But what makes the distribution really shine is its curated collection of software and educational resources.

Security updates have been issued by AlmaLinux (freeradius and freeradius:3.0), Debian (chromium, odoo, and roundcube), Fedora (microcode_ctl, mingw-qt5-qtbase, mingw-qt6-qtbase, opentofu, orc, python-setuptools, and vim), Gentoo (Nokogiri), Oracle (kernel), Red Hat (go-toolset:rhel8, golang, kernel, krb5, libtiff, python-setuptools, and python39:3.9 and python39-devel:3.9), SUSE (python-Django), and Ubuntu (krb5).

The LWN.net Weekly Edition for August 8, 2024 is available.

Mozilla has announced that Puppeteer, a browser automation and testing library, now has first-class support for Firefox using the WebDriver BiDi protocol. Puppeteer can be used to drive headless browser instances, and is commonly used for automated end-to-end web-site tests.

Whilst the features offered by Puppeteer won't be a surprise, bringing support to multiple browsers has been a significant undertaking. The Firefox support is not based on a Firefox-specific automation protocol, but on WebDriver BiDi, a cross browser protocol that's undergoing standardization at the W3C, and currently has implementation in both Gecko and Chromium. This use of a cross-browser protocol should make it much easier to support many different browsers going forward.

The desire for the ability to checkpoint a process — to record its state in a form that can be restarted at a future time — on Linux is almost as old as Linux itself. See, for example, this announcement of a checkpoint project that appeared in LWN in 1998. While working solutions exist, they can be somewhat fragile and difficult to use; it is not surprising that some people are interested in finding a better alternative. A current effort goes by the name CRIB, for Checkpoint/Restore in (naturally) BPF. It is far from clear that CRIB will replace the existing solutions, but it is an interesting look at a different way of solving the problem.

There are lots of places in the kernel where an EINVAL can be returned to user space, but it is often unclear what the actual underlying problem is because the errno error codes are too generic. That is the problem that Miklos Szeredi wanted to discuss in a filesystem session that he led remotely at the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit. He would like to help those who are trying to debug problems trace where in the kernel a particular error code is being generated.