Hírolvasó

The 6.5.4, 6.1.54, 5.15.132, and 5.10.195 stable kernel updates have been released; each contains a relatively large set of important fixes.

The security of digital products has become a topic of regulation in recent years. Currently, the European Union is moving forward with another new law, which, if it comes into effect in a form close to the current draft, will affect software developers worldwide. This new proposal, called the "Cyber Resilience Act" (CRA), brings mandatory security requirements on all digital products, both software and hardware, that are available in Europe. While it aims at a worthy goal, the proposal is causing a stir among open-source communities.

The Free Software Foundation looks forward to the 40th anniversary of the GNU project, coming soon:

On September 27, 1983, a computer scientist named Richard Stallman announced the plan to develop a free software Unix-like operating system called GNU, for "GNU's not Unix." GNU is the only operating system developed specifically for the sake of users' freedom, and has remained true to its founding ideals for forty years.

Security updates have been issued by Debian (chromium, flac, gnome-shell, libwebp, openjdk-11, and xrdp), Fedora (giflib), Oracle (kernel), Red Hat (busybox, dbus, firefox, frr, kpatch-patch, libwebp, open-vm-tools, and thunderbird), Slackware (netatalk), SUSE (flac, gcc12, kernel, libeconf, libwebp, libxml2, and thunderbird), and Ubuntu (binutils, c-ares, libraw, linux-intel-iotg, nodejs, python-django, and vsftpd).

EuroBSDCon 2023 has now ended, and slides for many of the OpenBSD developer presentations are now available in the usual place.

Video of the presentations can be expected somewhat later.

Slides from the tutorial "Network Management with the OpenBSD Packet Filter Toolset" are also available.

Version 0.93 of Game of Trees has been released (and the port updated).

Read more…

With the following commit(s), Theo de Raadt (deraadt@) moved -current to version 7.4-beta:

CVSROOT: /cvs Module name: src Changes by: deraadt@cvs.openbsd.org 2023/09/18 07:16:13 Modified files: share/mk : sys.mk etc/root : root.mail sys/conf : newvers.sh sys/arch/macppc/stand/tbxidata: bsd.tbxi usr.bin/signify: signify.1 Log message: crank to 7.4-beta

Snapshots are (already) available for several platforms. At the time of writing, there are a mixture of 7.3 and 7.4 files on at least some mirrors, so readers are advised that problems may occur.

(Regular readers will know what comes next…)

This serves as an excellent reminder to upgrade snapshots frequently, test both base and ports, and report problems [plus, of course, donate!].

Processes in a Linux system run within their own virtual address spaces. Their virtual addresses map to physical pages provided by the hardware, but the kernel takes pains to hide the physical addresses of those pages; processes normally have no way of knowing (and no need to know) where their memory is located in physical memory. As a result, the system calls for memory management also deal in virtual addresses. Gregory Price is currently trying to create an exception to this rule with a proposal for a new system call that would operate on memory using physical addresses.

Security updates have been issued by Debian (firefox-esr, libwebp, and thunderbird), Fedora (chromium, curl, flac, libtommath, libwebp, matrix-synapse, python-matrix-common, redis, and rust-pythonize), Gentoo (binwalk, ghostscript, python-requests, rar, samba, and wireshark), Oracle (.NET 6.0, kernel, and kernel-container), Slackware (python3), and SUSE (firefox).

The 6.6-rc2 kernel prepatch is out for testing.

I think the most notable thing about 6.6-rc2 is simply that it's exactly 32 years to the day since the 0.01 release. And that's a round number if you are a computer person.

Because other than the random date, I don't see anything that really stands out here.

The Debian project is mourning Abraham Raji, who died in an accident on September 13. Abraham was a popular and respected Debian Developer as well a prominent free software champion in his home state of Kerala, India. He was a talented graphic designer and led design and branding work for DebConf23 and several other local events in recent years. Abraham gave his time selflessly when mentoring new contributors to the Debian project, and he was instrumental in creating and maintaining the Debian India website.

The Debian Project honors his good work and strong dedication to Debian and Free Software. Abraham’s contributions will not be forgotten, and the high standards of his work will continue to serve as an inspiration to others.

Much of the kernel's performance is dependent on caching — keeping useful information around for future use to avoid the cost of looking it up again. The kernel aggressively caches pages of file data, directory entries, inodes, slab objects, and much more. Without active measures, though, caches will tend to grow without bounds, leading to memory exhaustion. The kernel's "shrinker" mechanism exists to be that active measure, but shrinkers have some performance difficulties of their own. This patch series from Qi Zheng seeks to address one of the worst of those by removing some locking overhead.

Security updates have been issued by Debian (c-ares and samba), Fedora (borgbackup, firefox, and libwebp), Oracle (.NET 6.0 and kernel), Slackware (libwebp), SUSE (chromium and firefox), and Ubuntu (atftp, dbus, gawk, libssh2, libwebp, modsecurity-apache, and mutt).

We are pleased to have another p2k23 report, this time from Volker Schlecht (volker@) who writes:

"Ladies and Gentlemen, our plane is equipped with two engines, and I'm afraid I need to tell you that the one that you see to your right won't start right now…"
As with several other developers my trip to p2k23 didn't exactly start off as planned. Eventually the engine did start, though (and I'm glad to report it stayed on, too) and I made it to Dublin.

Read more…

Version 16 of the PostgreSQL database manager has been released.

PostgreSQL 16 contains many new features and enhancements, including:

• Allow parallelization of FULL and internal right OUTER hash joins
• Allow logical replication from standby servers
• Allow logical replication subscribers to apply large transactions in parallel
• Allow monitoring of I/O statistics using the new pg_stat_io view
• Add SQL/JSON constructors and identity functions
• Improve performance of vacuum freezing
• Add support for regular expression matching of user and database names in pg_hba.conf, and user names in pg_ident.conf

The Software Freedom Conservancy (SFC) has announced the availability of videos from the first-ever Free and Open Source Yearly (FOSSY) conference, which was held in July in Portland, Oregon in the US. During the four days of the conference, there were a wide variety of talks from speakers with a range of experience and backgrounds, and amazing community focused discussions. Featuring wide ranging topics such as a panel discussion about software coops, what is life like without a smartphone (where the picture on the right is from), and thinking about FOSS from a systems theory perspective. Our track organizers brought together communities from all over, and led by example choosing speakers, topics and setting up panels for important conversations. There is definitely a talk that will interest you, whether you are interested in nonprofit board structure, an introduction to Reproducible Builds or maybe you are looking to have more nature adventures with free software.

The fstat() system call retrieves some of the metadata — owner, size, protections, timestamps, and so on — associated with an open file descriptor. One might not think of it as a performance-critical system call, but there are workloads that make a lot of fstat() calls; it is not something that should be slowed unnecessarily. As it turns out, though, the GNU C Library (glibc) has been doing exactly that, but a fix is in the works.

At least two people have contacted me concerning the 2 BTC bounty:

2 BTC for a human-readable bolt 12 offer generator feature integrated into a popular iOS or android bitcoin wallet. “Human-readable” means something that can be used on feature phone without QR or copy/paste ability. For example, something that looks like LN address.

This, of course, is asking to solve Zooko’s Triangle, so one of decentralizationm, human readability, or security needs to compromise! Fortunately, the reference to LN address gives a hint on how we might proceed.

The scenario, presumably, is Bob wants to pay Alice, where Alice shows Bob a “Human Readable Offer” and Bob types it into his phone. Each one runs Phoenix, Greenlight, or (if their phone is too low-end) uses some hosted service, but any new third party trust should be minimized.

There are three parts we need here:

1. Bob finds Alice’s node.
2. Bob requests Alice’s node for invoice.
3. If she wants, Alice can easily check Bob’s going to pay the right thing.

The Imagined Scenario

Consider the normal offer case: the offer encodes Alice’s nodeid and description (and maybe other info) about what’s on offer. Bob turns this into an invoice_request, sends an onion message to Alice’s node, which returns the (signed) invoice, which Bob pays. We need to encode that nodeid and extra information as compactly as we can.

Part 1: Finding Alice’s Node from a Human Readable Offer

The issue of “finding Alice’s node” has been drafted already for BOLT12, at https://github.com/rustyrussell/bolt12address (but it needs updating!). This means that if you say “rusty@blockstream.com” you can get a valid generic offer, either by contacting the webserver at “blockstream.com” or having someone else do it for you (important for privacy!), or even downloading a public list of common receivers.

Note that it’s easier to type * than @ on feature phones, so I suggest allowing both rusty@blockstream.com and RUSTY*BLOCKSTREAM.COM.

What’s Needed On The Server

1. The BOLT 12 Address Format needs to be updated.
2. It needs to be implemented for some Web server.
3. Ideally, integrate it into BTC Payserver or the like.

Part 2: Getting the Invoice

Now, presumably, we want a specific invoice: it might be some default “donate to Alice”, but it could be a specific thing “$2 hot dog”. So you really want some (short!) short-code to indicate which invoice you want. I suggest a hash, followed by some randomly chosen alphanumeric string here (case-insensitive!): an implementation may choose to restrict themselves to numbers however, as that’s faster to enter on a feature phone.

What’s Needed On The Server

1. We can put the short-code in the invreq_payer_note field in BOLT 12 or add a new odd field.
2. We need to implement (presumably in Core Lightning):
   • A way to specify/assign a short-code for each offer.
   • A way of serving a particular invoice based on this short-code match.

Part 3: Checking the Invoice

So, did you even get the right node id? That’s the insecure part; you’re trusting blockstream.com! Checking the nodeid is hard: someone can grind out a nodeid with the same first 16 digits in a few weeks. But I think you can provide some assurance, by creating a 4-color “flag” using the node id and the latest bitcoin blocks: this will change every new block, and is comparable between Alice and Bob at a glance:

This was made using this hacky code which turns my node id 024b9a1fa8e006f1e3937f65f66c408e6da8e1ca728ea43222a7381df1cc449605 into an RGB color (by hashing the nodeid+blockhash).

For a moment, when a new block comes in, one image might be displaced, hence the number, but it’ll only be out by one.

Putting it All Together What’s Needed On Alice’s Client

1. Alice needs to configure her BOLT12 Address with some provider when she sets up the phone: it should check that it works!
2. She should be able to choose an existing offer (may be a “donation” by default), or create a new one on the fly (with a new short code).
3. Display the BOLT12-ADDRESS # SHORT-CODE, and the current nodeid flag.

What’s Needed On Bob’s Client

1. It needs to be able to convert BOLT12-ADDRESS into a bolt12 address request:
   • Either via some service (to be implemented!), or by directly query (ideally over Tor).
2. It needs to be able to produce an offer from the returns bolt12 address response, by putting the SHORT-CODE into the invreq_payer_note.
3. It needs to be able to fetch an invoice for this offer.
4. It needs to be able to display the current nodeid flag for the invoice’s node id.
5. Allow Bob to confirm to send payment.

Is There Anything Else?

There are probably other ways of doing this, but this method has the advantage of driving maturity in several different areas which we want to see in Bitcoin:

1. bolt12 address to support vendor field validation for offers.
2. Simple name support for bootstrapping.
3. Driving Bitcoin to be more accessible to everyone!

Feel free to contact me with questions!

Security updates have been issued by Debian (firefox-esr, libwebp, ruby-loofah, and ruby-rails-html-sanitizer), Fedora (open-vm-tools and salt), Oracle (.NET 7.0, dmidecode, flac, gcc, httpd:2.4, keylime, libcap, librsvg2, and qemu-kvm), Red Hat (.NET 6.0 and .NET 7.0), Slackware (libarchive and mozilla), SUSE (chromium and kernel), and Ubuntu (curl, firefox, ghostscript, open-vm-tools, postgresql-9.5, and thunderbird).

Az Atlas VPN Linux kliensében talált nulladik napi sérülékenységen keresztül kiszivároghatnak a felhasználók valódi IP-címei, például egy weboldal meglátogatásakor.

The post Sérülékenység az Atlas VPN-ben: hozzáférhető a felhasználók valódi IP-címe first appeared on Nemzeti Kibervédelmi Intézet.