2 év óta
Security updates have been issued by Debian (intel-microcode, kernel, and php-dompdf), Fedora (linux-firmware, OpenImageIO, and php), Oracle (aardvark-dns, kernel, linux-firmware, python-flask, and python-werkzeug), SUSE (container-suseconnect, go1.19, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, java-11-openjdk, kernel-firmware, kubernetes1.24, openssl-1_1, poppler, python-scipy, qatengine, ucode-intel, util-linux, and vim), and Ubuntu (dotnet6, dotnet7, php-dompdf, and velocity-tools).
jake
2 év óta
The
Open Enterprise Linux Association
has
announced its
existence. It is a collaboration between CIQ (Rocky Linux), Oracle,
and SUSE to provide an RHEL-compatible distribution.
Starting later this year, OpenELA will provide sources necessary
for downstreams compatible with RHEL to exist, with initial focus
on RHEL versions EL8, EL9 and possibly EL7. The project is
committed to ensuring the continued availability of OpenELA sources
to the community indefinitely.
OpenELA’s core tenets, reflecting the spirit of the project,
include full compliance with this existing standard, swift updates
and secure fixes, transparency, community, and ensuring the
resource remains free and redistributable for all.
corbet
2 év óta
Security updates have been issued by Debian (firefox-esr), Fedora (chromium, kernel, krb5, and rust), and Ubuntu (graphite-web and velocity).
jake
2 év óta
The global interpreter lock (GIL) has been a part of CPython since the
beginning—
nearly—but
that seems likely to change over the next five or so
years. As we
described last week, the
Python steering council has
announced
its
intention to start moving toward a no-GIL
CPython, potentially as soon as Python 3.13 in October 2024
for the preliminaries. The no-GIL version of CPython comes from Sam
Gross, who
introduced
it
as a proof-of-concept nearly two years
ago; now, the idea has been formalized in a Python Enhancement Proposal
(PEP) that describes no-GIL mode and how it interacts with the rest of the
Python ecosystem.
jake
2 év óta
Once again The Kernel Testing & Dependability Micro-conference will be taking place at LPC 2023, to discuss testing and dependability related topics.
Please submit proposals for discussion via LPC submission system.
The Linux Plumbers 2023 Kernel Testing & Dependability track focuses on advancing the current state of testing of the Linux Kernel and its related infrastructure. The main purpose is to improve software quality and dependability for applications that require predictability and trust.
The goal of this micro-conference is making connections between folks working on similar projects, and help individual projects make progress.
This track is intended to promote collaboration between all the communities and people interested in the Kernel testing & dependability. This will help move the conversation forward from where we left off at the LPC 2022 Kernel Testing & Dependability MC.
We ask that any topic discussions focus on issues/problems they are facing and possible alternatives to resolving them. The Micro-conference is open to all topics related to testing on Linux, not necessarily in the kernel space.
Suggested topics:
- KernelCI: Topics on improvements and enhancements for test coverage
- Growing KCIDB, integrating more sources
- Sanitizers
- Using Clang for better testing coverage
- How to spread KUnit throughout the kernel?
- Building and testing in-kernel Rust code
- Explore ways to improve testing framework and tests in the kernelwith a specific goal to increase traceability and code coverage
- Explore how do SBOMs figure into dependability?
List of accomplishments this past year after LPC 2022:
- Developed a new, modern API for KernelCI with Pub/Sub interface
- Added Rust coverage in KernelCI
- KCIDB is continuing to gather results from many test systems: KernelCI, Red Hat’s CKI, syzbot, ARM, Gentoo, Linaro’s TuxSuite etc. The current focus is on generating common email reports based on this data and dealing with known issues.
- KFENCE is continuing to aid in detecting Out-of-bound OOB accesses, use-after-free errors (UAF), Double free and Invalid free and so on.
- Clang: CFI, weeding out issues upstream, etc.
- Kselftest continues to add coverage for new and existing features and subsystems.
- KUnit is continuing to act as the standard for some drivers and a de facto unit testing framework in the kernel
- The Runtime Verification (RV) interface from Daniel Bristot de Oliveira was merged.
Proposals can be submitted here, by August 20th:
MC leads can be reached for question and further information::
Shuah Khan (shuah@kernel.org)
Sasha Levin <sashal@kernel.org>
Guillaume Tucker <guillaume.tucker@collabora.com>
2 év óta
After a three-year hiatus, the Live Patching Microconference is back for 2023.
Accomplishments post 2019 Microconference:
- API enhancements: Livepatch pre/post (un)patch callback system state change tracking was added in v5.5. The new API enhances the safety of cumulative livepatch upgrades [v5.5]
- KLP-relocations: To facilitate module_disable_ro() removal, arch-specific livepatch .klp.arg sections were deprecated. Special arch section KLP-relocations (like x86 jump labels) are still supported for vmlinux cases, and are now applied at the same time as normal relocations. [v5.8]
- Documentation: Practical information on how to implement reliable stacktraces needed by the livepatching consistency model was added [v5.12]
- Architecture: Implemented Power32 support [v5.18]
- KLP-relocations: To support target module reloading, clear KLP-relocations in livepatch modules when their target module is unloaded. This satisfies a module loader sanity check when resolving relocations on the next target module load (x86_64 only) [v6.3]
Discussion Topics
The following topics have been proposed:
- Shadow variables are considered a livepatching power-feature that can require careful management, especially across livepatch up and downgrades. Is garbage collection or a refactoring of callbacks a better approach to manage these resources?
- klp-relocations were originally introduced to resolve livepatch / kernel and module symbol scoping issues. Recent security features like CET and IBT suggest another use case and renewed interest in having an in-tree klp-relocation build support. Is a simple conversion utility sufficient, or does said tool require greater features?
- The livepatching kselftests consist of test scripts under tools/testing/selftests and associated livepatch module code in lib/. Consolidating these under the former offers better flexibility in templating the livepatch modules as well as the benefits of building them out-of-tree. Are there any outstanding blockers to implement these changes?
- arm64 support is moving forward on several fronts: toolchain, reliable stack unwinding, user space, etc. The Toolchains MC plans to address topics like CFG in ELF and handling of noinstr functions. What issues remain in livepatching and the kernel at large to fully support arm64?
- Rust looks to be a hot topic at this year’s LPC. Its impact on kernel livepatching is relatively open ended as Rust code has only recently been merged in small parts. That said, which features, problems, patchsets should we be paying attention to as we all learn more about this newly supported kernel language?
These potential discussion topics were selected from on-going livepatching mailing list threads, but additional livepatching related topics are welcome for consideration as well. For ideas on what makes for an ideal Microconference topic, checkout this post.
2 év óta
Security updates have been issued by Debian (cjose, hdf5, and orthanc), Fedora (java-17-openjdk and seamonkey), Red Hat (curl, dbus, iperf3, kernel, kpatch-patch, libcap, libxml2, nodejs:16, nodejs:18, postgresql:10, postgresql:12, postgresql:13, and python-requests), SUSE (bluez, cjose, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly, keylime, openssl-1_1, openssl-3, pipewire, poppler, qemu, rubygem-actionpack-4_2, rubygem-actionpack-5_1, rust1.71, tomcat, webkit2gtk3, and wireshark), and Ubuntu (binutils, dotnet6, dotnet7, openssh, php-dompdf, and unixodbc).
corbet
2 év óta
Getting a stack trace of a running program is useful in a variety of
scenarios: tracing, profiling, debugging, performance tuning, and more.
There are existing mechanisms to get stack traces, but there are some
downsides to them; the "Simple Frame" (SFrame) stack-trace format came
about to address the shortcomings in the other techniques. Back in May,
Steve Rostedt and Indu Bhagat gave a
talk about
SFrame support in the kernel as part of
LSFMM+BPF; a few days later, Bhagat gave
a more general talk about SFrame
(
YouTube video)
at
Open
Source Summit North America in Vancouver. That second talk helped fill
in some other aspects of SFrame and the overall stack-tracing picture.
jake
2 év óta
The
6.4.9,
6.1.44,
5.15.125,
5.10.189,
5.4.252,
4.19.290, and
4.14.321
stable kernel updates have all been released; they are dominated by fixes
for
the latest round of
speculative-execution vulnerabilities.
Do note the warning attached to each of these releases:
Note, PLEASE TEST this kernel if you are on the 6.4.y tree before
using it in a real workload. This was a quick release due to the
obvious security fixes in it, and as such, it has not had very much
testing "in the wild". Please let us know of any problems seen.
Also note that the user/kernel api for the new security mitigations
might be changing over time, so do not get used to them being fixed
in stone just yet.
corbet
2 év óta
There is a newly disclosed set of vulnerabilities in Intel processors that
have been given the name
Downfall
attacks.
Downfall attacks targets a critical weakness found in billions of
modern processors used in personal and cloud computers. This
vulnerability, identified as CVE-2022-40982, enables a user to
access and steal data from other users who share the same
computer. For instance, a malicious app obtained from an app store
could use the Downfall attack to steal sensitive information like
passwords, encryption keys, and private data such as banking
details, personal emails, and messages. Similarly, in cloud
computing environments, a malicious customer could exploit the
Downfall vulnerability to steal data and credentials from other
customers who share the same cloud computer.
A series of patches has landed in the mainline kernel, including one for gather data sampling
mitigation and one to disable the AVX
extension on CPUs where microcode mitigation is not available.
"This is a *big* hammer. It is known to break buggy userspace that
uses incomplete, buggy AVX enumeration."
Not to be left out, AMD processors suffer from a return-stack overflow
vulnerability, again exploitable via speculative execution; this patch, also just
merged, describes the problem and its mitigation.
corbet