News reader

Security updates for Friday

2 years 2 months ago
Security updates have been issued by Debian (jupyter-core, openssl, and ruby2.5), Fedora (firefox), Mageia (libreoffice, openssl, and python-flask), Red Hat (python and python3), Slackware (mozilla, php8, and python3), SUSE (java-1_8_0-ibm, libcares2, mariadb, and python36), and Ubuntu (linux, linux-aws, linux-kvm, linux-lts-xenial, linux-gke, linux-intel-iotg, linux-raspi, linux-xilinx-zynqmp, and mozjs102).
jake

[$] Yet another memory allocator for executable code

2 years 2 months ago
The kernel is an increasingly dynamic body of code, where new executable text can show up at any time. Currently, the task of allocating memory for new kernel code falls on the subsystem that first brought the ability to load code into a running kernel: the module loader. This patch set from Mike Rapoport looks to move the responsibility for these allocations to a new "JIT allocator", addressing a number of rough edges in the process.
corbet

Security updates for Thursday

2 years 2 months ago
Security updates have been issued by Debian (chromium, firefox-esr, and ruby2.5), Fedora (curl, dbus, pypy, pypy3.8, pypy3.9, python3.10, and python3.8), Red Hat (python and python-flask), Scientific Linux (emacs), SUSE (firefox, google-cloud-sap-agent, libwebp, opensc, openssl, openssl-3, openssl1, python-sqlparse, python310, and supportutils), and Ubuntu (libxml2, netatalk, and sysstat).
jake

[$] A decision on composefs

2 years 2 months ago
At the end of our February article about the debate around the composefs read-only, integrity-protected filesystem, it was predicted that the topic would come up at the 2023 Linux Storage, Filesystem, Memory-Management and BPF Summit. That happened on the second day of the summit when Alexander Larsson led a session on composefs. While the mailing-list discussion was somewhat contentious, the session was less so, since overlayfs can be made to fit the needs of the composefs use cases. It turns out that an entirely new filesystem is not really needed.
jake

Backdoor found in hundreds of Gigabyte models, affecting millions of devices

2 years 2 months ago

Researchers at the firmware and hardware security company Eclypsium have discovered that hundreds of motherboard models made by Taiwan's Gigabyte contain backdoors that could pose a significant risk to organizations.

The post Backdoor found in hundreds of Gigabyte models, affecting millions of devices first appeared on Nemzeti Kibervédelmi Intézet.

NKI

openSUSE Leap 15.5 released

2 years 2 months ago
Version 15.5 of the openSUSE Leap distribution has been released. This is not intended as a feature release, but brings updated versions of many packages. The project has also announced that there will be one more 15.x release before that series ends and users have to migrate to whatever its successor will be.
corbet

Security updates for Wednesday

2 years 2 months ago
Security updates have been issued by Debian (c-ares), Fedora (curl and firefox), Oracle (cups-filters, kernel, and webkit2gtk3), Red Hat (emacs and kpatch-patch), Slackware (mozilla), SUSE (kernel and openssl-1_0_0), and Ubuntu (firefox and libreoffice).
corbet

Update: Fix available for the KeePass password manager vulnerability

2 years 2 months ago

A critical vulnerability in the popular KeePass password manager, which allows the master password of the password vault to be extracted, came to light two weeks ago. The security flaw has been fixed in version 2.54 of the application; updating is recommended!

The post Update: Fix available for the KeePass password manager vulnerability first appeared on Nemzeti Kibervédelmi Intézet.

NKI

[$] Ethics in a machine-learning world

2 years 2 months ago
Margaret Mitchell, a researcher focused on the intersection of machine learning and ethics, was the morning keynote speaker on the third day of PyCon 2023. She spoke about her journey into machine learning and how the Python language has been instrumental in it. It was a timely and thought-provoking talk that looked beyond the machine-learning hype to consider the bigger picture.
jake

Security updates for Tuesday

2 years 2 months ago
Security updates have been issued by Debian (linux-5.10), Red Hat (cups-filters, curl, kernel, kernel-rt, kpatch-patch, and webkit2gtk3), SUSE (apache-commons-fileupload, openstack-heat, openstack-swift, python-Werkzeug, and openstack-heat, python-Werkzeug), and Ubuntu (frr, go, libraw, libssh, nghttp2, python2.7, python3.10, python3.11, python3.5, python3.6, python3.8, and xfce4-settings).
corbet

Game of Trees 0.89 released

2 years 2 months ago

Version 0.89 of Game of Trees has been released (and the port updated):

* got 0.89; 2023-06-05
  see git repository history for per-change authorship information
- gotd: return early after disconnect on auth event error instead of crashing
- make 'got patch' display statistics about files with conflicts and rejects
- make 'got diff' not treat \r\n line endings as special
- fix test failures in test_blame_lines_shifted_skip on certain times of day
- show reference labels next to commit messages in tog log view
- some gotwebd refactoring related to handling of file descriptors
- gotwebd: lower log priority of unexpected disconnections
- gotwebd: avoid needless double fseek()
- fix the size of gotwebd's tempfiles array; exposed by errors from ftruncate()
- simplify ancestry checks in checkout, update, rebase, and merge commands
- make gitwrapper not fail if programs it wants to run do not exist on disk
- stop showing backup references in the tog log and diff views
- consistently use ten Xs in mkstemp(3) templates
- only delete empty directories which appear in arguments to 'got rm'
- simplify parsing of host names and IP addresses in gotwebd's parse.y
- make 'got merge' refuse to run if a merge is in progress
- make 'got merge -c' fail even if new changes only affect unrelated paths

[$] Supporting large block sizes

2 years 2 months ago
At the 2023 Linux Storage, Filesystem, Memory-Management and BPF Summit, Luis Chamberlain led a plenary session on kernel support for block sizes larger than 4KB. There are assumptions in the current kernel that the block size used by a block-layer device is less than or equal to the system's page size—both are usually 4KB today. But there have been efforts over the years to remove that restriction; that work may be heading toward fruition, in part because of the folio efforts of late, though there are still lots of areas that need attention.
jake

[$] Special file descriptors in BPF

2 years 2 months ago
Developers learning the Unix (or POSIX in general) system-call set will quickly encounter file descriptors, which are used to represent open files and more. Developers also tend to learn early on that the first three file descriptors are special, with file descriptor zero being the standard input stream, one being standard output, and two being standard error. The kernel, though, does not normally attach any specific meaning to a given descriptor number, so it was somewhat surprising when a recent BPF patch series attempted to attach a special meaning to zero when used as a file descriptor.
corbet

Security updates for Monday

2 years 2 months ago
Security updates have been issued by Debian (chromium, cpio, mariadb-10.3, nbconvert, sofia-sip, and wireshark), Fedora (ImageMagick, mingw-python-requests, openssl, python3.6, texlive-base, and webkitgtk), Red Hat (apr-util, git, gnutls, kernel, kernel-rt, and kpatch-patch), Slackware (cups and ntp), and Ubuntu (linux-azure-fde, linux-azure-fde-5.15 and perl).
jake

Update now! Critical MOVEit Transfer vulnerability under active exploitation

2 years 2 months ago

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about an actively exploited, critical zero-day vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer file-transfer application.

The post Update now! Critical MOVEit Transfer vulnerability under active exploitation first appeared on Nemzeti Kibervédelmi Intézet.

NKI