Hírolvasó

Linus has released 6.4-rc5 for testing.

Nothing particularly strange here, most notable is probably just the quick revert of the module loading trial that caused problems for people in rc4 depending on just random timing luck (or rather, lack there-of). So if you tried rc4, and some devices randomly didn't work for you, that was likely the issue.

Red Hat's Matthias Clasen has let it be known that LibreOffice will be dropped from a future Red Hat Enterprise Linux release, and the future of its support in Fedora is unclear as well.

The Red Hat Display Systems team (the team behind most of Red Hat’s desktop efforts) has maintained the LibreOffice packages in Fedora for years as part of our work to support LibreOffice for Red Hat Enterprise Linux. We are adjusting our engineering priorities for RHEL for Workstations and focusing on gaps in Wayland, building out HDR support, building out what’s needed for color-sensitive work, and a host of other refinements required by Workstation users. This is work that will improve the workstation experience for Fedora as well as RHEL users, and which, we hope, will be positively received by the entire Linux community.

The tradeoff is that we are pivoting away from work we had been doing on desktop applications and will cease shipping LibreOffice as part of RHEL starting in a future RHEL version. This also limits our ability to maintain it in future versions of Fedora.

As the 2023 Linux Storage, Filesystem, Memory-Management and BPF Summit neared its conclusion, two sessions were held in the memory-management track on process-oriented topics. Mike Rapoport ran a session on memory-management documentation (or the lack thereof), while Andrew Morton talked about the state of the subsystem's development process in general. Both sessions were relatively brief and did not foreshadow substantial changes to come.

Security updates have been issued by Debian (cups and netatalk), SUSE (cups, ImageMagick, installation-images, libvirt, openvswitch, and qemu), and Ubuntu (avahi, cups, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, linux, linux-aws, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-aws-5.4, linux-bluefield, linux-intel-iotg, and linux-intel-iotg-5.15).

Version 1.70.0 of the Rust language is out. Changes include enabling the "sparse" protocol for Cargo, a couple of new types for the initialization of shared data, and more. "You should see substantially improved performance when fetching information from the crates.io index."

Like most other distributions, the Debian project decided to end the separation between the root and /usr filesystems years ago. Unlike most others, though, Debian is still working on the implementation of this decision. The upcoming Debian 12 ("bookworm") release will feature a merged /usr in most respects, but there are a couple of nagging issues that threaten to stretch this transition out for some time yet.

A new version of NixOS, which is a Linux distribution based on the Nix package manager, has been released: NixOS 23.05 is now available. The release notes list numerous updates, including Nix 2.13, Linux 6.1, glibc 2.37, Cinnamon 5.6, GNOME 44, and KDE Plasma 5.27. The 23.05 release was made possible due to the efforts of 1867 contributors, who authored 36566 commits since the previous release. Our thanks go the contributors who also take care of the continued stability and security of our stable release.

NixOS is already known as the most up to date distribution while also being the distribution with the most packages. This release saw 16240 new packages and 13524 updated packages in Nixpkgs. We also removed 13466 packages in an effort to keep the package set maintainable and secure. In addition to packages the NixOS distribution also features modules and tests that make it what it is. This release brought 282 new modules and removed 183. In that process we added 2882 options and removed 728.

Security updates have been issued by Debian (libwebp, openssl, sssd, and texlive-bin), Fedora (bitcoin-core, editorconfig, edk2, mod_auth_openidc, pypy, pypy3.9, python3.10, and python3.8), Red Hat (kernel, openssl, pcs, pki-core:10.6, and qatzip), SUSE (chromium, ImageMagick, openssl-1_1, and tiff), and Ubuntu (cups, libvirt, and linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-hwe-5.19, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi).

A dél-koreai AhnLab Security Emergency Response Center (ASEC) arra figyelmeztet, hogy a hírhedt észak-koreai Lazarus APT csoport (APT38) sebezhető Windows IIS (Internet Information Services) webszervereket vett célba. A csoport elsősorban pénzügyi motivációból indít támadásokat, ezért kollektív fenyegtést jelent a szervezetekre nézve.

The post Windows IIS webszerverek kerültek az észak-koreai hackerek célkeresztjébe first appeared on Nemzeti Kibervédelmi Intézet.

Május elején figyelmeztetünk rá, hogy a ZyXEL egyes tűzfalaiban kritikus sebezhetőség (CVE-2023-28771) került javításra. Nemrégiben egy Mirai botnet variáns segítségével az említett sérülékenységet kihasználva számos ZyXEL tűzfalat törtek fel.

The post Figyelem: Három kritikus ─ egy aktívan kihasznált ─ sebezhetőség érint ZyXEL termékeket! first appeared on Nemzeti Kibervédelmi Intézet.

The LWN.net Weekly Edition for June 1, 2023 is available.

The code-tagging mechanism proposed last year by Suren Baghdasaryan and Kent Overstreet has been the subject of a number of (sometimes tense) discussions. That conversation came to the memory-management track at the 2023 Linux Storage, Filesystem, Memory-Management and BPF Summit, where its developers (Baghdasaryan attending in-person and Overstreet remotely) tried to convince the attendees that its benefits justify its cost.

David Malcolm writes about a number of new features that have been added to the static analyzer in the GCC 13 release.

The above example makes the common mistake with C-style strings of forgetting the null terminator when computing how much space to allocate for str.

GCC 13's -fanalyzer option now keeps track of the sizes of dynamically allocated buffers, and for many cases it checks the simulated memory reads and writes against the sizes of the relevant buffers. With this new work it detects the above problem.

Az NCC Group kiberbiztonsági cég új ingyenesen elérhető, nyílt forráskódú eszközöket adott ki, amelyek hasznosak lehetnek  alkalmazásfejlesztők és pentesterek számára.

The post Új nyílt forráskódú eszközök fejlesztők és a pentesterek számára first appeared on Nemzeti Kibervédelmi Intézet.

A hálózati biztonsági megoldásokat kínáló Barracuda figyelmeztette ügyfeleit, hogy egyes fenyegető szereplők a közelmúltban sikeres támadásokat hajtottak végre sérülékeny ESG-k (Email Security Gateway) ellen, egy mostanra javított, kritikus nulladik napi sebezhetőséget kihasználva.

The post Nulladik napi sebezhetőséggel törtek fel Barracuda ESG-t használó szervezeteket first appeared on Nemzeti Kibervédelmi Intézet.

Security updates have been issued by Debian (connman and kamailio), Fedora (texlive-base), Mageia (cups-filters, postgresql, qtbase5, tcpreplay, tomcat, and vim), Slackware (openssl), SUSE (amazon-ssm-agent, cni, cni-plugins, compat-openssl098, installation-images, libaom, openssl, openssl-1_0_0, openssl-1_1, terraform, terraform-provider-helm, tiff, tomcat, and wireshark), and Ubuntu (batik, flask, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, linux-oracle, linux-oracle-5.4, mozjs102, nanopb, openssl, openssl1.0, snapd, and texlive-bin).

The 6.3.5, 6.1.31, 5.15.114, 5.10.181, 5.4.244, 4.19.284, and 4.14.316 stable kernels have all been released; each contains another set of important fixes.

Martin Petersen and John Garry led a session at the 2023 Linux Storage, Filesystem, Memory-Management and BPF Summit on work they have been doing to implement atomic block writes of various sizes for SCSI and NVMe. The idea is to support devices that can guarantee atomic operations for sizes larger than their block size. It is an attempt to "find common ground" between the two standards, Petersen said, because the two have slightly different semantics, depending on the device type, and different restrictions, which has made for an "interesting project". It has been a challenge to find an abstraction layer that can work with the "five different variants of SCSI and NVMe implementations that may or may not be out there".

Security updates have been issued by Debian (libssh and sssd), Fedora (microcode_ctl and python3.6), Gentoo (cgal, firefox firefox-bin, openimageio, squashfs-tools, thunderbird thunderbird-bin, tiff, tomcat, webkit-gtk, and xorg-server xwayland), SUSE (c-ares and go1.18-openssl), and Ubuntu (Jhead, node-hawk, node-nth-check, and perl).