News reader

A post on the RustConf keynote fiasco

2 years 2 months ago
The Rust community has experienced some turbulence in response to the cancellation of a keynote talk at the upcoming RustConf event. The Rust project leadership has now put out a blog post apologizing for and explaining its role in the event, describing its "decision-making and communication processes" as the primary cause of the failure.

Organizationally, within leadership chat we will enforce a strict consensus rule for all decision making, so that there is no longer ambiguity of whether something is an individual opinion or a group decision. We are going to launch the new governance council as soon as possible. We’ll assist the remaining teams to select their representatives in a timely manner, so that the new governance council can start and the current leadership chat can disband.

corbet

[$] Julia 1.9 brings more speed and convenience

2 years 2 months ago
Version 1.9 of Julia, which is an open-source programming language popular in scientific computing, was released in early May. There are a number of interesting new features this time around, including more work addressing the startup-time complaints and a number of improvements to the package system. Beyond that, there are a few interesting features from the Julia 1.8 release to catch up on.
jake

Sessions from the 2023 Python Language Summit

2 years 2 months ago
A series of blog posts from the 2023 Python Language Summit has been posted; topics covered include the C API, the global interpreter lock, the standard library, and a talk on burnout from Guido van Rossum:

The first known case of burnout in the field of open-source software, van Rossum speculated, may have been Charles Babbage, who gave up the post of Lucasian Professor of Mathematics (the “Chair of Newton”) at Cambridge University in 1839.

corbet

[$] Improving page-fault scalability

2 years 2 months ago
Certain topics return predictably to development conferences every year, usually because developers are still struggling to find a viable solution to a specific problem. One such topic is the lack of scalability in the kernel's page-fault-handling code, so it was no surprise to see this problem on the agenda for the 2023 Linux Storage, Filesystem, Memory-Management and BPF Summit. Matthew Wilcox led a session in the memory-management track to discuss the state of page-fault handling and what can be done to improve it further.
corbet

Security updates for Monday

2 years 2 months ago
Security updates have been issued by Debian (docker-registry, gpac, libraw, libreoffice, rainloop, and sysstat), Fedora (bottles, c-ares, edk2, libssh, microcode_ctl, python-vkbasalt-cli, rust-buffered-reader, rust-nettle, rust-nettle-sys, rust-rpm-sequoia, rust-sequoia-keyring-linter, rust-sequoia-octopus-librnp, rust-sequoia-openpgp, rust-sequoia-policy-config, rust-sequoia-sop, rust-sequoia-sq, rust-sequoia-sqv, rust-sequoia-wot, and xen), SUSE (opera), and Ubuntu (Jhead, linuxptp, and sudo).
jake

Provos: Bcrypt at 25

2 years 2 months ago
Niels Provos reflects on 25 years of experience with Bcrypt and ponders the future of password security in a ;login article.

Bcrypt's endurance can be attributed to several other factors beyond our intentional algorithm design. Its wide availability in open-source implementations has facilitated widespread adoption and integration into various systems. According to Wikipedia, there are implementations of bcrypt in C, C++, C#, Embarcadero Delphi, Elixir, Go, Java, JavaScript, Perl, PHP, Python, and Ruby. Moreover, bcrypt's focus on computational cost scaling makes it an attractive choice for large Internet services compared to newer algorithms like Argon2, which also scale in memory consumption.

corbet

New versions of LibreSSL released

2 years 2 months ago

The LibreSSL project has announced the release of versions 3.6.3 and 3.7.3, and (development) version 3.8.0 of the software.

The announcement for versions 3.6.3 and 3.7.3 reads:

We have released LibreSSL 3.6.3 and 3.7.3, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. They include the following fixes:

* Bug fix - Hostflags in the verify parameters would not propagate from an SSL_CTX to newly created SSL.
* Reliability fix - A double free or use after free could occur after SSL_clear(3).

The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.

The announcement for version 3.8.0 reads:


[$] Cloud-storage optimizations

2 years 2 months ago
"I/O hints" for storage devices, which are meant to improve performance by giving the devices extra information about the nature of the I/O, have a long history with Linux. But the code for write hints was "ripped out last year", according to a message from Ted Ts'o proposing a discussion about new optimizations for cloud-storage devices. That discussion took place in a combined storage and filesystem session at the 2023 Linux Storage, Filesystem, Memory-Management and BPF Summit. In it, Ts'o proposed that the Linux community define its own set of hints rather than just following along with the hints in the standards—which have largely been ignored by the vendors in any case.
jake

[$] Mitigating vmap lock contention

2 years 2 months ago
The "vmap area" is a range of kernel address space used when the kernel needs to virtually map a range of memory; among other things, memory allocations obtained from vmalloc() and loadable modules are placed there. At the 2023 Linux Storage, Filesystem, Memory-Management and BPF Summit, Uladzislau Rezki, presenting remotely, explained a performance problem related to the vmap area and discussed possible solutions.
corbet

[$] Optimizing single-owner memory

2 years 2 months ago
The kernel's memory-management subsystem is optimized for the sharing of resources to the greatest extent possible. But, as Pasha Tatashin pointed out during a memory-management session at the 2023 Linux Storage, Filesystem, Memory-Management and BPF Summit, a lot of memory has a single owner and will never be shared. He presented some ideas for optimizing the management of that memory to a somewhat skeptical crowd.
corbet

Security updates for Friday

2 years 2 months ago
Security updates have been issued by Debian (sniproxy), Fedora (c-ares), Oracle (apr-util, curl, emacs, git, go-toolset and golang, go-toolset:ol8, gssntlmssp, libreswan, mysql:8.0, thunderbird, and webkit2gtk3), Red Hat (go-toolset-1.19 and go-toolset-1.19-golang and go-toolset:rhel8), Slackware (ntfs), SUSE (rmt-server), and Ubuntu (linux-raspi, linux-raspi-5.4 and python-django).
jake

Weston 12.0: Highlights and changes for Wayland's reference compositor (Collabora blog)

2 years 2 months ago
Over on the Collabora blog, Marius Vlad looks at the Weston 12.0 release. Weston is the reference compositor for the Wayland project. The highlights include two new backends and support for multiple scanout devices, along with "multiple fixes and internal changes that would further facilitate integration of functionality like color management or the ability to load up multiple backends at the same time".

As we're heading towards having the ability to load multiple backends, two new ones have seen the day in this new release: backend-vnc, which is similar to backend-rdp, is based on aml and neatvnc libraries. It has TLS support and user authentication. The other backend added is the PipeWire one; it creates a node for each output and like the plugin with the same backend name, it can be used to capture Weston outputs for processing with other applications.
jake

[$] Zoned storage and filesystems

2 years 2 months ago
Issues around zoned storage for filesystems were the topic of a combined storage and filesystem session at the 2023 Linux Storage, Filesystem, Memory-Management and BPF Summit led by Bart Van Assche, Viacheslav A. Dubeyko, and Naohiro Aota. Zoned storage began with the advent of shingled magnetic recording (SMR) devices, but is now implemented by NVMe zoned namespaces (ZNS) as well. SMR devices can have multiple zones with different characteristics, with some zones that can only be written in sequential order, while other, conventional zones can be written in any order. The talk was focused on filesystems using the sequential type of zones since the conventional zones are already well-supported in Linux and its filesystems.
jake

[$] Flexible-order anonymous folios

2 years 2 months ago
The conversion to folios is intended to, among other things, make it easy for the kernel to manage chunks of memory in a number of different sizes. So far, though, that flexibility is not being used in the kernel's handling of anonymous pages. At the 2023 Linux Storage, Filesystem, Memory-Management and BPF Summit, Yu Zhao and Yang Shi ran a session in the memory-management track aimed at charting a path toward support for anonymous pages in a variety of sizes.
corbet

Security updates for Thursday

2 years 2 months ago
Security updates have been issued by Debian (python2.7), Fedora (maradns), Red Hat (devtoolset-12-binutils, go-toolset and golang, httpd24-httpd, jenkins and jenkins-2-plugins, rh-ruby27-ruby, and sudo), Scientific Linux (git), Slackware (texlive), SUSE (cups-filters, poppler, texlive, distribution, golang-github-vpenso-prometheus_slurm_exporter, kubernetes1.18, kubernetes1.23, openvswitch, rmt-server, and ucode-intel), and Ubuntu (ca-certificates, calamares-settings-ubuntu, Jhead, libhtml-stripscripts-perl, and postgresql-10, postgresql-12, postgresql-14, postgresql-15).
jake

.ZIP, .MOV? No, not file extensions, but new top-level domains!

2 years 2 months ago

Google has announced the release of eight new TLDs (such as ".dad" and ".nexus"), some of which have not been received entirely positively by the IT security community. According to some, domains ending in ".zip" and ".mov" may lend themselves to phishing and other types of online fraud.

The post ".ZIP, .MOV? No, not file extensions, but new top-level domains!" first appeared on Nemzeti Kibervédelmi Intézet.

NKI