News reader

Security updates for Monday

2 years 3 months ago
Security updates have been issued by Fedora (rust-cargo-c, rust-coreos-installer, rust-fedora-update-feedback, rust-git-delta, rust-gst-plugin-reqwest, rust-pore, rust-rpm-sequoia, rust-sequoia-octopus-librnp, rust-sequoia-policy-config, rust-sequoia-sq, rust-sevctl, rust-tealdeer, and rust-ybaas), Mageia (avahi, git, imagemagick, libfastjson, libxml2, parcellite, and virtualbox), SUSE (containerd, dnsmasq, ffmpeg, git, indent, installation-images, java-17-openjdk, maven and recommended update for antlr3, minlog, sbt, xmvn, ncurses, netty, netty-tcnative, openssl-1_0_0, python-Django1, redis, shim, terraform-provider-helm, and zstd), and Ubuntu (erlang, mysql-5.7, mysql-8.0, ruby2.3, ruby2.5, ruby2.7, and webkit2gtk).
jake

Kernel prepatch 6.4-rc1

2 years 3 months ago
Linus has released 6.4-rc1 and closed the merge window for this development cycle.

The one feature that didn't make it was the x86 shadow stack code. That side was probably a bit unlucky, in that it came in as I was looking at x86 issues anyway, and so I looked at it quite a bit, and had enough reservations that I asked for a couple of fairly big re-organizations.

This is just one more setback in the long-running shadow-stack story; see this article for some background.

In the end, 13,044 non-merge changesets were pulled during this merge window.

corbet

Yocto Project 4.2 released

2 years 3 months ago
Version 4.2 of the Yocto Project distribution builder has been released. It features improved Rust support, a number of BitBake enhancements, lots of updated software, and numerous security fixes.
corbet

cron(8) now supports random ranges with steps

2 years 3 months ago

Thanks to the following commit by Todd Miller (millert@), cron(8) now supports random values in a range with a step value (i.e. "<lo>~<hi>/<step>" in crontab(5) entries):

CVSROOT: /cvs
Module name: src
Changes by: millert@cvs.openbsd.org 2023/05/06 17:06:27

Modified files:
usr.sbin/cron : crontab.5 entry.c macros.h

Log message:
Support random offsets when using ranges with a step value in cron.

This extends the random range syntax to support step values. Instead of choosing a random number between the high and low values, the field is treated as a range with a random offset less than the step value. This can be used to avoid thundering herd problems where multiple machines contact a server all at the same time via cron jobs.

The syntax is similar to the existing range/step syntax but uses a random range. For example, instead of "0-59/10" in the minutes field, "0~59/10" can be used to run a command every 10 minutes where the first command starts at a random offset in the range [0,9]. The high and low numbers are optional, "~/10" can be used instead.

Requested by job@, OK phessler@

[$] The end of the accounting search

2 years 3 months ago
Some things, it seems, just cannot be hurried. Back in 2007, your editor first started considering alternatives to the proprietary accounting system that had been used by LWN since the beginning. That search became more urgent in 2012, and returned in 2017 with a focused effort to find something better. But another five years passed before some sort of conclusion was reached. It has finally happened, though; LWN is no longer using proprietary software for its accounting needs.
corbet

Security updates for Friday

2 years 3 months ago
Security updates have been issued by Debian (chromium, evolution, and odoo), Fedora (java-11-openjdk), Oracle (samba), Red Hat (libreswan and samba), Slackware (libssh), SUSE (amazon-ssm-agent, apache2-mod_auth_openidc, cmark, containerd, editorconfig-core-c, ffmpeg, go1.20, harfbuzz, helm, java-11-openjdk, java-1_8_0-ibm, liblouis, podman, and vim), and Ubuntu (linux-aws, linux-aws-hwe, linux-intel-iotg, and linux-oem-6.1).
jake

OpenBGPD 8.0 released

2 years 3 months ago
The OpenBSD project has released a new version of OpenBGPD, the OpenBSD Border Gateway Protocol (BGP) routing daemon, version 8.0. The announcement reads,

From: Claudio Jeker <claudio () openbsd ! org>
Date: Thu, 04 May 2023 16:24:30 +0000
To: openbsd-announce
Subject: OpenBGPD 8.0 released

We have released OpenBGPD 8.0, which will be arriving in the OpenBGPD directory of your local OpenBSD mirror soon.

Google "We Have No Moat, And Neither Does OpenAI" (SemiAnalysis)

2 years 3 months ago
The SemiAnalysis site has what is said to be a leaked Google document on the state of open-source AI development. Open source, it concludes, is winning.

At the beginning of March the open source community got their hands on their first really capable foundation model, as Meta’s LLaMA was leaked to the public. It had no instruction or conversation tuning, and no RLHF. Nonetheless, the community immediately understood the significance of what they had been given.

A tremendous outpouring of innovation followed, with just days between major developments (see The Timeline for the full breakdown). Here we are, barely a month later, and there are variants with instruction tuning, quantization, quality improvements, human evals, multimodality, RLHF, etc. etc. many of which build on each other.

(Thanks to Dave Täht).

corbet

[$] The ongoing trouble with get_user_pages()

2 years 3 months ago
The 2018 Linux Storage, Filesystem, and Memory-Management (LSFMM) conference included a session on get_user_pages(), an internal kernel interface that can, in some situations, be used in ways that will lead to data corruption or kernel crashes. As the 2023 LSFMM+BPF event approaches, this problem remains unsolved and is still the topic of ongoing discussion. This patch series from Lorenzo Stoakes, which is another attempt at a partial solution, is the latest focus point.
corbet

New C features in GCC 13 (Red Hat Developer)

2 years 3 months ago
The Red Hat Developer site has an overview of some of the new C-language features supported by the GCC 13 release.

The nullptr constant first appeared in C++11, described in proposal N2431 from 2007. Its purpose was to alleviate the problems with the definition of NULL, which can be defined in a variety of ways: (void *)0 (a pointer constant), 0 (an integer), and so on. This posed problems for overload resolution, generic programming, etc. While C doesn’t have function overloading, the protean definition of NULL still causes headaches.

corbet

Google and Apple jointly take up the fight against Bluetooth-based tracking

2 years 3 months ago

The two tech giants are working together to develop a new industry standard aimed at preventing user tracking by Bluetooth-compatible devices. According to the draft specification presented by Google and Apple, manufacturers will be able to notify their users more easily about this kind of tracking. According to the press releases from Apple and Google, the specification, the first of its kind, […]

The post "Google and Apple jointly take up the fight against Bluetooth-based tracking" first appeared on Nemzeti Kibervédelmi Intézet.

NKI

Passwordless sign-in launches at Google

2 years 3 months ago

Google has announced that it is making the Passkey feature available on all of its platforms and services, so users will be able to sign in to their Google accounts without entering passwords. Although the company has introduced several additional account-protection measures in recent years, such as two-factor authentication and Google Password Manager, the tech giant has recognized that, for the problems arising from password management, an effective […]

The post "Passwordless sign-in launches at Google" first appeared on Nemzeti Kibervédelmi Intézet.

NKI

[$] Namespaces for the Python Package Index

2 years 3 months ago
The Python packaging picture is generally a bit murky; there are lots of different stakeholders, with disparate wishes and needs, which all adds up to a fairly large set of multi-faceted problems. Back in the first three months of the year, we looked at various discussions around packaging, some of which are still ongoing. A packaging summit was held at PyCon 2023 to bring some of the participants of those discussions together in one room. One of its sessions was on adding a namespaces feature to the Python Package Index (PyPI). It provides a look into some of the difficulties that can arise, especially when trying to accommodate a long legacy of existing practices, which is often a millstone around the neck of those trying to make packaging improvements.
jake

rpki-client 8.4 released

2 years 3 months ago

Version 8.4 of rpki-client has been released, with a number of improvements and new features:

rpki-client 8.4 has just been released and will be available in the rpki-client directory of any OpenBSD mirror soon. rpki-client is a FREE, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties (RP) to facilitate validation of BGP announcements. The program queries the global RPKI repository system and validates untrusted network inputs. The program outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads in configuration formats suitable for OpenBGPD and BIRD, and supports emitting CSV and JSON for consumption by other routing stacks.
