Hírolvasó

Linux Plumbers Conference 2023 is pleased to host the eBPF & Networking Track!

For the fourth year in a row, the eBPF & Networking Track is going to bring together developers, maintainers, and other contributors from all around the globe to discuss improvements to the Linux kernel’s networking stack as well as BPF subsystem and their surrounding user space ecosystems such libraries, loaders, compiler backends, and other related system tooling.

The gathering is designed to foster collaboration and face to face discussion of ongoing development topics as well as to encourage bringing new ideas into the development community for the advancement of both subsystems.

Proposals can cover a wide range of topics related to Linux networking and BPF covering improvements in areas such as (but not limited to) core networking, protocols, routing, performance, tunneling, drivers, BPF infrastructure and its use in tracing, security, networking, scheduling and beyond, as well as non-kernel components like libraries, compilers, testing infra and tools.

Please come and join us in the discussion. We hope to see you there!

A Protonmail bejlentette régóta várt Proton Pass nevű szolgáltatásának béta verzióját, amely egyelőre még csak a Lifetime és Visionary felhasználók számára lesz kipróbálható. A teszteléshez szükséges meghívók a héten kerülnek kiküldésre a felhasználók Protonmailes e-mail címeire.

The post Tesztelési fázisba lépett a Protonmail jelszókezelője first appeared on Nemzeti Kibervédelmi Intézet.

A VMware egy kritikus sérülékenységet javított az Aria Operations for Logs termékében, amely hitelesítés nélkül távoli kódfuttatást tesz lehetővé illetéktelenek számára.

The post Kritikus hibát javítottak a VMware Aria Operations for Logs-ban first appeared on Nemzeti Kibervédelmi Intézet.

F38 just released and seeing a bunch of people complain that TF2 dies on AMD or other platforms when lavapipe is installed. Who's at fault? I've no real idea. How to fix it? I've no real idea.

What's happening?

AMD OpenGL drivers use LLVM as the backend compiler. Fedora 38 updated to LLVM 16. LLVM 16 is built with c++17 by default. C++17 introduces new "operator new/delete" interfaces[1].

TF2 ships with it's own libtcmalloc_minimal.so implementation, tcmalloc expects to replace all the new/delete interfaces, but the version in TF2 must not support or had incorrect support for the new align interfaces.

What happens is when TF2 probes OpenGL and LLVM is loaded, when DenseMap initializes, one "new" path fails to go into tcmalloc, but the "delete" path does, and this causes tcmalloc to explode with

"src/tcmalloc.cc:278] Attempt to free invalid pointer"

Fixing it?

I'll talk to Valve and see if we can work out something, LLVM 16 doesn't seem to support building with C++14 anymore. I'm not sure if static linking libstdc++ into LLVM might avoid the tcmalloc overrides, it might not also be acceptable to the wider Fedora community.

[1] https://www.cppstories.com/2019/08/newnew-align/

Linus has released the 6.3 kernel as expected.

It's been a calm release this time around, and the last week was really no different. So here we are, right on schedule, with the 6.3 release out and ready for your enjoyment.

That doesn't mean that something nasty couldn't have been lurking all these weeks, of course, but let's just take things at face value and hope it all means that everything is fine, and it really was a nice controlled release cycle. It happens.

Significant changes in this release include the removal of a lot of obsolete Arm board files and drivers, ongoing improvements to the (still minimal) Rust language support, red-black trees for BPF programs, ID-mapped mounts for tmpfs filesystems, BIG TCP support for IPv4, support for non-executable memfds, the hwnoise jitter-measurement tool, and a lot more. See the LWN merge-window summaries (part 1, part 2) and the (in-progress) KernelNewbies 6.3 page for more information.

This ten days old but hopefully better late than never: the Python Software Foundation has put out an article describing how the proposed European "cyber resilience act" threatens the free-software community.

Under the current language, the PSF could potentially be financially liable for any product that includes Python code, while never having received any monetary gain from any of these products. The risk of huge potential costs would make it impossible in practice for us to continue to provide Python and PyPI to the European public.

The Internet Systems Consortium has also recently put out a statement on the proposal.

The concept of movable memory was initially designed for hot-pluggable memory on server-class systems, but it would now appear that this mechanism is finding a new use in consumer-electronics devices as well. The designated movable block patch set was first submitted by Doug Berger in September 2022. By adding more flexibility around the configuration and use of movable memory, this work will, it is hoped, improve how Linux performs on resource-constrained systems.

The Python Package Index (PyPI) has, like many language-specific repositories, had ongoing problems with malicious uploads. PyPI is now launching an authentication mechanism called trusted publishers in an attempt to fight this problem.

Instead, PyPI maintainers can configure PyPI to trust an identity provided by a given OpenID Connect Identity Provider (IdP). This allows allows PyPI to verify and delegate trust to that identity, which is then authorized to request short-lived, tightly-scoped API tokens from PyPI. These API tokens never need to be stored or shared, rotate automatically by expiring quickly, and provide a verifiable link between a published package and its source.

Security updates have been issued by Debian (golang-1.11 and libxml2), Fedora (chromium, dr_libs, frr, ruby, and runc), Oracle (java-11-openjdk and java-17-openjdk), Red Hat (emacs, httpd and mod_http2, kpatch-patch, and webkit2gtk3), SUSE (libmicrohttpd, nodejs16, ovmf, and wireshark), and Ubuntu (kauth and patchelf).

Joshua Stein (jcs@) has committed viogpu(4), which provides support for the virtio(4) GPU interface (provided by QEMU and other virtual machines) to create a wscons(4) console.

CVSROOT: /cvs Module name: src Changes by: jcs@cvs.openbsd.org 2023/04/20 13:28:31 Modified files: share/man/man4 : Makefile sys/arch/amd64/conf: GENERIC sys/arch/arm64/conf: GENERIC RAMDISK sys/dev/pv : files.pv virtio.c virtioreg.h sys/dev/wscons : wsconsio.h Added files: share/man/man4 : viogpu.4 sys/dev/pv : viogpu.c viogpu.h Log message: add viogpu, a VirtIO GPU driver works enough to get a console on qemu with more work to come from others feedback from miod ok patrick

Great stuff! This moves us closer to having a fully functional wscons console on virtual machines in those specific environments too. We will be watching further development closely.

Version 0.87 of Game of Trees has been released (and the port updated):

* got 0.87; 2023-04-19 see git repository history for per-change authorship information - add gitwrapper(1) - tog: resume blame and diff search from the first line - fix crash in got log due to NULL-deref in got_object_blob_close - add support for protecting references against 'got send -f' to gotd - fix spurious empty packfile error from gotd when rewinding a branch - tog: implement automated test harness - update the base commit ID of unmodified files if the blob ID matches - fix rebase/histedit -a leaving some files on the temporary branch - make 'got revert' and 'got rm' work on non-existent directories - got: flush stdout before printing the error in main() - when aborting rebase/histedit/merge, unlink files added by merged changes - fix 'got commit' using a bad parent commit ID when worktree is out-of-date - allow no-op merge commits to be created - fix sending merge commits - show how to fetch a pull request in got.1 pull request example section

A highlight of this release is the addition of gitwrapper(1), a utility facilitating co-existence with git.

GNOME is, of course, a widely-used desktop environment for Linux systems; on March 22, the project released GNOME 44, codenamed "Kuala Lumpur". This version features enhancements to the settings panels, quick settings, the files application, and an updated file chooser with a grid view, among others. The full list of changes can be seen in the release notes available on the GNOME website.

The Ubuntu 23.04 release is out. Headline features include a new installer, GNOME 44, Azure Active Directory authentication, and more.

The newest Edubuntu, Kubuntu, Lubuntu, Ubuntu Budgie, Ubuntu Cinnamon, Ubuntu Kylin, Ubuntu MATE, Ubuntu Studio, Ubuntu Unity, and Xubuntu are also being released today.

See the release notes for more information.

Distributors have been enabling the SELinux security module for nearly 20 years now, and many administrators have been disabling it on their systems for almost as long. There are a few ways in which SELinux can be disabled on any given system, including command-line options, a run-time switch, or simply not loading a policy after boot. One of those ways, however, is about to be disabled itself.

The latest crop of stable kernels is out; 6.2.12, 6.1.25, 5.15.108, 5.10.178, 5.4.241, 4.19.281, and 4.14.313 have been released. As is usual, they all contain important fixes throughout the kernel tree.

Security updates have been issued by Debian (golang-1.11), Fedora (chromium, golang-github-cenkalti-backoff, golang-github-cli-crypto, golang-github-cli-gh, golang-github-cli-oauth, golang-github-gabriel-vasile-mimetype, libpcap, lldpd, parcellite, tcpdump, thunderbird, and zchunk), Red Hat (java-11-openjdk, java-17-openjdk, and kernel), SUSE (chromium, dnsmasq, ImageMagick, nodejs16, openssl-1_0_0, openssl1, ovmf, and python-Flask), and Ubuntu (dnsmasq, libxml2, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, and linux-snapdragon).

A Google 2023.04.18-án vészhelyzeti javításokat vezetett be a Chrome webböngésző újabb aktívan kihasználható, nagy súlyú nulladik napi hibájának kezelésére. .A CVE-2023-2136 számon nyomon követhető “integer overflow” típusú sebezhetőség a Skia nyílt forráskódú 2D-s grafikus könyvtárt érinti. Clément Lecigne, a Google Threat Analysis Group (TAG) munkatársa fedezte fel és jelentette a hibát 2023. április 12-én. A Google Chrome […]

The post Újabb zero-day sérülékenységet javítottak a Google Chrome-ban first appeared on Nemzeti Kibervédelmi Intézet.

Több mint 1 millió WordPress weboldal fertőződött meg egy kampány során. A támadók bővítmények és témák sebezhetőségeit használták ki arra, hogy rosszindulatú kódokat juttassanak a weboldalakra.

The post Balada Injector, a WordPress oldalak rémálma first appeared on Nemzeti Kibervédelmi Intézet.

The LWN.net Weekly Edition for April 20, 2023 is available.

Vanilla OS, a lightweight, immutable operating system designed for developers and advanced users, has been using Ubuntu as its base. However, a recent announcement has revealed that, in the upcoming Vanilla OS 2.0 Orchid release, the project will be shifting to Debian unstable (Sid) as its new base operating system. Vanilla OS is making the switch due to Ubuntu's changes to its version of the GNOME desktop environment along with the distribution's reliance on the Snap packaging format. The decision has generated a fair amount of interest and discussion within the open-source community.