Hírolvasó

The 5.16.13, 5.15.27, 5.10.104, 5.4.183, 4.19.233, 4.14.270, and 4.9.305 stable kernel updates are available; each contains another set of important fixes.

DENT is a special-purpose Linux distribution aimed at router deployments; "DENT utilizes the Linux Kernel, Switchdev, and other Linux based projects as the basis for building a new standardized network operating system without abstractions or overhead". Version 2.0 has been released:

DENT 2.0 adds secure scaling with Internet Protocol version 6 (IPv6) and Network Address Translation (NAT) to support a broader community of enterprise customers. It also adds Power over Ethernet (PoE) control to allow remote switching, monitoring, and shutting down. Connectivity of IoT, Point of Sale (POS), and other devices is highly valuable to retail storefronts, early adopters of DENT. DENT 2.0 also adds traffic policing, helping mitigate attack situations that overload the CPU.

The Collabora blog looks at recent developments in the PipeWire media system and looks forward to what is yet to come:

Now in 2022, we are looking to the future. We already have designs to improve WirePlumber and experiment with new things. On the short-term horizon, we have plans to rework some parts of WirePlumber in order to make its configuration more user-friendly and the scripts easier to work with. We are also planning to revisit the policy logic and try to go a step beyond what PulseAudio has ever offered. In addition, we are looking forward to experimenting with complex cameras to improve how PipeWire and libcamera work together for an optimal user experience.

Version 98.0 of the Firefox browser is out. The big change this time is a new "optimized download flow" that is alleged to make the process of downloading files go much more smoothly. There are also some significant security fixes in this release.

Security updates have been issued by Debian (gif2apng and twisted), Mageia (golang, kernel, and webmin), openSUSE (chromium, cyrus-sasl, and opera), Red Hat (virt:rhel and virt-devel:rhel), Slackware (mozilla), SUSE (cyrus-sasl), and Ubuntu (glibc and redis).

It is a good bet that a significant amount of code in the kernel is entirely unused. Even so, that code must still be maintained and shipped, posing an ongoing cost to the development community. What should be done with code that is unmaintained and, possibly, unused? Answering that question requires understanding which users still exist, if any, and taking a hard look at what the future support requirements for that code will be. The kernel community has recently discussed this problem in the context of filesystems, and the Reiserfs filesystem in particular, with a focus on the approaching 2038 deadline.

Linus has released 5.17-rc7, which is hopefully the final prepatch in this development series: "as things stand, I expect that final 5.17 will be next weekend unless something surprising comes up".

Max Kellermann has disclosed a disconcerting kernel vulnerability:

Two weeks ago, I found a vulnerability in the Linux kernel since version 5.8 commit f6dd975583bd ("pipe: merge anon_pipe_buf*_ops") due to uninitialized variables. It enables anybody to write arbitrary data to arbitrary files, even if the file is O_RDONLY, immutable or on a MS_RDONLY filesystem. It can be used to inject code into arbitrary processes.

This vulnerability has been named "dirty pipe"; Kellermann has put up a web page describing it in detail. Updates from distributors are already being released.

Security updates have been issued by Debian (chromium, containerd, cyrus-sasl2, expat, firefox-esr, freecad, kernel, and tiff), Fedora (seamonkey, swtpm, and webkit2gtk3), Mageia (docker-containerd, firefox, flac, libtiff, libxml2, and mc), openSUSE (containerd, expat, flatpak, gnutls, go1.16, go1.17, libeconf, shadow and util-linux, mariadb, nodejs14, perl-App-cpanminus, vim, wireshark, wpa_supplicant, and zsh), SUSE (containerd, expat, flatpak, gnutls, go1.16, go1.17, java-11-openjdk, kernel-firmware, libeconf, shadow and util-linux, libxml2, mariadb, nodejs14, python-Twisted, vim, wireshark, wpa_supplicant, and zsh), and Ubuntu (firefox, openjdk-lts, openjdk-17, and php8.0).

Google's Chrome browser seemingly dominates the Internet at this point, but that does not mean that everybody wants to run it. Chrome, of course, is built on an open-source project called Chromium but is not an open-source product itself; it includes a number of proprietary add-ons. But the Chromium source is out there and can, with some effort, be used to build a working, open-source browser; a number of distributors do so. But Chromium is famously hard to package, and distributors have, at times, struggled to keep up with it; a recent discussion in the Fedora community has brought new attention to this problem.

Security updates have been issued by Debian (varnish), Fedora (barrier and polkit), openSUSE (bitcoin, conmon, libcontainers-common, libseccomp, podman, firefox, nodejs-electron, nodejs8, php7, and webkit2gtk3), SUSE (conmon, libcontainers-common, libseccomp, podman, cyrus-sasl, expat, firefox, nodejs8, php7, tomcat, and webkit2gtk3), and Ubuntu (containerd).

The disclosure of the Meltdown and Spectre vulnerabilities put a spotlight on the risks that come with sharing address spaces too widely. Even if the protection mechanisms provided by the hardware should prevent access to sensitive data, those vulnerabilities can often be used to leak that data anyway. So, from the beginning, mitigation strategies have included reducing the sharing of address spaces, but there is more that could be done and ongoing interest in doing so. Now, this patch set posted by Junaid Shahid (containing work from Ofir Weisse and inspired by earlier patches from Alexandre Chartre) shows what would be required to create a general address-space isolation (ASI) mechanism for the kernel.

Security updates have been issued by CentOS (cyrus-sasl), Fedora (kicad), Mageia (php), openSUSE (envoy-proxy, ldns, libdxfrw, librecad, php7, and shapelib), Red Hat (cyrus-sasl), SUSE (firefox, gnutls, ldns, and php7), and Ubuntu (haproxy and php7.2, php7.4).

The LWN.net Weekly Edition for March 3, 2022 is available.

Perhaps February was "compiler modernization" month. The Linux kernel recently decided to move to the C11 standard for its code; Python has just undergone a similar process for determining which flavor of C to use for building its CPython reference implementation. A calculation in the CPython interpreter went awry when built with a pre-release version of the upcoming GCC 12; that regression led down a path that ended up with the adoption of C11 for CPython as well.

The 5.16.12, 5.15.26, 5.10.103, 5.4.182, 4.19.232, 4.14.269, and 4.9.304 stable kernel updates have all been released; each contains another set of important fixes.

Security updates have been issued by Fedora (mingw-expat and seamonkey), openSUSE (mc, mysql-connector-java, nodejs12, and sphinx), Red Hat (kernel and kpatch-patch), SUSE (cyrus-sasl, kernel, nodejs12, and php74), and Ubuntu (glibc).

Debian has been working on some "constitutional maintenance" of late; a general resolution (GR) on tweaks to the project's decision-making processes passed at the end of January. As part of the discussion surrounding those changes, the question of secret voting came up; currently, Debian publicly lists every voter for a GR and their ranking of the options. Another GR has been proposed to change that, but the discussion has shown that the definition of "secret" is not exactly the same for everyone. In addition, secret voting is not the only change being proposed.

The Free Software Foundation has announced that Zoë Kooyman will be the organization's new executive director.

Kooyman was appointed by the FSF board following a careful selection process that included a review by a FSF staff committee and evaluation criteria such as management, fundraising, business and finance, legal, and technical skills. She succeeds John Sullivan, who served as executive director for twelve years.

Versions 21.02.2 and 19.07.9 of the OpenWrt router distribution are available. Both releases include a number of security fixes. Additionally, 21.02.2 adds support for a set of new devices, adds a new rpcapd package, and includes various other enhancements.