News reader

Security updates for Tuesday

3 years 5 months ago
Security updates have been issued by Debian (thunderbird), Oracle (kernel, kernel-container, and ruby:2.5), Red Hat (rh-ruby26-ruby), Slackware (libxml2 and libxslt), SUSE (htmldoc and SUSE Manager Server 4.2), and Ubuntu (mariadb-10.3, mariadb-10.5, policykit-1, qemu, virglrenderer, and webkit2gtk).
corbet

LibreSSL 3.5.0 development branch released

3 years 5 months ago
As of February 24th, 2022, LibreSSL's development branch has been updated to version 3.5.0.

The complete release notes may be viewed here:

https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.5.0-relnotes.txt

There is a lot there which would be best to read in its entirety rather than attempting to summarize here. However, for the sake of emphatic repetition and encouragement from the community at large, this quote seems salient and worth sharing:
This is a development release for the 3.5.x branch, and we appreciate additional testing and feedback before the final release coming soon with OpenBSD 7.1.

OpenSSH updated to 8.9

3 years 5 months ago
On February 23rd, 2022 OpenSSH was updated to version 8.9.

The complete release notes may be found here:

https://www.openssh.com/txt/release-8.9

For users not running OpenBSD, OpenSSH 8.9p1 portable was also released.

Of particular interest from the release notes is a mitigation for a "Security Near Miss" as well as MD5-hashed passphrases finally being deprecated from the portable release [editor's note: it's about time!].

Armbian 22.02 has been released

3 years 5 months ago
The Armbian project, which is a Debian-based distribution for Arm-based single-board computers (SBCs) and development boards, has a lengthy release announcement for Armbian 22.02. Beyond lots of updates and bug fixes (of course), Armbian has added support for Debian unstable ("sid"), Raspberry Pi images, a new Extensions build framework, build automation (continuous integration and continuous deployment) improvements, and more. There is also upcoming support for Ubuntu 22.04 images.

Historically, in many cases board manufacturers have been ‘maintaining’ (in parallel) some heavily patched Linux kernel which have diverged so far from mainline as to be considered an entirely different operating system. That mess is what some refer to as a Board Support Package (BSP), ‘legacy’ kernel, or ‘vendor’ bootloader.

Those sources get ‘thrown over the wall’ upon release, very often never to be touched again. They are full of proprietary code (binary blobs), dirty hacks, ancient kernels, and all manner of other garbage that will never see the light of day in mainline Linux. All of which is very similar to the situation on Android, if you know anything about that.

In fact, if not for projects like Armbian, our SBCs would likewise become throwaway devices, too — just like your Android — in pretty short order. That is, if you ever even got them to work in the first place.

jake

[$] Extending restartable sequences with virtual CPU IDs

3 years 5 months ago
Restartable sequences, a Linux kernel feature that facilitates the writing of lockless, per-CPU code in user space, has been around for some years, but it only just received support in the GNU C Library this month. Now that this barrier has been crossed, it would seem that the time has come to start adding features. Mathieu Desnoyers has responded to this challenge with a patch set adding an extension mechanism and a new "virtual CPU ID" feature.
corbet

Kernel prepatch 5.17-rc6

3 years 5 months ago
The 5.17-rc6 kernel prepatch has been released.

While things look reasonably normal, we _are_ getting pretty late in the release, and we still have a number of known regressions. They don't seem all that big and scary, but some of them were reported right after the rc1 release, so they are getting a bit long in the tooth. I'd hate to have to delay 5.17 just because of them, and I'm starting to be a bit worried here. I think all the affected maintainers know who they are.

corbet

Security updates for Monday

3 years 5 months ago
Security updates have been issued by CentOS (389-ds-base, cyrus-sasl, kernel, openldap, and python-pillow), Debian (cyrus-sasl2, htmldoc, and ujson), Fedora (flac, gnutls, java-11-openjdk, kernel, qemu, and vim), openSUSE (ucode-intel), SUSE (php72 and ucode-intel), and Ubuntu (php7.4, php8.0).
jake

[$] Better visibility into packet-dropping decisions

3 years 5 months ago
Dropped packets are a fact of life in networking; there can be any number of reasons why a packet may not survive the journey to its destination. Indeed, there are so many ways that a packet can meet its demise that it can be hard for an administrator to tell why packets are being dropped. That, in turn, can make life difficult in times when users are complaining about high packet-loss rates. Starting with 5.17, the kernel is getting some improved instrumentation that should shed some light on why the kernel decides to route packets into the bit bucket.
corbet

Developments in the FOSS response to Copilot and related technologies

3 years 5 months ago
Back in July, the Free Software Foundation (FSF) put out a call for white papers to explore the issues around GitHub's Copilot AI-assisted programming tool, especially with regard to copyleft licensing; each selected white paper was awarded $500. The FSF has now published five of the submissions that the organization thought "advanced discussion of important questions, and did so clearly".

In our call for papers, we set forth several areas of interest. Most of these areas centered around copyright law, questions of ownership for AI-generated code, and legal impacts for GitHub authors who use a GNU or other copyleft license(s) for their works. We are pleased to announce the community-provided research into these areas, and much more.

First, we want to thank everyone who participated by sending in their papers. We received a healthy response of twenty-two papers from members of the community. The papers weighed in on the multiple areas of interest we had indicated in our announcement. Using an anonymous review process, we concluded there were five papers that would be best suited to inform the community and foster critical conversations to help guide our actions in the search for solutions.

One of the submissions published was from Policy Fellow at Software Freedom Conservancy, Bradley M. Kuhn; that organization has announced the formation of a committee to "develop recommendations and plans for a Free and Open Source Software (FOSS) community response to the use of machine learning tools for code generation and authorship". A public ai-assist mailing list has been set up for discussions. "The inaugural members of the Committee are: Matthew Garrett, Benjamin Mako Hill, Bradley M. Kuhn, Heiki Lõhmus, Allison Randal, Karen M. Sandler, Slavina Stefanova, John Sullivan, David ‘Novalis’ Turner, and Stefano ‘Zack’ Zacchiroli."

jake

Security updates for Friday

3 years 5 months ago
Security updates have been issued by Fedora (dotnet6.0, kernel, libarchive, libxml2, and wireshark), openSUSE (opera), Oracle (cyrus-sasl), Red Hat (cyrus-sasl, python-pillow, and ruby:2.5), Scientific Linux (cyrus-sasl), and Ubuntu (snapd).
jake

Rust 1.59.0 released

3 years 5 months ago
Version 1.59.0 of the Rust language has been released. There are a number of new features, including support for inline assembly (in unsafe blocks, naturally), the ability to use tuples and slices on the left-hand side of an assignment, const generic defaults, and more. Incremental compilation is also disabled by default in this release to work around a known bug.
corbet

[$] Moving the kernel to modern C

3 years 5 months ago
Despite its generally fast-moving nature, the kernel project relies on a number of old tools. While critics like to focus on the community's extensive use of email, a possibly more significant anachronism is the use of the 1989 version of the C language standard for kernel code — a standard that was codified before the kernel project even began over 30 years ago. It is looking like that longstanding practice could be coming to an end as soon as the 5.18 kernel, which can be expected in May of this year.
corbet

Rust compiler ambitions for 2022 (Inside Rust)

3 years 5 months ago
The Inside Rust Blog has posted the Rust compiler team's goals for this year in the hope of encouraging others to help.

In theory, any unsoundness issue potentially undermines Rust's promise of reliability. We want, by the end of this year, to have a clear understanding of how each of those I-unsound issues came to be. We are looking into systematically detecting such issues and whether we can deploy mitigations or fixes for entire classes of issues, instead of addressing them on a case by case basis.

corbet

Security updates for Thursday

3 years 5 months ago
Security updates have been issued by Debian (thunderbird), Fedora (php), openSUSE (jasper and thunderbird), Oracle (389-ds-base, kernel, openldap, and python-pillow), Red Hat (cyrus-sasl and samba), and SUSE (cyrus-sasl, firefox, jasper, kernel-rt, nodejs10, nodejs14, nodejs8, and thunderbird).
jake

[$] Moving Python's bugs to GitHub

3 years 5 months ago
Over the past seven years or so, Python has slowly been moving its development infrastructure to GitHub; we covered some of the early discussions at the end of 2014. One piece of that infrastructure, bug tracking, has not been moved from bugs.python.org, but plans are underway to make that happen soon. It is not a simple or straightforward process to do so, however, so the transition will take up to a week to complete; there are a number of interesting facets to the switch, as it entails clearing some technical, and even legal, hurdles.
jake

Biesheuvel: Mitigating kernel risks on 32-bit ARM

3 years 5 months ago
Ard Biesheuvel writes about 32-bit Arm systems on the Google Security Blog, with a focus on why these processors are still in use and what is being done to increase their security at the kernel level.

Preventing stack overflows from corrupting unrelated memory contents is the goal of VMAP_STACK, which we are enabling for 32-bit ARM as well. When VMAP_STACK is enabled, kernel mode stacks are allocated from the kernel heap as before, but mapped into a different part of the kernel's address space, and surrounded by guard regions, which are guaranteed to be kept unpopulated. Given that accesses to such unpopulated regions will trigger an exception, the kernel's memory management layer can step in and terminate the program as soon as a stack overflow occurs, and prevent it from causing memory corruption.

corbet

Intel acquires Linutronix

3 years 5 months ago
Intel has announced the acquisition of Linutronix.

Linutronix is comprised of a team of highly qualified and motivated employees with a wealth of experience and involvement in the ongoing development of Linux. Led by CEO Heinz Egger and CTO Thomas Gleixner, Linutronix is the architect of PREEMPT_RT (Real Time) and the leading technology provider for industrial Linux. Gleixner has been the principal maintainer of x86 architecture in the Linux kernel since 2008.

The plan is evidently to continue to run Linutronix as an independent company rather than absorbing it into Intel.

corbet