News reader

Security updates for Wednesday

3 years 9 months ago
Security updates have been issued by Debian (ffmpeg, smarty3, and strongswan), Fedora (udisks2), openSUSE (flatpak, strongswan, util-linux, and xstream), Oracle (redis:5), Red Hat (java-1.8.0-openjdk, java-11-openjdk, openvswitch2.11, redis:5, redis:6, and rh-redis5-redis), SUSE (flatpak, python-Pygments, python3, strongswan, util-linux, and xstream), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-raspi and strongswan).
ris

How a simple Linux kernel memory corruption bug can lead to complete system compromise (Project Zero)

3 years 10 months ago
Over at the Project Zero blog, Jann Horn has a lengthy post on a kernel bug, ways to exploit it, and various ideas on mitigation. While the exploitation analysis is highly detailed, more than half of the post looks at various defenses to this kind of bug. This blog post describes a straightforward Linux kernel locking bug and how I exploited it against Debian Buster's 4.19.0-13-amd64 kernel. Based on that, it explores options for security mitigations that could prevent or hinder exploitation of issues similar to this one.

I hope that stepping through such an exploit and sharing this compiled knowledge with the wider security community can help with reasoning about the relative utility of various mitigation approaches.

A lot of the individual exploitation techniques and mitigation options that I am describing here aren't novel. However, I believe that there is value in writing them up together to show how various mitigations interact with a fairly normal use-after-free exploit.

jake

[$] Moving toward Qubes OS 4.1

3 years 10 months ago
On October 11, the first release candidate for Qubes OS version 4.1 was announced. Qubes OS is a security-oriented desktop operating system that uses multiple virtual machines (VMs or "qubes") to isolate various types of functionality. The idea is to compartmentalize different applications and operating-system subsystems to protect them from each other and to limit access to the user's data if an application is compromised. Version 4.1 will bring several important enhancements to help Qubes OS continue to live up to its motto: "A reasonably secure operating system".
jake

SFC files suit against Vizio over GPL violations

3 years 10 months ago
Software Freedom Conservancy has announced that it filed suit against TV maker Vizio over "repeated failures to fulfill even the basic requirements of the General Public License (GPL)". The organization raised the problems with Vizio in August 2018, but the company stopped responding in January 2020, according to the announcement. "We are asking the court to require Vizio to make good on its obligations under copyleft compliance requirements," says [Software Freedom Conservancy executive director Karen] Sandler. She explains that in past litigation, the plaintiffs have always been copyright holders of the specific GPL code. In this case, Software Freedom Conservancy hopes to demonstrate that it's not just the copyright holders, but also the receivers of the licensed code who are entitled to rights.

The lawsuit seeks no monetary damages, but instead seeks access to the technical information that the copyleft licenses require Vizio to provide to all customers who purchase its TVs (specifically, the plaintiff is asking for the technical information via "specific performance" rather than "damages").

The complaint is also available.

jake

Software Freedom Conservancy files lawsuit against Vizio Inc.

3 years 10 months ago
Software Freedom Conservancy announced it has filed a lawsuit against California TV manufacturer Vizio Inc. for GPL violations. The lawsuit alleges that Vizio’s TV products, built on its SmartCast system, contain software that Vizio unfairly appropriated from a community of developers who intended consumers to have very specific rights to modify, improve, share, and reinstall modified versions of the software.

[...] Software Freedom Conservancy, a nonprofit organization focused on ethical technology, is filing the lawsuit as the purchaser of a product which has copylefted code. This approach makes it the first legal case that focuses on the rights of individual consumers as third-party beneficiaries of the GPL.

ris

Security updates for Tuesday

3 years 10 months ago
Security updates have been issued by Debian (redmine and strongswan), Fedora (containerd, fail2ban, grafana, moby-engine, and thunderbird), openSUSE (curl, firefox, glibc, kernel, libqt5-qtsvg, rpm, ssh-audit, systemd, and webkit2gtk3), Red Hat (389-ds:1.4, curl, kernel, kernel-rt, redis:5, and systemd), SUSE (util-linux), and Ubuntu (ardour, linux-azure, linux-azure-5.11, and strongswan).
ris

[$] A disagreement over get_mm_exe_file()

3 years 10 months ago
Differences of opinion over which kernel symbols should be exported to loadable modules have been anything but uncommon over the years. Often, these disagreements relate to which kernel capabilities should be available to proprietary modules. Sometimes, though, they hinge on disagreements over the best way to solve a problem. The recent discussion around the removal of an export for a core kernel function is a case in point.
corbet

Security updates for Monday

3 years 10 months ago
Security updates have been issued by Debian (amd64-microcode, libreoffice, linux-4.19, and nghttp2), Fedora (chromium, libopenmpt, vim, and xen), openSUSE (firefox, kernel, krb5, libaom, and opera), Oracle (thunderbird), SUSE (firefox, firefox, rust-cbindgen, iproute2, javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags, and krb5), and Ubuntu (nginx).
ris

Kernel prepatch 5.15-rc6

3 years 10 months ago
The 5.15-rc6 kernel prepatch is out. "I'd love to say that it's all looking average, but rc6 is actually bigger than rc5 was, and larger than normal for this time in the release cycle. It's not _enormously_ larger than normal, and it's not the largest rc6 we've had, but it's still slightly worrisome."
corbet

Paul E. McKenney: Verification Challenges

3 years 10 months ago

[$] Possible changes to Debian's decision-making processes

3 years 10 months ago
The name Debian brings to mind a Linux distribution, but the Debian project is far more than that; it is an ongoing experiment in democratic project governance. Debian's processes can result in a lot of public squabbling; one should not lose track, though, of the fact that those processes have enabled a large community to maintain and grow a complex distribution for decades without the benefit of an overseeing corporate overlord. Processes can be improved, though; a recent proposal from Russ Allbery gives an interesting picture of where the pain points are and what can be made better.
corbet

Security updates for Friday

3 years 10 months ago
Security updates have been issued by Debian (squashfs-tools, tomcat9, and wordpress), Fedora (openssh), openSUSE (kernel, mbedtls, and rpm), Oracle (httpd, kernel, and kernel-container), SUSE (firefox, kernel, and rpm), and Ubuntu (linux-azure, linux-azure-5.4).
jake

Ubuntu 21.10 (Impish Indri) released

3 years 10 months ago
The latest release of the Ubuntu Linux distribution is out: Ubuntu 21.10, code named "Impish Indri". The release notes fill in all of the details for the new features in this version, but the announcement lists some as well: Ubuntu Desktop 21.10 makes Wayland sessions available while using the Nvidia proprietary driver. PulseAudio 15 introduces support for Bluetooth LDAC and AptX codecs, as well as HFP Bluetooth profiles providing better audio quality. The recovery key feature at installation time has been improved, with the recovery key now optional, stronger and editable. Ubuntu Desktop 21.10 includes GNOME version 40, with a new and improved Activities Overview design. Workspaces are now arranged horizontally, and the overview and app grid are accessed vertically. Each direction has accompanying keyboard shortcuts, touchpad gestures and mouse actions.

Ubuntu Server 21.10 integrates recent innovations from key open infrastructure projects like OpenStack Xena, QEMU 6.0, PHP8, libvirt 7.6, Kubernetes, and Ceph with advanced life-cycle management tools for multi-cloud and on-prem operations from bare metal, VMWare and OpenStack, to every major public cloud.

jake

OpenBSD 7.0 released

3 years 10 months ago

The OpenBSD project has released OpenBSD 7.0, the project's 51st release. As usual, the release page offers highlights, installation and upgrade instructions, as well as links to other resources such as the detailed changelog.

Notable improvements include, but are not limited to:

  • Support has been added for a new hardware platform, riscv64, for 64-bit RISC-V systems. [See earlier reports.]
  • /etc/bsd.re-config(5) was introduced, providing a mechanism to make config(8)-modified GENERIC kernels compatible with KARL.
  • Hibernate time has been reduced. [See earlier report.]
  • The timeout(1) utility was imported from NetBSD. [See earlier report.]
  • openrsync(1) now has include and exclude options. [See earlier report.]
  • doas(1) will now retry up to 3 times on password authentication failure.
  • ucc(4), a driver for USB HID Consumer Control keyboards, was added. This exposes volume, audio, and application launch keys.
  • xterm(1) is now unveiled. [See earlier report.]
  • printf(3) and friends now log an error and abort when confronted with format %n.
  • iked(8) now has client-side support for DNS configuration. [See earlier report.]
  • traceroute(8) speed has been boosted through asynchronous handling of probe packets and DNS. [See earlier report.]
  • dhcpleased(8) and resolvd(8) are both enabled by default and provide the standard mechanism for configuring IPv4 addresses by DHCP. [See previous reports.] The combination also makes nameserver information gathered via slaacd usable in dynamic configurations. dhclient(8) remains available for special cases. A "nameserver" command was added to route(8), allowing sending DNS nameserver proposals to resolvd(8) over the routing socket.
  • In LibreSSL 3.4.1, support has been added for the OpenSSL 1.1.1 TLSv1.3 APIs. The "new" X.509 validator is enabled, allowing verification of modern certificate chains.
  • In OpenSSH 8.8, the RSA/SHA1 signature type [not RSA ("ssh-rsa") keys - see previous report] is disabled by default. scp(1) supports optional use of the SFTP protocol. [Since our previous report, the default has reverted to the original scp/rcp protocol.]
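The %n item above is worth a closer look: %n is the one printf(3) conversion that writes to memory (the number of bytes emitted so far, through a pointer argument), which is what turns an attacker-controlled format string into a write primitive. The following is an added example, not OpenBSD's libc code and not taken from the release notes: a small scanner that walks printf-style conversion specifications and rejects any format containing %n, including width- and length-modified forms such as "%10n", "%hhn" and positional "%1$n", while still treating "%%" as a literal percent sign. The names format_has_n(), checked_snprintf(), n_count_demo() and refuse_demo() are chosen here for illustration; OpenBSD's libc logs and aborts rather than returning an error, which is the stricter choice.

```c
/* Added example (not OpenBSD's libc code): detect %n in printf-style
 * format strings and refuse to execute such formats.  Function names
 * are hypothetical; the sample formats below are constructed. */
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Characters that may legally appear between '%' and the conversion
 * character: flags, width/precision digits, '*', positional '$',
 * and length modifiers (hh, h, l, ll, L, q, j, z, t). */
static const char spec_chars[] = "-+ #0'.*$0123456789hlLqjzt";

/* Return true if fmt contains a %n conversion in any of its forms. */
bool format_has_n(const char *fmt)
{
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;                          /* step past the '%' */
        if (*p == '%')                /* "%%" is a literal percent */
            continue;
        while (*p != '\0' && strchr(spec_chars, *p) != NULL)
            p++;                      /* skip flags/width/precision/length */
        if (*p == '\0')               /* trailing '%' or truncated spec */
            break;
        if (*p == 'n')
            return true;
    }
    return false;
}

/* Checked variant of snprintf(): refuse formats containing %n instead
 * of executing them.  Returns -1 and an empty string on refusal;
 * otherwise behaves like vsnprintf(). */
int checked_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    if (format_has_n(fmt)) {
        if (size > 0)
            buf[0] = '\0';
        return -1;
    }
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* What %n does when it is allowed: the byte count emitted so far is
 * stored through the pointer argument.  Returns that count (3 here).
 * The format is a string literal, so this is a legitimate use; the
 * danger is the same write happening with an attacker's format. */
int n_count_demo(void)
{
    char buf[16];
    int count = -1;
    snprintf(buf, sizeof buf, "abc%n", &count);
    return count;
}

/* A constructed hostile format (as if read from untrusted input) run
 * through the checked wrapper; returns -1 because it is refused. */
int refuse_demo(void)
{
    char buf[32];
    return checked_snprintf(buf, sizeof buf, "user=%s id=%hhn", "alice");
}

int main(void)
{
    char out[64];
    int n = checked_snprintf(out, sizeof out, "%s %d%%", "load", 42);
    printf("accepted (%d bytes): %s\n", n, out);
    printf("hostile format result: %d\n", refuse_demo());
    printf("%%n stored count: %d\n", n_count_demo());
    return 0;
}
```

The scanner is deliberately permissive about what may sit between '%' and the conversion character; it only needs to classify the conversion correctly, not validate the whole specification. That keeps it from being bypassed by unusual but legal modifiers ("%-08.3lln") while still letting "%%n" through as the literal text "%n".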

Those upgrading from the 6.9 release (or earlier) should consult the Upgrade Guide.

While your install sets download or when your packages update, please take the time to look at and use one or more of the recommended ways to support the project, such as making a donation. Corporate entities may prefer to send money to The OpenBSD Foundation, a Canadian non-profit corporation. You can also get merchandise and help OpenBSD visibility. Also, don't forget to listen to the release song (mp3 or ogg) and check out the lyrics.

Thanks to the developers for all the excellent work that has gone into this great new release!

[$] A viable solution for Python concurrency

3 years 10 months ago
Concerns over the performance of programs written in Python are often overstated — for some use cases, at least. But there is no getting around the problem imposed by the infamous global interpreter lock (GIL), which severely limits the concurrency of multi-threaded Python code. Various efforts to remove the GIL have been made over the years, but none have come anywhere near the point where they would be considered for inclusion into the CPython interpreter. Now, though, Sam Gross has entered the arena with a proof-of-concept implementation that may solve the problem for real.
corbet

Plasma 25th Anniversary Edition released

3 years 10 months ago
The KDE project is celebrating its 25th anniversary with a special release of the Plasma desktop.

This time around, Plasma renews its looks and, not only do you get a new wallpaper, but also a gust of fresh air from an updated theme: Breeze - Blue Ocean. The new Breeze theme makes KDE apps and tools not only more attractive, but also easier to use both on the desktop and your phone and tablet.

Of course, looks are not the only thing you can expect from Plasma 25AE: extra speed, increased reliability and new features have also found their way into the app launcher, the software manager, the Wayland implementation, and most other Plasma tools and utilities.

Lots of details can be found in the changelog.

corbet

Security updates for Thursday

3 years 10 months ago
Security updates have been issued by Mageia (golang, grilo, mediawiki, plib, python-flask-restx, python-mpmath, thunderbird, and xstream/xmlpull/mxparser), Oracle (389-ds-base, grafana, httpd:2.4, kernel, libxml2, and openssl), Red Hat (httpd), and SUSE (kernel).
jake