News reader

Security updates for Friday

3 years 11 months ago
Security updates have been issued by Debian (qemu), Fedora (condor, grilo, libopenmpt, opencryptoki, and php), openSUSE (xen), and SUSE (ffmpeg, file, php72, rubygem-addressable, and xen).
jake

traceroute(8) gets speed boost

3 years 11 months ago

Florian Obser (florian@) has committed a significant speed boost for traceroute(8):

CVSROOT:    /cvs
Module name:    src
Changes by:    florian@cvs.openbsd.org    2021/09/03 03:13:00

Modified files:
    usr.sbin/traceroute: Makefile traceroute.8 traceroute.c traceroute.h worker.c

Log message:
Make traceroute(8) faster by sending probes and doing DNS async.

Traditional traceroute would send one probe and then wait for up to 5
seconds for a reply and then send the next probe. On a lossy link that
eventually ends in a black hole this would take about 15 minutes and
people would hit control-c in anger.

This rewrites the traceroute engine to use libevent and asr's async DNS
interface. Probes are now sent every 30ms or as soon as we get an answer
back. With that we got the 15 minute worst case down to about 10 seconds.

A minor adjustment that is possible with this is to delay printing a line
until we get to a line with answers. This has two effects:
1) If there are intermediate hops that don't answer, output pauses for a
   bit so we keep the visual cue of "something might be wrong here".
2) If there is a black hole at the end, we don't print out many "* * *"
   lines and thus scroll the interesting bits out of the terminal. We
   collapse those lines and just print 64 * * * at the end.

Unfortunately the -c option to send udp probes to a fixed port had to go
for now. But we should be able to add it back.

"Once you have seen the new one you can't go back to the old one" &
enthusiastic OK deraadt@
OK sthen@
"I am very distressed that florian went to bed without committing it" beck@

Florian tooted links to recordings showing the old and new behaviours with an earlier version of this work.

xterm gets unveiled

3 years 11 months ago

With the following commit, Matthieu Herrb (matthieu@) gave xterm(1) some unveil(2) goodness:

CVSROOT:    /cvs
Module name:    xenocara
Changes by:    matthieu@cvs.openbsd.org    2021/09/02 03:31:38

Modified files:
    app/xterm      : main.c

Log message:
Unveil paths needed by xterm at run-time. work with tb@ and deraadt@

Only in the (default) case where there are no exec-formatted or
exec-selected resources set. In those cases the commands and their
arguments could be anywhere.

[$] 5.15 Merge window, part 1

3 years 11 months ago
As of this writing, 3,440 non-merge changesets have been pulled into the mainline repository for the 5.15 development cycle. A mere 3,440 patches may seem like a slow start, but those patches are densely populated with significant new features. Read on for a look at what the first part of the 5.15 merge window has brought.
corbet

Fuzzing 100+ open source projects with OSS-Fuzz - lessons learned (ADA Logics blog)

3 years 11 months ago
On the ADA Logics blog, David Korczynski and Adam Korczynski write about their work integrating 115 open-source projects with Google's OSS-Fuzz project for doing continuous fuzz testing. They describe the process of integrating a project into OSS-Fuzz, and discuss their findings, which include more than 2000 bugs (500+ security relevant), of which 1300+ have been fixed at this point: Throughout the process we integrated projects written in C, C++, Python, Go and Rust and the types of bugs we found across the projects are a reflection of the language the project was written in. Typically, for managed languages the bugs are within the umbrella term of uncaught exceptions and denial of service bugs, whereas in native languages the bugs are mostly split between assert violations, NULL-dereferences, heap-out-of-bounds, stack-out-of-bounds, stack overflows, integer arithmetic, memory leaks, out-of-memory and timeout bugs.
jake

Security updates for Thursday

3 years 11 months ago
Security updates have been issued by openSUSE (ffmpeg and gstreamer-plugins-good), SUSE (apache2, apache2-mod_auth_mellon, ffmpeg, gstreamer-plugins-good, libesmtp, openexr, rubygem-puma, xen, and xerces-c), and Ubuntu (openssl).
jake

iked(8) gains client-side support for DNS configuration

3 years 11 months ago

With the following commit, Tobias Heider (tobhe@) added client-side support for DNS configuration to iked(8):

CVSROOT:    /cvs
Module name:    src
Changes by:    tobhe@cvs.openbsd.org    2021/09/01 09:30:07

Modified files:
    sbin/iked      : config.c iked.c iked.h ikev2.c ikev2_msg.c ikev2_pld.c
                     policy.c types.h vroute.c

Log message:
Add client side support for DNS configuration.
Use RTM_PROPOSAL_STATIC route messages to propose the name server to
resolvd(8). For now, iked will only propose a single name server from
the first established connection. Automatic name server configuration
is enabled by default for policies using the 'iface' option.

discussed with deraadt@
ok for the DNS parts florian@
ok for the rest patrick@

timeout(1) utility imported

3 years 11 months ago

Job Snijders (job@) imported the timeout(1) utility from NetBSD:

CVSROOT:    /cvs
Module name:    src
Changes by:    job@cvs.openbsd.org    2021/09/01 09:50:34

Added files:
    usr.bin/timeout: Makefile timeout.1 timeout.c

Log message:
Import timeout(1) from NetBSD

The timeout(1) utility can be used to run commands with a time limit.

OK deraadt@ beck@

Following initial import, job@ and others applied the OpenBSD-stick.
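The usual reason a security engineer reaches for timeout(1) is to bound a tool that may hang on hostile input (a fuzz target, a parser, a scanner) and then act on why it stopped. As an added example, not code from the import or from NetBSD, the wrapper below maps timeout(1)'s exit status to a verdict and shows the one case people get wrong: a child that ignores SIGTERM. The commands at the bottom are constructed stand-ins; the 137 case is GNU timeout's behaviour on Linux, and I have not checked what the NetBSD-derived version returns on that path.

```shell
#!/bin/sh
# Added example, not part of the timeout(1) import: wrap a command that may
# hang (a fuzz target, a parser fed untrusted input) and turn timeout(1)'s
# exit status into a verdict a script can act on. The commands run at the
# bottom are constructed stand-ins. The 137 case is GNU timeout's behaviour
# on Linux; the NetBSD-derived version may report 124 there instead.

# run_limited SECONDS COMMAND [ARG...]
# timeout(1) sends SIGTERM after SECONDS and, because of -k 1, SIGKILL one
# second later if the command is still alive, so a command that ignores
# SIGTERM cannot keep the wrapper hanging. Exit status seen here
# (no --preserve-status):
#   124      timed out; SIGTERM ended the command
#   137      timed out, SIGTERM was ignored and SIGKILL was needed: GNU
#            timeout delivers that KILL to its whole process group, itself
#            included, so the shell reports 128+9 instead of 124
#   126/127  the command could not be executed / was not found
#   other    the command's own exit status
# Prints a one-word verdict; returns 0 only for "ok".
run_limited() {
    limit="$1"; shift
    # if/else keeps a non-zero status from tripping `set -e` in callers
    if timeout -k 1 "$limit" "$@" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    case "$rc" in
        0)   echo ok; return 0 ;;
        124) echo timeout ;;
        137) echo killed ;;
        126) echo not-executable ;;
        127) echo not-found ;;
        *)   echo "failed:$rc" ;;
    esac
    return 1
}

# Print "args -> verdict" for a few constructed commands.
show() {
    verdict=$(run_limited "$@") || :
    echo "$*  ->  $verdict"
}

show 5 true                             # ok
show 5 sh -c 'exit 3'                   # failed:3
show 1 sleep 30                         # timeout, after about 1 second
show 1 sh -c 'trap "" TERM; sleep 30'   # killed on GNU timeout, after about 2 seconds
show 5 /nonexistent/fuzz-target         # not-found
```

The trap line is the case worth remembering: an ignored SIGTERM is inherited across exec, so `sleep` ignores it too, and only the `-k` follow-up ends the run. Treat both "timeout" and "killed" as a timeout in your own scripts, and use `--preserve-status` only when you specifically want the command's signal status instead of 124.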

[$] Emacs discusses web-based development workflows

3 years 11 months ago
Discussions on ways to "modernize" the Emacs editor have come up in various guises over the past few years. Changes of that nature tend to be somewhat contentious in the Emacs community, pitting the "old guard" that values the existing features (and keybindings) against those who argue for changes to make Emacs more approachable (and aesthetically pleasing) to newcomers. Those discussions tend toward mega-thread status, so it should be no surprise that a query about possibly moving Emacs development to a "forge" (e.g. GitHub or GitLab) got similar treatment. As always in Emacs-land, there are multiple facets to the discussion, including the desirability of moving away from an email-based workflow, accommodating younger, forge-centric developers without forcing existing developers into that model, and—naturally—licensing.
jake

Security updates for Wednesday

3 years 11 months ago
Security updates have been issued by CentOS (bind, GNOME, hivex, kernel, and sssd), Debian (gpac and squashfs-tools), Fedora (c-ares and openssl), openSUSE (dovecot23), Oracle (bind, hivex, kernel, and sssd), Red Hat (kernel), Scientific Linux (bind, hivex, kernel, libsndfile, libX11, and sssd), Slackware (ntfs), SUSE (dovecot23), and Ubuntu (ntfs-3g).
ris

FSF copyright handling: A basis for distribution, licensing and enforcement

3 years 11 months ago
The Free Software Foundation (FSF) clarifies the purpose of its copyright policies and examines the impact of potential alternatives. For some GNU packages, the ones that are FSF-copyrighted, we ask contributors for two kinds of legal papers: copyright assignments, and employer copyright disclaimers. We drew up these policies working with lawyers in the 1980s, and they make possible our steady and continuing enforcement of the GNU General Public License (GPL).

These papers serve four different but related legal purposes, all of which help ensure that the GNU Project's goals of freedom for the community are met.

ris

[$] Cooperative package management for Python

3 years 11 months ago
A longstanding tug-of-war between system package managers and Python's own installation mechanisms (primarily pip, but there are others) looks on its way to being resolved—or at least regularized. PEP 668 ("Graceful cooperation between external and Python package managers") has been created to provide ways for the two types of package installation to work together, rather than at cross-purposes at times. Since many operating systems depend on Python tools, with package versions that may differ from those of users' Python applications, making them play together nicely should result in more stable systems.
jake

Realtime preemption locking core merged

3 years 11 months ago
The 5.15 merge window is off to a fast start; stay tuned for our usual full summary. It is worth mentioning, though, that the realtime preemption locking code has been pulled into the mainline with little fanfare. This work began in 2004 and has fundamentally changed many parts of the core kernel. With this pull, the sleepable locks that make deterministic realtime response possible have finally joined all of that other work (though the kernel must be built with the REALTIME configuration option to use them).

Congratulations are due to all of the realtime developers who pushed this project forward for nearly two decades.

corbet

Security updates for Tuesday

3 years 11 months ago
Security updates have been issued by CentOS (libsndfile and libX11), Debian (ledgersmb, libssh, and postgresql-9.6), Fedora (squashfs-tools), openSUSE (389-ds, nodejs12, php7, spectre-meltdown-checker, and thunderbird), Oracle (kernel, libsndfile, and libX11), Red Hat (bind, cloud-init, edk2, glibc, hivex, kernel, kernel-rt, kpatch-patch, microcode_ctl, python3, and sssd), SUSE (bind, mysql-connector-java, nodejs12, sssd, and thunderbird), and Ubuntu (apr, squashfs-tools, thunderbird, and uwsgi).
ris

Fair Internet bandwidth management on a network using OpenBSD

3 years 11 months ago
OpenBSD Journal co-editor Solène Rapenne (solene@) writes:

I have a simple DSL line with 15 Mb/s download and 900 kb/s upload rates, and there are many devices using the Internet and two people working remotely. Some poorly designed software (mostly on Windows) will auto-update without allowing you to limit the bandwidth, or some huge bloated website will require a lot of downloading and will impact the workers using the network.

The point of this article is to explain how to use OpenBSD as a router on your network so that Internet access is shared fairly between the devices on the network, guaranteeing everyone at least a bit of Internet to continue working flawlessly.

Read the whole thing, Fair Internet bandwidth management on a network using OpenBSD, for a walkthrough of implementing queueing and QoS traffic shaping for your network.

Hibernate time reduced

3 years 11 months ago

Theo de Raadt (deraadt@) committed a change which significantly reduces hibernate time on machines with larger amounts of RAM:

CVSROOT:    /cvs
Module name:    src
Changes by:    deraadt@cvs.openbsd.org    2021/08/30 03:45:29

Modified files:
    sys/kern       : subr_hibernate.c

Log message:
increase hibernate writeout speed a little.
modern machines have vast tracts of unused memory, and the empty-space
RLE scanner (uvm_page_rle) would rescan for empty space needlessly
wasting excessive cpu time
16G machine, 100sec -> 9sec
40G machine, 325sec -> 28sec
with kettenis mlarkin

We are always happy to bear good news!

[$] Some 5.14 development statistics

3 years 11 months ago
The 5.14 kernel was released on August 29 after a nine-week development period. This cycle was not as active as its predecessor, which set a record for the number of developers involved, but there was still a lot going on and a number of long-awaited features were merged. Now that the release is out, the time has come for our traditional look at where the code in 5.14 came from and how it got there.
corbet

Security updates for Monday

3 years 11 months ago
Security updates have been issued by Debian (exiv2, grilo, gthumb, and redis), Fedora (krb5, nbdkit, and rubygem-addressable), Mageia (libass and opencontainers-runc), openSUSE (cacti, cacti-spine, go1.15, opera, qemu, and spectre-meltdown-checker), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, libsndfile, and libX11), SUSE (389-ds, qemu, and spectre-meltdown-checker), and Ubuntu (grilo).
ris

RSA/SHA1 signature type disabled by default in OpenSSH

3 years 11 months ago

In a message to tech@, Damien Miller (djm@) explained the consequences of his recent commit:

[…] RSA/SHA1, a.k.a. the "ssh-rsa" signature type is now disabled by default in OpenSSH. While the SSH protocol confusingly uses overlapping names for key and signature algorithms, this does not stop the use of RSA keys and there is no need to regenerate "ssh-rsa" keys - most servers released in the last five years will automatically negotiate the use of RSA/SHA-256/512 signatures. This has been coming for a long time, but I do expect it will be disruptive for some people as there are likely to be some devices out there that cannot be upgraded to support the safer algorithms. In these cases, it is possible to selectively re-enable RSA/SHA1 support by specifying PubkeyAcceptedAlgorithms=+ssh-rsa in the ssh_config(5) or sshd_config(5) for the endpoint. Please report any problems here, to bugs@ or to openssh@ […]

TL;DR:

  • The "ssh-rsa" signature type is now disabled by default.
  • "ssh-rsa" signatures can be selectively re-enabled if necessary.
  • RSA ("ssh-rsa") keys are not affected by this change and remain valid.
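The practical question after this change is not "do I have RSA keys" but "does the far end sign with SHA-1 only", and the answer is in the server-sig-algs extension the server advertises during key exchange (it shows up in `ssh -vv` output). The script below is an added example, not code from djm@'s commit, the tech@ message or OpenSSH itself: it classifies a server from that extension and, only when the server is SHA-1-only, emits a Host-scoped stanza so the global default stays strict. The host names and the debug line are constructed; PubkeyAcceptedAlgorithms is the option djm@ names, while the HostKeyAlgorithms line is my addition for servers whose host-key signature is also RSA/SHA-1.

```shell
#!/bin/sh
# Added example; not from djm@'s commit, the tech@ message or the undeadly post.
# Before re-enabling RSA/SHA-1 anywhere, find out whether the server actually
# needs it (it advertises its signature algorithms in the server-sig-algs
# extension, visible in `ssh -vv host` output), then re-enable it for that
# host only. The host names and the debug line below are constructed.

# Extract the server-sig-algs value from `ssh -vv` output. The debug line
# looks like: debug1: <function>: server-sig-algs=<alg1,alg2,...>
server_sig_algs() {
    sed -n 's/.*server-sig-algs=<\([^>]*\)>.*/\1/p' | head -n 1
}

# Classify a comma-separated signature-algorithm list:
#   sha2       rsa-sha2-256 or rsa-sha2-512 accepted: nothing to change
#   sha1-only  only the SHA-1 "ssh-rsa" signature is offered for RSA
#   none       no RSA signature algorithm at all (key type is irrelevant)
#   unknown    no server-sig-algs seen: verify by hand before changing config
rsa_sig_support() {
    [ -z "$1" ] && { echo unknown; return 0; }
    case ",$1," in
        *,rsa-sha2-256,*|*,rsa-sha2-512,*) echo sha2 ;;
        *,ssh-rsa,*)                       echo sha1-only ;;
        *)                                 echo none ;;
    esac
}

# Emit a Host stanza that re-enables RSA/SHA-1 for one host, so the global
# default stays strict. PubkeyAcceptedAlgorithms is the option djm@'s message
# names (user authentication); HostKeyAlgorithms is my addition for servers
# whose host-key signature is also RSA/SHA-1.
legacy_stanza() {
    printf 'Host %s\n' "$1"
    printf '    PubkeyAcceptedAlgorithms +ssh-rsa\n'
    printf '    HostKeyAlgorithms +ssh-rsa\n'
}

# Constructed sample of an old server's extension as shown by `ssh -vv`.
SAMPLE_VV='debug1: kex_input_ext_info: server-sig-algs=<ssh-rsa,ssh-dss>'

# decide HOST VV_OUTPUT: print the classification, then the stanza to append
# to ~/.ssh/config if (and only if) the server is SHA-1-only.
decide() {
    host="$1"; vv_output="$2"
    algs=$(printf '%s\n' "$vv_output" | server_sig_algs)
    kind=$(rsa_sig_support "$algs")
    echo "$host: $kind"
    case "$kind" in
        sha1-only) legacy_stanza "$host" ;;
        unknown)   echo "# no server-sig-algs seen; check with: ssh -vv $host" ;;
    esac
}

decide legacy.example.net "$SAMPLE_VV"
```

Against a real host, feed it the client's debug output, which goes to stderr: `decide host "$(ssh -vv host true 2>&1 >/dev/null)"`. Keeping the `+ssh-rsa` inside a `Host` block is the point of the exercise: a global `PubkeyAcceptedAlgorithms +ssh-rsa` would silently reopen SHA-1 signatures to every server, including the ones that already negotiate rsa-sha2-256/512. The same scoping applies on the server side with a `Match` block in sshd_config(5) if a legacy client is the problem.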