News reader

[$] Avoiding "supercookie" tracking

4 years 6 months ago
The release of Firefox 85 at the end of January brought a new technique for thwarting yet-another web-tracking scheme. The use of browser cookies for tracking is well-established and the browser makers have taken steps to block the worst abuses there, but users can also take steps to manage and clear those cookies. The arms race continues, however, as tracking companies are using browser caches to store what Mozilla calls "supercookies", which allow users to be tracked across the web sites that they visit. That has led the browser makers to partition these caches by web site in order to prevent this tracking technique.
jake

Kroah-Hartman: Helping Out With LTS Kernel Releases

4 years 6 months ago
Greg Kroah-Hartman has a suggestion for anybody who would like to help him maintain long-term-stable kernel releases. "All I request is that people test the -rc releases when I announce them, and let me know if they work or not for their systems/workloads/tests/whatever. [...] But, if you want to do more, I always really appreciate when people email me, or stable@vger.kernel.org, git commit ids that are needed to be backported to specific stable kernel trees because they found them in their testing/development efforts."
corbet

Security updates for Wednesday

4 years 6 months ago
Security updates have been issued by Debian (open-build-service and openldap), Fedora (jasper, libebml, and tcmu-runner), openSUSE (segv_handler), Red Hat (thunderbird), Scientific Linux (kernel), SUSE (cups and openvswitch), and Ubuntu (apport and ca-certificates).
ris

Solus 4.2 released

4 years 6 months ago
Version 4.2 of the desktop-oriented Solus distribution is available. "We recognized that Desktop Icons was an important part of the workflow of many users, so we spent considerable time during this development cycle ensuring there was a solution for them as well as our downstream users of Budgie. Expanding on this, Solus 4.2 defaults to having desktop icons enabled to make Solus more approachable to new users." Some more information on the desktop changes can be found in this blog entry from December.
corbet

LibreOffice 7.1 Community released

4 years 6 months ago
The LibreOffice 7.1 "Community" release is out. "LibreOffice 7.1 Community adds several interoperability improvements with DOCX/XLSX/PPTX files: improvements to Writer tables (better import/export and management of table functions, and better support for change tracking in floating tables); a better management of cached field results in Writer; support of spacing below the header's last paragraph in DOC/DOCX files; and additional SmartArt improvements when importing PPTX files." The announcement also goes on at length about the new "community" label and how this release "is not targeted at enterprises".
corbet

[$] A major vulnerability in Sudo

4 years 6 months ago
A longstanding hole in the Sudo privilege-delegation tool that was discovered in late January is a potent local vulnerability. Exploiting it allows local users to run code of their choosing as root by way of a bog-standard heap-buffer overflow. It seems like the kind of bug that might have been found earlier via code inspection or fuzzing, but it has remained in this security-sensitive utility since it was introduced in 2011.
jake

Security updates for Tuesday

4 years 6 months ago
Security updates have been issued by Debian (firefox-esr, libdatetime-timezone-perl, python-django, thunderbird, and tzdata), Fedora (kf5-messagelib and qt5-qtwebengine), Mageia (kernel-linus), openSUSE (firefox, jackson-databind, and messagelib), Oracle (flatpak), Red Hat (glibc, kernel, kernel-alt, kernel-rt, linux-firmware, net-snmp, perl, qemu-kvm, and qemu-kvm-ma), SUSE (firefox, java-11-openjdk, openvswitch, terraform, and thunderbird), and Ubuntu (fastd, firefox, python-django, and qemu).
ris

GNU C library 2.33 released

4 years 6 months ago
Version 2.33 of the GNU C library is out. Changes this time include a number of dynamic linker improvements, 32-bit RISC-V support, and a number of security fixes.
corbet

BREAKING pf(4) change: change route-to so it sends packets to IPs instead of interfaces.

4 years 6 months ago
Does your pf configuration have route-to rules? If so, you need to consider the implications of this commit by David Gwynne (dlg@) carefully.

CVSROOT: /cvs
Module name: src
Changes by: dlg@cvs.openbsd.org 2021/01/31 17:31:05

Modified files:
    sbin/pfctl : parse.y pfctl_parser.c
    share/man/man5 : pf.conf.5
    sys/net : if_pfsync.c pf.c pfvar.h

Log message:
change route-to so it sends packets to IPs instead of interfaces.

this is a significant (and breaking) reworking of the policy based routing that pf can do. the intention is to make it as easy as nat/rdr to use, and more robust when it's operating.

This change is intended to make configuration and maintenance easier, but it runs a high risk of breaking existing configurations. Read on for the rest of David's commit message, with some background.

[$] Finding real-world kernel subsystems

4 years 6 months ago
The kernel development community talks often about subsystems and subsystem maintainers, but it is less than entirely clear about what a "subsystem" is in the first place. People wanting to understand how kernel development works could benefit from a clearer idea of what actually comprises a subsystem within the kernel. In an attempt to better understand how kernel development works, Pia Eichinger and her colleagues spent a lot of time looking for the actual boundaries; Eichinger presented that work at the 2021 linux.conf.au online gathering.
corbet

Security updates for Monday

4 years 6 months ago
Security updates have been issued by Arch Linux (home-assistant, libgcrypt, libvirt, and mutt), Debian (ffmpeg, kernel, libonig, libsdl2, mariadb-10.1, and thunderbird), Fedora (chromium, firefox, jasper, libebml, mingw-python3, netpbm, opensmtpd, thunderbird, and xen), Gentoo (firefox and thunderbird), Mageia (db53, dnsmasq, kernel, kernel-linus, and php-pear), openSUSE (go1.14, go1.15, messagelib, nodejs8, segv_handler, and thunderbird), Oracle (firefox, kernel, and thunderbird), Red Hat (flatpak), SUSE (firefox and rubygem-nokogiri), and Ubuntu (mysql-5.7, mysql-8.0 and python-django).
ris

Kernel prepatch 5.11-rc6

4 years 6 months ago
The 5.11-rc6 kernel prepatch is out for testing. "Things look a little calmer than last week, and over-all very average for rc6. So - like always this late in the release schedule - I'd certainly have liked things to be even calmer, but nothing here really stands out."
corbet

[$] Tackling the monopoly problem

4 years 6 months ago
There was a time when people who were exploring computational technology saw it as the path toward decentralization and freedom worldwide. What we have ended up with, instead, is a world that is increasingly centralized, subject to surveillance, and unfree. How did that come to be? In a keynote at the online 2021 linux.conf.au event, Cory Doctorow gave his view of this problem and named its source: monopoly.
corbet

Critical security problem in Libgcrypt 1.9.0

4 years 6 months ago
The GNU Privacy Guard (GnuPG or GPG) project has announced a critical security bug in Libgcrypt version 1.9.0 released January 19. "Libgcrypt is a general purpose library of cryptographic building blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required to use Libgcrypt." Version 1.9.1 has been released to address the problem and all users of 1.9.0 should update immediately. It is a heap buffer overflow, but no version of GnuPG uses the 1.9 series yet. "Exploiting this bug is simple and thus immediate action for 1.9.0 users is required. A CVE-id has not yet been assigned. We track this bug at https://dev.gnupg.org/T5275. The 1.9.0 tarballs on our FTP server have been renamed so that scripts won't be able to get this version anymore."
jake

Malcolm: Static analysis updates in GCC 11

4 years 6 months ago
David Malcolm describes the progress in the GCC static analyzer for the upcoming GCC 11 release. "In GCC 10, I added the new -fanalyzer option, a static analysis pass for identifying various problems at compile-time, rather than at runtime. The initial implementation was aimed at early adopters, who found a few bugs, including a security vulnerability: CVE-2020-1967. Bernd Edlinger, who discovered the issue, had to wade through many false positives accompanying the real issue. Other users also managed to get the analyzer to crash on their code. I’ve been rewriting the analyzer to address these issues in the next major release, GCC 11. In this article, I describe the steps I’m taking to reduce the number of false positives and make this static analysis tool more robust."
corbet

Security updates for Friday

4 years 6 months ago
Security updates have been issued by Arch Linux (dnsmasq, erlang, flatpak, go, gobby, gptfdisk, jenkins, kernel, linux-hardened, linux-lts, linux-zen, lldpd, openvswitch, podofo, virtualbox, and vlc), Fedora (erlang, firefox, nss, and seamonkey), Gentoo (imagemagick, nsd, and vlc), openSUSE (chromium and python-autobahn), Oracle (firefox and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (firefox, jackson-databind, and thunderbird), and Ubuntu (libxstream-java).
jake

[$] Wayland support (and more) for Emacs

4 years 6 months ago
Jeffrey Walsh started off his 2021 linux.conf.au presentation with a statement that, while 2020 was not the greatest year ever, there were still some good things that happened; one of those was the Emacs 27.1 release. This major update brought a number of welcome new features, but also led to yet another discussion on the future of Emacs. With that starting point, Walsh launched into a fast-moving look at the history of Emacs, why users still care about it, what changes are coming, and (especially) what was involved in moving Emacs away from the X window system and making it work with the Wayland compositor.
corbet

Security updates for Thursday

4 years 6 months ago
Security updates have been issued by Debian (ansible, firefox-esr, and slurm-llnl), Fedora (firefox, nss, php-pear, seamonkey, and thunderbird), Gentoo (phpmyadmin and telegram-desktop), openSUSE (chromium and python-autobahn), Oracle (firefox and sudo), Red Hat (firefox), Scientific Linux (firefox), and Ubuntu (ceph, kernel, linux, linux-lts-xenial, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux-aws, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, and tcmu).
jake