4 years 10 months ago
SELinux is a security mechanism with a lot of ability to restrict user-space
compromises in various useful ways. It has also generally been considered a
heavyweight option that is not suitable for more resource-restricted
systems like wireless routers. Undeterred by this perception, some
OpenWrt developers are adding SELinux as an option for protecting the
distribution, which targets embedded devices.
jake
4 years 10 months ago
Keeping device firmware up-to-date can be a challenge for end users. Firmware
updates are often important for correct behavior, and they can have security
implications as well. The Linux Vendor Firmware Service (LVFS) project is
playing an increasing role in making firmware updates more straightforward
for both end users and vendors; LVFS just announced its 20-millionth firmware
download. Since even a wireless mouse dongle can pose a security threat, the
importance of simple, reliable, and easily applied firmware updates is hard to
overstate.
coogle
4 years 10 months ago
Version 4.16.0 of the RPM package manager has been released. "This
turned out to be a much bigger release than anticipated with several
groundbreaking new features, despite finally being back to annual cycle
almost to date." Highlights include new database backends, macro and
%if expressions including ternary operator and native version comparison,
optional MIME type based file classification, new version parsing and
comparison API in C and Python, license clarification, and more. The
release notes have more details.
ris
4 years 10 months ago
Security updates have been issued by Arch Linux (chromium, firefox, libvirt, and podman), Debian (firefox-esr and nss), Gentoo (bitcoind, chromium, cifs-utils, gpsd, libuv, and xen), Mageia (firefox, gnutls, mediawiki, samba, and Thunderbird), openSUSE (brotli and cifs-utils), Red Hat (audiofile, bluez, cloud-init, cpio, cups, curl, dbus, dnsmasq, e2fsprogs, evince and poppler, exiv2, expat, firefox, fontforge, freeradius, freerdp, glib2 and ibus, glibc, httpd, hunspell, ipa, kernel, kernel-rt, libcroco, libexif, libmspack, libpng, librabbitmq, libsndfile, libsrtp, libssh2, libtiff, libvirt, libvpx, libwmf, libxml2, libxslt, mariadb, mod_auth_openidc, NetworkManager, nss and nspr, okular, OpenEXR, openldap, openwsman, pcp, python, python-pillow, python3, qemu-kvm, qemu-kvm-ma, qt5-qtbase, samba, SDL, spamassassin, squid, subversion, systemd, tigervnc, tomcat, unoconv, and webkitgtk4), SUSE (bcm43xx-firmware, nodejs8, pdns, python-pip, and xen), and Ubuntu (libapreq2, netqmail, samba, and tomcat6).
ris
4 years 10 months ago
Fish (the "friendly interactive shell") has the explicit goal of being
more user-friendly than other shells. It features a modern command-line
interface with syntax highlighting, tab completion, and auto-suggestions
out of the box (all with no configuration required). Unlike many of its
competitors, it doesn't care about being POSIX-compliant but attempts to
blaze its own path. Since our last look at the project, way back in 2013, it
has seen lots of new releases with features, bug fixes, and refinements
aimed at appealing to a wide range of users. Some of the biggest additions
landed in the 3.0 release, but we will also describe some other notable
changes from version 2.1 up through the latest version.
jake
4 years 10 months ago
Security updates have been issued by Debian (firefox-esr and mediawiki), openSUSE (firefox, libqt5-qtbase, and rubygem-actionpack-5_1), Red Hat (qemu-kvm, qemu-kvm-ma, and virt:rhel), SUSE (dpdk, firefox, and go1.15), and Ubuntu (dpdk, imagemagick, italc, libpgf, libuv1, pam-python, squid3, ssvnc, and teeworlds).
ris
4 years 10 months ago
Recently, the Mercurial project has been discussing its plans to migrate
away from the compromised SHA-1 hashing algorithm in favor of a more secure
alternative. So far, the discussion is in the planning stages of algorithm
selection and migration strategy, with a general transition plan for users.
The project, for the moment, is favoring the BLAKE2 hashing algorithm.
coogle
4 years 10 months ago
OpenSSH 8.4 is out. The SHA-1 algorithm is deprecated and the "ssh-rsa"
public key signature algorithm will be disabled by default "in a
near-future release." They note that it is possible to perform
chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K.
ris
4 years 10 months ago
Security updates have been issued by Debian (curl, libdbi-perl, linux-4.19, lua5.3, mediawiki, nfdump, openssl1.0, qt4-x11, qtbase-opensource-src, ruby-gon, and yaws), Fedora (grub2, libxml2, perl-DBI, singularity, and xawtv), Mageia (cifs-utils, kio-extras, libproxy, mbedtls, nodejs, novnc, and pdns), openSUSE (bcm43xx-firmware, chromium, conmon, fuse-overlayfs, libcontainers-common, podman, firefox, libqt4, libqt5-qtbase, openldap2, ovmf, pdns, rubygem-actionpack-5_1, and tiff), SUSE (firefox, go1.14, ImageMagick, and libqt5-qtbase), and Ubuntu (firefox, gnuplot, libquicktime, miniupnpd, ruby-sanitize, and sudo).
ris
4 years 10 months ago
Ingo (schwarze@) writes in about a side project he's been working on to do his own accounting:
Sometimes, it happens to me that i make little progress with the
work i planned to do (so let's not talk about the badly needed
mandoc release today) and instead end up doing work that wasn't
planned at all.
4 years 10 months ago
The 5.9-rc7 kernel prepatch is out for testing. "But while I do now know of
any remaining gating issues any more, the fixes came in fairly late. So
unless I feel insanely optimistic and/or a burning bush tells me that
everything is bug-free, my plan right now is that I'll do another rc next
Sunday rather than the final 5.9 release. And btw, please no more burning
bushes. We're kind of sensitive about those on the West coast right now."
corbet
4 years 10 months ago
The 5.8.12, 5.4.68, and 4.19.148 stable kernels have been released; each
contains another set of important fixes.
corbet
4 years 10 months ago
It has only been a few months since the Emacs community went through
an extended discussion on how to make the Emacs editor "popular again".
As the community gears up for the Emacs 28 development cycle (after the
Emacs 27.1 release in August), that discussion has returned with a
vengeance. The themes of this discussion differ somewhat from the last;
developers are concerned about making Emacs, an editor with decades of
history, seem "modern" to attract new users.
corbet
4 years 10 months ago
Version 5.0 of the Calibre electronic-book manager has been released.
"There has been a lot of work on the calibre E-book viewer. It now supports
Highlighting. The highlights can be colors, underlines, strikethrough, etc.
and have added notes. All highlights can be both stored in EPUB files for
easy sharing and centrally in the calibre library for easy browsing.
Additionally, the E-book viewer now supports both vertical and right-to-left
text." Another significant change is a port to Python 3; that was a necessary
change but it means that there are a number of plugins that have not yet
been ported and thus won't work. The status of many plugins can be found
on this page.
corbet
4 years 10 months ago
Security updates have been issued by Debian (rails), openSUSE (chromium, jasper, ovmf, roundcubemail, samba, and singularity), Oracle (firefox), SUSE (bcm43xx-firmware, firefox, libqt5-qtbase, qemu, and tiff), and Ubuntu (aptdaemon, atftp, awl, packagekit, and spip).
jake
4 years 10 months ago
Fresh off the k2k20 hackathon, Rafael Sadowski (rsadowski@)
writes in:
Due to the pandemic, this hackathon seemed to be called very spontaneously.
Fortunately, the hackathon was over a weekend. This enabled me to attend
without missing any professional obligations. On Friday morning, shortly after
sunrise, I took the train to Bad Liebenzell. On the train I worked for my
employer until I reached Karlsruhe at about 11am. I swapped my MacBook for my
OpenBSD ThinkPad T470s.
4 years 10 months ago
The set_fs() function dates back to the earliest days of the Linux
kernel; it is a key part of the machinery that keeps user-space and
kernel-space memory separated from each other. It is also easy to misuse
and has been the source of various security problems over the years; kernel
developers have long wanted to be rid of it. They won't completely get their
wish in the 5.10 kernel but, as the result of work that has been quietly
progressing for several months, the end of set_fs() will be easily
visible at that point.
corbet
4 years 10 months ago
Version 13 of the PostgreSQL database management system is out.
"PostgreSQL 13 includes significant improvements to its indexing and lookup
system that benefit large databases, including space savings and performance
gains for indexes, faster response times for queries that use aggregates or
partitions, better query planning when using enhanced statistics, and more.
Along with highly requested features like parallelized vacuuming and
incremental sorting, PostgreSQL 13 provides a better data management
experience for workloads big and small, with optimizations for daily
administration, more conveniences for application developers, and security
enhancements."
corbet