Hírolvasó

Security updates have been issued by Arch Linux (file and firefox), Debian (apache-log4j1.2), Fedora (chromium, dovecot, GraphicsMagick, kubernetes, libvpx, makepasswd, matio, and slurm), Mageia (libtomcrypt, ming, oniguruma, opencv, pcsc-lite, phpmyadmin, and thunderbird), openSUSE (chromium, chromium, re2, and mozilla-nspr, mozilla-nss), Red Hat (chromium-browser, firefox, and rabbitmq-server), Slackware (mozilla), and SUSE (crowbar-core, crowbar-openstack, openstack-horizon-plugin-monasca-ui, openstack-monasca-api, openstack-monasca-log-api, openstack-neutron, rubygem-puma, rubygem-rest-client, firefox, libzypp, and openssl-1_1).

The 5.5-rc6 kernel prepatch is out for testing. "Let's see how things go. I do suspect that this ends up being one of those 'rc8' releases, not because things look particularly bad right now, but simply because the holiday season has meant that both the testing side and the development side have been quiet. But who knows?"

On the stable side, 5.4.11, 4.19.95, 4.14.164, 4.9.209, and 4.4.209 have all been released with another set of important fixes.

The 5.2 kernel saw the addition of an extensive new API for the mounting (and remounting) of filesystems; this article covered an early version of that API. Since then, work in this area has mostly focused on enabling filesystems to support this API fully. James Bottomley has taken a look at this API as part of the job of redesigning his shiftfs filesystem and found it to be incomplete. What has followed is a significant set of changes that promise to simplify the mount API — though it turns out that "simple" is often in the eye of the beholder.

Security updates have been issued by Debian (ldm and sa-exim), Mageia (firefox), openSUSE (chromium, firefox, and thunderbird), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork, firefox, log4j, nodejs10, nodejs12, and openssl-1_0_0), and Ubuntu (firefox).

Version 19.07.0 of the OpenWrt router distribution is available. "With this release, the OpenWrt project brings all supported targets back to a single common kernel version and further refines and broadens existing device support. It also introduces a new ath79 target and brings support for WPA3." There are some known issues; read through the full announcement before updating.

Stable kernels 5.4.10, 5.4.9, 4.19.94, and 4.14.163 have been released. PowerPC users should update to 5.4.10 to get a missing patch. Other users can stay with 5.4.9.

In response to a growing desire for ways to control groups of processes from user space, the kernel has added a number of mechanisms that allow one process to operate on another. One piece that is currently missing, though, is the ability for a process to snatch a copy of an open file descriptor from another. That gap may soon be filled, though, if the pidfd_getfd() system-call patch set from Sargun Dhillon is merged.

Security updates have been issued by Debian (firefox-esr), Fedora (firefox), Oracle (kernel), Slackware (firefox and kernel), SUSE (apache2-mod_perl, git, java-1_7_0-ibm, java-1_7_1-ibm, log4j, mariadb, and nodejs8), and Ubuntu (gnutls28, graphicsmagick, and nss).

Samuel Maddock writes that the adoption of the "encrypted media extensions" by the World Wide Web Consortium has had just the sort of effect that people were worried about four years ago. "No longer is it possible to build your own web browser capable of consuming some of the most popular content on the web. Websites like Netflix, Hulu, HBO, and others require copyright content protection which is only accessible through browser vendors who have license agreements with large corporations."

There is another Firefox release out there; this advisory suggests that updating quickly would be a good idea: "Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw."

An update has now been committed to the -stable branch for the latest firefox version, and the package is available for updating!

Previously, solene@ wrote:
Dear OpenBSD users, due to Firefox being too complicated to package (thanks to cbindgen and rust dependencies) on the stable branch (as this would require testing all rust consumers), the 6.6-stable branch won't receive updates for www/mozilla-firefox, so it will remain vulnerable to MFSA2020-03 and vulnerabilities that may appear after.

Read more…

The LWN.net Weekly Edition for January 9, 2020 is available.

One of Guido van Rossum's last items of business as he finished his term on the inaugural steering council for Python was to review the Python Enhancement Proposal (PEP) that proposes a new update and union operators for dictionaries. He would still seem to be in favor of the idea, but it will be up to the newly elected steering council and whoever the council chooses as the PEP-deciding delegate (i.e. BDFL-Delegate). Van Rossum provided some feedback on the PEP and, inevitably, the question of how to spell the operator returned, but the path toward getting a decision on it is now pretty clear.