Hírolvasó

Linus has released the 5.5-rc1 kernel prepatch and closed the merge window for this development cycle. "Everything looks fairly regular - it's a tiny bit larger (in commit counts) than the few last merge windows have been, but not bigger enough to really raise any eyebrows. And there's nothing particularly odd in there either that I can think of: just a bit over half of the patch is drivers, with the next big area being arch updates. Which is pretty much the rule for how things have been forever by now. Outside of that, the documentation and tooling (perf and selftests) updates stand out, but that's actually been a common pattern for a while now too, so it's not really surprising either."

Alexandr Nedvedicky (sashan@) wrote to tech@ regarding a recent significant change: Hello, commit from today [1] makes IP stack more paranoid. Up to now OpenBSD implemented so called 'weak host model' [2]. The today's commit alters that for hosts, which don't forward packets (don't act as routers). Your laptops, desktops and servers now check packet destination address with IP address bound to interface, where such packet is received on. If there will be mismatch the packet will be discarded and 'wrongif' counter will be bumped. You can use 'netstat -s|grep wrongif' to display the counter value. It is understood the behavior, which has been settled in IP stack since 80's, got changed. tech@openbsd.org (or bugs@openbsd.org) wants to hear back from you, if this change breaks your existing set up. There is a common believe this change won't hurt majority (> 97%) users, though there is some non-zero risk, hence this announcement is being sent. thanks and regards sashan [1] https://marc.info/?l=openbsd-cvs&m=157580332113635&w=2 [2] https://en.wikipedia.org/wiki/Host_model

Read more…

A "split lock" is a low-level memory-bus lock taken by the processor for a memory range that crosses a cache line. Most processors disallow split locks, but x86 implements them, Split locking may be convenient for developers, but it comes at a cost: a single split-locked instruction can occupy the memory bus for around 1,000 clock cycles. It is thus understandable that interest in eliminating split-lock operations is high. What is perhaps less understandable is that a patch set intended to detect split locks has been pending since (at least) May 2018, and it still is not poised to enter the mainline.

William Tolley has disclosed a severe VPN-related problem in most current systems: "I am reporting a vulnerability that exists on most Linux distros, and other *nix operating systems which allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website. Additionally, we are able to determine the exact seq and ack numbers by counting encrypted packets and/or examining their size. This allows us to inject data into the TCP stream and hijack connections." There are various partial mitigations available, but a full solution to the problem has not yet been worked out. Most VPNs are vulnerable, but Tor evidently is not.

Security updates have been issued by Debian (libav), Fedora (kernel, libuv, and nodejs), Oracle (firefox), Red Hat (firefox and java-1.7.1-ibm), SUSE (clamav, cloud-init, dnsmasq, dpdk, ffmpeg, munge, opencv, and permissions), and Ubuntu (librabbitmq).

In November, the topic of init systems and, in particular, support for systems other than systemd reappeared on the Debian mailing lists. After one month of sometimes fraught discussion, this issue has been brought to the project's developers to decide in the form of a general resolution (GR) — the first such since the project voted on the status of debian-private discussions in 2016. The issues under discussion are complex, so the result is one of the most complex ballots seen for some time in Debian, with seven options to choose from.

Greg Kroah-Hartman has announced the release of the 5.4.2, 5.3.15, and 4.19.88 stable kernels. They contain a relatively large collection of important fixes throughout the tree; users of those kernel series should upgrade.

[Update: A bit later, the 4.14.158, 4.9.206, and 4.4.206 stable kernels were also released.]

Security updates have been issued by Arch Linux (firefox), Fedora (cyrus-imapd, freeipa, haproxy, ImageMagick, python-pillow, rubygem-rmagick, sqlite, squid, and tnef), openSUSE (haproxy), Oracle (microcode_ctl), and Ubuntu (squid, squid3).

The LWN.net Weekly Edition for December 5, 2019 is available.

One of the features of the Clang/LLVM compiler that has been rather lacking for GCC may finally be getting filled in. In a mid-November post to the gcc-patches mailing list, David Malcolm described a new static-analysis framework for GCC that he wrote. It could be the starting point for a whole range of code analysis for the compiler.

Making a comparison between Linux and Kubernetes is often one of apples to oranges. There are, however, some similarities and there is an effort within the Kubernetes community to make Kubernetes more like a Linux distribution. The idea was outlined in a session about Kubernetes release engineering at KubeCon + CloudNativeCon North America 2019. "You might have heard that Kubernetes is the Linux of the cloud and that's like super easy to say, but what does it mean? Cloud is pretty fuzzy on its own," Tim Pepper, the Kubernetes release special interest group (SIG Release) co-chair said. He proceeded to provide some clarity on how the two projects are similar.

Fresh from the just concluded e2k19 hackathon, Claudio Jeker (claudio@) writes in:

After 2 years it was once again time to pack skis and snowshoes, put a satellite dish onto a sledge and hike through the snowy rockies to the Elk Lakes hut.

Read more…

Security updates have been issued by CentOS (389-ds-base, ghostscript, kernel, and tcpdump), Debian (libonig), Fedora (clamav, firefox, and oniguruma), openSUSE (calamares, cloud-init, haproxy, libarchive, libidn2, libxml2, and ucode-intel), Scientific Linux (SDL and tcpdump), Slackware (mozilla), and Ubuntu (haproxy, intel-microcode, and postgresql-common).

ZDNet reports that two more malicious modules have been removed from the Python Package Index. "The two libraries were created by the same developer and mimicked other more popular libraries -- using a technique called typosquatting to register similarly-looking names. The first is 'python3-dateutil,' which imitated the popular 'dateutil' library. The second is 'jeIlyfish' (the first L is an I), which mimicked the 'jellyfish' library." The latter of the two had been in PyPI for nearly a year.