News reader

[$] Virtio without the "virt"

5 years 8 months ago
When virtio was merged in Linux v2.6.24, its author, Rusty Russell, described the goal as being for "common drivers to be efficiently used across most virtual I/O mechanisms". Today, much progress has been made toward that goal, with virtio supported by multiple hypervisors and guest drivers shipped by many operating systems. But these applications of virtio are implemented in software, whereas Michael Tsirkin's "VirtIO without the Virt" talk at KVM Forum 2019 laid out how to implement virtio in hardware.
jake

Security updates for Friday

5 years 8 months ago
Security updates have been issued by Fedora (dpdk, mingw-djvulibre, mingw-hunspell, mingw-ilmbase, mingw-OpenEXR, php-symfony, php-symfony3, and rsyslog), openSUSE (chromium and squid), SUSE (aspell, cups, djvulibre, and dpdk), and Ubuntu (djvulibre).
jake

Bad Binder: Android In-The-Wild Exploit (Project Zero)

5 years 8 months ago
Over on the Project Zero blog, Maddie Stone has a lengthy post about a zero-day exploit that was found and fixed in the Android Binder interprocess communication mechanism. The post details the search for the problem, which was apparently being used in the wild, its fix, and how it can be exploited. This is all part of an effort to "make zero-day hard"; one of the steps the project is taking is to disseminate more information on these bugs. "Complete detailed analysis of the 0-days from the point of view of bug hunters and exploit developers and share it back with the community. Transparency and collaboration are key. We want to share detailed root cause analysis to inform developers and defenders on how to prevent these types of bugs in the future and improve detection. We hope that by publishing details about the exploit and its methodology, this can inform threat intelligence and incident responders. Overall, we want to make information that’s often kept in silos accessible to all."
jake

[$] Fedora's modularity mess

5 years 8 months ago
Fedora's Modularity initiative has been no stranger to controversy since its inception in 2016. Among other things, there were enough problems with the original design that Modularity went back to the drawing board in early 2018. Modularity has since been integrated with both the Fedora and Red Hat Enterprise Linux (RHEL) distributions, but the controversy continues, with some developers asking whether it's time for yet another redesign — or to abandon the idea altogether. Over the last month or so, several lengthy, detailed, and heated threads have explored this issue; read on for your editor's attempt to integrate what was said.
corbet

Security updates for Thursday

5 years 8 months ago
Security updates have been issued by Fedora (oniguruma and thunderbird-enigmail), openSUSE (chromium, ghostscript, and slurm), Oracle (kernel), Red Hat (kpatch-patch), Slackware (bind), SUSE (python-ecdsa), and Ubuntu (bind9 and mariadb).
jake

[$] LSM stacking and the future

5 years 8 months ago
The idea of stacking (or chaining) Linux security modules (LSMs) goes back 15 years (at least) at this point; progress has definitely been made along the way, especially in the last decade or so. It has been possible to stack "minor" LSMs with one major LSM (e.g. SELinux, Smack, or AppArmor) for some time, but mixing, say, SELinux and AppArmor in the same system has not been possible. Combining major security solutions may not seem like a truly important feature, but there is a use case where it is pretty clearly needed: containers. Longtime LSM stacker (and Smack maintainer) Casey Schaufler gave a presentation at the 2019 Linux Security Summit Europe to report on the status and plans for allowing arbitrary LSM stacking.
jake

Martin Pieuchot: The Unknown Plan

5 years 8 months ago

Fresh from Bucharest is this story from Martin Pieuchot (mpi@) with his experience from p2k19:

Since I attend OpenBSD hackathons, I hear stories about how crazy the ports hackathons are. So I try my best to look like a porter in order to experience this craziness. I must admit p2k19 was awesome, but the craziness of ports hackathons is still an enigma to me.


p2k19 Hackathon Report: Good vibes from Bucharest by Marc Espie (espie@)

5 years 8 months ago
The first p2k19 hackathon report comes from Marc Espie (espie@), who writes:

I already came to Bucharest a year ago for EuroBSDcon, but I welcomed the chance at spending more time here, especially at a hackathon organized by Paul, who is such a great guy.

I heard that there was a lot of chanting involved around the city, but we had magical weather, totally unseasonably warm and sunny for November in Romania.


HEADS UP: ntpd changing

5 years 8 months ago

Theo de Raadt (deraadt@) posted to tech@:

The ntpd options -s and -S are going to be removed soon and at startup will print:

-s option no longer works and will be removed soon. Please reconfigure to use constraints or trusted servers.

Probably after 6.7 we'll delete the warning. Maybe for 6.8 we'll remove -s and -S from getopt, and starting with those options will fail.

Effective immediately, the -s option stops doing what you expect. It now does nothing.

Big improvements have happened in ntpd recently. At startup, ntpd aggressively tries to learn from NTP packets validated by constraints, and set the time. That means a smarter variation of -s is the default, but the information is now *VALIDATED* by constraints. 2 additional constraints have been added. If you have upgraded, please review /etc/examples/ntpd.conf for modern use.

Those who cannot use https constraints can instead tag server lines with the keyword "trusted", which means you believe MITM attacks are not possible on the network to those specific NTP servers. Do this only on servers directly connected over a trusted network. If someone does "servers pool.ntp.org trusted", we're going to have a great laugh.

We're creating something a bit complex, but our goal is for every machine to have a close approximation of correct time. If we get there, some good things will happen. Some serious cargo-culting for using -s has gotten in the way (-s performs no MITM checks).
