Hírolvasó

Security updates have been issued by Debian (firefox-esr, jruby, and squid3), Fedora (librabbitmq, libuv, and xpdf), openSUSE (calamares and opera), Oracle (kernel and nss), Red Hat (httpd24-httpd, kernel, kernel-alt, kpatch-patch, nss-softokn, sudo, and thunderbird), SUSE (apache2-mod_perl, java-1_8_0-openjdk, and postgresql), and Ubuntu (eglibc, firefox, and samba).

Daniel Vetter has posted a summary of his LPC talk on kernel graphics drivers. "Unfortunately the business case for 'upstream first' on the kernel side is completely broken. Not for open source, and not for any fundamental reasons, but simply because the kernel moves too slowly, is too big, drivers aren’t well contained enough and therefore customer will not or even can not upgrade. For some hardware upstreaming early enough is possible, but graphics simply moves too fast: By the time the upstreamed driver is actually in shipping distros, it’s already one hardware generation behind. And missing almost a year of tuning and performance improvements. Worse it’s not just new hardware, but also GL and Vulkan versions that won’t work on older kernels due to missing features, fragmenting the ecosystem further."

By the end of the merge window, 12,632 non-merge changesets had been pulled into the mainline repository for the 5.5 release. This is thus a busy development cycle — just like the cycles that preceded it. Just over half of those changesets were pulled after the writing of our first 5.5 merge-window summary. As is often the case later in the merge window, many of those changes were relatively boring fixes. There were still a number of interesting changes, though; read on for a summary of what happened in the second half of this merge window.

Security updates have been issued by CentOS (SDL), Debian (htmldoc, librabbitmq, nss, openjdk-7, openslp-dfsg, and phpmyadmin), Fedora (chromium, community-mysql, kernel, libidn2, oniguruma, proftpd, and rabbitmq-server), Mageia (ansible, clamav, evince, firefox, graphicsmagick, icu, libcryptopp, libtasn1, libtiff, libvncserver, libvpx, lz4, nss, openexr, openjpeg2, openssl, phpmyadmin, python-psutil, python-twisted, QT, sdl2_image, SDL_image, sysstat, thunderbird, and tnef), Oracle (firefox), Red Hat (java-1.8.0-ibm and nss), Scientific Linux (firefox and kernel), SUSE (kernel), and Ubuntu (nss).

Linus has released the 5.5-rc1 kernel prepatch and closed the merge window for this development cycle. "Everything looks fairly regular - it's a tiny bit larger (in commit counts) than the few last merge windows have been, but not bigger enough to really raise any eyebrows. And there's nothing particularly odd in there either that I can think of: just a bit over half of the patch is drivers, with the next big area being arch updates. Which is pretty much the rule for how things have been forever by now. Outside of that, the documentation and tooling (perf and selftests) updates stand out, but that's actually been a common pattern for a while now too, so it's not really surprising either."

Alexandr Nedvedicky (sashan@) wrote to tech@ regarding a recent significant change: Hello, commit from today [1] makes IP stack more paranoid. Up to now OpenBSD implemented so called 'weak host model' [2]. The today's commit alters that for hosts, which don't forward packets (don't act as routers). Your laptops, desktops and servers now check packet destination address with IP address bound to interface, where such packet is received on. If there will be mismatch the packet will be discarded and 'wrongif' counter will be bumped. You can use 'netstat -s|grep wrongif' to display the counter value. It is understood the behavior, which has been settled in IP stack since 80's, got changed. tech@openbsd.org (or bugs@openbsd.org) wants to hear back from you, if this change breaks your existing set up. There is a common believe this change won't hurt majority (> 97%) users, though there is some non-zero risk, hence this announcement is being sent. thanks and regards sashan [1] https://marc.info/?l=openbsd-cvs&m=157580332113635&w=2 [2] https://en.wikipedia.org/wiki/Host_model

Read more…

A "split lock" is a low-level memory-bus lock taken by the processor for a memory range that crosses a cache line. Most processors disallow split locks, but x86 implements them, Split locking may be convenient for developers, but it comes at a cost: a single split-locked instruction can occupy the memory bus for around 1,000 clock cycles. It is thus understandable that interest in eliminating split-lock operations is high. What is perhaps less understandable is that a patch set intended to detect split locks has been pending since (at least) May 2018, and it still is not poised to enter the mainline.

William Tolley has disclosed a severe VPN-related problem in most current systems: "I am reporting a vulnerability that exists on most Linux distros, and other *nix operating systems which allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website. Additionally, we are able to determine the exact seq and ack numbers by counting encrypted packets and/or examining their size. This allows us to inject data into the TCP stream and hijack connections." There are various partial mitigations available, but a full solution to the problem has not yet been worked out. Most VPNs are vulnerable, but Tor evidently is not.

Security updates have been issued by Debian (libav), Fedora (kernel, libuv, and nodejs), Oracle (firefox), Red Hat (firefox and java-1.7.1-ibm), SUSE (clamav, cloud-init, dnsmasq, dpdk, ffmpeg, munge, opencv, and permissions), and Ubuntu (librabbitmq).

In November, the topic of init systems and, in particular, support for systems other than systemd reappeared on the Debian mailing lists. After one month of sometimes fraught discussion, this issue has been brought to the project's developers to decide in the form of a general resolution (GR) — the first such since the project voted on the status of debian-private discussions in 2016. The issues under discussion are complex, so the result is one of the most complex ballots seen for some time in Debian, with seven options to choose from.

Greg Kroah-Hartman has announced the release of the 5.4.2, 5.3.15, and 4.19.88 stable kernels. They contain a relatively large collection of important fixes throughout the tree; users of those kernel series should upgrade.

[Update: A bit later, the 4.14.158, 4.9.206, and 4.4.206 stable kernels were also released.]

Security updates have been issued by Arch Linux (firefox), Fedora (cyrus-imapd, freeipa, haproxy, ImageMagick, python-pillow, rubygem-rmagick, sqlite, squid, and tnef), openSUSE (haproxy), Oracle (microcode_ctl), and Ubuntu (squid, squid3).

The LWN.net Weekly Edition for December 5, 2019 is available.

One of the features of the Clang/LLVM compiler that has been rather lacking for GCC may finally be getting filled in. In a mid-November post to the gcc-patches mailing list, David Malcolm described a new static-analysis framework for GCC that he wrote. It could be the starting point for a whole range of code analysis for the compiler.

Making a comparison between Linux and Kubernetes is often one of apples to oranges. There are, however, some similarities and there is an effort within the Kubernetes community to make Kubernetes more like a Linux distribution. The idea was outlined in a session about Kubernetes release engineering at KubeCon + CloudNativeCon North America 2019. "You might have heard that Kubernetes is the Linux of the cloud and that's like super easy to say, but what does it mean? Cloud is pretty fuzzy on its own," Tim Pepper, the Kubernetes release special interest group (SIG Release) co-chair said. He proceeded to provide some clarity on how the two projects are similar.