Hírolvasó

Az EV-k súlyos értékvesztése egy komoly probléma trey 2025. 04. 17., cs – 08:50

A 2.6.32-es Linux kernel se egy ócska kiadás ... trey 2025. 04. 17., cs – 08:45

Inside this week's LWN.net Weekly Edition:

• Front: APT 3.0; Fedora 42; Lots more LSFMM+BPF coverage.
• Briefs: CVE funding; Yelp vulnerability; Fedora 42; Manjaro 25.0; GCC 15; Pinta 3.0; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

Debian's Advanced Package Tool (APT) is the suite of utilities that handle package management on Debian and Debian-derived operating systems. APT recently received a major upgrade to 3.0 just in time for inclusion in Debian 13 ("trixie"), which is planned for release sometime in 2025. The version bump is warranted; the latest APT has user-interface improvements, switches to Sequoia to verify package signatures, and includes solver3—a new solver that is designed to improve how it evaluates and resolves package dependencies.

GNOME contributor Michael Catanzaro has written a blog post about a noteworthy vulnerability in GNOME's help browser, Yelp.

I don't normally blog about particular CVEs, but Yelp CVE-2025-3155 is noteworthy because it is quite severe, public for several weeks now, and not yet fixed upstream. In short, help files can read your filesystem and execute arbitrary JavaScript code, allowing an attacker to exfiltrate any files your Unix user has access to.

The vulnerability was first reported on December 25, and it was made public on March 26 after the 90-day-disclosure deadline was reached. Patches have been proposed to fix the issue. The bug reporter has published a writeup demonstrating the attack. Catanzaro asks that Linux vendors "please consider applying the provided patches even though they have not yet been accepted upstream".

Allowing directories to be modified in parallel was the topic of Jeff Layton's filesystem-track session at the 2025 Linux Storage, Filesystem, Memory Management, and BPF Summit (LSFMM+BPF). There are certain use cases, including for the NFS and Lustre filesystems, as mentioned in a patch set referenced in the topic proposal, where contention in creating multiple files in a directory is causing noticeable performance problems. In some testing, Layton has found that the inode read-write semaphore (i_rwsem) for the directory is serializing operations; he wanted to discuss alternatives.

The BPF verifier is not magic; it cannot solve the halting problem. Therefore, it has to err on the side of assuming that a program will run too long if it cannot prove that the program will not. The ultimate check on the size of a BPF program is the one-million-instruction limit — the verifier will refuse to process more than one-million instructions, no matter what a BPF program does. Alexei Starovoitov gave a talk at the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit about that limit, why correctly written BPF programs shouldn't hit it, and how to make the user experience of large BPF programs better in the future.

Sergiu Gatlan reports that the US government has extended funding for the Common Vulnerabilities and Exposures (CVE) program, following yesterday's reports that funding would run out as of April 16.

"The CVE Program is invaluable to cyber community and a priority of CISA," the U.S. cybersecurity agency told BleepingComputer. "Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience."

The article also mentions the launch of a CVE Foundation, to transition the CVE program to a dedicated foundation and eliminate "a single point of failure in the vulnerability management ecosystem", as well as a European vulnerability database (EUVD) backed by the European Union Agency for Cybersecurity (ENISA). Details on these initiatives are scant at the moment, and it is unclear whether restoration of funding will have any impact on these efforts.

As a system runs, its memory becomes fragmented; it does not take long before the allocation of large, physically contiguous memory ranges becomes difficult or impossible. The contiguous memory allocator (CMA) is a kernel subsystem that attempts to address this problem, but it has never worked as well as some would like. Two sessions in the memory-management track at the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit looked at how CMA can be improved; the first looked at providing guaranteed allocations, while the second addressed some inefficiencies in CMA.

Security updates have been issued by AlmaLinux (gvisor-tap-vsock, kernel, and kernel-rt), Fedora (chromium, dnf, dotnet9.0, golang, lemonldap-ng, mariadb10.11, perl-Crypt-URandom-Token, perl-DBIx-Class-EncodedColumn, php-tcpdf, podman-tui, and trunk), Red Hat (java-17-openjdk and kernel), Slackware (mozilla), SUSE (apache2-mod_auth_openidc, cosign, etcd, expat, flannel, kernel, libsqlite3-0, libvarnishapi3, mozjs52, Multi-Linux Manager 4.3: Server, Multi-Linux Manager 5.0: Server, Proxy and Retail Server, pgadmin4, rekor, rsync, rubygem-bundler, and webkit2gtk3), and Ubuntu (7zip, Docker, and quickjs).

Szintetikus e-mailekkel próbálja tovább fejleszteni chatbotjait az Apple

A keresőszolgáltatás mindenhol megszüntetni az országokhoz kötődő legfelső szintű domainek használatát, melyek a google.com -ra irányítanak majd.

Az eszközök automatikusan újraindulnak és első feloldás előtti állapotba állnak egy közelgő frissítés után.

Napi ROTFL - "A Tisza-kormány bűncselekménnyé nyilvánítaná a hírhamisítást" trey 2025. 04. 16., sze – 12:48

A csoportos kereset több százezer angol cég és más szervezet nevében kér kártérítést a keresőcég monopoltevékenysége miatt.

A piaci ingadozások ellenére a 12,5 milliárd dollárra értékelt Figma pozitív cash flow-t mutat, így optimistán tervezi a részvények kibocsátását.

A cég már a lebutított AI-chipjeit sem szállíthatja kínai partnereinek.

"Törölték Rogán Antalt a szankciós listáról" trey 2025. 04. 16., sze – 07:35

In the first filesystem-track session at the 2025 Linux Storage, Filesystem, Memory Management, and BPF Summit (LSFMM+BPF), virtual filesystem (VFS) layer co-maintainer Christian Brauner had a few different topics he wanted to talk about. Issues on the agenda included iterating through anonymous mount namespaces, a needed feature for ID-mapped mounts, the perennial unprivileged mounts topic, potentially using hazard pointers for file reference counting, and Rust bindings. He did not expect to get through all of them in the 30 minutes allotted, but the session did move along pretty quickly to at least introduce them to the assembled filesystem developers.

Security Week is one of several outlets reporting that the funding for the CVE program at MITRE disappears as of April 16.

Maintained by MITRE Corporation, a not-for-profit organization that operates federal R&D centers, the CVE program is funded through multiple channels, including the U.S. government, industry partnerships, and international organizations.

Earlier this month, in anticipation of the US government funding cuts, MITRE initiated layoffs that affected more than 400 employees in its Virginia office. The cuts were ordered after the Trump administration announced more than $28 million in canceled contracts for the company.