All posts by corbet

Security updates for Tuesday

Post Syndicated from corbet original https://lwn.net/Articles/1001597/

Security updates have been issued by AlmaLinux (postgresql:15, postgresql:16, and ruby:3.1), Debian (jinja2), Fedora (python-multipart, python-python-multipart, python3.12, retsnoop, rust-rbspy, rust-rustls, and zabbix), Oracle (kernel, libsoup, postgresql:12, postgresql:13, postgresql:15, postgresql:16, redis:7, and ruby:3.1), SUSE (nodejs18, pam, qt6-webengine, and radare2), and Ubuntu (dogtag-pki, linux-intel-iotg, linux-intel-iotg-5.15, ofono, rabbitmq-server, and webkit2gtk).

A vulnerability in the OpenWrt attended sysupgrade server

Post Syndicated from corbet original https://lwn.net/Articles/1001441/

The OpenWrt project has issued an advisory regarding a vulnerability found in its Attended Sysupgrade Server that could allow compromised packages to be installed on a router by an attacker. No official OpenWrt images were affected, and the vulnerability is not known to be exploited, but users who have installed images created with an instance of this server are recommended to reinstall.

For a detailed description of how the exploit works, see this blog post.

Then, as the hash collision occurred, the server returns the
overwritten build artifact to the legitimate request that requests
the following packages. […]

By abusing this, an attacker could force the user to upgrade to the
malicious firmware, which could lead to the compromise of the
device.

Kernel prepatch 6.13-rc2

Post Syndicated from corbet original https://lwn.net/Articles/1001435/

The 6.13-rc2 kernel prepatch is out for
testing. “The diffstat looks a bit unusual with 80%+ drivers, and a lot of it
one-liners, but that’s actually just because of a couple of automated
scripts that got run after -rc1 for some cleanups. Nothing
particularly interesting, but it makes for a lot of noise in the diff.

One of those scripts was the EXPORT_SYMBOL_NS() change (to make it
use a quoted string for the namespace name) described in this article.

[$] Freezing out the page reference count

Post Syndicated from corbet original https://lwn.net/Articles/1000654/

The page structure sits at the core of the kernel’s memory-management subsystem (for now), and a key part of that structure is its reference count, stored in refcount. The page reference count tells the kernel how many users a given page has and when it can be freed. That count is not needed for every page in the system, though. Matthew Wilcox has recently resurrected an old patch set that expands the concept of a “frozen” page — one that lacks a meaningful reference count — to the immediate benefit of the slab allocator but in the service of a longer-term goal as well.

Apertis v2024 released

Post Syndicated from corbet original https://lwn.net/Articles/1001013/

Apertis is a Collabora-developed Debian derivative distribution designed to be incorporated into electronic devices; the v2024 release is now available. It is now based on the Bookworm release, and includes support for Podman, ONNX Runtime, OP-TEE, and more.

Apertis relies on the Debian Free Software Guidelines to ensure all
software shipped is open source or, in limited cases, at least
freely distributable. However, for some customers this is not
enough to be able to adopt OSS solutions as in their evaluations
some provisions in common licenses like the GPL-3 are at odds with
regulatory constraints they are subject to. Apertis does not set out to
solve this decades-long debate, and instead its goal is to increase
the adoption of modern, maintained OSS solutions in markets where
this has historically been a challenge. To enable this, Apertis
supports avoiding the use of any software under some licenses (like
the GPL v3.0 license family) on target images, while still making
them fully available for development and for customers that do not
share those licensing concerns. To avoid these licenses, Apertis
uses more modern alternatives instead of relying on outdated and
unmaintained pre-GPL-3 versions. For instance, coreutils and
findutils (GPL-3+) are replaced in Apertis by rust-coreutils and
rust-findutils.

Mozilla’s new branding strategy

Post Syndicated from corbet original https://lwn.net/Articles/1000880/

Mozilla would appear to have concluded that the solution to its problems is an extensive rebranding effort:

We teamed up with global branding powerhouse Jones Knowles Ritchie
(JKR) to revamp our brand and revitalize our intentions across our
entire ecosystem. At the heart of this transformation is making
sure people know Mozilla for its broader impact, as well as
Firefox. Our new brand strategy and expression embody our role as a
leader in digital rights and innovation, putting people over
profits through privacy-preserving products, open-source developer
tools, and community-building efforts.

Walleij: New ARM32 Security Features in v6.10

Post Syndicated from corbet original https://lwn.net/Articles/1000727/

Linus Walleij writes about a pair of security features for 32-bit Arm systems; these landed in 6.10, but, he says, have now stabilized to the point that distributors may want to enable them.

PAN is an abbreviation for the somewhat grammatically incorrect
Privileged Access Never. […]

For modern ARM32 systems with large memories configured to use LPAE
nothing like PAN was available: this version of the MMU simply did
not implement a PAN option.

As of the patch originally developed by Catalin Marinas, we deploy
a scheme that will use the fact that LPAE has two separate
translation table base registers (TTBR:s): one for userspace
(TTBR0) and one for kernelspace (TTBR1).

[$] The return of RWF_UNCACHED

Post Syndicated from corbet original https://lwn.net/Articles/998783/

Linux offers two broad ways of performing I/O to files. Buffered I/O,
which is the usual way of accessing a file, stores a copy of the
transferred data in the kernel’s page cache to speed future accesses.
Direct I/O, instead, moves data directly between the storage device and a
user-space buffer, avoiding the page cache. Both modes have their
advantages and disadvantages. In 2019, Jens Axboe proposed an uncached buffered mode to get some of the advantages of both, but that effort stalled at the time. Now, uncached buffered I/O is back with some impressive performance results behind it.

Security updates for Tuesday

Post Syndicated from corbet original https://lwn.net/Articles/1000591/

Security updates have been issued by AlmaLinux (container-tools:rhel8, kernel, kernel-rt:4.18.0, kernel:4.18.0, pam, pam:1.5.1, perl-App-cpanminus, perl-App-cpanminus:1.7044, python-tornado, tigervnc, tuned, and webkit2gtk3), Debian (needrestart and webkit2gtk), Mageia (firefox, glib2.0, krb5, and thunderbird), Red Hat (firefox, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, and thunderbird), SUSE (editorconfig-core-c, kernel, php7, php8, python, python-tornado6, python3-virtualenv, python310, python39, thunderbird, wget, and wireshark), and Ubuntu (firefox and haproxy).

[$] The rest of the 6.13 merge window

Post Syndicated from corbet original https://lwn.net/Articles/998990/

The 6.13 merge window closed with the release of 6.13-rc1 on December 1. By that time,
11,307 non-merge commits had been pulled into the mainline
repository; about 9,500 of those landed after our first-half merge-window summary was
written. There was a lot of new material in these patches, including
architecture-support improvements, new BPF features, an efficient way to
add guard pages to an address space, more Rust support, a vast number of
new device drivers, and more.

Kernel prepatch 6.13-rc1

Post Syndicated from corbet original https://lwn.net/Articles/1000379/

Linus has released 6.13-rc1 and closed the
merge window for this release. “And for once – possibly the first time
ever – it looks like the release cycle doesn’t clash horribly up with
the holiday season, and we’ll have time both to stabilize this release,
_and_ the work for 6.14 won’t be starting until well into January.

Rust 1.83.0 released

Post Syndicated from corbet original https://lwn.net/Articles/1000273/

Version 1.83.0 of the Rust language has been released.

This release includes several large extensions to what code running
in const contexts can do. This refers to all code that the
compiler has to evaluate at compile-time: the initial value of
const and static items, array lengths, enum
discriminant values, const generic arguments, and functions
callable from such contexts (const fn).

There are also quite a few new stabilized APIs.

The OpenWrt One router is now shipping

Post Syndicated from corbet original https://lwn.net/Articles/1000272/

The OpenWrt One router, which was reviewed here recently, is now generally available.

This is the first wireless Internet router designed and built with
your software freedom and right to repair in mind. The OpenWrt One
will never be locked down and is forever unbrickable. This device
services your needs as its owner and user. Everyone deserves
control of their computing. The OpenWrt One takes a great first
step toward bringing software rights to your home: you can control
your own network with the software of your choice, and ensure your
right to change, modify, and repair it as you like.

[$] The kernel’s command-line commotion

Post Syndicated from corbet original https://lwn.net/Articles/999770/

For the most part, the 6.13 merge window has gone smoothly, with relatively few problems or disagreements — other than this one, of course. There is one other exception, though, relating to the kernel’s presentation of a process’s command line to interested user-space observers when a relatively new system call is used. A pull request with a simple change to make that information more user-friendly ran afoul of Linus Torvalds, who has his own view of how it should be managed.

Security updates for Tuesday

Post Syndicated from corbet original https://lwn.net/Articles/999744/

Security updates have been issued by Debian (pypy3), Fedora (chromium, cobbler, and libsoup3), Oracle (kernel), SUSE (glib2, govulncheck-vulndb, javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop, libblkid-devel, opentofu, php8, postgresql, postgresql16, postgresql17, thunderbird, traefik, and ucode-intel), and Ubuntu (needrestart and rapidjson).

[$] The beginning of the 6.13 merge window

Post Syndicated from corbet original https://lwn.net/Articles/998623/

As of this writing, just over 1,800 non-merge changesets have been pulled
into the mainline kernel for the 6.13 release. That number may seem small,
given that a typical merge window brings in at least 12,000 commits, but
the early pulls this time around have focused on significant core changes,
and there are quite a few of them. The time has come to summarize the
changes pulled so far, including lazy preemption, multi-grained timestamps,
new extended-attribute system calls, and more.