All posts by corbet

[$] How kernel CVE numbers are assigned

Post Syndicated from corbet original https://lwn.net/Articles/978711/

It has been four months since Greg Kroah-Hartman and MITRE announced that
the Linux kernel project had become its own CVE Numbering Authority (CNA).
Since then, the Linux CNA Team has developed workflows and mechanisms to
help manage the various tasks associated with this challenge. There does,
however, appear to be a lack of understanding among community members of
the processes and rules the team has been working within. The principal
aim of this article, written by a member of the Linux kernel CNA team, is
to clarify how the team works and how kernel CVE numbers are assigned.

Plasma 6.1 released

Post Syndicated from corbet original https://lwn.net/Articles/978806/

Version 6.1 of
the Plasma desktop environment has been released.

Plasma 6 hits its stride with version 6.1. While Plasma 6.0 was all
about getting the migration to the underlying Qt 6 frameworks
correct (and what a massive job that was), 6.1 is where developers
start implementing the features that will take your desktop to a new
level.

Enhancements include better remote-desktop support, improved customization,
persistent apps, smoother animation under Wayland, and more; see the
changelog
for the full list.

Security updates for Tuesday

Post Syndicated from corbet original https://lwn.net/Articles/978804/

Security updates have been issued by Debian (php7.3), Fedora (galera, ghostscript, and mariadb), Mageia (cups, iperf, and libndp), Oracle (firefox and flatpak), Red Hat (container-tools:rhel8, Firefox, firefox, and flatpak), SUSE (booth, bouncycastle, firefox, ghostscript, less, libaom, openssl-1_1, openssl-3, podman, python-Authlib, python-requests, python-Werkzeug, webkit2gtk3, and xdg-desktop-portal), and Ubuntu (ghostscript, ruby-rack, ruby2.7, ruby3.0, ruby3.1, ruby3.2, and sssd).

PostmarketOS v24.06 released

Post Syndicated from corbet original https://lwn.net/Articles/978733/

PostmarketOS is an Alpine Linux derivative distribution aimed at mobile
devices; the v24.06 release claims support for over 250 devices, though
the level of that support varies widely. “This release is geared mainly
towards Linux enthusiasts. We are working hard on stability improvements
and automated testing, but if you expect Android or iOS levels of polish,
then this is not for you yet.” Changes include an upgrade to Alpine Linux
3.20, newer GNOME and KDE versions, and more.

[$] Nested bottom-half locking for realtime kernels

Post Syndicated from corbet original https://lwn.net/Articles/978189/

Software-interrupt handlers (also called “bottom halves”) have a long
history in the Linux kernel; for much of that history, developers have
wished that they could go away. One of their unfortunate characteristics
is that they can add unexpected latency to the execution of unrelated
processes; this problem is felt especially acutely in the
realtime-preemption community. The solution adopted there has created
problems of its own, though; in response Sebastian Andrzej Siewior is proposing
a new locking mechanism for realtime builds of the kernel that may have
benefits for non-realtime users as well.

Reports from the Python Language Summit

Post Syndicated from corbet original https://lwn.net/Articles/978541/

The Python Software Foundation has published a
set of reports
from the 2024 Python Language summit. Topics covered
include version numbering, the limited C API, a new default read-eval-print
loop, and Python’s security model in light of the XZ backdoor:

For multiple reasons like being able to fix bugs and
single-maintainer modules, CPython doesn’t require reviewers on the
pull requests of core developers. This can lead to “unilateral
action”, meaning that a change is introduced into CPython without
the review of someone besides the author. Other situations like
release managers backporting fixes to other branches without review
are common.

Driving forward in Android drivers (Project Zero)

Post Syndicated from corbet original https://lwn.net/Articles/978441/

This
Project Zero article
looks at the exploitation of a few Android driver
bugs in great detail.

As it becomes more difficult to find 0-days in core Android,
third-party Linux kernel drivers continue to become a more and more
attractive target for attackers. While the bulk of present-day
detected ITW [in-the-wild] Android exploitation targets GPU
drivers, it’s equally important that other third-party drivers are
encouraged towards the same security standards.

[$] Memory sealing for the GNU C Library

Post Syndicated from corbet original https://lwn.net/Articles/978010/

The mseal() system call allows a
process to prevent any future changes to portions of its address space
(thus “sealing” them); it was patterned after the mimmutable() system call in OpenBSD.
mseal() generated a lot of discussion, but it was finally merged
for the upcoming 6.10 kernel release. While mseal() was initially
aimed at securing the Chrome browser, the hope was that it would be useful
elsewhere; as a step toward realizing that hope, Adhemerval Zanella has
posted a
patch series
adding support for — and use of — mseal() to the
GNU C library (glibc).

OpenSUSE Leap 15.6 released

Post Syndicated from corbet original https://lwn.net/Articles/978137/

The openSUSE Leap 15.6 release is available; this is intended to be the
last Leap 15.x release before Leap 16 comes out. “Leap 15.6 is projected
to receive maintenance and security updates until the end of 2025 to
ensure sufficient overlap with the next release”. Changes include the
addition of the Cockpit server-management tool, a 6.4 kernel, GNOME 45,
and many other upgrades. This release also removes a long list of
unmaintained Python packages. See the release notes for details.

Extensible scheduler class to be merged for 6.11

Post Syndicated from corbet original https://lwn.net/Articles/978007/

The extensible scheduler class (“sched_ext”) framework allows the writing
of CPU schedulers as a set of BPF programs. It has been somewhat
controversial, and its merging into the kernel has been blocked despite
a clear level of interest from users.

Linus Torvalds has now let
it be known
that he has made a decision and, overriding the scheduler
maintainer, will merge sched_ext for the 6.11 release.

I honestly see no reason to delay this any more. This whole
patchset was the major (private) discussion at last year’s kernel
maintainer summit, and I don’t find any value in having the same
discussion (whether off-list or as an actual event) at the upcoming
maintainer summit one year later, so to make any kind of sane
progress, my current plan is to merge this for 6.11.

Firefox 127.0 released

Post Syndicated from corbet original https://lwn.net/Articles/977973/

Version
127.0
of the Firefox browser is out. Changes include support for DNS
prefetching and the ability to close duplicate tabs in a window. The
browser will now try to upgrade images and videos with HTTP URLs that are
found in an HTTPS page to HTTPS as well; if that fails, the non-HTTPS
resources will simply fail to load.

Update: this Mozilla Security Blog post describes the HTTPS-related
changes in detail.

Security updates for Tuesday

Post Syndicated from corbet original https://lwn.net/Articles/977939/

Security updates have been issued by AlmaLinux (ruby:3.3), Fedora (efifs, libvirt, podman-tui, prometheus-podman-exporter, and strongswan), Red Hat (firefox, idm:DL1, ipa, nghttp2, and thunderbird), SUSE (aws-nitro-enclaves-cli, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer, frr, glibc, go1.21, go1.22, gstreamer-plugins-base, kernel, kernel-firmware-nvidia-gspx-G06, nvidia-open-driver-G06-signed, libxml2, mariadb, poppler, python-Brotli, python-docker, python-idna, rmt-server, skopeo, sssd, unbound, unrar, util-linux, and webkit2gtk3), and Ubuntu (giflib, libphp-adodb, linux-gkeop, linux-gkeop-5.15, linux-kvm, linux-laptop, linux-oem-6.8, nodejs, and tiff).

[$] P4TC hits a brick wall

Post Syndicated from corbet original https://lwn.net/Articles/977310/

P4, short for “Programming
Protocol-independent Packet Processors”, is a programming language aimed at
networking devices; it is useful for the configuration of firewalls and
complicated routing architectures. Since a lot of advanced networking is
done with Linux systems, it stands to reason that there would be value in
supporting P4 and, indeed, an
implementation of P4
in the kernel’s traffic-control subsystem was
first posted by Jamal Hadi Salim at the beginning of 2023. After nearly
18 months, though, this feature has not been merged, and the chances
of that happening would appear to be getting worse.

perl v5.40.0 released

Post Syndicated from corbet original https://lwn.net/Articles/977765/

Version 5.40.0 of the Perl language has been released. “Perl 5.40.0
represents approximately 11 months of development since Perl 5.38.0 and
contains approximately 160,000 lines of changes across 1,500 files from 75
authors”. Significant changes include a new __CLASS__ keyword, a
:reader: attribute for field variables, a new “^^” logical-XOR operator
(because two of those were not enough), moving “try/catch” out of the
experimental category, and more; see this page for lots of details.