All posts by corbet

NetBSD 10.0 released

Post Syndicated from corbet original https://lwn.net/Articles/967856/

Version 10.0 of the NetBSD system has been released.

The netbsd-10 release branch is more than a year old now, so it is
high time the 10.0 release makes it to the front stage. This
matches the long time it took for the development branch to get
ready for branching, a lot of development went into this new
release.

This also caused the release announcement to be one of the longest
we ever did.

As might be imagined, there are a lot of changes; see the above-mentioned
release announcement for the details.

A few relevant quotes

Post Syndicated from corbet original https://lwn.net/Articles/967420/

I’m on a holiday and only happened to look at my emails and it
seems to be a major mess.

Lasse Collin

The reality that we are struggling with is that the free software
infrastructure on which much of computing runs is massively and
painfully underfunded by society as a whole, and is almost entirely
dependent on random people maintaining things in their free time
because they find it fun, many of whom are close to burnout. This
is, in many ways, the true root cause of this entire event.

Russ Allbery

Incredible work from Andres. The attackers made a serious
strategic mistake: they made PostgreSQL slightly slower.

Thomas Munro

There is no way to discuss this in public without turning a single
malicious entity into 10 000 malicious entities once the
information is widely known.

Making sure the impact and mitigations are known before posting
this publicly so that everyone knows what to do before the 10 000
malicious entities start attacking is just common sense.

Marc Deslauriers

Again the FOSS world has proven to be vigilant and proactive in
finding bugs and backdoors, IMHO. The level of transparency is
stellar, especially compared to proprietary software
companies. What the FOSS world has accomplished in 24 hours after
detection of the backdoor code in #xz deserves a moment of
humbleness. Instead we have flamewars and armchair experts shouting
that we must change everything NOW. Which would introduce even more
risks. Progress is made iteratively. Learn, adapt, repeat.

Jan Wildeboer

A backdoor in xz

Post Syndicated from corbet original https://lwn.net/Articles/967180/

Andres Freund has posted a detailed investigation into a backdoor that was
shipped with versions 5.6.0 and 5.6.1 of the xz compression utility. It
appears that the malicious code may be aimed at allowing SSH authentication
to be bypassed.

I have not yet analyzed precisely what is being checked for in the
injected code, to allow unauthorized access. Since this is running
in a pre-authentication context, it seems likely to allow some form
of access or other form of remote code execution.

The affected versions are not yet widely shipped, but checking systems for
the bad version would be a good idea.

[$] Radicle: peer-to-peer collaboration with Git

Post Syndicated from corbet original https://lwn.net/Articles/966869/

Radicle is a new, peer-to-peer,
MIT/Apache-licensed collaboration platform written in Rust and built on top
of Git. It adds support for issues and pull requests (which Radicle calls
“patches”) on top of core Git, which are stored in the Git repository
itself. Unlike GitHub, GitLab, and similar forges, Radicle is distributed;
it doesn’t rely on having everyone use the same server. Instead, Radicle
instances form a network that synchronizes changes between nodes.

Schaller: Fedora Workstation 40 – what are we working on

Post Syndicated from corbet original https://lwn.net/Articles/967107/

Christian Schaller writes about the desktop-oriented work aimed at the
upcoming Fedora 40 release.

Another major feature landing in Fedora Workstation 40 that Jonas
Ådahl and Ray Strode have spent a lot of effort on is finalizing the
remote desktop support for GNOME on Wayland. So there has been
support for remote connections for already logged in sessions
already, but with these updates you can do the login remotely too
and thus the session does not need to be started already on the
remote machine. This work will also enable 3rd party solutions to
do remote logins on Wayland systems, so while I am not at liberty
to mention names, be on the lookout for more 3rd party Wayland
remoting software becoming available this year.

The PostgreSQL community mourns Simon Riggs

Post Syndicated from corbet original https://lwn.net/Articles/966868/

The PostgreSQL community is dealing with the loss of Simon Riggs, who
passed away on March 26:

Simon was responsible for many of the enterprise features we find
in PostgreSQL today, including point in time recovery, hot standby,
and synchronous replication. He was the founder of 2ndQuadrant
which employed many of the PostgreSQL developers, later becoming
part of EDB where he worked as a Postgres Fellow until his
retirement. He was responsible for the UK PostgreSQL conferences
for many years until he passed that responsibility to PostgreSQL
Europe last year.

[$] The rest of the 6.9 merge window

Post Syndicated from corbet original https://lwn.net/Articles/965541/

The 6.9-rc1 kernel prepatch was released on March 24, closing the merge window for
this development cycle. By that time, 12,435 non-merge changesets had been
merged into the mainline, making for a less-busy merge window than the last
couple of kernel releases (but similar to the 12,492 seen for 6.5). Well
over 7,000 of those changes were merged after the first-half merge-window summary was
written, meaning that the latter part of the merge window brought many more
interesting changes.

[$] Hardening the kernel against heap-spraying attacks

Post Syndicated from corbet original https://lwn.net/Articles/965837/

While a programming error in the kernel may be subject to direct
exploitation, usually a more roundabout approach is required to take
advantage of a security bug. One popular approach for those wishing to
take advantage of vulnerabilities is heap spraying, and
it has often been employed to compromise the kernel. In the future,
though, heap-spraying attacks may be a bit harder to pull off, thanks to the
“dedicated bucket allocator” proposed by Kees Cook.

Redis is no longer free software

Post Syndicated from corbet original https://lwn.net/Articles/966133/

The Redis in-memory database system has had its license changed to either
the Redis Source Available License or the Server Side Public License
(covered here in 2018); neither license qualifies as free software.

Under the new license, cloud service providers hosting Redis
offerings will no longer be permitted to use the source code of
Redis free of charge. For example, cloud service providers will be
able to deliver Redis 7.4 only after agreeing to licensing terms
with Redis, the maintainers of the Redis code.

Distributors like Fedora are already looking at removing Redis as a
consequence. (Thanks to Emmanuel Seyman).

The “Nova” driver for NVIDIA chipsets

Post Syndicated from corbet original https://lwn.net/Articles/966129/

Danilo Krummrich has announced the
existence of the “Nova” project within Red Hat.

We just started to work on Nova, a Rust-based GSP-only driver for
Nvidia GPUs. Nova, in the long term, is intended to serve as the
successor of Nouveau for GSP-firmware-based GPUs.

With Nova we see the chance to significantly decrease the
complexity of the driver compared to Nouveau for mainly two
reasons. First, Nouveau’s historic architecture, especially around
nvif/nvkm, is rather complicated and inflexible and requires major
rework to solve certain problems (such as locking hierarchy in VMM
/ MMU code for VM_BIND currently being solved with a workaround)
and second, with a GSP-only driver there is no need to maintain
compatibility with pre-GSP code.

Besides that, we also want to take the chance to contribute to the
Rust efforts in the kernel and benefit from more memory safety
offered by the Rust programming language.

Given that the effort has just begun, it will be a while before this driver
shows up in a distribution release.

GNOME 46 released

Post Syndicated from corbet original https://lwn.net/Articles/966096/

Version 46 of the GNOME desktop has been released. “GNOME 46 is code-named
‘Kathmandu’, in recognition of the amazing work done by the organizers of
GNOME.Asia 2023.”

Significant changes include a new global search feature, enhancements to
the Files app, improved remote login support, and more.

Security updates for Tuesday

Post Syndicated from corbet original https://lwn.net/Articles/965958/

Security updates have been issued by Debian (cacti, postgresql-11, and zfs-linux), Fedora (freeimage, mingw-expat, and mingw-freeimage), Mageia (apache-mod_security-crs, expat, and multipath-tools), Oracle (.NET 7.0 and kernel), Red Hat (kernel, kernel-rt, and kpatch-patch), and Ubuntu (bash, kernel, linux, linux-aws, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, and vim).