Post Syndicated from corbet original https://lwn.net/Articles/960456/
The LWN.net Weekly Edition for February 8, 2024 is available.
Post Syndicated from corbet original https://lwn.net/Articles/961116/
At the beginning of November, we let it be
known that we were looking to hire a writer/editor to augment the LWN
team. In past attempts, we have found it difficult to attract writers who
could produce the kind of content that LWN readers expect. This time
around, as we have said before, was different; we had a number of
candidates who could have filled the bill and were forced to make some
difficult choices.
While “hire them all” was an attractive idea, it was not one that our
budget would support. We did conclude, however, that we could stretch to a
second hire. So we are pleased to announce that the opportunity to bring
Joe Brockmeier on board was too good to pass up — so we didn’t. You will
start to see his work return to LWN within the next few days.
Post Syndicated from corbet original https://lwn.net/Articles/961173/
Security updates have been issued by Red Hat (gimp) and Ubuntu (firefox, linux-oracle, linux-oracle-5.15, and python-django).
Post Syndicated from corbet original https://lwn.net/Articles/961083/
Security updates have been issued by CentOS (firefox, gstreamer1-plugins-bad-free, and tigervnc), Debian (ruby-sanitize), Fedora (kernel, kernel-headers, qt5-qtwebengine, and runc), Oracle (gnutls, kernel, libssh, rpm, runc, and tigervnc), Red Hat (runc), and SUSE (bouncycastle, jsch, python, and runc).
Post Syndicated from corbet original https://lwn.net/Articles/960041/
A common problem in kernel development is controlling when a
specific task should be done. Kernel code often executes in contexts where
some actions (sleeping, for example, or calling into filesystems) are not
possible. Other actions, while possible, may prevent the kernel from
taking care of a more important task in a timely manner. The kernel
community has developed a number of deferred-execution mechanisms designed
to ensure that every task is handled at the right time. One of those
mechanisms, tasklets, has been eyed for removal for years; that removal
might just happen in the near future.
Post Syndicated from corbet original https://lwn.net/Articles/960842/
The 6.8-rc3 kernel prepatch is out for
testing. “A slightly larger rc3 that I’d have hoped for, although at
this stage in the release process it’s not something that really worries me
yet.”
Post Syndicated from corbet original https://lwn.net/Articles/960606/
Simon Phipps writes
on the Open Source Initiative blog that the latest version of the
European Cyber Resilience Act is much improved: “As a result of all this
effort from so many people, the final text of the CRA mitigated pretty much
all the risks we had identified to individual developers and to Open Source
foundations.”
Post Syndicated from corbet original https://lwn.net/Articles/960604/
Security updates have been issued by Debian (chromium, man-db, and openjdk-17), Fedora (chromium, indent, jupyterlab, kernel, and python-notebook), Gentoo (glibc), Oracle (firefox, thunderbird, and tigervnc), Red Hat (rpm), SUSE (cpio, gdb, gstreamer, openconnect, slurm, slurm_18_08, slurm_20_02, slurm_20_11, slurm_22_05, slurm_23_02, squid, webkit2gtk3, and xerces-c), and Ubuntu (imagemagick and xorg-server, xwayland).
Post Syndicated from corbet original https://lwn.net/Articles/960088/
Filesystem development is not an easy task; the performance demands are
typically high, and the consequences for mistakes usually involve lost data
and irate users. The implementation of a virtual (or “pseudo”) filesystem
— a filesystem implemented within the kernel and lacking a normal backing
store — can also be challenging, but for different reasons. A series of
conversations around the eventfs virtual filesystem has turned a spotlight
on the difficulty of creating a virtual filesystem for Linux.
Post Syndicated from corbet original https://lwn.net/Articles/960446/
A new version of the Damn Small
Linux distribution has come out with an updated definition of “damn
small”:
“The new goal of DSL is to pack as much usable desktop distribution
into an image small enough to fit on a single CD, or a hard limit
of 700MB. This project is meant to service older computers and have
them continue to be useful far into the future. Such a notion sits
well with my values. I think of this project as my way of keeping
otherwise usable hardware out of landfills.”
Post Syndicated from corbet original https://lwn.net/Articles/959457/
The LWN.net Weekly Edition for February 1, 2024 is available.
Post Syndicated from corbet original https://lwn.net/Articles/960357/
Version 2.39
of the GNU C Library has been released. Changes include integration with
the x86 shadow-stack mechanism, a couple of
new posix_spawn() variants for working with control groups, pidfd_spawn() and
pidfd_spawnp(), the C2X stdbit.h header, the removal
of the libcrypt library, and more. See the release notes
for details.
Post Syndicated from corbet original https://lwn.net/Articles/960344/
Version
24.2 of the LibreOffice office suite is available. Changes include
AutoRecovery enabled by default, styling of comments, better floating-table
support, improved accessibility, and more. See the release
notes for details.
Post Syndicated from corbet original https://lwn.net/Articles/960289/
Qualys has disclosed
a vulnerability in the GNU C Library that can be exploited by a local
attacker for root access. It was introduced in the 2.37 release, and also
backported to 2.36.
“For example, we confirmed that Debian 12 and 13, Ubuntu 23.04 and
23.10, and Fedora 37 to 39 are vulnerable to this buffer
overflow. Furthermore, we successfully exploited an up-to-date,
default installation of Fedora 38 (on amd64): a Local Privilege
Escalation, from any unprivileged user to full root. Other
distributions are probably also exploitable.”
Vulnerable systems with untrusted users should probably be updated in a
timely manner.
Post Syndicated from corbet original https://lwn.net/Articles/960248/
Security updates have been issued by Debian (bind9 and glibc), Fedora (ncurses), Gentoo (containerd, libaom, and xorg-server, xwayland), Mageia (python-pillow and zlib), Oracle (grub2 and tomcat), Red Hat (avahi, c-ares, container-tools:3.0, curl, firefox, frr, kernel, kernel-rt, kpatch-patch, libfastjson, libmicrohttpd, linux-firmware, oniguruma, openssh, perl-HTTP-Tiny, python-pip, python-urllib3, python3, rpm, samba, sqlite, tcpdump, thunderbird, tigervnc, and virt:rhel and virt-devel:rhel modules), SUSE (python-Pillow, slurm, slurm_20_02, slurm_20_11, slurm_22_05, slurm_23_02, and xen), and Ubuntu (libde265, linux-nvidia, mysql-8.0, openldap, pillow, postfix, and xorg-server, xwayland).
Post Syndicated from corbet original https://lwn.net/Articles/960036/
The eBPF Foundation has published a glossy document called The
State of eBPF; it seems mostly concerned with how a small number of
large companies are using and developing this technology.
“No doubt, eBPF will become the new layer in the new cloud native
infrastructure stack, impacting the observability, performance,
reliability, networking, and security of all applications,
supporters say. Platform engineers will cobble together
eBPF-powered infrastructure building blocks to create platforms
that developers then deploy software on, adding business logic to
the mix, and replacing aging Linux kernel internals that cannot
keep up with today’s digital and, increasingly, cloud native world.”
Post Syndicated from corbet original https://lwn.net/Articles/960008/
Security updates have been issued by Debian (pillow, postfix, and redis), Fedora (python-templated-dictionary and selinux-policy), Red Hat (gnutls, kpatch-patch, libssh, and tomcat), and Ubuntu (amanda, ceph, linux-azure, linux-azure-4.15, linux-kvm, and tinyxml).
Post Syndicated from corbet original https://lwn.net/Articles/959815/
Linus has released 6.8-rc2 for testing.
“So go out and test. It’s safe now. You trust me, right?”
Post Syndicated from corbet original https://lwn.net/Articles/959189/
While the mathematical realm of numbers is infinite, computers are only
able to represent a finite subset of them. That can lead to problems when
arithmetic operations would create numbers that the computer is unable to
store as the intended type. This condition, called “overflow” or
“wraparound” depending on the
context, can be the source of bugs, including unpleasant security
vulnerabilities, so it is worth avoiding. This patch
series from Kees Cook is intended to improve the kernel’s handling of
these situations, but it is running into a bit of resistance.
Post Syndicated from corbet original https://lwn.net/Articles/959069/
The free-software community has managed to build a body of software that is
worth, by most estimates, many billions of dollars; all of this code is
freely available to anybody who wants to use or modify it. It is an
unparalleled example of independent actors working cooperatively on a
common resource. Free software is certainly a success story, but all is
not perfect. One of the community’s greatest strengths — convincing
companies to contribute to this common resource — is also part of one of
its biggest weaknesses.