All posts by corbet

[$] Deferred scheduling for user-space critical sections

Post Syndicated from corbet original https://lwn.net/Articles/948870/

User-space developers working with highly threaded applications would often
like to be able to use spinlocks to protect shared data structures from
concurrent access. There is a fundamental problem with user-space
spinlocks, though: there is no way to prevent a thread from being
preempted. Various ways of working around this problem have been explored,
but this patch from Steven Rostedt questions the premise on which much of that
work is based: what if it were possible to prevent preemption, for a
short period at least?

Removing syscall() from OpenBSD

Post Syndicated from corbet original https://lwn.net/Articles/949078/

For a view into the OpenBSD approach to security, see this message from
Theo de Raadt, where he describes a plan to remove the syscall() system call
(which allows the invocation of any available system call by providing its
number) from the kernel. The purpose, of course, is to make it harder for
an attacker to invoke an arbitrary system call, even if they are able to
run some code on the target system.

I hope I am forcing attack coders into using increasingly more
complicated methods. Same time, it means fewer methods are
available. Other methods make exploitation more fragile. This is
pushing success rates into “low-percent statistical” success. If
we teach more software stacks to “fail hard, don’t try to
recover”, that is an improvement in security.

[$] Better string handling for the kernel

Post Syndicated from corbet original https://lwn.net/Articles/948408/

The C programming language is replete with features that seemed like a good
idea at the time (and perhaps even were good ideas then) that have not aged
well. Most would likely agree that string handling, and the use of
NUL-terminated strings, is one of those. Kernel developers have, for
years, tried to improve the handling of strings in an attempt to slow the
flow of bugs and vulnerabilities that result from mistakes in that area.
Now there is an early discussion on the idea of moving away from
NUL-terminated strings in much of the kernel.

Security updates for Thursday

Post Syndicated from corbet original https://lwn.net/Articles/948930/

Security updates have been issued by Debian (firefox-esr and xorg-server), Fedora (firefox, mbedtls, nodejs18, nodejs20, and xen), Gentoo (libinput, unifi, and USBView), Mageia (python-nltk), Oracle (linux-firmware), Red Hat (nginx:1.22), SUSE (chromium, firefox, java-11-openjdk, jetty-minimal, nghttp2, nodejs18, webkit2gtk3, and zlib), and Ubuntu (linux, linux-lowlatency, linux-oracle-5.15, vim, and xorg-server, xwayland).

[$] Weighted interleaving for memory tiering

Post Syndicated from corbet original https://lwn.net/Articles/948037/

The kernel has, for many years, had the ability to control how memory
allocation is performed in systems with multiple NUMA nodes. More
recently, NUMA nodes have also been pressed into service to represent
different classes of memory; those nodes are now organized into tiers
according to their performance characteristics. While memory-allocation
policies can control the placement of pages at the NUMA-node level, the
kernel provides no way to connect those policies with memory tiers. This
patch series from Gregory Price aims to change this situation by
allowing allocations to be placed across tiers in a weighted manner.

The path toward a no-GIL Python

Post Syndicated from corbet original https://lwn.net/Articles/948823/

The Python Steering Council has posted a
detailed plan for the addition of “free-threaded” (no global
interpreter lock) support into the Python mainline. It will not be a short
process and does not have a guaranteed successful outcome.

Phase I: Experimental phase, which can start immediately, in which
the free-threaded build is enabled through a build-time
option. This should not be the default install anywhere. At least
one major Python release should include this experimental
free-threaded build, to allow third-party packages to test and do
their own experimentation. In this stage we should make it clear
the build is experimental, not supported for “production use”, and
may be reverted.

Security updates for Wednesday

Post Syndicated from corbet original https://lwn.net/Articles/948814/

Security updates have been issued by Debian (gst-plugins-bad1.0, openssl, roundcube, and xorg-server), Fedora (dotnet6.0, dotnet7.0, roundcubemail, and wordpress), Mageia (redis), Oracle (dnsmasq, python27:2.7, python3, tomcat, and varnish), Red Hat (python39:3.9, python39-devel:3.9), Slackware (mozilla and vim), SUSE (openssl-3, poppler, ruby2.5, and xen), and Ubuntu (.Net, linux-gcp-5.15, linux-gkeop-5.15, linux-intel-iotg-5.15, linux-starfive-6.2, mysql-5.7, ncurses, and openssl).

Security updates for Tuesday

Post Syndicated from corbet original https://lwn.net/Articles/948688/

Security updates have been issued by Debian (ceph and dbus), Fedora (cachelib, fb303, fbthrift, fizz, folly, matrix-synapse, mcrouter, mvfst, nats-server, nodejs18, proxygen, wangle, watchman, and wdt), Mageia (libcue), Oracle (18, grafana, kernel, nodejs, nodejs:16, nodejs:18, php, php:8.0, and tomcat), Red Hat (python27:2.7, python3, python39:3.9, python39-devel:3.9, toolbox, varnish, and varnish:6), SUSE (fwupdate, gcc13, icu73_2, netty, netty-tcnative, and xen), and Ubuntu (aom, ffmpeg, libvpx, libxpm, linux-aws, linux-gcp-5.4, php7.0, php7.2, ring, and sofia-sip).

2023 Linux Foundation TAB election call for nominees

Post Syndicated from corbet original https://lwn.net/Articles/948589/

The 2023 election for members of the Linux Foundation Technical Advisory
Board will be held during the upcoming Linux Plumbers Conference. The call
for nominees has been posted.

The TAB exists to provide advice from the kernel community to the
Linux Foundation; it also serves to facilitate interactions both
within the community and with outside entities. Over the last
year, the TAB has overseen the organization of the Linux Plumbers
Conference, released a kernel contribution maturity model for
organizations, advised on code-of-conduct issues, and more.

Nominations should be sent in by November 13.

[$] Hyphens, minus, and dashes in Debian man pages

Post Syndicated from corbet original https://lwn.net/Articles/947941/

It is probably fair to say that most Linux users spend little time thinking
about the troff typesetting program, despite that application’s
groundbreaking role in computing history. Troff (along with nroff) is
still with us, though, even if they are called groff these days, and every
now and then they make their presence known. A recent groff change created
a bit of a tempest within the Debian community, and has effectively been
reverted there. It all comes down to the question of what, exactly, is the
character used to mark command-line options on Unix systems?

Security updates for Monday

Post Syndicated from corbet original https://lwn.net/Articles/948522/

Security updates have been issued by Debian (krb5, redis, roundcube, ruby-rack, ruby-rmagick, zabbix, and zookeeper), Fedora (ansible-core, chromium, libvpx, mingw-xerces-c, python-asgiref, python-django, and vim), Mageia (cadence, kernel, kernel-linus, libxml2, nodejs, and shadow-utils), Oracle (nghttp2), Slackware (LibRaw), and SUSE (chromium, java-11-openjdk, nodejs18, python-Django, python-urllib3, and suse-module-tools).

Kernel prepatch 6.6-rc7

Post Syndicated from corbet original https://lwn.net/Articles/948469/

Linus has released 6.6-rc7 for testing.

Anyway, while this is all bigger than I’d have liked it to be, if
the upcoming week is quiet and normal, this is the last rc and next
Sunday will see the final release and then we’ll open the merge
window for 6.7. I simply am not aware of any issues that would be
showstoppers.

[$] mseal() and what comes after

Post Syndicated from corbet original https://lwn.net/Articles/948129/

Jeff Xu recently proposed
the addition of a new system call, named mseal(), that would allow
applications to prevent modifications to selected memory mappings. It
would enable the hardening of user-space applications against certain types
of attacks; some other operating systems have this type of feature already.
There is support for adding this type of mechanism to the Linux kernel as
well, but it has become clear that mseal() will not land in the
mainline in anything resembling its current form. Instead, it has become
an example of how not to do kernel development at a number of levels.

Security updates for Friday

Post Syndicated from corbet original https://lwn.net/Articles/948368/

Security updates have been issued by Debian (linux-5.10 and webkit2gtk), Fedora (matrix-synapse and trafficserver), Mageia (chromium-browser-stable, ghostscript, libxpm, and ruby-RedCloth), Oracle (.NET 7.0, curl, dotnet7.0, galera, mariadb, go-toolset, golang, java-1.8.0-openjdk, and python-reportlab), Red Hat (php, php:8.0, tomcat, and varnish), Slackware (httpd), SUSE (bluetuith, grub2, kernel, rxvt-unicode, and suse-module-tools), and Ubuntu (dotnet6, dotnet7, dotnet8, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-bluefield, linux-intel-iotg, linux-oem-6.1, linux-raspi, and mutt).