All posts by corbet

Security updates for Wednesday

Post Syndicated from corbet original https://lwn.net/Articles/947409/

Security updates have been issued by Debian (curl, mediawiki, tomcat10, and tomcat9), Fedora (libcaca, oneVPL, oneVPL-intel-gpu, and tracker-miners), Gentoo (curl), Mageia (cups and firefox, thunderbird), Red Hat (curl, kernel, kernel-rt, kpatch-patch, libqb, libssh2, linux-firmware, python-reportlab, tar, and the virt:rhel module), Slackware (curl, libcue, libnotify, nghttp2, and samba), SUSE (conmon, curl, glibc, kernel, php-composer2, python-reportlab, samba, and shadow), and Ubuntu (curl, dotnet6, dotnet7, firefox, libx11, samba, tiff, and webkit2gtk).

A remote code execution vulnerability in GNOME

Post Syndicated from corbet original https://lwn.net/Articles/947236/

The GitHub blog describes a vulnerability in the libcue library (which is
used by the GNOME desktop) that can be exploited by a remote attacker to run
code on a desktop system if the target can be convinced to click on a
malicious link.

The video shows me clicking a link in a webpage, which causes a cue
sheet to be downloaded. Because the file is saved to ~/Downloads,
it is then automatically scanned by tracker-miners. And because it
has a .cue filename extension, tracker-miners uses libcue to parse
the file. The file exploits the vulnerability in libcue to gain
code execution and pop a calculator.

Security updates for Tuesday

Post Syndicated from corbet original https://lwn.net/Articles/947233/

Security updates have been issued by Fedora (chromium, firefox, and kernel), Gentoo (less and libcue), Red Hat (bind, libvpx, nodejs, and python3), Scientific Linux (firefox and thunderbird), SUSE (conmon, go1.20, go1.21, shadow, and thunderbird), and Ubuntu (libcue, ring, and ruby-kramdown).

[$] Rethinking multi-grain timestamps

Post Syndicated from corbet original https://lwn.net/Articles/946394/

One of the significant features added to the mainline kernel during the 6.6
merge window was multi-grain timestamps, which allow the kernel to
selectively store file modification times with higher resolution without
hurting performance. Unfortunately, this feature also caused some
surprising regressions, and was quickly ushered back out of the kernel as a
result. It is instructive to look at how this feature went wrong, and how
the developers involved plan to move forward from here.

The end of the Red Hat security-announcements list

Post Syndicated from corbet original https://lwn.net/Articles/946851/

Red Hat has announced
that its longstanding “rhsa-announce” mailing list will be shut down on
October 10. That is the list that receives security advisories for
Red Hat Enterprise Linux and a whole slew of related products. Anybody who
was counting on that list for Red Hat security advisories will need to find
an alternative; a few options are listed in the announcement.

[$] The challenge of compiling for verified architectures

Post Syndicated from corbet original https://lwn.net/Articles/946254/

On its surface, the BPF virtual machine resembles many other computer
architectures; it has registers and instructions to perform the usual
operations. But there is a key difference: BPF programs must pass the
kernel’s verifier before they can be run. The verifier imposes a long list
of additional restrictions so that it can prove to itself that any given
program is safe to run; getting past those checks can be a source of
frustration for BPF developers. At the 2023 GNU Tools Cauldron,
José Marchesi looked at the problem of compiling for verified architectures
and how the compiler can generate code that will pass verification.

Ferrocene released as open source

Post Syndicated from corbet original https://lwn.net/Articles/946732/

Ferrous Systems has announced
that its Ferrocene Rust compiler will be released under the Apache-2.0 and
MIT licenses.

Ferrocene is the main Rust compiler – rustc – but quality managed
and qualified for use in automotive and industrial environments
(currently by ISO 26262 and IEC 61508) by Ferrous Systems. It
operates as a downstream to the Rust project, further increasing
its testing and quality on specific platforms.

The license is free, but this is not being run as an open-source project;
specifically, contributions from the “general public” are not accepted.

[$] GCC features to help harden the kernel

Post Syndicated from corbet original https://lwn.net/Articles/946041/

Hardening the Linux kernel is an endless task, with work required on
multiple fronts. Sometimes, that work is not done in the kernel itself;
other tools, including compilers, can have a significant role to play.
At the 2023 GNU Tools Cauldron, Qing Zhao covered some of the work that has
been done in the GCC compiler to help with the hardening of the kernel — along
with work that still needs to be done.

OpenSSH 9.5 released

Post Syndicated from corbet original https://lwn.net/Articles/946497/

OpenSSH 9.5 is out. Significant changes include a transport-level ping
mechanism and keystroke timing obfuscation:

This attempts to hide inter-keystroke timings by sending
interactive traffic at fixed intervals (default: every 20ms) when
there is only a small amount of data being sent. It also sends fake
“chaff” keystrokes for a random interval after the last real
keystroke. These are controlled by a new ssh_config
ObscureKeystrokeTiming keyword.

Security updates for Wednesday

Post Syndicated from corbet original https://lwn.net/Articles/946496/

Security updates have been issued by Debian (glibc, postgresql-11, and thunderbird), Fedora (openmpi, pmix, prrte, and slurm), Gentoo (glibc and libvpx), Oracle (kernel), Red Hat (kernel), Slackware (libX11 and libXpm), SUSE (firefox, kernel, libeconf, libqb, libraw, libvpx, libX11, libXpm, mdadm, openssl-1_1, poppler, postfix, python311, rubygem-puma, runc, and vim), and Ubuntu (freerdp2, glibc, grub2-signed, grub2-unsigned, libx11, libxpm, linux-intel-iotg, linux-intel-iotg-5.15, linux-oracle, linux-oracle-5.15, and mozjs102).

A local root vulnerability in glibc

Post Syndicated from corbet original https://lwn.net/Articles/946381/

Qualys has posted an advisory for a vulnerability in the GNU C Library
related to the handling of the GLIBC_TUNABLES environment variable:

We successfully exploited this vulnerability and obtained full root
privileges on the default installations of Fedora 37 and 38, Ubuntu
22.04 and 23.04, Debian 12 and 13; other distributions are probably
also vulnerable and exploitable (one notable exception is Alpine
Linux, which uses musl libc, not the glibc).

Updates from distributors are beginning to appear and should be applied on
any systems with untrusted users. The curious can see the fix applied to
glibc in this patch series.

Vulnerable Arm GPU drivers under active exploitation (ars technica)

Post Syndicated from corbet original https://lwn.net/Articles/946315/

Ars technica reports on an Arm advisory regarding exploitable vulnerabilities
in a number of its GPU drivers.

The most prevalent platform affected by the vulnerability is
Google’s line of Pixels, which are one of the only Android models
to receive security updates on a timely basis. Google patched
Pixels in its September update against the vulnerability, which is
tracked as CVE-2023-4211.

As the article notes, the story on fixes for other devices is less clear.

Security updates for Tuesday

Post Syndicated from corbet original https://lwn.net/Articles/946313/

Security updates have been issued by Debian (exim4), Fedora (firecracker, rust-aes-gcm, rust-axum, rust-tokio-tungstenite, rust-tungstenite, and rust-warp), Gentoo (nvidia-drivers), Mageia (chromium-browser-stable, glibc, and libwebp), Red Hat (kernel), SUSE (ghostscript and python3), and Ubuntu (firefox, libtommath, libvpx, and thunderbird).

[$] Revisiting the kernel’s preemption model, part 2

Post Syndicated from corbet original https://lwn.net/Articles/945422/

In last week’s episode, a need to preempt
kernel code that is executing long-running instructions led to a deeper
reexamination of how the kernel handles preemption. There are a number of
supported preemption modes, varying from “none” (kernel code is never
preemptible) to realtime (where the kernel is almost always preemptible).
Making better use of the kernel’s preemption machinery looked like a
possible solution to the immediate problem, but it seems that there are
better options in store. In short, kernel developers would like to give
the scheduler complete control over CPU-scheduling decisions.

Multiple Exim security vulnerabilities disclosed

Post Syndicated from corbet original https://lwn.net/Articles/946004/

The “Zero Day Initiative” site has posted a number of advisories (1, 2, 3, 4, 5, 6)
describing a number of flaws in the Exim mail server, some of which are
exploitable remotely. These problems, allegedly, were first reported to
the project in June 2022, well over one year ago. There is some
disagreement over the timing of events, with Exim developer Heiko
Schlittermann claiming that no actual information was received until last
May, and an anonymous ZDI representative disputing that story.

Either way, the vulnerabilities are now disclosed, but patches are not yet
on offer; Schlittermann said that “Fixes are available in a protected
repository and are ready to be applied by the distribution maintainers”, so
hopefully that situation will change soon.