Post Syndicated from corbet original https://lwn.net/Articles/946004/

The “Zero Day Initiative” site has posted a number of advisories (1, 2, 3, 4, 5, 6)
describing a number of flaws in the Exim mail server, some of which are
exploitable remotely. These problems, allegedly, were first reported to
the project in June 2022, well over one year ago. There is some
disagreement over the timing of events, with Exim developer Heiko
Schlittermann claiming
that no actual information was received until last May, and an anonymous
ZDI representative disputing
that story.

Either way, the vulnerabilities are now disclosed, but patches are not yet
on offer; Schlittermann said that “Fixes are available in a protected
repository and are ready to be applied by the distribution
maintainers“, so hopefully that situation will change soon.

Post Syndicated from corbet original https://lwn.net/Articles/945912/

On September 27, 1983, Richard Stallman announced the
founding of the GNU project. His goal, which seemed wildly optimistic
and unattainable at the time, was to write a complete Unix-like operating
system from the beginning
and make it freely available. Exactly 40 years later, the GNU project
celebrated with a hacker meeting in
Switzerland. Your editor had the good fortune to be able to attend.

Post Syndicated from corbet original https://lwn.net/Articles/945536/

While the CVE process was created in response to real problems, it’s increasingly clear that CVE numbers are
creating problems of their own. At the 2023 GNU Tools Cauldron,
Siddhesh Poyarekar expressed the frustration that toolchain developers have
felt as the result of arguing with security researchers about CVE-number
assignments. In response, the GNU toolchain community is trying to better
characterize what is — and is not — considered to be a security-relevant
bug in its software.

Post Syndicated from corbet original https://lwn.net/Articles/945211/

The LWN.net Weekly Edition for September 28, 2023 is available.

Post Syndicated from corbet original https://lwn.net/Articles/945700/

Security updates have been issued by Oracle (libtiff), Red Hat (libtiff, nodejs:16, and nodejs:18), Slackware (mozilla), SUSE (bind, cacti, cacti-spine, ImageMagick, kernel, libwebp, netatalk, open-vm-tools, postfix, quagga, wire, and wireshark), and Ubuntu (cups, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp,
linux-gcp-4.15, linux-hwe, linux-oracle, linux-bluefield, and linux-bluefield, linux-raspi, linux-raspi-5.4).

Post Syndicated from corbet original https://lwn.net/Articles/945608/

Version
118.0 of the Firefox browser has been released. Changes include
improved fingerprinting prevention and automated translation: “Automated
translation of web content is now available to Firefox users! Unlike
cloud-based alternatives, translation is done locally in Firefox, so that
the text being translated does not leave your machine.”

Post Syndicated from corbet original https://lwn.net/Articles/945559/

Security updates have been issued by Debian (exempi, glib2.0, lldpd, and netatalk), Fedora (curl, libppd, and linux-firmware), Oracle (kernel), and SUSE (Cadence, frr, modsecurity, python-CairoSVG, python-GitPython, and tcpreplay).

Post Syndicated from corbet original https://lwn.net/Articles/945320/

The last year or so has seen the posting of a few new filesystem types that
are aimed at supporting container workloads. PuzzleFS, presented at the
2023 Kangrejos gathering by Ariel
Miculas, is another contender in this area, but it has some features of its
own, including a novel compression mechanism and an implementation written
in Rust.

Post Syndicated from corbet original https://lwn.net/Articles/945445/

The third 6.6 kernel prepatch is out for
testing.

Unusually, we have a large chunk of changes in filesystems. Part of
it is the vfs-level revert of some of the timestamp handling that
needs to soak a bit more, and part of it is some xfs fixes. With a
few other filesystem fixes too.

The multi-grain timestamp changes turned
out to cause the occasional regression (timestamps that could appear to go
backward) and were taken back out.

Post Syndicated from corbet original https://lwn.net/Articles/945377/

The
6.5.5,
6.1.55,
5.15.133,
5.10.197,
5.4.257,
4.19.295, and
4.14.326
stable kernel updates have all been released; each contains another set of
important fixes.

Post Syndicated from corbet original https://lwn.net/Articles/944895/

Back in May, André Almeida presented some
work toward the creation of user-space spinlocks using adaptive
spinning. At that time, the work was stalled because there is, in Linux,
currently no way to quickly determine whether a given thread is actually
executing on a CPU. Some progress has since been made on that front; at
the 2023
Open Source Summit Europe, Almeida returned to discuss how that
difficulty might be overcome.

Post Syndicated from corbet original https://lwn.net/Articles/944686/

All that Ankur Arora seemingly wanted to do with this
patch set was to make the process of clearing huge pages on x86
systems go a little faster. What resulted was an extensive discussion on
the difficulties of managing preemption correctly in the kernel. It may be
that some changes will come to the plethora of preemption models that the
kernel currently offers.

Post Syndicated from corbet original https://lwn.net/Articles/944436/

The LWN.net Weekly Edition for September 21, 2023 is available.

Post Syndicated from corbet original https://lwn.net/Articles/945073/

Security updates have been issued by Debian (frr and libyang), Fedora (golang-github-prometheus-exporter-toolkit, golang-github-xhit-str2duration, golang-gopkg-alecthomas-kingpin-2, libpano13, and open-vm-tools), Oracle (firefox, frr, and thunderbird), Red Hat (dmidecode, kernel, kernel-rt, kpatch-patch, libwebp: critical, linux-firmware, mariadb:10.3, ncurses, postgresql:15, and virt:rhel and virt-devel:rhel), Scientific Linux (firefox, open-vm-tools, and thunderbird), SUSE (binutils, bluez, chromium, curl, gcc7, go1.20, go1.21, grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python- cryptography-vectors, python-google-api-core, pyt, gstreamer-plugins-good, kernel, libcares2, libxml2, mdadm, mutt, and python-brotlipy), and Ubuntu (indent, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15,
linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15,
linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm,
linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15,
linux-nvidia, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp,
linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4,
linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2,
linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2, linux-hwe-6.2, linux-ibm,
linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-oracle,
linux-raspi, linux-starfive, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-oem-6.0, linux-oem-6.1, and memcached).

Post Syndicated from corbet original https://lwn.net/Articles/944892/

JDK 21, the reference implementation of the Java 21 language specification,
has
been released. “This release includes fifteen JEPs [1], including
the final versions of Record Patterns (440), Pattern Matching for switch
(441), and Virtual Threads (444)“.

Post Syndicated from corbet original https://lwn.net/Articles/944874/

The
6.5.4,
6.1.54,
5.15.132, and
5.10.195
stable kernel updates have been released; each contains a relatively large
set of important fixes.

Post Syndicated from corbet original https://lwn.net/Articles/944849/

The Free Software Foundation looks
forward to the 40th anniversary of the GNU project, coming soon:

On September 27, 1983, a computer scientist named Richard Stallman
announced the plan to develop a free software Unix-like operating
system called GNU, for “GNU’s not Unix.” GNU is the only operating
system developed specifically for the sake of users’ freedom, and
has remained true to its founding ideals for forty years.

Post Syndicated from corbet original https://lwn.net/Articles/944848/

Security updates have been issued by Debian (chromium, flac, gnome-shell, libwebp, openjdk-11, and xrdp), Fedora (giflib), Oracle (kernel), Red Hat (busybox, dbus, firefox, frr, kpatch-patch, libwebp, open-vm-tools, and thunderbird), Slackware (netatalk), SUSE (flac, gcc12, kernel, libeconf, libwebp, libxml2, and thunderbird), and Ubuntu (binutils, c-ares, libraw, linux-intel-iotg, nodejs, python-django, and vsftpd).

Post Syndicated from corbet original https://lwn.net/Articles/944115/

Processes in a Linux system run within their own virtual address spaces.
Their virtual addresses map to physical pages provided by the hardware, but
the kernel takes pains to hide the physical addresses of those pages;
processes normally have no way of knowing (and no need to know) where their
memory is located in physical memory. As a result, the system calls for
memory management also deal in virtual addresses. Gregory Price is
currently trying to create an exception to this rule with a
proposal for a new system call that would operate on memory using physical
addresses.

Post Syndicated from corbet original https://lwn.net/Articles/944705/

The 6.6-rc2 kernel prepatch is out for
testing.

I think the most notable thing about 6.6-rc2 is simply that it’s
exactly 32 years to the day since the 0.01 release. And that’s a round
number if you are a computer person.

Because other than the random date, I don’t see anything that really
stands out here.