All posts by daroc

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/971289/

Security updates have been issued by Debian (knot-resolver, pdns-recursor, and putty), Fedora (xen), Mageia (editorconfig-core-c, glibc, mbedtls, webkit2, and wireshark), Oracle (buildah), Red Hat (buildah and yajl), Slackware (libarchive), SUSE (dcmtk, openCryptoki, php7, php74, php8, python-gunicorn, python-idna, qemu, and thunderbird), and Ubuntu (cryptojs, freerdp2, nghttp2, and zabbix).

[$] Python JIT stabilization

Post Syndicated from daroc original https://lwn.net/Articles/970397/

On April 11, Brandt Bucher posted PEP 744 (“JIT Compilation”), which summarizes the current state of Python’s new copy-and-patch just-in-time (JIT) compiler. The JIT is currently experimental, but the PEP proposes some criteria for the circumstances under which it should become a non-experimental part of Python.

The discussion of the PEP hasn’t reached a conclusion, but several members of the community have already raised questions about how the JIT would fit into future iterations of the Python language.

GitHub comments used to distribute malware (BleepingComputer)

Post Syndicated from daroc original https://lwn.net/Articles/971008/

BleepingComputer reported on April 20 that some malware was being distributed via GitHub. Uploading files as part of a comment gives them a URL that appears to be associated with a repository, even if the comment is never posted.

A GitHub flaw, or possibly a design decision, is being abused by threat actors
to distribute malware using URLs associated with Microsoft repositories, making
the files appear trustworthy.

While most of the malware activity has been based around the Microsoft GitHub
URLs, this “flaw” could be abused with any public repository on GitHub, allowing
threat actors to create very convincing lures.

A new crash reporter for Firefox

Post Syndicated from daroc original https://lwn.net/Articles/971006/

On April 23, Mozilla announced that Firefox’s crash reporter has been rewritten in Rust, allowing the project to address a backlog of issues.

Even though it is important to properly handle main process crashes, the crash
reporter hasn’t received significant development in a while (aside from
development to ensure that crash reports and telemetry continue to reliably be
delivered)! It has long been stuck in a local maximum of “good enough” and
“scary to maintain”: it features 3 individual GUI implementations (for Windows,
GTK+ for Linux, and macOS), glue code abstracting a few things (mostly in C++,
and Objective-C for macOS), a binary blob produced by obsoleted Apple
development tools, and no test suite. Because of this, there is a backlog of
features and improvements which haven’t been acted on.

[$] Existential types in Rust

Post Syndicated from daroc original https://lwn.net/Articles/970186/

For several years, contributors to the Rust project have been working to improve support for asynchronous code. The benefits of these efforts are not confined to asynchronous code, however. Members of the Rust community have been working toward adding explicit existential types to Rust since 2017. Existential types are not a common feature of programming languages (something the RFC acknowledges), so the motivation for their inclusion might be somewhat obscure.

[$] Weighted memory interleaving and new system calls

Post Syndicated from daroc original https://lwn.net/Articles/969379/

Gregory Price recently posted a patch set that adds support for weighted memory interleaving — allowing a process’s memory to be distributed between non-uniform memory access (NUMA) nodes in a more controlled way. According to his performance measurements, the patch set could provide a significant improvement for computers with network-attached memory. The patch set also introduces new system calls and paves the way for future extensions intended to give processes more control over their own memory.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/970508/

Security updates have been issued by AlmaLinux (gnutls, java-17-openjdk, mod_http2, and squid), Debian (firefox-esr), Fedora (editorconfig, perl-Clipboard, php, rust, and wordpress), Mageia (less, libreswan, puppet, and x11-server, x11-server-xwayland, and tigervnc), Slackware (aaa_glibc), and SUSE (firefox, graphviz, kernel, nodejs12, pgadmin4, tomcat, and wireshark).

Security updates for Wednesday

Post Syndicated from daroc original https://lwn.net/Articles/970169/

Security updates have been issued by Debian (apache2 and cockpit), Fedora (firefox, kernel, mbedtls, python-cbor2, wireshark, and yyjson), Mageia (nghttp2), Red Hat (kernel, kernel-rt, opencryptoki, pcs, shim, squid, and squid:4), Slackware (firefox), SUSE (emacs, firefox, and kernel), and Ubuntu (linux-aws, linux-aws-5.15, linux-aws-6.5, linux-raspi, and linux-iot).

[$] Identifying dependencies used via dlopen()

Post Syndicated from daroc original https://lwn.net/Articles/969908/

The recent XZ backdoor has sparked a lot of discussion about how the open-source community links and packages software. One possible security improvement being discussed is changing how projects like systemd link to dynamic libraries that are only used for optional functionality: using dlopen() to load those libraries only when required. This could shrink the attack surface exposed by dependencies, but the approach is not without downsides — most prominently, it makes discovering which dynamic libraries a program depends on harder. On April 11, Lennart Poettering proposed one way to eliminate that problem in a systemd RFC on GitHub.

[$] Cleaning up after BPF exceptions

Post Syndicated from daroc original https://lwn.net/Articles/969185/

Kumar Kartikeya Dwivedi has been working to add support for exceptions to BPF since mid-2023. In July, Dwivedi posted the first patch set in this effort, which adds support for basic stack unwinding. In February 2024, he posted the second patch set, aimed at letting the kernel release resources held by the BPF program when an exception occurs. This makes exceptions usable in many more contexts.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/969590/

Security updates have been issued by Debian (chromium), Fedora (rust, trafficserver, and upx), Mageia (postgresql-jdbc and x11-server, x11-server-xwayland, tigervnc), Red Hat (bind, bind9.16, gnutls, httpd:2.4, squid, unbound, and xorg-x11-server), SUSE (perl-Net-CIDR-Lite), and Ubuntu (apache2, maven-shared-utils, and nss).

[$] Continued attacks on HTTP/2

Post Syndicated from daroc original https://lwn.net/Articles/968600/

On April 3, security researcher Bartek Nowotarski published the details of a new denial-of-service (DoS) attack, called a “continuation flood”, against many HTTP/2-capable web servers. While the attack is not terribly complex, it affects many independent implementations of the HTTP/2 protocol, even though multiple similar vulnerabilities over the years have given implementers plenty of warning.

[$] Diagnosing workqueues

Post Syndicated from daroc original https://lwn.net/Articles/967016/

There are many mechanisms for deferred work in the Linux kernel. One of them, workqueues, has seen increasing use as part of the move away from software interrupts. Alison Chaiken gave a talk at SCALE about how they compare to software interrupts, the new challenges they pose for system administrators, and what tools are available to kernel developers wishing to diagnose problems with workqueues as they become increasingly prevalent.

Eclipse Foundation announces collaboration for CRA compliance

Post Syndicated from daroc original https://lwn.net/Articles/968566/

The Eclipse Foundation, the organization behind the Eclipse IDE and many other software projects, announced a collaboration between several different open-source-software foundations to create a specification describing secure software development best practices. This work is motivated by the European Union’s Cyber Resilience Act (CRA).

The leading open source communities and foundations have for
years developed and practised secure software development
processes. These are processes that have often defined or set
industry best practices around things such as coordinated
disclosure, peer review, and release processes. These processes
have been documented by each of these communities, albeit
sometimes using different terminology and approaches. We
hypothesise that the cybersecurity process technical
documentation that already exists amongst the open source
communities can provide a useful starting point for developing
the cybersecurity processes required for regulatory compliance.

(Thanks to Martin Michlmayr.)

V8 incorporates new sandbox

Post Syndicated from daroc original https://lwn.net/Articles/968429/

V8, the JavaScript engine used in Chrome, announced that its memory sandbox is no longer experimental.

Chrome 123 could therefore be considered to be a sort of “beta”
release for the sandbox. This blog post uses this opportunity to
discuss the motivation behind the sandbox, show how it prevents
memory corruption in V8 from spreading within the host process, and
ultimately explain why it is a necessary step towards memory safety.

[$] How the XZ backdoor works

Post Syndicated from daroc original https://lwn.net/Articles/967192/

Versions 5.6.0 and 5.6.1 of the XZ compression utility and library were shipped with a backdoor that targeted OpenSSH. Andres Freund discovered the backdoor by noticing that failed SSH logins were taking a lot of CPU time while doing some micro-benchmarking, and tracking down the backdoor from there. It was introduced by XZ co-maintainer “Jia Tan” — a probable alias for person or persons unknown. The backdoor is a sophisticated attack with multiple parts, from the build system, to link time, to run time.