All posts by daroc

Security updates for Tuesday

Post Syndicated from daroc original https://lwn.net/Articles/990588/

Security updates have been issued by Debian (php-twig and pymongo), Fedora (linux-firmware, microcode_ctl, and python3.13), Mageia (clamav, microcode, postgresql13 and postgresql15, python3-webob, suricata, tcpreplay, tgt, and wireshark), Oracle (httpd, kernel, and linux-kernel), Red Hat (firefox, kernel, kernel-rt, pcs, and thunderbird), SUSE (389-ds, chromium, golang-github-prometheus-prometheus, htmldoc, kernel, SUSE Manager Client Tools, and wireshark), and Ubuntu (clamav, curl, dcmtk, dovecot, nginx, openssh, and python3.10, python3.12, python3.8).

[$] Application monitoring with OpenSnitch

Post Syndicated from daroc original https://lwn.net/Articles/988401/

OpenSnitch is an “interactive application firewall”. Like other firewalls, it uses a series of rules to decide what network traffic should be permitted. Unlike many other firewalls, though, OpenSnitch does not ask the user to create a list of rules ahead of time. Instead, the list of rules can be built up incrementally as applications make connections — and the user can peruse both the rules that have built up over time, and statistics on the connections that have been attempted.

[$] NIST finalizes post-quantum encryption standards

Post Syndicated from daroc original https://lwn.net/Articles/973231/

On August 13, the US National Institute of Standards and Technology (NIST) published the final form of its new post-quantum cryptographic standards. One key-exchange mechanism and two digital-signature schemes are now officially sanctioned by the institute. Adopting the new standards should be fairly painless for most developers, but the overhead added by the schemes could pose challenges for some applications.

Forgejo changes license to GPLv3+

Post Syndicated from daroc original https://lwn.net/Articles/986998/

The Forgejo project has announced that, starting from version 9.0, Forgejo will be released under the GPLv3 license (or a later version). Older versions of the software forge remain MIT-licensed.

A copyleft license makes reusing other copyleft software easier. Recently, we discovered that some of the dependencies we used were incompatible with the license Forgejo was distributed with, and they had to be removed for now. Choosing copyleft licenses enables us to reuse more work, and saves us precious time to focus on improving Forgejo itself.

[$] A review of file descriptor memory safety in the kernel

Post Syndicated from daroc original https://lwn.net/Articles/985853/

On July 30, Al Viro sent a patch set to the linux-fsdevel mailing list with a comprehensive cover letter explaining his recent work on ensuring that the kernel’s internal representation of file descriptors is used correctly in the kernel. File descriptors are ubiquitous; many system calls need to handle them. Viro’s review identified a few existing bugs, and may prevent more in the future. He also had suggestions for ways to keep uses consistent throughout the kernel.

[$] Custom string formatters in Python

Post Syndicated from daroc original https://lwn.net/Articles/985346/

Python has had formatted string literals (f-strings), a syntactic shorthand for building strings, since 2015. Recently, Jim Baker, Guido van Rossum, and Paul Everitt have proposed PEP 750 (“Tag Strings For Writing Domain-Specific Languages”) which would generalize and expand that mechanism to provide Python library writers with additional flexibility. Reactions to the proposed change were somewhat positive, although there was a good deal of discussion of (and opposition to) the PEP’s inclusion of lazy evaluation of template parameters.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/985980/

Security updates have been issued by Fedora (389-ds-base, dotnet8.0, python3.13, roundcubemail, thunderbird, and tor), Mageia (roundcubemail), Oracle (.NET 8.0, bind and bind-dyndb-ldap, bind9.16, container-tools:ol8, edk2, firefox, gnome-shell, grafana, httpd:2.4, jose, kernel, krb5, mod_auth_openidc:2.3, orc, poppler, python-urllib3, python3.11-setuptools, thunderbird, and wget), Red Hat (kernel), SUSE (apptainer, curl, kernel, kernel-firmware, libqt5-qtbase, python-aiosmtpd, and ucode-intel), and Ubuntu (bind9, gnome-shell, libreoffice, and orc).

[$] Standards for use of unsafe Rust in the kernel

Post Syndicated from daroc original https://lwn.net/Articles/982868/

Rust is intended to let programmers write safer code. But compilers are not omniscient, and writing Rust code that interfaces with hardware (or that works with memory outside of Rust’s lifetime paradigm) requires, at some point, the programmer’s assurance that some operations are permissible. Benno Lossin suggested adding some more documentation to the Rust-for-Linux project clarifying the standards for commenting uses of unsafe in kernel code. There’s general agreement that such standards are necessary, but less agreement on exactly when it is appropriate to use unsafe.

[$] Changes coming in PostgreSQL 17

Post Syndicated from daroc original https://lwn.net/Articles/984599/

The PostgreSQL project has released beta versions of PostgreSQL 17 containing several interesting security and usability improvements, alongside the usual performance improvements and bug fixes. If the release proceeds according to the usual timeline, the full release of version 17 is expected in September or October. The most important changes are in what PostgreSQL does when a database supervisor has their credentials revoked, and added support for incremental database backups.

Lix makes its second release

Post Syndicated from daroc original https://lwn.net/Articles/985484/

Lix, the fork of Nix that LWN covered in July, has made its second release since forking. This one includes substantial changes to the backend code, including removing a dependency on Bison, and getting a change to the Nix language back upstream.

The general theme of Lix 2.91 is to perform another wave of refactorings and design improvements in preparation for our evolution plans.

Nevertheless, there are a few exciting user facing changes[.]

New attack against the SLUB allocator

Post Syndicated from daroc original https://lwn.net/Articles/984984/

Researchers from Graz University of Technology have published details of a new attack on the Linux kernel called SLUBstick. The attack uses timing information to turn an ability to trigger use-after-free or double-free bugs into the ability to overwrite page tables, and thence into the ability to read and write arbitrary areas of memory. The good news is that this attack does require an existing bug to be usable; the bad news is that the kernel regularly sees bugs of this kind.

We assume that an unprivileged user has code execution. Additionally, we consider the presence of a heap vulnerability in the Linux kernel. We assume that the Linux kernel incorporates all defense mechanisms available in version 6.4, the most recent Linux kernel version when we started our work. These mechanisms include features such as W^X, KASLR, SMAP, and kCFI. We do not assume any microarchitectural vulnerabilities, e.g., transient execution, fault injection, or hardware side channels.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/984966/

Security updates have been issued by AlmaLinux (httpd, kernel, kernel-rt, and libtiff), Debian (postgresql-13, postgresql-15, and thunderbird), Fedora (frr, thunderbird, vim, and xrdp), Gentoo (Librsvg, Nautilus, ncurses, Percona XtraBackup, QEMU, and re2c), Red Hat (httpd, kernel, kernel-rt, openssl, and python-setuptools), SUSE (bind, ffmpeg-4, kubernetes1.23, kubernetes1.24, python-Django, and python3-Twisted), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-oem-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle, linux-oracle-5.4, and salt).

[$] Endless OS aimed at educational and offline environments

Post Syndicated from daroc original https://lwn.net/Articles/984086/

Endless OS is a Linux distribution with a focus on improving access to educational tools by providing a simple-to-manage, full-featured desktop for educators and students — one that works offline, with minimal maintenance. The distribution also aims to be suitable for older devices, in order to promote access to computers by ensuring those systems remain usable. In pursuit of those goals, it makes some unusual technical choices. But what makes the distribution really shine is its curated collection of software and educational resources.

Firefox support added to Puppeteer

Post Syndicated from daroc original https://lwn.net/Articles/984733/

Mozilla has announced that Puppeteer, a browser automation and testing library, now has first-class support for Firefox using the WebDriver BiDi protocol. Puppeteer can be used to drive headless browser instances, and is commonly used for automated end-to-end web-site tests.

Whilst the features offered by Puppeteer won’t be a surprise, bringing support to multiple browsers has been a significant undertaking. The Firefox support is not based on a Firefox-specific automation protocol, but on WebDriver BiDi, a cross browser protocol that’s undergoing standardization at the W3C, and currently has implementation in both Gecko and Chromium. This use of a cross-browser protocol should make it much easier to support many different browsers going forward.

[$] Divvi Up: privacy-respecting telemetry aggregation

Post Syndicated from daroc original https://lwn.net/Articles/983843/

There is ongoing discussion about the ethics and effectiveness of telemetry following some recent LWN articles that touched on Thunderbird’s use of opt-out telemetry and planned metrics in Fedora. The Internet Security Research Group (ISRG), the nonprofit behind Let’s Encrypt, has a potential solution to the problem of how to collect and aggregate telemetry without violating users’ privacy. The scheme is based on a draft protocol being standardized with the Internet Engineering Task Force (IETF), and has an open-source implementation available.

[$] Pulling Linux up by its bootstraps

Post Syndicated from daroc original https://lwn.net/Articles/983340/

A bootstrappable build is one that builds existing software from scratch — for example, building GCC without relying on an existing copy of GCC. In 2023, the Guix project announced that the project had reduced the size of the binary bootstrap seed needed to build its operating system to just 357 bytes — not counting the Linux kernel required to run the build process. Now, the live-bootstrap project has gone a step further and removed the need for an existing kernel at all.

Security updates for Monday

Post Syndicated from daroc original https://lwn.net/Articles/983816/

Security updates have been issued by AlmaLinux (java-11-openjdk), Debian (bind9), Fedora (darkhttpd, mod_http2, and python-scrapy), Red Hat (python3.11, rhc-worker-script, and thunderbird), SUSE (assimp, gh, opera, python-Django, and python-nltk), and Ubuntu (edk2, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-nvidia-6.5, linux-oracle, linux-raspi, and lua5.4).

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/983523/

Security updates have been issued by AlmaLinux (linux-firmware and squid), Debian (bind9), Fedora (kubernetes, thunderbird, and tinyproxy), Oracle (containernetworking-plugins, cups, edk2, httpd, httpd:2.4, kernel, kernel-container, libreoffice, libuv, libvirt, python3, and runc), Red Hat (freeradius:3.0, httpd, and squid), and SUSE (giflib and python-dnspython).