Post Syndicated from daroc original https://lwn.net/Articles/969442/
The LWN.net Weekly Edition for April 18, 2024 is available.
Post Syndicated from daroc original https://lwn.net/Articles/970169/
Security updates have been issued by Debian (apache2 and cockpit), Fedora (firefox, kernel, mbedtls, python-cbor2, wireshark, and yyjson), Mageia (nghttp2), Red Hat (kernel, kernel-rt, opencryptoki, pcs, shim, squid, and squid:4), Slackware (firefox), SUSE (emacs, firefox, and kernel), and Ubuntu (linux-aws, linux-aws-5.15, linux-aws-6.5, linux-raspi, and linux-iot).
Post Syndicated from daroc original https://lwn.net/Articles/969908/
The recent XZ backdoor has sparked a lot of discussion about how the open-source
community links and packages software. One possible
security improvement being discussed
is changing how
projects like systemd link to dynamic libraries that are only used for
optional functionality: using
dlopen() to load those libraries only
when required. This could
shrink the attack surface exposed by dependencies, but the approach is not
without downsides — most prominently, it makes discovering which dynamic
libraries a program depends on harder.
On April 11, Lennart Poettering proposed one way to eliminate that problem
in a systemd RFC on GitHub.
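The pattern under discussion, loading an optional library only when its functionality is first needed, looks roughly like the following. This is an added example written for this page, not code from systemd, the RFC, or the article; the wrapper names (`optional_symbol_load`, `optional_strlen`) are hypothetical, and the library name used to exercise the failure path is assumed not to exist on the system. It resolves `strlen()` from the already-loaded C library through the main program's handle so that it runs without any extra package installed, and it shows the graceful-degradation path that makes this approach attractive: a missing library turns one feature off instead of preventing the program from starting.

```c
/* Added example: lazily loading an optional shared library with dlopen()
 * at first use instead of declaring it in DT_NEEDED. Illustrative code
 * written for this page, not systemd's own implementation; the wrapper
 * names and the "does not exist" library name are assumptions. */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status codes returned by optional_symbol_load(). */
enum optional_status {
    OPTIONAL_OK = 0,          /* library found and symbol resolved */
    OPTIONAL_NO_LIBRARY = 1,  /* dlopen() failed: feature unavailable */
    OPTIONAL_NO_SYMBOL = 2,   /* library present but symbol missing */
};

struct optional_symbol {
    const char *soname;   /* e.g. "liblzma.so.5"; NULL means the main program */
    const char *name;     /* symbol to resolve */
    void *handle;         /* cached dlopen() handle */
    void *fn;             /* cached dlsym() result */
    enum optional_status status;
    int attempted;        /* resolve only once; failures are cached too */
};

/* Resolve the symbol on first use. RTLD_NOW forces all relocations up front
 * so a broken library fails here rather than at some later call; RTLD_LOCAL
 * keeps its symbols out of the global namespace. Because the library is not
 * in DT_NEEDED, ldd(1) will not list it: that is the discoverability cost
 * the article mentions. */
enum optional_status optional_symbol_load(struct optional_symbol *s)
{
    if (s->attempted)
        return s->status;
    s->attempted = 1;

    s->handle = dlopen(s->soname, RTLD_NOW | RTLD_LOCAL);
    if (!s->handle) {
        s->status = OPTIONAL_NO_LIBRARY;
        return s->status;
    }

    /* Clear any stale error first: a NULL-valued symbol is legal, so
     * dlopen(3) recommends checking dlerror() rather than the result. */
    dlerror();
    s->fn = dlsym(s->handle, s->name);
    if (dlerror() != NULL) {
        dlclose(s->handle);
        s->handle = NULL;
        s->status = OPTIONAL_NO_SYMBOL;
        return s->status;
    }
    s->status = OPTIONAL_OK;
    return s->status;
}

/* Demonstration: resolve strlen() from the already-loaded C library via the
 * main program's handle (soname NULL), which needs no extra library to be
 * installed. Returns the length of `text` through the lazily resolved
 * pointer, or -1 if the optional symbol is unavailable. */
long optional_strlen(const char *text)
{
    static struct optional_symbol sym = { .soname = NULL, .name = "strlen" };
    size_t (*fn)(const char *);

    if (optional_symbol_load(&sym) != OPTIONAL_OK)
        return -1;
    /* Portable object-pointer to function-pointer conversion, as in dlopen(3). */
    *(void **) (&fn) = sym.fn;
    return (long) fn(text);
}

/* Demonstration of the failure path: a library name assumed not to exist on
 * the system. The feature degrades gracefully instead of aborting startup. */
enum optional_status optional_missing_library_status(void)
{
    static struct optional_symbol sym = {
        .soname = "libexample-does-not-exist.so.0", .name = "example_fn" };
    return optional_symbol_load(&sym);
}

int main(void)
{
    printf("strlen via dlsym: %ld\n", optional_strlen("hello"));
    printf("missing library status: %d\n", optional_missing_library_status());
    return 0;
}
```

On glibc older than 2.34 the program must be linked with `-ldl`; newer glibc and musl provide `dlopen()` in libc itself. Note that the failed `dlopen()` is cached rather than retried, so a library that appears later (for example after a package install) is not picked up by a running process, which matches the behaviour a practitioner usually wants for a long-running daemon.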
Post Syndicated from daroc original https://lwn.net/Articles/969185/
Kumar Kartikeya Dwivedi has been working to add support for exceptions to BPF
since mid-2023. In July, Dwivedi posted
the first patch set in this effort, which adds support for basic stack unwinding.
In February 2024, he posted
the second patch set
aimed at letting the kernel release resources held by the BPF program when an
exception occurs. This makes exceptions usable in many more contexts.
Post Syndicated from daroc original https://lwn.net/Articles/969590/
Security updates have been issued by Debian (chromium), Fedora (rust, trafficserver, and upx), Mageia (postgresql-jdbc and x11-server, x11-server-xwayland, tigervnc), Red Hat (bind, bind9.16, gnutls, httpd:2.4, squid, unbound, and xorg-x11-server), SUSE (perl-Net-CIDR-Lite), and Ubuntu (apache2, maven-shared-utils, and nss).
Post Syndicated from daroc original https://lwn.net/Articles/968375/
The LWN.net Weekly Edition for April 11, 2024 is available.
Post Syndicated from daroc original https://lwn.net/Articles/968600/
On April 3 security researcher Bartek Nowotarski
published the details of a new denial-of-service (DoS)
attack, called a “continuation flood”, against many
HTTP/2-capable web
servers. While the attack is not terribly complex, it affects many independent
implementations of the HTTP/2 protocol, even though multiple
similar vulnerabilities over the years have given implementers plenty of warning.
Post Syndicated from daroc original https://lwn.net/Articles/967016/
There are many mechanisms for deferred work in the Linux kernel. One of them,
workqueues, has seen increasing use as part of
the move away from software interrupts. Alison Chaiken gave a talk
at SCALE
about how they compare to software interrupts, the new challenges they pose for
system administrators, and what tools are available to
kernel developers wishing to diagnose problems with workqueues as they become
increasingly prevalent.
Post Syndicated from daroc original https://lwn.net/Articles/968566/
The Eclipse Foundation, the organization
behind the Eclipse IDE and many other software projects, announced
a collaboration between several different open-source-software foundations to
create a specification describing secure software development best practices.
This work is motivated by the European Union’s Cyber Resilience Act (CRA).
The leading open source communities and foundations have for
years developed and practised secure software development
processes. These are processes that have often defined or set
industry best practices around things such as coordinated
disclosure, peer review, and release processes. These processes
have been documented by each of these communities, albeit
sometimes using different terminology and approaches. We
hypothesise that the cybersecurity process technical
documentation that already exists amongst the open source
communities can provide a useful starting point for developing
the cybersecurity processes required for regulatory compliance.
(Thanks to Martin Michlmayr.)
Post Syndicated from daroc original https://lwn.net/Articles/968561/
Security updates have been issued by Debian (cockpit), Mageia (python-pygments), Red Hat (nodejs), Slackware (httpd and nghttp2), SUSE (avahi, gradle, gradle-bootstrap, and squid), and Ubuntu (xorg-server, xwayland).
Post Syndicated from daroc original https://lwn.net/Articles/968429/
V8, the JavaScript engine used in Chrome,
announced
that its memory sandbox is no longer experimental.
Chrome 123 could therefore be considered to be a sort of “beta”
release for the sandbox. This blog post uses this opportunity to
discuss the motivation behind the sandbox, show how it prevents
memory corruption in V8 from spreading within the host process, and
ultimately explain why it is a necessary step towards memory safety.
Post Syndicated from daroc original https://lwn.net/Articles/967192/
Versions 5.6.0 and 5.6.1 of the
XZ
compression utility and library
were shipped with a backdoor that targeted
OpenSSH.
Andres Freund
discovered the backdoor by
noticing that failed SSH logins were taking a lot of
CPU time while doing some
micro-benchmarking, and tracking down the backdoor from there. It was introduced
by XZ co-maintainer “Jia Tan” — a probable alias for person or persons unknown.
The backdoor is a sophisticated attack with multiple parts, from the build
system, to link time, to run time.
Post Syndicated from daroc original https://lwn.net/Articles/966618/
At SCALE
this year Dan Schatzberg and Tejun Heo,
both from Meta, gave back-to-back talks about some
of the performance-engineering work that they do there. Schatzberg presented on
the extensible BPF scheduler, which has been
discussed extensively on the kernel mailing list.
Heo presented on IOCost — a control group (cgroup) I/O controller
optimized for solid-state disks (SSDs) — and the benchmark suite that is necessary to
make it work well on different models of disk.
Post Syndicated from daroc original https://lwn.net/Articles/967134/
Security updates have been issued by Debian (chromium), Fedora (apache-commons-configuration, chromium, csmock, ofono, onnx, php-tcpdf, and podman-tui), Mageia (curl), Oracle (libreoffice), Slackware (coreutils, seamonkey, and util), SUSE (minidlna, PackageKit, and podman), and Ubuntu (linux-azure-6.5 and linux-intel-iotg, linux-intel-iotg-5.15).
Post Syndicated from daroc original https://lwn.net/Articles/965508/
Keith Fiske gave a talk
(with
slides) about the state of partitioning — splitting a large
table into smaller tables for performance reasons — in
PostgreSQL at
SCALE
this year. He spoke about the existing support for partitioning, what work still
needs to be done, and what place existing partitioning tools, like his own
pg_partman, still have as PostgreSQL gains more built-in features.
Post Syndicated from daroc original https://lwn.net/Articles/966118/
The LWN.net Weekly Edition for March 28, 2024 is available.
Post Syndicated from daroc original https://lwn.net/Articles/965516/
Jason Nucciarone and Felipe Reyes gave back-to-back talks
about high-performance computing (HPC) using Ubuntu at
SCALE this
year. Nucciarone talked about ongoing work packaging
Open OnDemand — a web-based HPC cluster interface —
to make high-performance-computing clusters
more user friendly. Reyes presented on using
OpenStack — a cloud-computing platform
— to pass the performance benefits of one’s hardware through
to virtual machines (VMs) running on a cluster.
Post Syndicated from daroc original https://lwn.net/Articles/965631/
The first-ever NixCon
in North America was co-located with
SCALE this year. The
event drew a mix of experienced
Nix users
and people new to the project.
I attended talks that covered using Nix to build Docker images, upcoming changes
to how NixOS performs early booting, and ideas for making the set of services
provided in nixpkgs
more useful for self hosting. (LWN covered the relationship between
Nix, NixOS, and nixpkgs in a
recent article.)
Near the end of the
conference, a collection of Nix contributors gave a “State of the Union”
talk describing the growth of the project and highlighting areas of concern.
Post Syndicated from daroc original https://lwn.net/Articles/966415/
Security updates have been issued by Debian (firefox-esr, pillow, and thunderbird), Fedora (apptainer, chromium, ovn, and webkitgtk), Mageia (apache-mod_auth_openidc, ffmpeg, fontforge, libuv, and nodejs-tough-cookie), Oracle (kernel, libreoffice, postgresql-jdbc, ruby:3.1, squid, and squid:4), Red Hat (go-toolset:rhel8 and libreoffice), SUSE (firefox, jbcrypt, trilead-ssh2, jsch-agent-proxy, kernel, tiff, and zziplib), and Ubuntu (linux-aws and openssl1.0).