All posts by daroc

[$] Continued attacks on HTTP/2

Post Syndicated from daroc original https://lwn.net/Articles/968600/

On April 3 security researcher Bartek Nowotarski published the details of a new denial-of-service (DoS) attack, called a “continuation flood”, against many HTTP/2-capable web servers. While the attack is not terribly complex, it affects many independent implementations of the HTTP/2 protocol, even though multiple similar vulnerabilities over the years have given implementers plenty of warning.

[$] Diagnosing workqueues

Post Syndicated from daroc original https://lwn.net/Articles/967016/

There are many mechanisms for deferred work in the Linux kernel. One of them, workqueues, has seen increasing use as part of the move away from software interrupts. Alison Chaiken gave a talk at SCALE about how they compare to software interrupts, the new challenges they pose for system administrators, and what tools are available to kernel developers wishing to diagnose problems with workqueues as they become increasingly prevalent.

Eclipse Foundation announces collaboration for CRA compliance

Post Syndicated from daroc original https://lwn.net/Articles/968566/

The Eclipse Foundation, the organization
behind the Eclipse IDE and many other software projects, announced
a collaboration between several different open-source-software foundations to
create a specification describing secure software development best practices.
This work is motivated by the European Union’s Cyber Resilience Act (CRA).

The leading open source communities and foundations have for
years developed and practised secure software development
processes. These are processes that have often defined or set
industry best practices around things such as coordinated
disclosure, peer review, and release processes. These processes
have been documented by each of these communities, albeit
sometimes using different terminology and approaches. We
hypothesise that the cybersecurity process technical
documentation that already exists amongst the open source
communities can provide a useful starting point for developing
the cybersecurity processes required for regulatory compliance.

(Thanks to Martin Michlmayr.)

V8 incorporates new sandbox

Post Syndicated from daroc original https://lwn.net/Articles/968429/

V8, the JavaScript engine used in Chrome, announced that its memory sandbox is no longer experimental.

Chrome 123 could therefore be considered to be a sort of “beta”
release for the sandbox. This blog post uses this opportunity to
discuss the motivation behind the sandbox, show how it prevents
memory corruption in V8 from spreading within the host process, and
ultimately explain why it is a necessary step towards memory safety.

[$] How the XZ backdoor works

Post Syndicated from daroc original https://lwn.net/Articles/967192/

Versions 5.6.0 and 5.6.1 of the XZ compression utility and library were shipped with a backdoor that targeted OpenSSH. Andres Freund discovered the backdoor by noticing that failed SSH logins were taking a lot of CPU time while doing some micro-benchmarking, and tracking down the backdoor from there. It was introduced by XZ co-maintainer “Jia Tan” — a probable alias for person or persons unknown. The backdoor is a sophisticated attack with multiple parts, from the build system, to link time, to run time.

[$] Improving performance with SCHED_EXT and IOCost

Post Syndicated from daroc original https://lwn.net/Articles/966618/

At SCALE
this year Dan Schatzberg and Tejun Heo,
both from Meta, gave back-to-back talks about some
of the performance-engineering work that they do there. Schatzberg presented on
the extensible BPF scheduler, which has been
discussed extensively on the kernel mailing list.
Heo presented on IOCost — a control group (cgroup) I/O controller
optimized for solid-state disks (SSDs) — and the benchmark suite that is necessary to
make it work well on different models of disk.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/967134/

Security updates have been issued by Debian (chromium), Fedora (apache-commons-configuration, chromium, csmock, ofono, onnx, php-tcpdf, and podman-tui), Mageia (curl), Oracle (libreoffice), Slackware (coreutils, seamonkey, and util), SUSE (minidlna, PackageKit, and podman), and Ubuntu (linux-azure-6.5 and linux-intel-iotg, linux-intel-iotg-5.15).

[$] Declarative partitioning in PostgreSQL

Post Syndicated from daroc original https://lwn.net/Articles/965508/

Keith Fiske gave a talk (with slides) about the state of partitioning — splitting a large table into smaller tables for performance reasons — in PostgreSQL at SCALE this year. He spoke about the existing support for partitioning, what work still needs to be done, and what place existing partitioning tools, like his own pg_partman, still have as PostgreSQL gains more built-in features.

[$] High-performance computing with Ubuntu

Post Syndicated from daroc original https://lwn.net/Articles/965516/

Jason Nucciarone and Felipe Reyes gave back-to-back talks about high-performance computing (HPC) using Ubuntu at SCALE this year. Nucciarone talked about ongoing work packaging Open OnDemand — a web-based HPC cluster interface — to make high-performance-computing clusters more user friendly. Reyes presented on using OpenStack — a cloud-computing platform — to pass the performance benefits of one’s hardware through to virtual machines (VMs) running on a cluster.

[$] Nix at SCALE

Post Syndicated from daroc original https://lwn.net/Articles/965631/

The first-ever NixCon in North America was co-located with SCALE this year. The event drew a mix of experienced Nix users and people new to the project. I attended talks that covered using Nix to build Docker images, upcoming changes to how NixOS performs early booting, and ideas for making the set of services provided in nixpkgs more useful for self hosting. (LWN covered the relationship between Nix, NixOS, and nixpkgs in a recent article.) Near the end of the conference, a collection of Nix contributors gave a “State of the Union” talk about the growth of the project, highlighting areas of concern.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/966415/

Security updates have been issued by Debian (firefox-esr, pillow, and thunderbird), Fedora (apptainer, chromium, ovn, and webkitgtk), Mageia (apache-mod_auth_openidc, ffmpeg, fontforge, libuv, and nodejs-tough-cookie), Oracle (kernel, libreoffice, postgresql-jdbc, ruby:3.1, squid, and squid:4), Red Hat (go-toolset:rhel8 and libreoffice), SUSE (firefox, jbcrypt, trilead-ssh2, jsch-agent-proxy, kernel, tiff, and zziplib), and Ubuntu (linux-aws and openssl1.0).

[$] Cranelift code generation comes to Rust

Post Syndicated from daroc original https://lwn.net/Articles/964735/

Cranelift is an Apache-2.0-licensed
code-generation backend being developed as part
of the Wasmtime runtime for
WebAssembly.
In October 2023, the Rust project made Cranelift available as an optional
component in its nightly toolchain.
Users can now use Cranelift as the code-generation backend for debug builds of
projects written in Rust,
making it an opportune time to look at what makes Cranelift different.
Cranelift is designed to compete with existing compilers by generating
code more quickly than they can, thanks to a stripped-down design that prioritizes
only the most important optimizations.

Herb Sutter on increasing safety in C++

Post Syndicated from daroc original https://lwn.net/Articles/965147/

Herb Sutter, chair of the ISO C++ standards committee, writes about the current problems with writing secure C++, and his personal opinion on next steps to address this while maintaining backward compatibility.

If there were 90-98% fewer C++ type/bounds/initialization/lifetime vulnerabilities we wouldn’t be having this discussion. All languages have CVEs, C++ just has more (and C still more); so far in 2024, Rust has 6 CVEs, and C and C++ combined have 61 CVEs. So zero isn’t the goal; something like a 90% reduction is necessary, and a 98% reduction is sufficient, to achieve security parity with the levels of language safety provided by MSLs [memory-safe languages]… and has the strong benefit that I believe it can be achieved with perfect backward link compatibility (i.e., without changing C++’s object model, and its lifetime model which does not depend on universal tracing garbage collection and is not limited to tree-based data structures) which is essential to our being able to adopt the improvements in existing C++ projects as easily as we can adopt other new editions of C++. — After that, we can pursue additional improvements to other buckets, such as thread safety and overflow safety.

[$] Insecurity and Python pickles

Post Syndicated from daroc original https://lwn.net/Articles/964392/

Serialization is the process of transforming Python objects into a sequence of bytes which can be used to recreate a copy of the object later — or on another machine. pickle is Python’s native serialization module. It can store complex Python objects, making it an appealing prospect for moving data without having to write custom serialization code. For example, pickle is an integral component of several file formats used for machine learning. However, using pickle to deserialize untrusted files is a major security risk, because doing so can invoke arbitrary Python functions. Consequently, the machine-learning community is working to address the security issues caused by widespread use of pickle.
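As an added example (not from the article, and not the code of any of the machine-learning projects it alludes to), the following shows the mechanism behind "can invoke arbitrary Python functions" and the standard mitigation from the pickle documentation, a subclass of `pickle.Unpickler` whose `find_class()` only resolves an allowlist. The poisoned and benign pickles are constructed inline; `eval` of a harmless constant stands in for `os.system`, which a pickle would name and invoke in exactly the same way. The `Payload` class, the allowlist contents and the helper names are assumptions made for this example.

```python
import importlib
import io
import pickle


class Payload:
    """An object whose __reduce__ names a callable plus its arguments.

    pickle.dumps() stores only the module and name of the callable and the
    argument tuple; pickle.loads() imports the module, looks the name up and
    calls it. The loading side never needs this class to exist.
    """

    def __init__(self, expression):
        self.expression = expression

    def __reduce__(self):
        # eval of a harmless constant stands in for os.system("..."), which
        # would be stored and invoked in exactly the same way.
        return (eval, (self.expression,))


def make_poisoned_pickle(expression="'payload ran'.upper()"):
    """Constructed malicious input, e.g. a checkpoint from an untrusted source."""
    return pickle.dumps(Payload(expression))


def make_benign_pickle():
    """Constructed plain data of the kind a checkpoint legitimately carries."""
    return pickle.dumps({"weights": [1.0, 2.5], "name": "m", "steps": range(3)})


def load_unsafely(data):
    """The default loader: whatever callable the pickle names gets called."""
    return pickle.loads(data)


# The only (module, name) globals the restricted loader will resolve: whatever a
# legitimate file needs, and nothing that executes code or touches the OS.
SAFE_GLOBALS = {
    ("builtins", "range"), ("builtins", "slice"), ("builtins", "complex"),
    ("builtins", "set"), ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose find_class() only resolves allowlisted globals."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_restricted(data):
    """Return (True, obj) on success or (False, reason) when a global is refused."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    poisoned = make_poisoned_pickle()
    print("pickle.loads:", load_unsafely(poisoned))   # the attacker's eval ran
    print("restricted:", load_restricted(poisoned))   # refused before anything runs
    print("restricted, benign:", load_restricted(make_benign_pickle()))
```

The allowlist is the whole defence, so it must be as short as the data format allows; every global added to it (a class with a custom `__setstate__`, say) is code that an attacker's file can drive. Where the format does not need Python objects at all, a data-only format such as safetensors or JSON removes the problem rather than fencing it.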

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/964832/

Security updates have been issued by Debian (fontforge), Fedora (chromium, iwd, libell, and thunderbird), Oracle (buildah, kernel, skopeo, and tomcat), Red Hat (opencryptoki), Slackware (ghostscript), SUSE (go1.21, go1.22, google-oauth-java-client, jetty-minimal, openssl-1_0_0, python310, sudo, wpa_supplicant, and xmlgraphics-batik), and Ubuntu (libhtmlcleaner-java, linux, linux-azure, linux-azure-5.15, linux-azure-fde,
linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop,
linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15,
linux-lowlatency-hwe-5.15, linux-nvidia, linux-azure, linux-azure-6.5, linux-hwe-6.5, mqtt-client, ncurses, and puma).

[$] Not so quickly extending QUIC

Post Syndicated from daroc original https://lwn.net/Articles/964377/

QUIC is a UDP-based transport protocol that forms the foundation of HTTP/3.
It was initially developed at Google in 2012, and became an
IETF standard in
2021. Work on the protocol did not stop with its standardization, however. The
QUIC working group
published several follow-up standards. Now, it is working on
four more extensions to QUIC intended to patch over various shortcomings in the
current protocol — although progress has not been quick.

[$] Making multiple interpreters available to Python code

Post Syndicated from daroc original https://lwn.net/Articles/963512/

It has long been possible to run multiple Python interpreters in the same process — via the C API, but not within the language itself. Eric Snow has been working to make this ability available in the language for many years. Now, Snow has published PEP 734 (“Multiple Interpreters in the Stdlib”), the latest work in his quest, and submitted it to the Python steering council for a decision. If the PEP is approved, users will have an additional option for writing performant parallel Python code.