Security updates have been issued by Debian (intel-microcode, keystone, php-horde-image, and xen), Fedora (rsyslog), openSUSE (apache2, clamav, kernel, php7, qemu, samba, and Security), Oracle (mariadb and qemu-kvm), Red Hat (docker, mariadb, and qemu-kvm), Scientific Linux (mariadb and qemu-kvm), SUSE (GraphicsMagick, kernel, kgraft, mutt, perl-Archive-Zip, python, and xen), and Ubuntu (postgresql-10, postgresql-9.3, postgresql-9.5, procps, and webkit2gtk).
WebAssembly GC [garbage collection] is another potential feature of WebAssembly that could lead to security problems. Currently, some uses of WebAssembly have performance problems due to the lack of higher-level memory management in WebAssembly. For example, it is difficult to implement a performant Java Virtual Machine in WebAssembly. If WebAssembly GC is implemented, it will increase the number of applications that WebAssembly can be used for, but it will also make it more likely that vulnerabilities related to memory management will occur in both WebAssembly engines and applications written in WebAssembly.”
The Debian project is celebrating the 25th anniversary of its founding by Ian Murdock on August 16, 1993. The “Bits from Debian” blog had this to say: “Today, the Debian project is a large and thriving organization with countless self-organized teams comprised of volunteers. While it often looks chaotic from the outside, the project is sustained by its two main organizational documents: the Debian Social Contract, which provides a vision of improving society, and the Debian Free Software Guidelines, which provide an indication of what software is considered usable. They are supplemented by the project’s Constitution which lays down the project structure, and the Code of Conduct, which sets the tone for interactions within the project.
Every day over the last 25 years, people have sent bug reports and patches, uploaded packages, updated translations, created artwork, organized events about Debian, updated the website, taught others how to use Debian, and created hundreds of derivatives.” Happy birthday to the project from all of us here at LWN.
Greg Kroah-Hartman has released a new batch of stable kernels: 4.18.1, 4.17.15, 4.14.63, 4.9.120, and 4.4.148. These include the fixes for the L1 terminal fault vulnerability and a few
other fixes here and there. Users should upgrade.
Security updates have been issued by Debian (fuse), Fedora (cri-o, gdm, kernel-headers, postgresql, units, and wpa_supplicant), Mageia (iceaepe, kernel-linus, kernel-tmb, and libtomcrypt), openSUSE (aubio, libheimdal, nemo-extensions, and python-Django1), Red Hat (flash-plugin), SUSE (apache2, kernel, php7, qemu, samba, and ucode-intel), and Ubuntu (gnupg).
Social networks are typically walled gardens; users of a service can
interact with other users and their content, but cannot see or interact
with data stored in competing services. Beyond that, though, these walled
gardens have generally made it difficult or impossible to decide to switch
to a competitor—all of the user’s data is locked into a particular site. Over
time, that has been changing to some extent, but a new project has the
potential to make it straightforward to switch to a new service without
losing everything. The Data
Transfer Project (DTP) is a collaborative project between several internet
heavyweights that wants to “create an open-source, service-to-service
data portability platform“.
A kernel bug that allows a remote denial of service via crafted packets was
fixed recently and the resulting patch
was merged on July 23. But an announcement of the flaw
(which is CVE-2018-5390)
was not released until August 6—a two-week window where users
were left in the dark. It was not just the patch that might have alerted
attackers; the flaw was publicized in other ways, as well,
before the announcement, which has led to some discussion of embargo
policies on the oss-security mailing list. Within free-software circles,
embargoes are generally seen as a necessary evil, but delaying the
disclosure of an already-public bug does not sit well.
Security updates have been issued by Fedora (exiv2, kernel-headers, kernel-tools, libgit2, and thunderbird-enigmail), openSUSE (blueman, cups, gdk-pixbuf, libcdio, libraw, libsoup, libtirpc, mysql-community-server, python-mitmproxy, sssd, and virtualbox), Red Hat (cobbler), SUSE (ceph, firefox, NetworkManager-vpnc, openssh, and wireshark), and Ubuntu (openjdk-7 and openjdk-8).
Security updates have been issued by Arch Linux (kernel, linux-hardened, linux-lts, and linux-zen), Debian (kamailio and wpa), Fedora (kernel-headers, kernel-tools, moodle, and vim-syntastic), and openSUSE (clamav, enigmail, and java-11-openjdk).
The Speck cipher
is geared toward good performance in software, which makes it attractive
for smaller, often embedded, systems with underpowered CPUs that lack
hardware crypto acceleration. But it also
comes from the US National Security Agency (NSA), which worries lots of
people outside the US—and, in truth, a fair number of US citizens as well.
The NSA has earned a reputation for promulgating various types of
cryptographic algorithms with dubious properties. While the technical
arguments against Speck, which is a fairly simple and straightforward
algorithm with little room for backdoors, have not been all that
compelling, the political arguments are potent—to the point where it is
being dropped by the main
proponent for including it in the kernel.
The O’Reilly Open Source Conference (OSCON) returned to Portland, Oregon
in July for its
20th meeting. Previously, we covered some retrospectives and community-management talks
that were a big part of the conference. Of course, OSCON is also a
technology conference, and there were lots of talks on various open-source
software platforms and tools.
Subscribers can read on for the second part of an OSCON report by guest author
Software patents account for more
than half of all utility patents granted in the US over the past few
many companies see these patents as a way to fortune and growth, even while
software patents are hated by many people working in the free and
open-source movements. The field of patenting has now joined the onward
march of artificial intelligence. This was the topic of a talk at OSCON
2018 by Van Lindberg, an intellectual-property lawyer, board member and
general counsel for the Python Software Foundation, and author of the book
Property and Open Source. The disruption presented by deep
learning ranges from modest enhancements that have already been
exploited—making searches for prior art easier—to harbingers of
automatic patent generation in the future.
Security updates have been issued by Debian (busybox and mutt), Fedora (bibutils and wireshark), openSUSE (glibc and rsyslog), Slackware (blueman), SUSE (cups, ovmf, and polkit), and Ubuntu (bouncycastle, libmspack, and python-django).
Memory allocation for applications is a bit of a balancing act between
various factors including CPU performance, memory efficiency, and how the
memory is actually being allocated and
deallocated by the application. Different programs may have diverse needs,
but it is often
the kind of workload that the application is expected to handle that
determines which memory allocator performs best. That argues for a
diversity of memory allocators (and allocation strategies) but, on the
other hand, that
complicates things for Linux distributions. As a result, Fedora is
discussing ways to
rein in the spread of allocators used by its packages.
A PEP that has been around for a while, without being either accepted or
rejected, was reintroduced recently on the python-ideas mailing list.
(“None-aware operators”) would provide some syntactic sugar, in the form of
new operators, to handle cases where variables
might be the special None value. It is a feature
that other languages support, but has generally raised concerns about being
“un-Pythonic” over the years. At this point, though, the Python project
still needs to figure out how it will be
governed—and how PEPs can be accepted or rejected.
The O’Reilly Open Source
Conference (OSCON) returned to Portland, Oregon this July
for the 20th convocation of this venerable gathering. While some of the
program focused on retrospectives, there were also talks and tutorials on
multiple technical topics and open-source community management. To give you
a feel for the whole conference, we will explore it in a
two-part article. This installment will cover a retrospective of open
source and some presentations on releasing projects as open source at your
organization. A second article will include a few of the technical
topics at the conference.
Over on the Freedom to Tinker blog, Vitaly Shmatikov reports on some research he and others have been doing on machine-learning models—and what can be hidden inside them.
“Federated learning, where models are crowd-sourced from hundreds or even millions of users, is an even juicier target. In a recent paper [PDF], we show that a single malicious participant in federated learning can completely replace the joint model with another one that has the same accuracy but also incorporates backdoor functionality. For example, it can intentionally misclassify images with certain features or suggest adversary-chosen words to complete certain sentences.
When training ML [machine learning] models, it is not enough to ask if the model has learned its task well. Creators of ML models must ask what else their models have learned. Are they memorizing and leaking their training data? Are they discovering privacy-violating features that have nothing to do with their learning tasks? Are they hiding backdoor functionality? We need least-privilege ML models that learn only what they need for their task – and nothing more.”