All posts by jake

[$] Mozilla Rally: trading privacy for the “public good”

Post Syndicated from jake original https://lwn.net/Articles/861379/rss

A new project from Mozilla, which is meant to help researchers collect
browsing data, but only with the informed consent of the browser user, is taking a lot of
heat, perhaps in part because the company can never seem to do anything
right, at least in the eyes of some. Mozilla Rally was announced
on June 25 as a joint venture between the company and researchers at
Princeton University “to enable crowdsourced science for public
good”. The idea is that users can volunteer to give academic studies access to
the same kinds of browser data that are already being tracked in some browsers
today. Whether the privacy safeguards are strong
enough—and if there is sufficient reason for users to sign up—remains to be seen.

An EPYC escape: Case-study of a KVM breakout (Project Zero blog)

Post Syndicated from jake original https://lwn.net/Articles/861330/rss

Over at the Project Zero blog, Felix Wilhelm posted a lengthy account of a vulnerability he found in the Linux kernel’s KVM (Kernel-based virtual machine) subsystem:

In this blog post I describe a vulnerability in KVM’s AMD-specific code and discuss how this bug can be turned into a full virtual machine escape. To the best of my knowledge, this is the first public writeup of a KVM guest-to-host breakout that does not rely on bugs in user space components such as QEMU. The discussed bug was assigned CVE-2021-29657, affects kernel versions v5.10-rc1 to v5.12-rc6 and was patched at the end of March 2021. As the bug only became exploitable in v5.10 and was discovered roughly 5 months later, most real world deployments of KVM should not be affected. I still think the issue is an interesting case study in the work required to build a stable guest-to-host escape against KVM and hope that this writeup can strengthen the case that hypervisor compromises are not only theoretical issues.
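The one thing an operator can act on in the quoted paragraph is the affected range, v5.10-rc1 through v5.12-rc6. The following is an added example, not code from the Project Zero post or from the kernel: it parses an upstream kernel version string (including the `-rcN` suffix and a trailing distribution suffix such as `-1234-azure`, which it ignores) and reports whether it falls inside that range. The check is deliberately a heuristic: distribution kernels and the stable branches backport fixes without changing the upstream version number, so a hit means "look up the distribution advisory", not "vulnerable".

```python
"""Affected-range check for the KVM bug quoted above: the Project Zero post
states that CVE-2021-29657 affects v5.10-rc1 through v5.12-rc6.
Added example, not from the Project Zero post or the kernel tree.
The comparison is on the upstream version only. Distribution kernels and
stable point releases carry backported fixes without changing that number,
so a positive result means "check the vendor advisory", not "vulnerable"."""
import platform
import re
from typing import Optional, Tuple

AFFECTED_FROM = "v5.10-rc1"   # range as stated in the Project Zero post
AFFECTED_TO = "v5.12-rc6"

# Optional leading 'v', major.minor, optional .patch, optional -rcN.
# Anything after that (e.g. '-1234-azure', '.el8') is a distro suffix and ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")

# A final release sorts after every rc of the same major.minor.
_FINAL = 10**6


def parse_kernel_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn 'v5.10-rc1', '5.11.3' or '5.10.0-1234-azure' into a comparable
    (major, minor, patch, rc) tuple, or None if it is not a kernel version.
    rc builds get rc=N; final releases get the _FINAL sentinel so that
    5.12-rc6 < 5.12 < 5.12.1 compare the way the kernel numbers them."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    rc = int(m.group(4)) if m.group(4) else _FINAL
    return (major, minor, patch, rc)


def in_affected_range(text: str) -> Optional[bool]:
    """True if the upstream version lies in [AFFECTED_FROM, AFFECTED_TO]
    (inclusive, as the post gives it), False if outside, None if unparseable."""
    v = parse_kernel_version(text)
    if v is None:
        return None
    return parse_kernel_version(AFFECTED_FROM) <= v <= parse_kernel_version(AFFECTED_TO)


def running_kernel_status() -> str:
    """Report on the kernel this script is running on (same string as uname -r)."""
    release = platform.release()
    verdict = in_affected_range(release)
    if verdict is None:
        return f"{release}: could not parse an upstream version"
    if verdict:
        return (f"{release}: upstream version inside the affected range; "
                f"check the distribution advisory for a backported fix")
    return f"{release}: upstream version outside the affected range"


if __name__ == "__main__":
    print(running_kernel_status())
```

Run it on a host and it prints one line for the running kernel; the parsing and range functions are separate so the same check can be applied to a list of versions pulled from an inventory.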

[$] An unpleasant surprise for My Book Live owners

Post Syndicated from jake original https://lwn.net/Articles/861235/rss

Embedded devices need regular software updates in order to even be
minimally safe on today’s internet. Products that have reached their “end
of life”, and thus are no longer being updated, are essentially ticking time
bombs—it is only a matter of time before they are vulnerable to
attack. That situation played out in June for owners of Western
Digital (WD) My Book Live network-attached storage (NAS) devices; what was
meant to be a disk for home users
accessible via the internet turned into a black hole when a remote
command-execution flaw was used to delete all of the data stored there. Or
so it seemed at first.

Take control over your data with Rally, a novel privacy-first data sharing platform (Mozilla blog)

Post Syndicated from jake original https://lwn.net/Articles/861004/rss

Over on the Mozilla blog, the company has announced a new platform, Mozilla Rally, that “puts users in control of their data and empowers them to contribute their browsing data to crowdfund projects for a better Internet and a better society”. Rally comes out of work that Mozilla did with Professor Jonathan Mayer’s research group at Princeton University.

Your data is valuable. But for too long, online services have pilfered, swapped, and exploited your data without your awareness. Privacy violations and filter bubbles are all consequences of a surveillance data economy. But what if, instead of companies taking your data without giving you a say, you could select who gets access to your data and put it to work for public good?

[…] By leveraging the scale of web browsers – a piece of software used by billions of people around the world – Rally has the potential to help address societal problems we could not solve before. Our goal is to demonstrate that there is a case for an equitable market for data, one where every party is treated fairly, and we welcome mission-aligned organizations that want to join us on this journey.

Security updates for Friday

Post Syndicated from jake original https://lwn.net/Articles/848416/rss

Security updates have been issued by Fedora (389-ds-base, dogtag-pki, dpdk, freeipa, isync, openvswitch, pki-core, and screen), Mageia (bind, chromium-browser-stable, gnome-autoar, jasper, openldap, openssl and compat-openssl10, screen, webkit2, and xpdf), Oracle (grub2), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, nodejs:10, and nodejs:12), SUSE (freeradius-server), and Ubuntu (wpa).

Security updates for Thursday

Post Syndicated from jake original https://lwn.net/Articles/848223/rss

Security updates have been issued by Fedora (389-ds-base, dogtag-pki, freeipa, isync, pki-core, and screen), Mageia (firefox, kernel, kernel-linus, libtiff, nonfree-firmware, and thunderbird), Red Hat (bind and java-1.8.0-ibm), Scientific Linux (grub2), and SUSE (kernel-firmware, openldap2, postgresql12, and python-cryptography).

[$] Alternative syntax for Python’s lambda

Post Syndicated from jake original https://lwn.net/Articles/847960/rss

The Python lambda
keyword, which can be used to create small, anonymous functions,
comes from the world of functional programming, but is perhaps not the
most beloved of Python features.
In part, that may be because it is somewhat clunky to use, especially in
comparison to the shorthand notation offered by other languages, such as
JavaScript. That has led to discussions on the Python mailing lists, since
mid-February, about possible changes to lambda.

[$] PipeWire: The Linux audio/video bus

Post Syndicated from jake original https://lwn.net/Articles/847412/rss

For more than a decade, PulseAudio
has been serving the Linux desktop as its predominant audio
mixing and routing daemon — and its audio API. Unfortunately,
PulseAudio’s internal architecture does not fit the growing
sandboxed-applications use case, even though there have been attempts to amend that. PipeWire, a new daemon created (in part)
out of these attempts, will replace
PulseAudio
in the upcoming Fedora 34 release. It is a coming
transition that deserves a look.

Mageia 8 has been released

Post Syndicated from jake original https://lwn.net/Articles/847625/rss

The Mageia distribution has announced
the release of Mageia 8. It comes with the usual array of new
packages, including a 5.10.16 kernel, Plasma 5.20.4,
GNOME 3.38, Firefox 78, Chromium 88, LibreOffice 7.0.4.2, and more.
ARM support has continued to develop, with both AArch64 and ARMv7
now having all packages built and being close to primary-architecture
status. Support for Wi-Fi installation in the classical installer using WPA2
encryption has been added, as well as improved support for newer
filesystems, allowing installations on F2FS. Support for NILFS, XFS, exFAT
and Windows 10 NTFS has been improved to allow for better partition
management. The Live installer has also had significant development. Boot
times have been greatly reduced with the use of Zstd compression and
improved hardware detection, and support for installing updates as a
final step of the installation has been added. Zstd compression has also
been applied to the rescue mode, allowing for faster startup, and support for
encrypted LVM/LUKS has been added there as well.

Security updates for Friday

Post Syndicated from jake original https://lwn.net/Articles/847581/rss

Security updates have been issued by Debian (python-pysaml2 and redis), Fedora (buildah, containernetworking-plugins, containers-common, libmysofa, libpq, podman, postgresql, skopeo, xen, and xterm), openSUSE (nghttp2), Oracle (firefox and thunderbird), SUSE (glibc, ImageMagick, python-Jinja2, and salt), and Ubuntu (python2.7, python2.7, python3.4, python3.5, python3.6, python3.8, and tiff).

Security updates for Thursday

Post Syndicated from jake original https://lwn.net/Articles/847390/rss

Security updates have been issued by Arch Linux (ansible-base, keycloak, mumble, and postgresql), Debian (firefox-esr and nodejs), Fedora (dotnet3.1, dotnet5.0, keylime, php-horde-Horde-Text-Filter, radare2, scap-security-guide, and wireshark), openSUSE (postgresql, postgresql13 and python-djangorestframework), Red Hat (Ansible, firefox, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (php7, postgresql-jdbc, python-cryptography, rpmlint, and webkit2gtk3), and Ubuntu (dnsmasq, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.8, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-raspi2, linux-snapdragon, linux-oem-5.10, linux-oem-5.6, screen, and xterm).

[$] A pair of Python vulnerabilities

Post Syndicated from jake original https://lwn.net/Articles/846847/rss

Two separate vulnerabilities led to the fast-tracked release
of Python 3.9.2 and 3.8.8 on February 19, though source-only releases
of 3.7.10 and 3.6.13 came a few days earlier. The
vulnerabilities may be problematic for some Python users and
workloads; one could potentially lead to remote code execution. The other
is, arguably, not exactly a flaw in the Python standard library—it simply
also follows an older standard—but it can lead to web cache poisoning
attacks.
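The teaser does not name the two issues. The cache-poisoning one is the query-string separator behaviour of `urllib.parse.parse_qs`/`parse_qsl`, which until these releases split parameters on both `&` and `;` (the older W3C recommendation the teaser alludes to) while caches and proxies normally split on `&` alone; the fix added a `separator` argument defaulting to `&` only. The following is an added example, not code from the LWN article or from CPython, showing how that disagreement is abused. The cache and backend are constructed stand-ins: the cache drops `utm_*` tracking parameters from its key (as many CDNs can be configured to do), and the backend reflects a JSONP `callback` parameter. It needs a Python with the `separator` keyword, i.e. 3.9.2/3.8.8 or later; the pre-fix behaviour is emulated rather than run.

```python
"""Query-separator confusion: the mechanism behind the web cache poisoning
issue mentioned above. Added example, not from the LWN article or CPython.
Before 3.9.2/3.8.8, parse_qs/parse_qsl treated both '&' and ';' as parameter
separators; caches usually split on '&' only. A parameter the cache sees as
part of a harmless, unkeyed value is one the backend acts on.
The cache and backend here are constructed stand-ins, not real software."""
from urllib.parse import parse_qsl


def cache_key(path: str, query: str) -> str:
    """Constructed cache: keys responses on path plus query, but drops
    'utm_*' tracking parameters from the key. Splits on '&' only, like
    most CDNs. Keyed parameters are sorted so their order does not matter."""
    keyed = sorted(
        (k, v)
        for k, v in parse_qsl(query, keep_blank_values=True, separator="&")
        if not k.startswith("utm_")
    )
    if not keyed:
        return path
    return path + "?" + "&".join(f"{k}={v}" for k, v in keyed)


def backend_params_legacy(query: str) -> dict:
    """Pre-3.9.2 semantics, emulated: ';' separates parameters as well as '&'."""
    return dict(parse_qsl(query.replace(";", "&"), keep_blank_values=True, separator="&"))


def backend_params_fixed(query: str) -> dict:
    """3.9.2+ default: '&' only (the separator argument was added by the fix)."""
    return dict(parse_qsl(query, keep_blank_values=True, separator="&"))


def render(params: dict) -> str:
    """Constructed backend page: a JSONP endpoint that reflects the optional
    'callback' name into its response body."""
    cb = params.get("callback", "handle")
    return f"{cb}({{}})"


def poisoning_attempt(query: str, backend) -> dict:
    """Send one attacker request through cache and backend. The response the
    backend returns is what the cache stores under cache_key; report whether
    that key is the same one a user requesting the bare path would hit."""
    key = cache_key("/data.js", query)
    body = render(backend(query))
    return {
        "cache_key": key,
        "body": body,
        "poisons_plain_page": key == cache_key("/data.js", ""),
        "attacker_controlled": "alert" in body,
    }


# Constructed attacker query: to the cache this is a single unkeyed
# utm_content value; to a legacy backend it is utm_content=x AND callback=alert.
ATTACK = "utm_content=x;callback=alert"

if __name__ == "__main__":
    for name, backend in (("legacy", backend_params_legacy), ("fixed", backend_params_fixed)):
        print(name, poisoning_attempt(ATTACK, backend))
```

With the legacy backend the attacker's response (`alert({})`) is stored under the key for the plain `/data.js` and served to every later visitor; with the fixed parser the whole string stays inside the `utm_content` value, the callback is untouched, and the cache key is still harmless. The same disagreement can be turned around (cache splitting on `;`, backend on `&`), which is why the separator must be a single, agreed-upon choice across every layer that parses the query string.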

[$] NumPy 1.20 has been released

Post Syndicated from jake original https://lwn.net/Articles/847039/rss

NumPy is a Python library that adds
an array data type to the language, along with providing operators
appropriate to working on arrays and matrices. By wrapping fast Fortran and
C numerical routines, NumPy allows Python
programmers to write performant code in what is normally a relatively slow
language. NumPy 1.20.0 was announced
on January 30, in what its developers describe as the largest
release in the history of the project. That makes for a good opportunity to
show a little bit about what NumPy is, how to use it, and to describe what’s new in the
release.

Security updates for Friday

Post Syndicated from jake original https://lwn.net/Articles/846787/rss

Security updates have been issued by Debian (bind9, libbsd, openssl1.0, php-horde-text-filter, qemu, and unrar-free), Fedora (kiwix-desktop and libntlm), Mageia (coturn, mediawiki, privoxy, and veracrypt), openSUSE (buildah, libcontainers-common, podman), Oracle (kernel, nss, and perl), Red Hat (xterm), SUSE (java-1_7_1-ibm, php74, python-urllib3, and qemu), and Ubuntu (libjackson-json-java and shiro).

[$] What goes into default Debian?

Post Syndicated from jake original https://lwn.net/Articles/846405/rss

The venerable locate
file-finding utility has long been available for Linux systems, though its
origins are in the BSD world. It is a generally useful tool, but does have
a cost beyond just the disk space it occupies in the filesystem; there is a
periodic daemon (updatedb)
that runs to keep the file-name database up to date. As a recent
debian-devel discussion shows, though, people have differing ideas of
just how important the tool is—and whether it should be part of the default installation of Debian.

[$] Malware in open-source web extensions

Post Syndicated from jake original https://lwn.net/Articles/846272/rss

On February 4, millions of browser tabs were
suddenly terminated. Not everyone was surprised; the dozen people who spent the last
four months waiting for this tragedy to occur watched in relief as the
first in a rapid stream of GitHub comments
began pouring in. The Great Suspender, a Chrome
extension that suspended inactive tabs,
with around two million users, had been forcibly uninstalled because it contained
malware. This was a serious problem for users, in part due to the difficulty in
recovering the lost tabs, but the extension’s malevolence had been
painfully obvious to anyone who cared to investigate it.

Security updates for Friday

Post Syndicated from jake original https://lwn.net/Articles/845999/rss

Security updates have been issued by Arch Linux (ansible, chromium, cups, docker, firefox, gitlab, glibc, helm, lib32-glibc, minio, nextcloud, opendoas, opera, php, php7, privoxy, python-django, python-jinja, python2-jinja, thunderbird, vivaldi, and wireshark-cli), Fedora (jasper, linux-firmware, php, python-cryptography, spice-vdagent, subversion, and thunderbird), Mageia (gssproxy and phpldapadmin), openSUSE (chromium, containerd, docker, docker-runc, librepo, nextcloud, and privoxy), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork, kernel, openvswitch, and wpa_supplicant), and Ubuntu (wpa).