All posts by jzb

Security updates for Wednesday

Post Syndicated from jzb original https://lwn.net/Articles/1023793/

Security updates have been issued by AlmaLinux (git, krb5, perl-CPAN, and rsync), Debian (tcpdf), Fedora (libmodsecurity, lua-http, microcode_ctl, and nextcloud), Red Hat (osbuild-composer), SUSE (389-ds, avahi, ca-certificates-mozilla, docker, expat, freetype2, glib2, gnuplot, gnutls, golang-github-teddysun-v2ray-plugin, golang-github-v2fly-v2ray-core, govulncheck-vulndb, helm, iperf, kernel, kernel-livepatch-MICRO-6-0_Update_2, kernel-livepatch-MICRO-6-0_Update_4, krb5, libarchive, libsoup, libsoup2, libtasn1, libX11, libxml2, libxslt, orc, podman, python-Jinja2, python-requests, python3-setuptools, python310, python311, python39, rubygem-rack, sslh, SUSE Manager Client Tools, SUSE Manager Client Tools and Salt Bundle, ucode-intel, util-linux, and wget), and Ubuntu (libvpx, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-nvidia-tegra, linux-oracle, linux, linux-aws, linux-kvm, linux-aws, linux-lts-xenial, linux-aws-fips, linux-azure-fips, linux-fips, linux-gcp-fips, linux-aws-fips, linux-gcp-fips, linux-azure-fde, linux-fips, and linux-intel-iot-realtime, linux-realtime).

[$] OpenH264 induces headaches for Fedora

Post Syndicated from jzb original https://lwn.net/Articles/1023088/

Software patents and workarounds for them are, once again,
causing headaches for open-source projects and users. This time
around, Fedora users have been vulnerable to a serious flaw in the OpenH264 library for
months—not for want of a fix, but because of the Rube
Goldberg machine
methodology of distributing the library to Fedora
users. The software is open source under a two-clause BSD license; the RPMs are built and
signed by Fedora, but the final product is distributed by Cisco, so
the company can pick up the tab for license fees. Unfortunately, a
breakdown in the process of handing RPMs to Cisco for distribution has
left Fedora users vulnerable, and inaction on Fedora’s part has left
users unaware that they are at risk.

[$] Out of Pocket and into the wallabag

Post Syndicated from jzb original https://lwn.net/Articles/1022399/

Mozilla has decided to throw in
the towel
on Pocket, a social-bookmarking
service that it acquired in 2017. This has left many users scrambling
for a replacement for Pocket before its shutdown in July. One possible
option is wallabag, a
self-hostable, MIT-licensed project for saving web content for later
reading. It can import saved data from services like Pocket, share
content on the web, export to various formats, and more. Even better,
it puts users in control of their data long-term.

Local vulnerabilities in Kea DHCP

Post Syndicated from jzb original https://lwn.net/Articles/1023093/

The SUSE Security Team has published a detailed report about security
vulnerabilities it discovered in the Kea DHCP server suite from the
Internet Systems Consortium (ISC).

Since SUSE is also going to ship Kea DHCP in its products, we
performed a routine review of its code base. Even before checking the
network security of Kea, we stumbled over a range of local security
issues, among them a local root exploit which is possible in many
default installations of Kea on Linux and BSD distributions. […]

This report is based on Kea release 2.6.1. Any source code
references in this report relate to this version. Many systems still
ship older releases of Kea, but we believe they are all affected as
well by the issues described in this report.

The report details seven security issues, including local privilege
escalation and arbitrary file overwrite vulnerabilities. Fixed versions
of all currently supported release series of Kea (2.4.2, 2.6.3, and the
2.7.9 development release) were released on May 28. Kea has assigned
CVE-2025-32801, CVE-2025-32802, and CVE-2025-32803 to the
vulnerabilities; note that some of the CVEs cover multiple security
flaws.

[$] Glibc project revisits infrastructure security

Post Syndicated from jzb original https://lwn.net/Articles/1021837/

The GNU C Library
(glibc) is the core C library for most Linux distributions, so it is a
crucial part of the open-source ecosystem—and an attractive
target for any attackers looking to carry out supply-chain
attacks. With that being the case, securing the project’s
infrastructure using industry best practices and improving the
security of its development practices are a frequent topic among glibc
developers. A recent discussion suggests that improvements are not
happening as quickly as some would like.

[$] System-wide encrypted DNS

Post Syndicated from jzb original https://lwn.net/Articles/1021357/

The increasing sophistication of attackers has organizations
realizing that perimeter-based security models are inadequate. Many
are planning to transition their internal networks to a zero-trust
architecture. This requires every communication on the network to
be encrypted, authenticated, and authorized. This can be achieved in
applications and services by using modern communication
protocols. However, the world still depends on Domain Name System
(DNS) services where encryption, while possible, is far from being the
industry standard. To address this we, as part of a working group at
Red Hat, worked on fully integrating encrypted DNS for Linux
systems—not only while the system is running but also during the
installation and boot process, including support for a custom
certificate chain in the initial ramdisk. This integration is now
available in CentOS Stream 9, 10, and the upcoming
Fedora 43 release.

Security updates for Wednesday

Post Syndicated from jzb original https://lwn.net/Articles/1022853/

Security updates have been issued by AlmaLinux (gstreamer1-plugins-bad-free and kernel), Arch Linux (bind and varnish), Debian (glibc and syslog-ng), Fedora (microcode_ctl, mozilla-ublock-origin, nodejs20, and nodejs22), Mageia (firefox, nss, rootcerts, open-vm-tools, sqlite3, and thunderbird), Oracle (gstreamer1-plugins-bad-free, kernel, libsoup, nodejs:22, php, php:8.2, php:8.3, python-tornado, redis, and redis:7), Red Hat (libsoup, pcs, and python-tornado), Slackware (mozilla), SUSE (bind, dnsdist, elemental-operator, govulncheck-vulndb, gstreamer-plugins-bad, jetty-annotations, jq, libnss_slurm2, libyelp0, mariadb, nvidia-open-driver-G06-signed, prometheus-blackbox_exporter, python-h11, python-httpcore, python-setuptools, python312, python39-setuptools, screen, sqlite3, umoci, and webkit2gtk3), and Ubuntu (cifs-utils, glibc, linux-aws, linux-intel-iotg-5.15, linux-nvidia-tegra-igx, linux-raspi, linux-aws-fips, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.11, linux-oracle, linux-raspi, linux-raspi-5.4, and net-tools).

Fedora Council overturns FESCo provenpackager decision

Post Syndicated from jzb original https://lwn.net/Articles/1022243/

The Fedora Council has ruled on the Fedora Engineering Steering
Council’s (FESCo) decision last year to revoke Peter Robinson’s
provenpackager status. In a statement
published to the fedora-devel-announce mailing list, the council has
announced that it has overturned FESCo’s decision:

FESCo didn’t have a specific policy for dealing with a request to remove
Proven Packager rights. In addition, the FESCo process was handled entirely
in private. The contributor didn’t receive a formal notification or warning
from FESCo, and felt blindsided by the official decision when and how it was
announced. The Fedora Council would like to extend our sincerest apology on
behalf of the Fedora Project to them.

LWN covered the
story in December 2024.

Status report on optional Rust in FreeBSD support

Post Syndicated from jzb original https://lwn.net/Articles/1022040/

Shawn Webb has published a status
report
on work to provide basic support in FreeBSD for userland components
written in Rust.

We introduced a new BSD makefile, located at share/mk/bsd.rust.mk,
that enables building a Rust application during buildworld. As of this
writing, we only support building and installing Rust
applications. Supporting library crates is planned (we would like to
be able to build/install library crates that expose an FFI, like for
C/C++ compatibility). Normal library crates build and install just
fine. Support for cdylib Rust library crates specifically is what’s
missing, but is desired and planned.

We do NOT currently support Rust in the kernel. Kernel support
requires more work that we deemed out-of-scope for this initial
proof-of-concept/work-in-progress patchset. We also do NOT support
building multiple programs in the same BSD Makefile (like with
bsd.progs.mk), though that is also a desired feature.

LWN covered a
discussion about including Rust in the FreeBSD base system in August
2024.

Security updates for Wednesday

Post Syndicated from jzb original https://lwn.net/Articles/1022030/

Security updates have been issued by AlmaLinux (.NET 8.0, avahi, buildah, compat-openssl10, compat-openssl11, expat, firefox, gimp, git, grafana, libsoup, libxslt, mod_auth_openidc, nginx, nodejs:22, osbuild-composer, php, redis, redis:7, skopeo, thunderbird, vim, webkit2gtk3, xterm, and yelp), Arch Linux (dropbear, freetype2, go, nodejs, nodejs-lts-iron, nodejs-lts-jod, python-django, webkit2gtk, webkit2gtk-4.1, webkitgtk-6.0, and wpewebkit), Debian (mongo-c-driver), Fedora (openssh, perl-Mojolicious, thunderbird, yelp, and yelp-xsl), Red Hat (firefox, java-1.8.0-openjdk, java-11-openjdk with Extended Lifecycle Support, java-21-ibm-semeru-certified-jdk, java-21-openjdk, kernel, libxslt, ruby, ruby:3.1, ruby:3.3, unbound, and webkit2gtk3), SUSE (glib2, grub2, kernel, libwebp, openssh, and s390-tools), and Ubuntu (linux, linux-azure, linux-azure-6.11, linux-gcp, linux-gcp-6.11, linux-hwe-6.11, linux-oem-6.11, linux-raspi, linux-realtime, linux-azure, linux-azure-5.15, linux-nvidia-tegra, linux-azure, linux-azure-6.8, linux-oem-6.8, linux-azure, linux-kvm, linux-azure-fips, linux-azure-nvidia, linux-gcp, linux-gcp-6.8, linux-gkeop, linux-gke, linux-intel-iot-realtime, linux-realtime, linux-raspi-realtime, mariadb-10.6, and postgresql-12, postgresql-14, postgresql-16).

[$] Debian AI General Resolution withdrawn

Post Syndicated from jzb original https://lwn.net/Articles/1020968/

Despite careful planning and months of warning, Debian developer Mo
Zhou has acknowledged that the project needs more time to grapple with
the questions around AI models and the Debian Free Software Guidelines
(DFSG). For now, he has withdrawn his proposed General Resolution (GR)
that would have required the original training data for AI models to
be released in order to be considered DFSG-compliant—though the
debates on the topic continue.

Red Hat Enterprise Linux 10 released

Post Syndicated from jzb original https://lwn.net/Articles/1021827/

Red Hat has announced
the release of Red Hat Enterprise Linux (RHEL) 10. A blog post
accompanying the release provides details on some of the more notable
features, such as encrypted DNS, a developer preview of RHEL 10
for RISC-V,
and image mode for RHEL using bootc.

Image mode for RHEL lets you deploy your OS as a bootc image to your
hardware, virtual machine or cloud, and then layer your app on top of
it. That’s a far less complex operation than traditional packaged
deployments, and it gives developers and image maintainers a common
experience and total control over their environment.

RHEL 10 includes the 6.12.0 kernel, GCC 14.2, GNU
Binutils 2.41, GNU C Library (glibc) 2.39, Python 3.12,
Perl 5.40, and more. See the release
notes
for a full list of changes. LWN covered
CentOS Stream 10 in December, which provided an early look
at what would be in the RHEL 10 release.

Go cryptography security audit (The Go Blog)

Post Syndicated from jzb original https://lwn.net/Articles/1021745/

Roland Shoemaker has published a blog post about a
recent security audit of the cryptography packages shipped as part of
the Go standard library. The audit, performed by the Trail of Bits security firm,
uncovered one low-severity vulnerability in the legacy Go+BoringCrypto
integration, as well as a handful of informational findings.

During the review, there were a number of questions about our
cgo-based Go+BoringCrypto integration, which provides a FIPS 140-2
compliant cryptography mode for internal usage at Google. The
Go+BoringCrypto code is not supported by the Go team for external use,
but has been critical for Google’s internal usage of Go.

The Trail of Bits team found one vulnerability and one non-security relevant bug,
both of which were results of the manual memory management required to
interact with a C library. Since the Go team does not support usage of
this code outside of Google, we have chosen not to issue a CVE or Go
vulnerability database entry for this issue, but we fixed it in the Go
1.25 development tree.

The entire report is available
as a PDF for those who enjoy a little light security reading.

An Asahi Linux 6.15 progress report

Post Syndicated from jzb original https://lwn.net/Articles/1021484/

The Asahi Linux
project, which supports Linux on Apple Silicon Macs, has published a
progress report ahead of the 6.15 kernel’s release.

We are pleased to announce that our graphics driver userspace API
(uAPI) has been merged into the Linux kernel. This major milestone
allows us to finally enable OpenGL, OpenCL and Vulkan support for
Apple Silicon in upstream Mesa. This is the only time a graphics
driver’s uAPI has been merged into the kernel independent of the
driver itself, which was kindly allowed by the kernel graphics
subsystem (DRM) maintainers to facilitate upstream Mesa enablement
while the required Rust abstractions make their way upstream. We are
grateful for this one-off exception, made possible with close
collaboration with the kernel community.

Oniux: kernel-level Tor isolation for Linux applications

Post Syndicated from jzb original https://lwn.net/Articles/1021354/

The Tor project has announced
the oniux utility which provides Tor network isolation, using Linux
namespaces, for third-party applications.

Namespaces are a powerful feature that gives us the ability to
isolate Tor network access of an arbitrary application. We put each
application in a network namespace that doesn’t provide access to
system-wide network interfaces (such as eth0), and instead provides a
custom network interface onion0.

This allows us to isolate an arbitrary application over Tor in the
most secure way possible software-wise, namely by relying on a
security primitive offered by the operating system kernel. Unlike
SOCKS, the application cannot accidentally leak data by failing to
make some connection via the configured SOCKS, which may happen due to
a mistake by the developer.

The Tor project cautions that oniux is considered experimental because
the software it depends on, such as Arti and onionmasq, is still new.