Security updates have been issued by Debian (libav), Gentoo (chromium, firefox, libreoffice, mysql, and ruby), SUSE (kernel), and Ubuntu (bind9).
The Linux kernel currently supports two separate network packet-filtering
mechanisms: iptables and nftables. For the last few years, it has been
generally assumed that nftables would eventually replace the older iptables
implementation; few people expected that the kernel developers would,
instead, add a third packet filter. But that would appear to be what is
happening with the newly announced bpfilter
mechanism. Bpfilter may eventually replace both iptables and nftables, but
there are a lot of questions that will need to be answered first.
fifth version of the patch series adding
the boot-constraint subsystem is
under review on the linux-kernel mailing list. The purpose of this subsystem is to
honor the constraints put on devices by the
bootloader before those devices are
handed over to the operating system (OS) — Linux in our case. If these
constraints are violated, devices may fail to work properly once the kernel
starts reconfiguring the hardware; by tracking and enforcing those
constraints, instead, we can ensure that hardware continues to work
properly until the kernel is fully operational.
Security updates have been issued by Debian (quagga), Mageia (freetype2, kernel-linus, and kernel-tmb), openSUSE (chromium, GraphicsMagick, mupdf, openssl-steam, and xen), Slackware (irssi), SUSE (glibc and quagga), and Ubuntu (quagga).
For as long as the kernel has included tracepoints, developers have argued
over whether those tracepoints are part of the kernel’s ABI. Tracepoint
changes have had to be reverted in the past because they broke existing
user-space programs that had come to depend on them; meanwhile, fears of
setting internal code in stone have made it difficult to add tracepoints to
a number of kernel subsystems. Now, a new tracing functionality is being
proposed as a way to circumvent all of those problems.
Linux Journal takes a look at the newly announced LinuxBoot project. LWN covered a related talk back in November. “Modern firmware generally consists of two main parts: hardware initialization (early stages) and OS loading (late stages). These parts may be divided further depending on the implementation, but the overall flow is similar across boot firmware. The late stages have gained many capabilities over the years and often have an environment with drivers, utilities, a shell, a graphical menu (sometimes with 3D animations) and much more. Runtime components may remain resident and active after firmware exits. Firmware, which used to fit in an 8 KiB ROM, now contains an OS used to boot another OS and doesn’t always stop running after the OS boots. LinuxBoot replaces the late stages with a Linux kernel and initramfs, which are used to load and execute the next stage, whatever it may be and wherever it may come from. The Linux kernel included in LinuxBoot is called the ‘boot kernel’ to distinguish it from the ‘target kernel’ that is to be booted and may be something other than Linux.”
Mark Wielaard writes
about the recently discovered relicensing of the dtrace dynamic tracing
subsystem under the GPL. “Thank you Oracle for making everyone’s
life easier by waving your magic relicensing wand!
Now there is lots of hard work to do to actually properly integrate this. And I am sure there are a lot of technical hurdles when trying to get this upstreamed into the mainline kernel. But that is just hard work. Which we can now start collaborating on in earnest.”
While there is a lot of software distributed under the terms of the GNU
General Public License, there is relatively little enforcement of the terms
of that license and, it seems, even less discussion of enforcement in
organizers of linux.conf.au have never shied away from such topics, though,
so Karen Sandler’s enforcement update during the linux.conf.au 2018 Kernel
fit right in. The picture she painted includes a number of challenges for
the GPL and the communities based on it, but there are some bright spots as
Security updates have been issued by Arch Linux (go, go-pie, and plasma-workspace), Debian (audacity, exim4, libreoffice, librsvg, ruby-omniauth, tomcat-native, and uwsgi), Fedora (tomcat-native), Gentoo (virtualbox), Mageia (kernel), openSUSE (freetype2, ghostscript, jhead, and libxml2), and SUSE (freetype2 and kernel).
Linus has released 4.16-rc1 and closed the
merge window for this development cycle. “I don’t want to jinx
anything, but things certainly look a lot better than with 4.15. We have no
(known) nasty surprises pending, and there were no huge issues during the
merge window. Fingers crossed that this stays fairly calm and sane.”
In ACMQueue magazine, Bridget Kromhout writes about containers and why they are not the solution to every problem. The article is subtitled:
“Complex socio-technical systems are hard;
film at 11.”
“Don’t get me wrong—containers are delightful! But let’s be real: we’re unlikely to solve the vast majority of problems in a given organization via the judicious application of kernel features. If you have contention between your ops team and your dev team(s)—and maybe they’re all facing off with some ill-considered DevOps silo inexplicably stuck between them—then cgroups and namespaces won’t have a prayer of solving that.
Development teams love the idea of shipping their dependencies bundled with their apps, imagining limitless portability. Someone in security is weeping for the unpatched CVEs, but feature velocity is so desirable that security’s pleas go unheard. Platform operators are happy (well, less surly) knowing they can upgrade the underlying infrastructure without affecting the dependencies for any applications, until they realize the heavyweight app containers shipping a full operating system aren’t being maintained at all.”
Security updates have been issued by Arch Linux (clamav), Debian (mailman, mpv, and simplesamlphp), Fedora (tomcat-native), openSUSE (docker, docker-runc, containerd,, kernel, mupdf, and python-mistune), Red Hat (kernel), and Ubuntu (mailman and postgresql-9.3, postgresql-9.5, postgresql-9.6).
This is the third article of a series discussing various methods of
reducing the size of the Linux kernel to make it suitable for small
environments. The first article
provided a short rationale for this topic, and covered link-time
garbage collection. The
second article covered link-time
optimization (LTO) and compared its results to link-time garbage
collection. In this article we’ll explore ways to make LTO more
effective at optimizing kernel code away, as well as more assertive
strategies to achieve our goal.
Security updates have been issued by Debian (django-anymail, libtasn1-6, and postgresql-9.1), Fedora (w3m), Mageia (389-ds-base, gcc, libtasn1, and p7zip), openSUSE (flatpak, ImageMagick, libjpeg-turbo, libsndfile, mariadb, plasma5-workspace, pound, and spice-vdagent), Oracle (kernel), Red Hat (flash-plugin), SUSE (docker, docker-runc, containerd, golang-github-docker-libnetwork and kernel), and Ubuntu (libvirt, miniupnpc, and QEMU).