Post Syndicated from corbet original https://lwn.net/Articles/970328/
The LWN.net Weekly Edition for April 25, 2024 is available.
Post Syndicated from corbet original https://lwn.net/Articles/971007/
Version 9.0 of
the QEMU emulator has been released. “This release contains 2700+
commits from 220 authors.” The list of improvements is long; see the
announcement and the
changelog for details.
Post Syndicated from corbet original https://lwn.net/Articles/970893/
The Fedora 40 distribution has been
released. See the “what’s new” pages for Fedora
Workstation and Fedora
KDE to learn more about the desktop spins, along with this LWN article, for more information.
Post Syndicated from corbet original https://lwn.net/Articles/970216/
The Rust programming language, it is hoped, will bring a new level of
safety to the Linux kernel. At the moment, though, there are still a
number of impediments to getting useful Rust code into the kernel. In the
Embedded Open Source Summit track of the Open
Source Summit North America, Fabien Parent provided an overview of his
work aimed at improving the infrastructure needed to write the device
drivers needed by embedded systems in Rust; there is still some work to be
done.
Post Syndicated from corbet original https://lwn.net/Articles/970889/
Security updates have been issued by Debian (glibc and samba), Fedora (chromium, cjson, mingw-python-idna, and pgadmin4), Mageia (kernel, kmod-xtables-addons, kmod-virtualbox, kernel-linus, and perl-Clipboard), Red Hat (go-toolset:rhel8, golang, java-11-openjdk, kpatch-patch, and shim), Slackware (freerdp), SUSE (apache-commons-configuration, glibc, jasper, polkit, and qemu), and Ubuntu (google-guest-agent, google-osconfig-agent, linux-lowlatency-hwe-6.5, pillow, and squid).
Post Syndicated from corbet original https://lwn.net/Articles/970835/
The Open Home Foundation has announced
its existence as a home and support resource for free home-automation
projects.
We created the Open Home Foundation to fight for the fundamental
principles of privacy, choice, and sustainability for smart
homes. And every person who lives in one.
Ahead of today, we’ve transferred over 240 projects, standards,
drivers, and libraries—Home Assistant, ESPHome, Zigpy, Piper,
Improv Wi-Fi, Wyoming, and so many more—to the Open Home
Foundation. This is all about looking into the future. We’ve done
this to create a bulwark against surveillance capitalism, the risk
of buyout, and open-source projects becoming abandonware. To an
extent, this protection extends even against our future selves—so
that smart home users can continue to benefit for years, if not
decades. No matter what comes.
Post Syndicated from corbet original https://lwn.net/Articles/970702/
Peter Hutterer announces
udev-hid-bpf, a tool to facilitate the loading of BPF programs that
make human-input devices work correctly.
eBPF was originally written for network packet filters but as of
kernel v6.3 and thanks to Benjamin, we have BPF in the HID
subsystem. HID actually lends itself really well to BPF because,
well, we have a byte array and to fix our devices we need to do
complicated things like “toggle that bit to zero” or “swap those
two values”.
See this article for more information on
the BPF-HID mechanism.
Post Syndicated from corbet original https://lwn.net/Articles/970667/
Linus has released 6.9-rc5 for testing.
But if you ignore those oddities, it all looks pretty normal and
things appear fairly calm. Which is just as well, since the first
part of the week I was on a quick trip to Seattle, and the second
part of the week I’ve been doing a passable imitation of the
Fontana di Trevi, except my medium is mucus.
Post Syndicated from corbet original https://lwn.net/Articles/969923/
Kernel developers, like conscientious developers for many projects, will
often include checks in the code for conditions that are never expected to
occur, but which would indicate a serious problem should that expectation
turn out to be incorrect. For years, developers have been encouraged (to
put it politely) to avoid using assertions that crash the machine for such
conditions unless there is truly no alternative. Increasingly, though, use
of the kernel’s WARN_ON() family of macros, which developers were
told to use instead, is also being discouraged.
Post Syndicated from corbet original https://lwn.net/Articles/970045/
Version
0.81 of the PuTTY SSH client is out with a fix for CVE-2024-31497;
some users will want to update and generate new keys:
PuTTY 0.81, released today, fixes a critical vulnerability
CVE-2024-31497 in the use of 521-bit ECDSA keys
(ecdsa-sha2-nistp521). If you have used a 521-bit ECDSA private
key with any previous version of PuTTY, consider the private key
compromised: remove the public key from authorized_keys files, and
generate a new key pair.
However, this only affects that one algorithm and key size. No
other size of ECDSA key is affected, and no other key type is
affected.
Post Syndicated from corbet original https://lwn.net/Articles/970036/
Security updates have been issued by Debian (php7.4 and php8.2), Fedora (c-ares), Mageia (python-pillow and upx), Oracle (bind and dhcp, bind9.16, httpd:2.4/mod_http2, kernel, rear, and unbound), SUSE (eclipse, maven-surefire, tycho, emacs, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, nodejs16, nodejs18, nodejs20, texlive, vim, webkit2gtk3, and xen), and Ubuntu (gnutls28, klibc, libvirt, nodejs, and webkit2gtk).
Post Syndicated from corbet original https://lwn.net/Articles/969919/
The Open Source Security Foundation and the OpenJS Foundation have jointly
posted a
warning about XZ-like social-engineering attacks after OpenJS was
seemingly targeted.
The OpenJS Foundation Cross Project Council received a suspicious
series of emails with similar messages, bearing different names and
overlapping GitHub-associated emails. These emails implored OpenJS
to take action to update one of its popular JavaScript projects to
“address any critical vulnerabilities,” yet cited no specifics. The
email author(s) wanted OpenJS to designate them as a new maintainer
of the project despite having little prior involvement.
Post Syndicated from corbet original https://lwn.net/Articles/969791/
The 6.9-rc4 kernel prepatch is out for
testing. “Nothing particularly unusual going on this week – some new hw
mitigations may stand out, but after a decade of this I can’t really call
it ‘unusual’ any more, can I?”
Post Syndicated from corbet original https://lwn.net/Articles/969383/
The kernel project merges dozens of drivers with every development cycle,
and almost every one of those drivers is entirely uncontroversial.
Occasionally, though, a driver submission raises wider questions, leading
to lengthy discussion and, perhaps, opposition. That is currently the case
with two separate drivers, both with ties to the networking subsystem. One
of them is hung up on questions of whether (and how) all device
functionality should be made available to user space, while the other has
run into turbulence because it drives a device that is unobtainable outside
of a single company.
Post Syndicated from corbet original https://lwn.net/Articles/969591/
Dirk Mueller has posted a
lengthy analysis of the XZ backdoor on the openSUSE News site, with a
focus on openSUSE’s response.
Debian, as well as the other affected distributions like openSUSE
are carrying a significant amount of downstream-only patches to
essential open-source projects, like in this case OpenSSH. With
hindsight, that should be another Heartbleed-level learning for the
work of the distributions. These patches built the essential steps
to embed the backdoor, and do not have the scrutiny that they
likely would have received by the respective upstream
maintainers. Whether you trust Linus Law or not, it was not even
given a chance to chime in here. Upstream did not fail on the
users, distributions failed on upstream and their users here.
Post Syndicated from corbet original https://lwn.net/Articles/969062/
The Earliest Virtual Deadline First (EEVDF)
scheduler was merged as an option for the 6.6 kernel. It represents a
major change to how CPU scheduling is done on Linux systems, but the EEVDF
front has been relatively quiet since then. Now, though, scheduler
developer Peter Zijlstra has returned from a long absence to post a patch
series intended to finish the EEVDF work. Beyond some fixes, this work
includes a significant behavioral change and a new feature intended to help
latency-sensitive tasks.
Post Syndicated from corbet original https://lwn.net/Articles/969468/
Security updates have been issued by AlmaLinux (kernel, less, libreoffice, nodejs:18, nodejs:20, rear, thunderbird, and varnish), Debian (pillow), Fedora (dotnet7.0), SUSE (sngrep, texlive-specs-k, tomcat, tomcat10, and xorg-x11-server), and Ubuntu (nss, squid, and util-linux).
Post Syndicated from corbet original https://lwn.net/Articles/969210/
The mainline kernel has just received a set of commits mitigating the
latest x86 hardware vulnerability, known as “branch history injection”.
From this commit:
Branch History Injection (BHI) attacks may allow a malicious
application to influence indirect branch prediction in kernel by
poisoning the branch history. eIBRS isolates indirect branch
targets in ring0. The BHB can still influence the choice of
indirect branch predictor entry, and although branch predictor
entries are isolated between modes when eIBRS is enabled, the BHB
itself is not isolated between modes.
See this commit for
documentation on the command-line parameter that controls this mitigation.
There are stable kernel releases (6.8.5,
6.6.26,
6.1.85,
and 5.15.154)
in the works that also contain the mitigations.
Post Syndicated from corbet original https://lwn.net/Articles/969031/
On February 20, Linaro held the initial
get-together for what is intended to be a regular Linux Kernel Forum for
the Arm-focused kernel community. This gathering aims to convene
approximately a few weeks prior to the merge window opening and prior to
the release of the current kernel version under development. Topics
covered in the first gathering include preparing 64-bit Arm kernels for
low-end embedded systems, memory errors and Compute Express
Link (CXL), devlink objectives, and scheduler integration.