Post Syndicated from corbet original https://lwn.net/Articles/969923/

Kernel developers, like conscientious developers for many projects, will
often include checks in the code for conditions that are never expected to
occur, but which would indicate a serious problem should that expectation
turn out to be incorrect. For years, developers have been encouraged (to
put it politely) to avoid using assertions that crash the machine for such
conditions unless there is truly no alternative. Increasingly, though, use
of the kernel’s WARN_ON() family of macros, which developers were
told to use instead, is also being discouraged.

Post Syndicated from corbet original https://lwn.net/Articles/970045/

Version
0.81 of the PuTTY SSH client is out with a fix for CVE-2024-31497;
some users will want to update and generate new keys:

PuTTY 0.81, released today, fixes a critical vulnerability
CVE-2024-31497 in the use of 521-bit ECDSA keys
(ecdsa-sha2-nistp521). If you have used a 521-bit ECDSA private
key with any previous version of PuTTY, consider the private key
compromised: remove the public key from authorized_keys files, and
generate a new key pair.

However, this only affects that one algorithm and key size. No
other size of ECDSA key is affected, and no other key type is
affected.

Post Syndicated from corbet original https://lwn.net/Articles/970036/

Security updates have been issued by Debian (php7.4 and php8.2), Fedora (c-ares), Mageia (python-pillow and upx), Oracle (bind and dhcp, bind9.16, httpd:2.4/mod_http2, kernel, rear, and unbound), SUSE (eclipse, maven-surefire, tycho, emacs, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, nodejs16, nodejs18, nodejs20, texlive, vim, webkit2gtk3, and xen), and Ubuntu (gnutls28, klibc, libvirt, nodejs, and webkit2gtk).

Post Syndicated from corbet original https://lwn.net/Articles/969919/

The Open Source Security Foundation and the OpenJS Foundation have jointly
posted a
warning about XZ-like social-engineering attacks after OpenJS was
seemingly targeted.

The OpenJS Foundation Cross Project Council received a suspicious
series of emails with similar messages, bearing different names and
overlapping GitHub-associated emails. These emails implored OpenJS
to take action to update one of its popular JavaScript projects to
“address any critical vulnerabilities,” yet cited no specifics. The
email author(s) wanted OpenJS to designate them as a new maintainer
of the project despite having little prior involvement.

Post Syndicated from corbet original https://lwn.net/Articles/969791/

The 6.9-rc4 kernel prepatch is out for
testing. “Nothing particularly unusual going on this week – some new hw
mitigations may stand out, but after a decade of this I can’t really call
it ‘unusual’ any more, can I?“

Post Syndicated from corbet original https://lwn.net/Articles/969732/

The
6.8.6,
6.6.27,
6.1.86,
5.15.155,
5.10.215,
5.4.274, and
4.19.312
stable kernel updates have all been released; each contains a relatively
large number of important fixes.

Post Syndicated from corbet original https://lwn.net/Articles/969383/

The kernel project merges dozens of drivers with every development cycle,
and almost every one of those drivers is entirely uncontroversial.
Occasionally, though, a driver submission raises wider questions, leading
to lengthy discussion and, perhaps, opposition. That is currently the case
with two separate drivers, both with ties to the networking subsystem. One
of them is hung up on questions of whether (and how) all device
functionality should be made available to user space, while the other has
run into turbulence because it drives a device that is unobtainable outside
of a single company.

Post Syndicated from corbet original https://lwn.net/Articles/969591/

Dirk Mueller has posted a
lengthy analysis of the XZ backdoor on the openSUSE News site, with a
focus on openSUSE’s response.

Debian, as well as the other affected distributions like openSUSE
are carrying a significant amount of downstream-only patches to
essential open-source projects, like in this case OpenSSH. With
hindsight, that should be another Heartbleed-level learning for the
work of the distributions. These patches built the essential steps
to embed the backdoor, and do not have the scrutiny that they
likely would have received by the respective upstream
maintainers. Whether you trust Linus Law or not, it was not even
given a chance to chime in here. Upstream did not fail on the
users, distributions failed on upstream and their users here.

Post Syndicated from corbet original https://lwn.net/Articles/969062/

The Earliest Virtual Deadline First (EEVDF)
scheduler was merged as an option for the 6.6 kernel. It represents a
major change to how CPU scheduling is done on Linux systems, but the EEVDF
front has been relatively quiet since then. Now, though, scheduler
developer Peter Zijlstra has returned from a long absence to post a patch
series intended to finish the EEVDF work. Beyond some fixes, this work
includes a significant behavioral change and a new feature intended to help
latency-sensitive tasks.

Post Syndicated from corbet original https://lwn.net/Articles/969468/

Security updates have been issued by AlmaLinux (kernel, less, libreoffice, nodejs:18, nodejs:20, rear, thunderbird, and varnish), Debian (pillow), Fedora (dotnet7.0), SUSE (sngrep, texlive-specs-k, tomcat, tomcat10, and xorg-x11-server), and Ubuntu (nss, squid, and util-linux).

Post Syndicated from corbet original https://lwn.net/Articles/969210/

The mainline kernel has just received a set of commits mitigating the
latest x86 hardware vulnerability, known as “branch history injection”.
From this commit:

Branch History Injection (BHI) attacks may allow a malicious
application to influence indirect branch prediction in kernel by
poisoning the branch history. eIBRS isolates indirect branch
targets in ring0. The BHB can still influence the choice of
indirect branch predictor entry, and although branch predictor
entries are isolated between modes when eIBRS is enabled, the BHB
itself is not isolated between modes.

See this commit for
documentation on the command-line parameter that controls this mitigation.
There are stable kernel releases (6.8.5,
6.6.26,
6.1.85,
and 5.15.154)
in the works that also contain the mitigations.

Post Syndicated from corbet original https://lwn.net/Articles/969031/

On February 20, Linaro held the initial
get-together for what is intended to be a regular Linux Kernel Forum for
the Arm-focused kernel community. This gathering aims to convene
approximately a few weeks prior to the merge window opening and prior to
the release of the current kernel version under development. Topics
covered in the first gathering include preparing 64-bit Arm kernels for
low-end embedded systems, memory errors and Compute Express
Link (CXL), devlink objectives, and scheduler integration.

Post Syndicated from corbet original https://lwn.net/Articles/969172/

Version 3.3.0 of the OpenSSL SSL/TLS implementation has been released.
Changes include a number of additions to its QUIC protocol support, some
year-2038 improvements for 32-bit systems, and a lot of cryptographic
features with descriptions like “Added a new EVP_DigestSqueeze()
API. This allows SHAKE to squeeze multiple times with different output
sizes.” See the release
notes for details.

Post Syndicated from corbet original https://lwn.net/Articles/969141/

Security updates have been issued by Debian (expat), Oracle (less and nodejs:20), Slackware (libarchive), SUSE (kubernetes1.23, nghttp2, qt6-base, and util-linux), and Ubuntu (python-django).

Post Syndicated from corbet original https://lwn.net/Articles/969027/

The Google Open Source Blog is carrying an
announcement for a new JPEG library called “Jpegli”. There are a
number of advantages claimed, including:

Jpegli can be encoded with 10+ bits per component. Traditional JPEG
coding solutions offer only 8 bit per component dynamics causing
visible banding artifacts in slow gradients. Jpegli’s 10+ bits
coding happens in the original 8-bit formalism and the resulting
images are fully interoperable with 8-bit viewers. 10+ bit dynamics
are available as an API extension and application code changes are
needed to benefit from it.

The library is BSD-licensed.

Post Syndicated from corbet original https://lwn.net/Articles/968300/

Sometimes the smallest patches create the biggest discussions. A case in
point would be the process by which the PostgreSQL community — not a group
normally prone to extended, strongly worded megathreads — resolved the question of
whether to merge a brief patch adding a new configuration parameter.
Sometimes, a proposal that looks like a security patch is not, in
fact, intended to be a security patch, but getting that point across can be
difficult.

Post Syndicated from corbet original https://lwn.net/Articles/968937/

The 6.9-rc3 kernel prepatch is out for
testing.

Ok, so this rc3 looks a bit different than the usual ones, because
there’s a large series to bcachefs to do filesystem repair after
corruption. Not normally something we’d see in an rc kernel, but
hey, if you had a corrupted bcachefs filesystem you’d probably want
this, and if you thought bcachefs was stable already, I have a
bridge to sell you. Special deal only for you, real cheap.

Post Syndicated from corbet original https://lwn.net/Articles/968584/

OpenBSD 7.5 has been released. The list of changes and improvements is, as
usual, long; it includes the pinsyscalls() functionality covered
here in January.

Post Syndicated from corbet original https://lwn.net/Articles/968565/

Version 7.0 of the
FFmpeg audio/video toolkit is out. “The most noteworthy changes for
most users are a native VVC decoder (currently experimental, until more
fuzzing is done), IAMF support, or a multi-threaded ffmpeg CLI tool“.
There’s also the usual list of new formats and codecs, and a few deprecated
features have been removed.

Post Syndicated from corbet original https://lwn.net/Articles/968421/

Version
6.0 LTS of the Incus container management system has been released.
“This is a major milestone for Incus as it marks our first release with
extended support, suitable for use in production environments where monthly
feature releases aren’t suitable.” Changes include swap limits for
containers, a new shell completion mechanism, support for the creation of
VLAN interfaces, improved live migration, and more.