
Welcome to LWN.net

LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.

[$] unsafe_put_user() turns out to be unsafe
[Kernel] Posted Oct 13, 2017 21:19 UTC (Fri) by corbet

When a veteran kernel developer introduces a severe security hole into the kernel, it can be instructive to look at how the vulnerability came about. Among other things, it can point the finger at an API that lends itself toward the creation of such problems. And, as it turns out, the knowledge that the API is dangerous at the outset and marking it as such may not be enough to prevent problems.

Full Story (comments: 7)

Stable kernel 4.13.7
[Kernel] Posted Oct 14, 2017 14:08 UTC (Sat) by corbet

The 4.13.7 stable kernel update has been released; it contains a fix for an unpleasant local vulnerability that affects only 4.13 kernels.

Comments (none posted)

[$] The trouble with text-only email
[Security] Posted Oct 12, 2017 15:11 UTC (Thu) by corbet

Mozilla's manifesto commits the organization to a number of principles, including support for individual privacy and an individual's right to control how they experience the Internet. As a result, when Mozilla recently stated its intent to remove the "text only" option from its mailing lists — for the purpose of tracking whether recipients are reading its emails — the reaction was, to put it lightly, not entirely positive. The text-only option has been saved, but the motivation behind this change is indicative of the challenges facing independent senders of email.

Full Story (comments: 62)

Security updates for Friday
[Security] Posted Oct 13, 2017 14:42 UTC (Fri) by jake

Security updates have been issued by Arch Linux (botan, flyspray, go, go-pie, pcre2, thunderbird, and wireshark-cli), Fedora (chromium and mingw-poppler), Red Hat (Red Hat JBoss BPM Suite 6.4.6 and Red Hat JBoss BRMS 6.4.6), SUSE (git and kernel), and Ubuntu (libffi and xorg-server, xorg-server-hwe-16.04, xorg-server-lts-xenial).

Full Story (comments: none)

[$] LWN.net Weekly Edition for October 12, 2017
Posted Oct 12, 2017 2:46 UTC (Thu)

The LWN.net Weekly Edition for October 12, 2017 is available.

Inside this week's LWN.net Weekly Edition

  • Front: Intel graphics development; Purism's phone; GnuPG; Kernel pointer leaks; Kernel timers; Long-term support kernel releases.
  • Briefs: End of jprobes; TAB election; Debian 9.2; Plasma 5.11; PostgreSQL 10.0; systemd 235; Quotes; ...
  • Announcements: Newsletters, events, security updates, kernel patches, ...

Four new stable kernels
[Kernel] Posted Oct 12, 2017 15:07 UTC (Thu) by jake

Greg Kroah-Hartman has announced the release of the 4.13.6, 4.9.55, 4.4.92, and 3.18.75 stable kernels. As usual, they contain fixes throughout the tree, so users should upgrade.

Update: Kroah-Hartman released 4.9.56: "It fixes a networking bug in 4.9.55. Don't use 4.9.55, it's busted, sorry about that, I should have held off and gotten more testing on it, my fault :("

Comments (none posted)

[$] Continuous-integration testing for Intel graphics
[Development] Posted Oct 11, 2017 16:01 UTC (Wed) by jake

Two separate talks, at two different venues, give us a look into the kinds of testing that the Intel graphics team is doing. Daniel Vetter had a short presentation as part of the Testing and Fuzzing microconference at the Linux Plumbers Conference (LPC). His colleague, Martin Peres, gave a somewhat longer talk, complete with demos, at the X.Org Developers Conference (XDC). The picture they paint is a pleasing one: there is lots of testing going on there. But there are problems as well; that amount of testing runs afoul of bugs elsewhere in the kernel, which makes the job harder.

Full Story (comments: 32)

Security updates for Thursday
[Security] Posted Oct 12, 2017 14:41 UTC (Thu) by jake

Security updates have been issued by CentOS (httpd and thunderbird), Debian (nss), Fedora (git), openSUSE (krb5, libvirt, samba, and thunderbird), Oracle (httpd and thunderbird), Red Hat (httpd, rh-mysql57-mysql, and thunderbird), Scientific Linux (httpd and thunderbird), and Ubuntu (ceph).

Full Story (comments: none)

[$] Cramming features into LTS kernel releases
[Kernel] Posted Oct 10, 2017 19:25 UTC (Tue) by corbet

While the 4.14 development cycle has not been the busiest ever (12,500 changesets merged as of this writing, slightly more than 4.13 at this stage of the cycle), it has been seen as a rougher experience than its predecessors. There are all kinds of reasons why one cycle might be smoother than another, but it is not unreasonable to wonder whether the fact that 4.14 is a long-term support (LTS) release has affected how this cycle has gone. Indeed, when he released 4.14-rc3, Linus Torvalds complained that this cycle was more painful than most, and suggested that the long-term support status may be a part of the problem. A couple of recent pulls into the mainline highlight the pressures that, increasingly, apply to LTS releases.

Full Story (comments: 11)

Security updates for Wednesday
[Security] Posted Oct 11, 2017 15:06 UTC (Wed) by ris

Security updates have been issued by Arch Linux (lame, salt, and xorg-server), Debian (ffmpeg, imagemagick, libxfont, wordpress, and xen), Fedora (ImageMagick, rubygem-rmagick, and tor), Oracle (kernel), SUSE (kernel, SLES 12 Docker image, SLES 12-SP1 Docker image, and SLES 12-SP2 Docker image), and Ubuntu (curl, glance, horizon, kernel, keystone, libxfont, libxfont1, libxfont2, libxml2, linux, linux-aws, linux-gke, linux-kvm, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux-gcp, linux-hwe, linux-lts-xenial, nova, openvswitch, swift, and thunderbird).

Full Story (comments: none)

[$] An update on GnuPG
[Front] Posted Oct 10, 2017 16:02 UTC (Tue) by jake

The GNU Privacy Guard (GnuPG) is one of the fundamental tools that allows a distributed group to have trust in its communications. Werner Koch, lead developer of GnuPG, spoke about it at Kernel Recipes: what's in the new 2.2 version, when older versions will reach their end of life, and how development will proceed going forward. He also spoke at some length on the issue of best-practice key management and how GnuPG is evolving to assist. Subscribers can click below for a report on the talk by guest author Tom Yates.

Full Story (comments: 12)

Plasma 5.11
[Development] Posted Oct 10, 2017 23:08 UTC (Tue) by ris

KDE Plasma 5.11 has been released. "Plasma 5.11 brings a redesigned settings app, improved notifications, a more powerful task manager. Plasma 5.11 is the first release to contain the new “Vault”, a system to allow the user to encrypt and open sets of documents in a secure and user-friendly way, making Plasma an excellent choice for people dealing with private and confidential information."

Comments (2 posted)

[$] Improving the kernel timers API
[Kernel] Posted Oct 9, 2017 23:01 UTC (Mon) by corbet

The kernel's timer interface has been around for a long time, and its API shows it. Beyond a lack of conformance with current in-kernel interface patterns, the timer API is not as efficient as it could be and stands in the way of ongoing kernel-hardening efforts. A late addition to the 4.14 kernel paves the way toward a wholesale change of this API to address these problems.

Full Story (comments: 11)

Purism Meets Its $1.5 Million Goal for Security Focused Librem 5 Smartphone
[Briefs] Posted Oct 10, 2017 17:05 UTC (Tue) by ris

Purism has reached its crowdfunding goal to create the Librem 5, an encrypted, open smartphone ecosystem that gives users complete device control. "Reaching the $1.5 million milestone weeks ahead of schedule enables Purism to accelerate the production of the physical product. The company plans to move into hardware production as soon as possible to assemble a developer kit as well as initiate building the base software platform, which will be publicly available and open to the developer community." LWN looked at the privacy features planned for the phone in an article for this week's edition.

Comments (none posted)

[$] Steps toward a privacy-preserving phone
[Front] Posted Oct 5, 2017 23:07 UTC (Thu) by jake

What kind of cell phone would emerge from a concerted effort to design privacy in from the beginning, using free software as much as possible? Some answers are provided by a crowdfunding campaign launched in August by Purism SPC, which has used two such campaigns successfully in the past to build a business around secure laptops. The Librem 5, with a five-inch screen and radio chip for communicating with cell phone companies, represents Purism's hope to bring the same privacy-enhancing vision to the mobile space, which is much more demanding in its threats, technology components, and user experience.

Full Story (comments: 45)

Security updates for Tuesday
[Security] Posted Oct 10, 2017 15:06 UTC (Tue) by ris

Security updates have been issued by Fedora (WebCalendar), openSUSE (mpg123 and openjpeg2), Red Hat (kernel), and SUSE (firefox, nss).

Full Story (comments: none)

[$] What's the best way to prevent kernel pointer leaks?
[Kernel] Posted Oct 5, 2017 22:50 UTC (Thu) by corbet

An attacker who seeks to compromise a running kernel by overwriting kernel data structures or forcing a jump to specific kernel code must, in either case, have some idea of where the target objects are in memory. Techniques like kernel address-space layout randomization have been created in the hope of denying that knowledge, but that effort is wasted if the kernel leaks information about where it has been placed in memory. Developers have been plugging pointer leaks for years but, as a recent discussion shows, there is still some disagreement over the best way to prevent attackers from learning about the kernel's address-space layout.

Full Story (comments: 6)

Linux Foundation Technical Advisory Board election call for nominations
[Kernel] Posted Oct 9, 2017 21:03 UTC (Mon) by corbet

The next election for members of the Linux Foundation's Technical Advisory Board will be held on October 25 at the Kernel Summit in Prague. The call has gone out for candidates to fill the five available seats. "The Linux Foundation Technical Advisory Board (TAB) serves as the interface between the kernel development community and the Foundation. The TAB advises the Foundation on kernel-related matters, helps member companies learn to work with the community, and works to resolve community-related problems before they get out of hand. The board has ten members, one of whom sits on the LF board of directors."

Full Story (comments: none)

LWN.net Weekly Edition for October 5, 2017
Posted Oct 5, 2017 0:24 UTC (Thu)

The LWN.net Weekly Edition for October 5, 2017 is available.

Inside this week's LWN.net Weekly Edition

  • Front: Odoo; Offline key storage; Testing and fuzzing; Block-layer improvements; NumWorks; RawTherapee.
  • Briefs: Dnsmasq vulns; NTP security reviews; 6-year LTS kernels; F27 beta; FreeBSD 10.4; Evergreen 3.0; Quotes; ...
  • Announcements: Newsletters, events, security updates, kernel patches, ...

Stable kernel updates
[Kernel] Posted Oct 9, 2017 15:26 UTC (Mon) by ris

Stable kernels 4.9.54, 4.4.91, and 3.18.74 have been released. They all contain important fixes and users should upgrade.

Comments (none posted)



Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds