lwn.net

Security updates have been issued by Debian (composer and nodejs), Fedora (w3m), Mageia (tomcat), Oracle (expat, firefox, go-toolset:ol8, grafana, grafana-pcp, nodejs:18, and thunderbird), Red Hat (dnsmasq, expat, kernel, kernel-rt, libreoffice, and squid), and SUSE (firefox, krb5, libvirt, and shadow).

Sasha Levin has announced the release of the 6.8.2, 6.7.11, 6.6.23, 6.1.83, 5.15.153, 5.10.214, 5.4.273, and 4.19.311 stable kernels. Each contains a long list of important fixes throughout the kernel tree.

The GNOME project announced GNOME 46 (code-named "Kathmandu") on March 20. The release has quite a few updates and improvements across user applications, developer tools, and under the hood. One thing stood out while looking over this release—a major emphasis on Flatpaks as the way to acquire and update GNOME software.

Security updates have been issued by CentOS (kernel), Debian (firefox-esr), Fedora (webkitgtk), Mageia (curaengine & blender and gnutls), Red Hat (firefox, grafana, grafana-pcp, libreoffice, nodejs:18, and thunderbird), SUSE (glade), and Ubuntu (crmsh, debian-goodies, linux-aws, linux-aws-6.5, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-oracle, linux-azure, linux-azure-5.4, linux-oracle, linux-oracle-5.15, pam, and thunderbird).

The first-ever NixCon in North America was co-located with SCALE this year. The event drew a mix of experienced Nix users and people new to the project. I attended talks that covered using Nix to build Docker images, upcoming changes to how NixOS performs early booting, and ideas for making the set of services provided in nixpkgs more useful for self hosting. (LWN covered the relationship between Nix, NixOS, and nixpkgs in a recent article.) Near the end of the conference, a collection of Nix contributors gave a "State of the Union" about the growth of the project and highlighting areas of concern.

The 6.9-rc1 kernel prepatch was released on March 24, closing the merge window for this development cycle. By that time, 12,435 non-merge changesets had been merged into the mainline, making for a less-busy merge window than the last couple of kernel releases (but similar to the 12,492 seen for 6.5). Well over 7,000 of those changes were merged after the first-half merge-window summary was written, meaning that the latter part of the merge window brought many more interesting changes.

Security updates have been issued by Debian (cacti, firefox-esr, freeipa, gross, libnet-cidr-lite-perl, python2.7, python3.7, samba, and thunderbird), Fedora (amavis, chromium, clojure, firefox, gnutls, kubernetes, and tcpreplay), Mageia (freeimage, libreswan, nodejs-hawk, and python, python3), Oracle (golang, nodejs, nodejs:16, and postgresql-jdbc), Slackware (emacs and mozilla), SUSE (dav1d, ghostscript, go1.22, indent, kernel, openvswitch, PackageKit, python-uamqp, rubygem-rack-1_4, shadow, ucode-intel, xen, and zziplib), and Ubuntu (firefox, graphviz, libnet-cidr-lite-perl, and qpdf).

Version 29.3 of the Emacs editor has been released:

Emacs 29.3 is an emergency bugfix release; it includes no new features except a small number of changes intended to resolve security vulnerabilities uncovered in Emacs 29.2.

Those vulnerabilities mostly have to do with executing untrusted Lisp code; see the NEWS file for a bit more information.

The 6.9-rc1 kernel prepatch is out for testing. Linus Torvalds described some rather large updates to the core kernel code that are coming for 6.9: The timer subsystem had a fairly big rewrite, to have per-cpu timer wheels to improve performance of timers, which can be a big deal particularly for networking. The other fairly notable core update is to the workqueue subsystem, where one notable addition is for BH workqueue support. That's notable mainly because it means we finally have a way away from tasklets. The tasklet interface has basically been deprecated for a long while, but we've never really had any good alternatives (with threaded interrupt handlers being one suggested use-case, but not realistic in many cases).

Security updates have been issued by Debian (firefox-esr, pillow, and thunderbird), Fedora (apptainer, chromium, ovn, and webkitgtk), Mageia (apache-mod_auth_openidc, ffmpeg, fontforge, libuv, and nodejs-tough-cookie), Oracle (kernel, libreoffice, postgresql-jdbc, ruby:3.1, squid, and squid:4), Red Hat (go-toolset:rhel8 and libreoffice), SUSE (firefox, jbcrypt, trilead-ssh2, jsch-agent-proxy, kernel, tiff, and zziplib), and Ubuntu (linux-aws and openssl1.0).

While a programming error in the kernel may be subject to direct exploitation, usually a more roundabout approach is required to take advantage of a security bug. One popular approach for those wishing to take advantage of vulnerabilities is heap spraying, and it has often been employed to compromise the kernel. In the future, though, heap-spraying attacks may be a bit harder to pull off, thanks to the "dedicated bucket allocator" proposed by Kees Cook.

Security updates have been issued by Debian (pdns-recursor and php-dompdf-svg-lib), Fedora (grub2, libreswan, rubygem-yard, and thunderbird), Mageia (libtiff and python-scipy), Red Hat (golang, nodejs, and nodejs:16), Slackware (python3), and Ubuntu (linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-azure, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, linux-starfive, linux-starfive-6.5, linux-aws, linux-aws-5.15, linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-gcp, linux-gcp-4.15, linux-kvm, linux-laptop, linux-oem-6.1, and linux-raspi).

Version 1.77.0 of the Rust language has been released. Changes include support for NUL-terminated C-string literals, the ability for async functions to call themselves recursively, the stabilization of the offset_of!() macro, and more.

Verson 5.39.9 of the Perl language has been released. Changes this time include a new "medium-precedence" logical exclusive-or operator, a number of updated modules, and more; see this page for details.

The Redis in-memory database system has had its license changed to either the Redis Source Available License or the Server Side Public License (covered here in 2018); neither license qualifies as free software.

Under the new license, cloud service providers hosting Redis offerings will no longer be permitted to use the source code of Redis free of charge. For example, cloud service providers will be able to deliver Redis 7.4 only after agreeing to licensing terms with Redis, the maintainers of the Redis code.

Distributors like Fedora are already looking at removing Redis as a consequence. (Thanks to Emmanuel Seyman).

Danilo Krummrich has announced the existence of the "Nova" project within Red Hat.

We just started to work on Nova, a Rust-based GSP-only driver for Nvidia GPUs. Nova, in the long term, is intended to serve as the successor of Nouveau for GSP-firmware-based GPUs.

With Nova we see the chance to significantly decrease the complexity of the driver compared to Nouveau for mainly two reasons. First, Nouveau's historic architecture, especially around nvif/nvkm, is rather complicated and inflexible and requires major rework to solve certain problems (such as locking hierarchy in VMM / MMU code for VM_BIND currently being solved with a workaround) and second, with a GSP-only driver there is no need to maintain compatibility with pre-GSP code.

Besides that, we also want to take the chance to contribute to the Rust efforts in the kernel and benefit from from more memory safety offered by the Rust programming language.

Given that the effort has just begun, it will be a while before this driver shows up in a distribution release.

The LWN.net Weekly Edition for March 21, 2024 is available.

Version 46 of the GNOME desktop has been released. "GNOME 46 is code-named 'Kathmandu', in recognition of the amazing work done by the organizers of GNOME.Asia 2023." Significant changes include a new global search feature, enhancements to the Files app, improved remote login support, and more.

Cockpit is an interesting project for web-based Linux administration that has received relatively little attention over the years. Part of that may be due to the project's strategy of minor releases roughly every two weeks, rather than larger releases with many new features. While the strategy has done little to garner headlines, it has delivered a useful and extensible tool to observe, manage, and troubleshoot Linux servers.

The Python project has announced three security releases, 3.10.14, 3.9.19, and 3.8.19. In addition to the security fixes, these releases are notable for two reasons; they are the first to make use of GitHub Actions to perform public builds instead of building artifacts "on a local computer of one of the release managers", and the first since Python became a CVE Numbering Authority (CNA).

Python release team member Łukasz Langa said that being a CNA means Python is able to "ensure the quality of the vulnerability reports is high, and that the severity estimates are accurate." It also allows Python to coordinate CVE announcements with the patched versions of Python, as it has with two CVEs addressed in these releases. CVE-2023-6597 describes a flaw in CPython's zipfile module that made it vulnerable to a zip-bomb exploit. CVE-2024-0450 is an issue with Python's tempfile.TemporaryDirectory class which could be exploited to modify permissions of files referenced by symbolic links. Users of affected versions should upgrade soon.