LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 2 hours 21 min ago

[$] LWN.net Weekly Edition for January 24, 2019

Thursday 24th of January 2019 12:53:28 AM
The LWN.net Weekly Edition for January 24, 2019 is available.

Cox: Our Software Dependency Problem

Wednesday 23rd of January 2019 08:06:36 PM
Here is an extensive look at handling software dependencies from Russ Cox. "Dependency managers have scaled this open-source code reuse model down: now, developers can share code at the granularity of individual functions of tens of lines. This is a major technical accomplishment. There are myriad available packages, and writing code can involve such a large number of them, but the commercial, legal, and reputational support mechanisms for trusting the code have not carried over. We are trusting more code with less justification for doing so."

[$] A DNS flag day

Wednesday 23rd of January 2019 07:58:17 PM

A flag day for DNS is coming on February 1; it may have escaped notice even though it has been planned for nearly a year. Some DNS servers will simply be marked as "dead" by much of the rest of the internet on or after that day, which means that domain owners need to ensure their DNS records will still be available after that point. A longstanding workaround for non-compliant servers will be dropped—mostly for better performance but also in support of DNS extensions, some of which can help alleviate security problems.

[$] The RCU API, 2019 edition

Wednesday 23rd of January 2019 06:40:32 PM

Read-copy update (RCU) is a synchronization mechanism that was added to the Linux kernel in October 2002. RCU is most frequently described as a replacement for reader-writer locking, but has also been used in a number of other ways. RCU is notable in that readers do not directly synchronize with updaters, which makes RCU read paths extremely fast; that also permits RCU readers to accomplish useful work even when running concurrently with updaters. Although the basic idea behind RCU has not changed in decades following its introduction into DYNIX/ptx, the API has evolved significantly over the five years since the 2014 edition of the RCU API, to say nothing of the nine years since the 2010 edition of the RCU API.

Justicz: Remote Code Execution in apt/apt-get

Wednesday 23rd of January 2019 06:15:03 PM
Max Justicz describes a vulnerability in apt-get and how to prevent it. "I found a vulnerability in apt that allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code as root on a machine installing any package. The bug has been fixed in the latest versions of apt. If you’re worried about being exploited during the update process, you can protect yourself by disabling HTTP redirects while you update."

Wine 4.0 released

Wednesday 23rd of January 2019 06:06:41 PM
Version 4.0 of the Wine Windows compatibility layer is out. "This release represents a year of development effort and over 6,000 individual changes." New features include initial Direct3D 12 support, a Vulkan graphics driver, support for high-DPI displays (but only on Android) and more; see the release notes for details.

Stable kernel updates

Wednesday 23rd of January 2019 04:05:35 PM
Stable kernels 4.20.4, 4.19.17, 4.14.95, and 4.9.152 have been released. They all contain important fixes and users should upgrade.

Security updates for Wednesday

Wednesday 23rd of January 2019 03:59:55 PM
Security updates have been issued by Debian (libjpeg-turbo and systemd), Fedora (matrix-synapse, mingw-libjpeg-turbo, and mingw-libvorbis), Mageia (libcaca, libmp4v2, libxml2, pdns-recursor, perl-Email-Address, php-pear-HTML_QuickForm, podofo, and wavpack), openSUSE (webkit2gtk3), Red Hat (qemu-kvm-rhev), Scientific Linux (perl), Slackware (httpd), and Ubuntu (ntp).

Security updates for Tuesday

Tuesday 22nd of January 2019 03:57:55 PM
Security updates have been issued by Debian (apt and aria2), Fedora (kernel-headers, kernel-tools, and openssh), openSUSE (webkit2gtk3), Oracle (perl), Red Hat (perl), SUSE (freerdp, python-urllib3, systemd, and wireshark), and Ubuntu (apt, poppler, and tiff).

[$] Persistent memory for transient data

Monday 21st of January 2019 07:54:24 PM
Arguably, the most notable characteristic of persistent memory is that it is persistent: it retains its contents over power cycles. One other important aspect of these persistent-memory arrays that, we are told, will soon be everywhere, is their sheer size and low cost; persistent memory is a relatively inexpensive way to attach large amounts of memory to a system. Large, cheap memory arrays seem likely to be attractive to users who may not care about persistence and who can live with slower access speeds. Supporting such users is the objective of a pair of patch sets that have been circulating in recent months.

Kernel prepatch 5.0-rc3

Monday 21st of January 2019 06:54:28 PM
The 5.0-rc3 kernel prepatch has been released. "This rc is a bit bigger than usual. Partly because I missed a networking pull request for rc2, and as a result rc3 now contains _two_ networking pull updates. But part of it may also just be that it took a while for people to find and then fix bugs after the holiday season."

Security updates for Monday

Monday 21st of January 2019 03:54:22 PM
Security updates have been issued by Fedora (gitolite3, gvfs, php, radare2, and syslog-ng), Mageia (libssh, php, python-django16, and rdesktop), openSUSE (podofo), and SUSE (libraw, openssh, PackageKit, and wireshark).

[$] A proposed API for full-memory encryption

Friday 18th of January 2019 04:30:41 PM
Hardware memory encryption is, or will soon be, available on multiple generic CPUs. In its absence, data is stored — and passes between the memory chips and the processor — in the clear. Attackers may be able to access it by using hardware probes or by directly accessing the chips, which is especially problematic with persistent memory. One new memory-encryption offering is Intel's Multi-Key Total Memory Encryption (MKTME) [PDF]; AMD's equivalent is called Secure Encrypted Virtualization (SEV). The implementation of support for this feature is in progress for the Linux kernel. Recently, Alison Schofield proposed a user-space API for MKTME, provoking a long discussion on how memory encryption should be exposed to the user, if at all.

Security updates for Friday

Friday 18th of January 2019 03:55:44 PM
Security updates have been issued by Debian (drupal7), Fedora (electrum and perl-Email-Address), Mageia (gthumb), openSUSE (gitolite, kernel, krb5, libunwind, LibVNCServer, live555, mutt, wget, and zeromq), SUSE (krb5, mariadb, nodejs4, nodejs8, soundtouch, and zeromq), and Ubuntu (irssi).

[$] Defending against page-cache attacks

Thursday 17th of January 2019 05:04:41 PM
The kernel's page cache works to improve performance by minimizing disk I/O and increasing the sharing of physical memory. But, like other performance-enhancing techniques that involve resources shared across security boundaries, the page cache can be abused as a way to extract information that should be kept secret. A recent paper [PDF] by Daniel Gruss and colleagues showed how the page cache can be targeted for a number of different attacks, leading to an abrupt change in how the mincore() system call works at the end of the 5.0 merge window. But subsequent discussion has made it clear that mincore() is just the tip of the iceberg; it is unclear what will really need to be done to protect a system against page-cache attacks or what the performance cost might be.

Stable kernel updates

Thursday 17th of January 2019 04:09:02 PM
Stable kernels 4.20.3, 4.19.16, 4.14.94, 4.9.151, and 4.4.171 have been released. They all contain important fixes and users should upgrade.

Security updates for Thursday

Thursday 17th of January 2019 04:01:46 PM
Security updates have been issued by CentOS (libvncserver), Debian (sssd), Fedora (kernel and kernel-headers), Red Hat (ansible, openvswitch, pyOpenSSL, python-django, and redis), and Ubuntu (policykit-1).

[$] LWN.net Weekly Edition for January 17, 2019

Thursday 17th of January 2019 02:32:39 AM
The LWN.net Weekly Edition for January 17, 2019 is available.

[$] Adiantum: encryption for the low end

Wednesday 16th of January 2019 08:59:56 PM
Low-end devices bound for developing countries, such as those running the Android Go edition, lack encryption support because the hardware doesn't provide any cryptographic acceleration. That means users in developing countries have no protection for the data on their phones. Google would like to change that situation. The company worked on adding the Speck cipher to the kernel, but decided against using it because of opposition due to Speck's origins at the US National Security Agency (NSA). As a replacement, the Adiantum encryption mode was developed; it has been merged for Linux 5.0.

Security updates for Wednesday

Wednesday 16th of January 2019 03:55:54 PM
Security updates have been issued by Debian (systemd and wireshark), Fedora (openssh, php-horde-Horde-Form, and unrtf), Mageia (aria2, libvncserver, x11vnc, and nss), Oracle (kernel and libvncserver), Scientific Linux (libvncserver), SUSE (kernel, soundtouch, webkit2gtk3, and wget), and Ubuntu (libcaca and policykit-1).