Language Selection

English French German Italian Portuguese Spanish

LWN

Syndicate content
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 10 min 40 sec ago

Security updates for Tuesday

3 hours 10 min ago
Security updates have been issued by Debian (apt and aria2), Fedora (kernel-headers, kernel-tools, and openssh), openSUSE (webkit2gtk3), Oracle (perl), Red Hat (perl), SUSE (freerdp, python-urllib3, systemd, and wireshark), and Ubuntu (apt, poppler, and tiff).

[$] Persistent memory for transient data

Monday 21st of January 2019 07:54:24 PM
Arguably, the most notable characteristic of persistent memory is that it is persistent: it retains its contents over power cycles. One other important aspect of these persistent-memory arrays that, we are told, will soon be everywhere, is their sheer size and low cost; persistent memory is a relatively inexpensive way to attach large amounts of memory to a system. Large, cheap memory arrays seem likely to be attractive to users who may not care about persistence and who can live with slower access speeds. Supporting such users is the objective of a pair of patch sets that have been circulating in recent months.

Kernel prepatch 5.0-rc3

Monday 21st of January 2019 06:54:28 PM
The 5.0-rc3 kernel prepatch has been released. "This rc is a bit bigger than usual. Partly because I missed a networking pull request for rc2, and as a result rc3 now contains _two_ networking pull updates. But part of it may also just be that it took a while for people to find and then fix bugs after the holiday season."

Security updates for Monday

Monday 21st of January 2019 03:54:22 PM
Security updates have been issued by Fedora (gitolite3, gvfs, php, radare2, and syslog-ng), Mageia (libssh, php, python-django16, and rdesktop), openSUSE (podofo), and SUSE (libraw, openssh, PackageKit, and wireshark).

[$] A proposed API for full-memory encryption

Friday 18th of January 2019 04:30:41 PM
Hardware memory encryption is, or will soon be, available on multiple generic CPUs. In its absence, data is stored — and passes between the memory chips and the processor — in the clear. Attackers may be able to access it by using hardware probes or by directly accessing the chips, which is especially problematic with persistent memory. One new memory-encryption offering is Intel's Multi-Key Total Memory Encryption (MKTME) [PDF]; AMD's equivalent is called Secure Encrypted Virtualization (SEV). The implementation of support for this feature is in progress for the Linux kernel. Recently, Alison Schofield proposed a user-space API for MKTME, provoking a long discussion on how memory encryption should be exposed to the user, if at all.

Security updates for Friday

Friday 18th of January 2019 03:55:44 PM
Security updates have been issued by Debian (drupal7), Fedora (electrum and perl-Email-Address), Mageia (gthumb), openSUSE (gitolite, kernel, krb5, libunwind, LibVNCServer, live555, mutt, wget, and zeromq), SUSE (krb5, mariadb, nodejs4, nodejs8, soundtouch, and zeromq), and Ubuntu (irssi).

[$] Defending against page-cache attacks

Thursday 17th of January 2019 05:04:41 PM
The kernel's page cache works to improve performance by minimizing disk I/O and increasing the sharing of physical memory. But, like other performance-enhancing techniques that involve resources shared across security boundaries, the page cache can be abused as a way to extract information that should be kept secret. A recent paper [PDF] by Daniel Gruss and colleagues showed how the page cache can be targeted for a number of different attacks, leading to an abrupt change in how the mincore() system call works at the end of the 5.0 merge window. But subsequent discussion has made it clear that mincore() is just the tip of the iceberg; it is unclear what will really need to be done to protect a system against page-cache attacks or what the performance cost might be.

Stable kernel updates

Thursday 17th of January 2019 04:09:02 PM
Stable kernels 4.20.3, 4.19.16, 4.14.94, 4.9.151, and 4.4.171 have been released. They all contain important fixes and users should upgrade.

Security updates for Thursday

Thursday 17th of January 2019 04:01:46 PM
Security updates have been issued by CentOS (libvncserver), Debian (sssd), Fedora (kernel and kernel-headers), Red Hat (ansible, openvswitch, pyOpenSSL, python-django, and redis), and Ubuntu (policykit-1).

[$] LWN.net Weekly Edition for January 17, 2019

Thursday 17th of January 2019 02:32:39 AM
The LWN.net Weekly Edition for January 17, 2019 is available.

[$] Adiantum: encryption for the low end

Wednesday 16th of January 2019 08:59:56 PM
Low-end devices bound for developing countries, such as those running the Android Go edition, lack encryption support because the hardware doesn't provide any cryptographic acceleration. That means users in developing countries have no protection for the data on their phones. Google would like to change that situation. The company worked on adding the Speck cipher to the kernel, but decided against using it because of opposition due to Speck's origins at the US National Security Agency (NSA). As a replacement, the Adiantum encryption mode was developed; it has been merged for Linux 5.0.

Security updates for Wednesday

Wednesday 16th of January 2019 03:55:54 PM
Security updates have been issued by Debian (systemd and wireshark), Fedora (openssh, php-horde-Horde-Form, and unrtf), Mageia (aria2, libvncserver, x11vnc, and nss), Oracle (kernel and libvncserver), Scientific Linux (libvncserver), SUSE (kernel, soundtouch, webkit2gtk3, and wget), and Ubuntu (libcaca and policykit-1).

[$] Ringing in a new asynchronous I/O API

Tuesday 15th of January 2019 11:09:37 PM
While the kernel has had support for asynchronous I/O (AIO) since the 2.5 development cycle, it has also had people complaining about AIO for about that long. The current interface is seen as difficult to use and inefficient; additionally, some types of I/O are better supported than others. That situation may be about to change with the introduction of a proposed new interface from Jens Axboe called "io_uring". As might be expected from the name, io_uring introduces just what the kernel needed more than anything else: yet another ring buffer.

Google Summer of Code mentor projects sought

Tuesday 15th of January 2019 11:07:32 PM
It is that time of year again: Google is looking for mentor projects for the 2019 Summer of Code. "GSoC is a global program that draws university student developers from around the world to contribute to open source. Each student spends three months working on a coding project, with the support of volunteer mentors, for participating open source organizations from late May to August. Last year 1,264 students worked with 206 open source organizations." The application deadline is February 6.

[$] Fedora, UUIDs, and user tracking

Tuesday 15th of January 2019 05:23:38 PM

"User tracking" is generally contentious in free-software communities—even if the "tracking" is not really intended to do so. It is often distributions that have the most interest in counting their users, but Linux users tend to be more privacy conscious than users of more mainstream desktop operating systems. The Fedora project recently discussed how to count its users and ways to preserve their privacy while doing so.

Security updates for Tuesday

Tuesday 15th of January 2019 04:17:50 PM
Security updates have been issued by Arch Linux (irssi and systemd), CentOS (systemd), Debian (xen and zeromq3), Fedora (gnutls, kernel, kernel-headers, kernel-tools, and nbdkit), Oracle (libvncserver and systemd), Red Hat (libvncserver), and Ubuntu (haproxy, libarchive, and php-pear).

An ancient OpenSSH vulnerability

Tuesday 15th of January 2019 03:35:31 PM
An advisory from Harry Sintonen describes several vulnerabilities in the scp clients shipped with OpenSSH, PuTTY, and others. "Many scp clients fail to verify if the objects returned by the scp server match those it asked for. This issue dates back to 1983 and rcp, on which scp is based. A separate flaw in the client allows the target directory attributes to be changed arbitrarily. Finally, two vulnerabilities in clients may allow server to spoof the client output." The outcome is that a hostile (or compromised) server can overwrite arbitrary files on the client side. There do not yet appear to be patches available to address these problems.

Security updates for Monday

Monday 14th of January 2019 04:43:24 PM
Security updates have been issued by Arch Linux (python-django and python2-django), Debian (sqlite3, systemd, and vlc), Fedora (mingw-nettle and polkit), Mageia (graphicsmagick, python-django, spice-vdagent, and to), openSUSE (aria2, discount, gpg2, GraphicsMagick, gthumb, haproxy, irssi, java-1_7_0-openjdk, java-1_8_0-openjdk, libgit2, LibVNCServer, and sssd), Red Hat (systemd), Scientific Linux (systemd), Slackware (irssi and zsh), SUSE (LibVNCServer and sssd), and Ubuntu (gnome-bluetooth and systemd).

Kernel prepatch 5.0-rc2

Monday 14th of January 2019 12:00:21 AM
The second 5.0 prepatch is out for testing. "So the merge window had somewhat unusual timing with the holidays, and I was afraid that would affect stragglers in rc2, but honestly, that doesn't seem to have happened much. rc2 looks pretty normal."

Neary: How Should I Run My Community Elections?

Tuesday 8th of January 2019 12:50:10 AM
On the Red Hat community blog, Dave Neary writes about community governance and, in particular, how to choose who gets a vote, who can run, and how to decide a winner when electing a leader or council. He summarizes a number of different options that he has encountered with an eye toward avoiding the deep rat-hole conversations that picking a way to run elections can engender. "Defining the activity metric and minimum bar for what qualifies as participation can become contentious, mainly because where you draw the line will be arbitrary, and will omit people who you want to include, or include people who you want to omit. For example, if you set the bar at the minimum contribution level of one commit to the project, you omit all whose contributions are significant but not code related. The typical fear is ballot stuffing or cohort effects — where large companies will dominate the representative bodies by having a large voting bloc, or where friends of candidates (or people with a certain agenda) will pass the low bar to become voters just to vote for their candidate."