Welcome to LWN.net [LWN.net] (2024)

[$] LWN.net Weekly Edition for June 13, 2024

Posted Jun 13, 2024 1:26 UTC (Thu)

The LWN.net Weekly Edition for June 13, 2024 is available.

Inside this week's LWN.net Weekly Edition

  • Front: Life after CentOS 7; Ladybird; Generic ring buffer; P4TC; Memory sealing in glibc; LSFMM+BPF coverage.
  • Briefs: nftables exploit; sched_ext; OpenSUSE Leap 15.6; PSF election; perl v5.40.0; systemd 256; Firefox 127.0; Quotes; ...
  • Announcements: Newsletters, conferences, security updates, patches, and more.


Cockpit project releases Cockpit Files plugin

[Development] Posted Jun 12, 2024 17:17 UTC (Wed) by jzb

The Cockpit project has announced the first release of Cockpit Files, a plugin for Cockpit that allows file management on your server via a web browser:

Cockpit Files was initially started by Google Summer of Code (GSoC) student Mahmoud Hamdy and is now under active development by the Cockpit team. The goal is to replace the functionality of the cockpit-navigator plugin from 45Drives and include automated testing per commit, a standard PatternFly-based interface, and consistency with the rest of Cockpit.

Development builds for Fedora are available via a Copr repository, and packages are expected for Arch, Debian, and Fedora. LWN covered the Cockpit project in March.

Comments (none posted)

[$] Elevating CentOS 7 to a new life

[Distributions] Posted Jun 12, 2024 15:54 UTC (Wed) by jzb

CentOS Linux 7 was first released in July 2014, and is due to go end-of-life (EOL) on June 30. By now, anyone who pays attention to such things is aware that Red Hat pulled the plug on CentOS Linux in late 2020, to be replaced by CentOS Stream instead. CentOS Linux 8 support was wound down at the end of 2021 rather than in 2029 as originally stated. CentOS Linux 7 was allowed to serve out its full lifespan—but that EOL is approaching rapidly and there's no direct upgrade path. Users and organizations looking for a lifeline might want to consider AlmaLinux's ELevate utility, which allows CentOS users to migrate to alternate enterprise Linux (EL) operating systems.

Full Story (comments: 1)

Nominations are open for the PSF Board election

[Development] Posted Jun 12, 2024 14:48 UTC (Wed) by jzb

The Python Software Foundation (PSF) has announced that nominations are open for the PSF Board election through June 25:

Who runs for the board? People who care about the Python community, who want to see it flourish and grow, and also have a few hours a month to attend regular meetings, serve on committees, participate in conversations, and promote the Python community.

The PSF has a video about serving on the board for those who might be interested. PSF members can nominate themselves or another member. Candidates will be announced on June 27. Voting begins on July 2 and will end on July 16.

Comments (none posted)

[$] Memory sealing for the GNU C Library

[Security] Posted Jun 12, 2024 13:49 UTC (Wed) by corbet

The mseal() system call allows a process to prevent any future changes to portions of its address space (thus "sealing" them); it was patterned after the mimmutable() system call in OpenBSD. mseal() generated a lot of discussion, but it was finally merged for the upcoming 6.10 kernel release. While mseal() was initially aimed at securing the Chrome browser, the hope was that it would be useful elsewhere; as a step toward realizing that hope, Adhemerval Zanella has posted a patch series adding support for — and use of — mseal() to the GNU C library (glibc).

Full Story (comments: 5)

systemd 256 released

[Development] Posted Jun 12, 2024 13:35 UTC (Wed) by corbet

Systemd 256 has been released. As usual, the list of changes is long; see this article for an overview, or the announcement for all the details.

Full Story (comments: 6)

Three mid-week stable kernel updates

[Kernel] Posted Jun 12, 2024 13:04 UTC (Wed) by jzb

Greg Kroah-Hartman has announced another round of stable kernel updates: 6.9.4, 6.6.33, and 6.1.93 have been released. Each contains another set of important fixes; users of these kernels are advised to upgrade right away.

Comments (1 posted)

OpenSUSE Leap 15.6 released

[Distributions] Posted Jun 12, 2024 12:57 UTC (Wed) by corbet

The openSUSE Leap 15.6 release is available; this is intended to be the last Leap 15.x release before Leap 16 comes out. "Leap 15.6 is projected to receive maintenance and security updates until the end of 2025 to ensure sufficient overlap with the next release". Changes include the addition of the Cockpit server-management tool, a 6.4 kernel, GNOME 45, and many other upgrades. This release also removes a long list of unmaintained Python packages. See the release notes for details.

Comments (none posted)

Security updates for Wednesday

[Security] Posted Jun 12, 2024 12:48 UTC (Wed) by jzb

Security updates have been issued by AlmaLinux (booth), Debian (cyrus-imapd and vlc), Fedora (firefox, libarchive, php, and singularity-ce), Oracle (ipa and ruby:3.3), Red Hat (389-ds-base, buildah, c-ares, cockpit, containernetworking-plugins, fence-agents, gdk-pixbuf2, gvisor-tap-vsock, kernel, kernel-rt, kpatch-patch, libreoffice, podman, protobuf-c, python-idna, rpm-ostree, ruby, and tomcat), Slackware (cups and mozilla), SUSE (bind, cups, iperf, kernel, nano, and poppler), and Ubuntu (libapache-mod-jk, linux-aws, linux-aws-5.15, linux-aws, linux-oracle, linux-intel-iotg-5.15, linux-nvidia, and mysql-8.0).

Full Story (comments: none)

Extensible scheduler class to be merged for 6.11

[Kernel] Posted Jun 11, 2024 21:49 UTC (Tue) by corbet

The extensible scheduler class ("sched_ext") framework allows the writing of CPU schedulers as a set of BPF programs. It has been somewhat controversial, and its merging into the kernel has been blocked despite a clear level of interest from users. Linus Torvalds has now let it be known that he has made a decision and, overriding the scheduler maintainer, will merge sched_ext for the 6.11 release.

I honestly see no reason to delay this any more. This whole patchset was the major (private) discussion at last year's kernel maintainer summit, and I don't find any value in having the same discussion (whether off-list or as an actual event) at the upcoming maintainer summit one year later, so to make any kind of sane progress, my current plan is to merge this for 6.11.

Comments (10 posted)

[$] Securing BPF programs before and after verification

[Kernel] Posted Jun 11, 2024 18:39 UTC (Tue) by daroc

BPF is in a unique position in terms of security. It runs in a privileged context, within the kernel, and can have access to many sensitive details of the kernel's operation. At the same time, unlike kernel modules, BPF programs aren't signed. Additionally, the mechanisms behind BPF present challenges to implementing signing or other security features. Three nearly back-to-back sessions at the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit addressed some of the potential security problems.

Full Story (comments: 9)

Firefox 127.0 released

[Development] Posted Jun 11, 2024 16:07 UTC (Tue) by corbet

Version 127.0 of the Firefox browser is out. Changes include support for DNS prefetching and the ability to close duplicate tabs in a window. The browser will now try to upgrade images and videos with HTTP URLs that are found in an HTTPS page to HTTPS as well; if that fails, the non-HTTPS resources will simply fail to load.

Update: this Mozilla Security Blog post describes the HTTPS-related changes in detail.

Comments (22 posted)

[$] Dropping the page cache for filesystems

[Kernel] Posted Jun 11, 2024 14:28 UTC (Tue) by jake

VFS maintainer Christian Brauner led a discussion about the possibility of selectively dropping the contents of the page cache for a filesystem in a session at the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit. As he described in his topic proposal, the use case that started him down this path comes from GNOME, which wants to be able to safely suspend access to an encrypted home directory. While it is known to kernel developers, it is surprising to others that reads from encrypted filesystems that have been suspended will succeed if the data to be read still exists in the page cache.

Full Story (comments: 21)

Security updates for Tuesday

[Security] Posted Jun 11, 2024 13:11 UTC (Tue) by corbet

Security updates have been issued by AlmaLinux (ruby:3.3), Fedora (efifs, libvirt, podman-tui, prometheus-podman-exporter, and strongswan), Red Hat (firefox, idm:DL1, ipa, nghttp2, and thunderbird), SUSE (aws-nitro-enclaves-cli, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer, frr, glibc, go1.21, go1.22, gstreamer-plugins-base, kernel, kernel-firmware-nvidia-gspx-G06, nvidia-open-driver-G06-signed, libxml2, mariadb, poppler, python-Brotli, python-docker, python-idna, rmt-server, skopeo, sssd, unbound, unrar, util-linux, and webkit2gtk3), and Ubuntu (giflib, libphp-adodb, linux-gkeop, linux-gkeop-5.15, linux-kvm, linux-laptop, linux-oem-6.8, nodejs, and tiff).

Full Story (comments: none)

[$] P4TC hits a brick wall

[Kernel] Posted Jun 10, 2024 15:11 UTC (Mon) by corbet

P4, short for "Programming Protocol-independent Packet Processors", is a programming language aimed at networking devices; it is useful for the configuration of firewalls and complicated routing architectures. Since a lot of advanced networking is done with Linux systems, it stands to reason that there would be value in supporting P4 and, indeed, an implementation of P4 in the kernel's traffic-control subsystem was first posted by Jamal Hadi Salim at the beginning of 2023. After nearly 18 months, though, this feature has not been merged, and the chances of that happening would appear to be getting worse.

Full Story (comments: 44)

perl v5.40.0 released

[Development] Posted Jun 10, 2024 15:08 UTC (Mon) by corbet

Version 5.40.0 of the Perl language has been released. "Perl 5.40.0 represents approximately 11 months of development since Perl 5.38.0 and contains approximately 160,000 lines of changes across 1,500 files from 75 authors". Significant changes include a new __CLASS__ keyword, a :reader attribute for field variables, a new "^^" logical-XOR operator (because two of those were not enough), moving "try/catch" out of the experimental category, and more; see this page for lots of details.

Full Story (comments: 21)

Security updates for Monday

[Security] Posted Jun 10, 2024 14:45 UTC (Mon) by jake

Security updates have been issued by Fedora (galera and mariadb10.11), Mageia (0-plugins-base and plasma-workspace), Oracle (ruby:3.1 and ruby:3.3), Red Hat (bind, bind-dyndb-ldap, and dhcp), SUSE (apache2, glib2, libvirt, openssl-1_1, openssl-3, opera, python-Jinja2, python-requests, and squid), and Ubuntu (linux, linux-gcp, linux-gcp-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-xilinx-zynqmp, linux, linux-gcp, linux-gcp-6.5, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-raspi, linux, linux-ibm, linux-lowlatency, linux-raspi, linux-aws, linux-gcp, linux-azure, linux-azure-6.5, linux-starfive, linux-starfive-6.5, and linux-gke, linux-ibm, linux-intel-iotg, linux-oracle).

Full Story (comments: none)

Kernel prepatch 6.10-rc3

[Kernel] Posted Jun 10, 2024 3:04 UTC (Mon) by corbet

The 6.10-rc3 kernel prepatch is out. "So things look good, the water is warm, please jump right in and keep testing."

Comments (none posted)

[$] Ladybird browser spreads its wings

[Development] Posted Jun 7, 2024 18:27 UTC (Fri) by jzb

Ladybird is an open-source project aimed at building an independent web browser, rather than yet another browser based on Chrome. It is written in C++ and licensed under a two-clause BSD license. The effort began as part of the SerenityOS project, but developer Andreas Kling announced on June 3 that he was "forking" Ladybird as a separate project and stepping away from SerenityOS to focus his attention on the browser completely. Ladybird is not ready to replace Firefox or Chrome for regular use, but it is showing great promise.

Full Story (comments: 37)

Linux nftables vulnerability exploited in the wild (CrowdStrike)

[Security] Posted Jun 7, 2024 17:27 UTC (Fri) by daroc

According to CrowdStrike, a vulnerability in the Linux kernel's nftables code that was discovered earlier this year is being actively exploited in the wild. The vulnerability allows for local privilege escalation. Most distributions have already released a fix.

As noted by the exploit developer, leveraging this POC is dependent on the kernel's unprivileged user namespaces feature accessing nf_tables. This access is enabled by default on Debian, Ubuntu and kernel capture-the-flag (CTF) distributions. An attacker can then trigger the double-free vulnerability, scan the physical memory for the kernel base address, bypass kernel address-space layout randomization (KASLR) and access the modprobe_path kernel variable with read/write privileges. After overwriting the modprobe_path, the exploit drops a root shell.

Comments (4 posted)
