LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.
By the end of the 4.13 merge window, 11,258 non-merge changesets had been pulled into the mainline repository — about 3,600 since the first half of this series was written. That is nowhere near the 12,920 changesets that landed during the 4.12 merge window, but it still makes for a typically busy development cycle. What follows is a summary of the more interesting changes found in those last 3,600+ changesets.
Security updates have been issued by Arch Linux (apache, evince, and mosquitto), Debian (apache2, evince, heimdal, and knot), Fedora (c-ares, cacti, evince, GraphicsMagick, httpd, jabberd, libgcrypt, openvas-cli, openvas-gsa, openvas-libraries, openvas-manager, openvas-scanner, poppler, qt5-qtwebengine, qt5-qtwebkit, spatialite-tools, and sqlite), openSUSE (gnutls, ncurses, qemu, and xorg-x11-server), Slackware (mariadb and samba), SUSE (cryptctl), and Ubuntu (heimdal and samba).
It has been nearly one month since the Stack Clash vulnerability was disclosed and some hardening measures were rushed into the 4.12 kernel release. Since then, a fair amount of work has gone into fixing problems caused by those measures and porting the result back to stable kernel releases. Now, it seems, the kernel developers are considering taking a different approach entirely.
Version 6 of the Mageia distribution is available. "Though Mageia 6’s development was much longer than anticipated, we took the time to polish it and ensure that it will be our greatest release so far." Highlights include KDE Plasma 5, the DNF package manager as an alternative to urpmi, and an experimental ARM port. Details can be found in the release notes.
The LWN.net Weekly Edition for July 13, 2017 is available.
Inside this week's LWN.net Weekly Edition
Linus has released 4.13-rc1 and closed the merge window for this cycle. "Once again, the diffstat is absolutely dominated by some AMD gpu header files, but if you ignore that, things look pretty regular, with about two thirds drivers and one third "rest" (architecture, core kernel, core networking, tooling)."
A less than two-month-old project for OpenBSD, kernel address space randomized link (KARL), has turned the kernel into an object that is randomized on every boot. Instead of the code being stored in the same location for every boot of a given kernel, each boot will be unique. Unlike Linux's kernel address space layout randomization (KASLR), which randomizes the base address for all of the kernel code on each boot, KARL individually randomizes the object files that get linked into the binary. That means that a single information leak of a function address from the kernel does not leak information about the location of all other functions.
The much anticipated release of Fedora 26 was made on July 11. As usual, it came with a wide array of updated packages, everything from the kernel through programming languages to desktops, but there are also internal tools and installation mechanisms that have changed as well. Beyond that, the new Python Classroom Lab is aimed at teachers and instructors to make it easier to get a full-featured Python (of various flavors and with lots of extras) in several different easily installable forms. Though it was delayed by more than a month from its original planned release date—something the project embraces at some level—Fedora 26 looks like it was worth waiting for.
The Drupal Association has issued a lengthy statement on why Larry Garfield has been removed from his management roles in the Drupal project. "Larry's subsequent blog posts harmed the community and had a material impact on the Drupal Association, including membership cancellations from those who believed we doxed, bullied, and discriminated against Larry as well as significant staff disruption. Due to the harm caused, the Drupal Association is removing Larry Garfield from leadership roles that we are responsible for, effective today." See this article for background information.
Validating user input is a long-established security best practice, but there can be differences of opinion about what should be done when that validation fails. A recently reported bug in systemd has fostered a discussion on that topic; along the way there has also been discussion about how much validation systemd should actually be doing and how much should be left up to the underlying distribution. The controversy all revolves around usernames that systemd does not accept, but that some distributions (and POSIX) find to be perfectly acceptable.
Security updates have been issued by Debian (bind9, heimdal, samba, and xorg-server), Fedora (cacti, evince, expat, globus-ftp-client, globus-gass-cache-program, globus-gass-copy, globus-gram-client, globus-gram-job-manager, globus-gram-job-manager-condor, globus-gridftp-server, globus-gssapi-gsi, globus-io, globus-net-manager, globus-xio, globus-xio-gsi-driver, globus-xio-pipe-driver, globus-xio-udt-driver, jabberd, myproxy, perl-DBD-MySQL, and php), openSUSE (libcares2), SUSE (xorg-x11-server), and Ubuntu (evince and nginx).
The Git source-code management system is widely known for its flexibility and for the distributed development model that it supports. Its reputation for ease of use is ... less well established. There should, thus, be an opening for front-end systems that can make Git easier to use. One of the most comprehensive Git front ends, Magit, works within the Emacs editor and has a wide following. But Magit has run into some turbulence within the Emacs development community that is blocking its wider distribution.
Security updates have been issued by Arch Linux (irssi), CentOS (httpd and kernel), Debian (nginx), Fedora (perl-DBD-MySQL and qt5-qtwebengine), Mageia (apache-mod_fcgid, cairo, jbig2dec, nodejs, and sudo), openSUSE (libreoffice, spice, and systemd), Red Hat (python-django-horizon), and SUSE (kernel and xorg-x11-server).
The 4.13 merge window is in progress, and, as usual, LWN is watching the commit stream. Click below (subscribers only) for the first report on what has been merged for the 4.13 release. It appears that this will be another busy development cycle.
There are many ways to attempt to subvert an operating-system kernel. One particularly effective way, if it can be arranged, is to attack the operations that copy data between user-space and kernel-space memory. If the kernel can be fooled into copying too much data back to user space, the result can be an information-disclosure vulnerability. Errors in the other direction can be even worse, overwriting kernel memory with attacker-controlled data. The kernel has gained some defenses against this sort of attack in recent development cycles, but there is more work yet to be merged.
Security updates have been issued by Arch Linux (flashplugin, lib32-flashplugin, lib32-gnutls, libdwarf, nginx, nginx-mainline, and tor), Debian (spice and undertow), Fedora (bind, bind-dyndb-ldap, chromium-native_client, dnsperf, expat, flatpak, GraphicsMagick, httpd, jetty, libdb, libsndfile, mingw-LibRaw, mosquitto, php-horde-Horde-Image, qt5-qtwebengine, xen, and yara), Oracle (httpd and kernel), Red Hat (flash-plugin, httpd, and kernel), Scientific Linux (httpd and kernel), and SUSE (spice).
The LWN.net Weekly Edition for July 6, 2017 is available.
Inside this week's LWN.net Weekly Edition
The Power Management and Energy-awareness microconference has been accepted for this year's Linux Plumber's Conference, which runs September 13-15 in Los Angeles, CA. "The agenda this year will focus on a range of topics including CPUfreq core improvements and schedutil governor extensions, how to best use scheduler signals to balance energy consumption and performance and user space interfaces to control capacity and utilization estimates. We'll also discuss selective throttling in thermally constrained systems, runtime PM for ACPI, CPU cluster idling and the possibility to implement resume from hibernation in a bootloader."
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds