
Welcome to LWN.net

LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.

[$] Compartmentalized computing with CLIP OS
[Distributions] Posted Oct 29, 2018 15:37 UTC (Mon) by corbet

People searching for a hardened Linux distribution have a wide range to choose from: they can use one of the security-focused offerings, or they can, with sufficient expertise, simply apply hardening patches and build everything to their taste. Such systems, of which Qubes OS is a good example, usually concentrate on the user's privacy. Recently, the French cybersecurity agency (ANSSI) released the source code for CLIP OS, its hardened operating system based on Linux. CLIP OS has been in development for more than ten years and, while sharing many elements with other hardened Linux distributions, this one is targeted to different needs: the focus is on providing maximum isolation between confidentiality levels and different users of the same system. As an illustration: the administrator is not able to access other users' data.

Full Story (comments: none)

Security updates for Monday
[Security] Posted Oct 29, 2018 14:53 UTC (Mon) by ris

Security updates have been issued by Arch Linux (xorg-server), Debian (graphicsmagick, libmspack, paramiko, ruby2.1, teeworlds, and tiff), Fedora (lldpad), Mageia (bitcoin, blueman, busybox, dhcp, exempi, firefox, kernel, kernel-linus, kernel-tmb, lilypond, ruby, and x11-server), openSUSE (audiofile, clamav, hostapd, ImageMagick, lcms2, libgit2, mercurial, net-snmp, and wpa_supplicant), SUSE (audiofile, binutils, kdelibs3, lcms2, mysql, openssh, and xen), and Ubuntu (mysql-5.5 and xorg-server, xorg-server-hwe-16.04).

Full Story (comments: none)

[$] The proper use of EXPORT_SYMBOL_GPL()
[Kernel] Posted Oct 27, 2018 13:17 UTC (Sat) by corbet

The kernel, in theory, puts strict limits on which functions and data structures are available to loadable kernel modules; only those that have been explicitly exported with EXPORT_SYMBOL() or EXPORT_SYMBOL_GPL() are accessible. In the case of EXPORT_SYMBOL_GPL(), only modules that declare a GPL-compatible license will be able to see the symbol. There have been questions about when EXPORT_SYMBOL_GPL() should be used for almost as long as it has existed. The latest attempt to answer those questions was a session run by Greg Kroah-Hartman at the 2018 Kernel Maintainers Summit; that session offered little in the way of general guidance, but it did address one specific case.

Full Story (comments: 2)

IBM acquiring Red Hat
[Briefs] Posted Oct 28, 2018 21:18 UTC (Sun) by corbet

Bloomberg is reporting that IBM has agreed to acquire Red Hat for over $33 billion. "International Business Machines Corp. will pay $190 a share in cash for Raleigh, North Carolina-based Red Hat, according to a statement from the companies Sunday, confirming an earlier Bloomberg News report. That’s a 63 percent premium over Red Hat’s closing price of $116.68 per share on Friday."

Comments (44 posted)

[$] Removing support for old hardware from the kernel
[Kernel] Posted Oct 27, 2018 13:14 UTC (Sat) by corbet

The kernel supports a wide range of hardware. Or, at least, the kernel contains drivers for a lot of hardware, but the hardware for which many of those drivers were written is old and, perhaps, no longer in actual use. Some of those drivers would certainly no longer work even if the hardware could be found. These drivers provide no value, but they are still an ongoing maintenance burden; it would be better to simply remove them from the kernel. But identifying which drivers can go is not as easy as one might think. Arnd Bergmann led an inconclusive session on this topic at the 2018 Kernel Maintainers Summit.

Full Story (comments: 29)

Security updates for Friday
[Security] Posted Oct 26, 2018 14:37 UTC (Fri) by ris

Security updates have been issued by Arch Linux (firefox), CentOS (firefox), Debian (389-ds-base, openjdk-8, thunderbird, and xorg-server), Fedora (firefox), openSUSE (GraphicsMagick, jhead, mysql-community-server, ntp, postgresql96, python-cryptography, rust, tomcat, webkit2gtk3, and zziplib), Scientific Linux (firefox), and SUSE (clamav, firefox, ImageMagick, libgit2, net-snmp, smt, wpa_supplicant, and xorg-x11-server).

Full Story (comments: none)

[$] 4.20/5.0 Merge window part 1
[Kernel] Posted Oct 26, 2018 18:50 UTC (Fri) by corbet

Linus Torvalds has returned as the keeper of the mainline kernel repository, and the merge window for the next release which, depending on his mood, could be called either 4.20 or 5.0, is well underway. As of this writing, 5,735 non-merge changesets have been pulled for this release; experience suggests that we are thus at roughly the halfway point.

Full Story (comments: 7)

An X.Org security advisory
[Security] Posted Oct 26, 2018 13:37 UTC (Fri) by corbet

It turns out that the X.org server, versions 1.19.0 and after, contains an easily exploitable privilege escalation vulnerability. Anybody who is running a system that has X installed setuid root, and which has untrusted users on it, will want to install the update. "X.Org recommends the use of a display manager to start X sessions, which does not require Xorg to be installed setuid."

Full Story (comments: 31)

[$] Improving the handling of embargoed hardware-security bugs
[Kernel] Posted Oct 25, 2018 17:27 UTC (Thu) by corbet

Jiri Kosina kicked off a session on hardware vulnerabilities at the 2018 Kernel Maintainers Summit by noting that there are few complaints about how the kernel community deals with security issues in general. That does not hold for Meltdown and Spectre which, he said, had been "completely mishandled". The subsequent handling of the L1TF vulnerability suggests that some lessons have been learned, but there is still plenty of room for improvement in how hardware vulnerabilities are handled in general.

Full Story (comments: 8)

Truta: Farewell, Glenn Randers-Pehrson
[Briefs] Posted Oct 25, 2018 16:05 UTC (Thu) by ris

Cosmin Truta reports the death of Glenn Randers-Pehrson. "Glenn is one of the original designers of the PNG format, and a co-founder of the PNG Development Group, back in the mid-90's. He took good care of the PNG Specification, as a contributing author for PNG version 1.0, and as the main editor for all of the subsequent editions through PNG 1.1 and 1.2, until the current W3C/ISO/IEC standard PNG Specification, Second Edition. In addition, all of the related Specifications, i.e., the registered PNG extensions, and the companion MNG Specification version 1.0 and JNG Specification version 1.0, had Glenn at the front as the main editor and moderator-in-chief." (Thanks to Paul Wise)

Comments (3 posted)

[$] LWN.net Weekly Edition for October 25, 2018
Posted Oct 25, 2018 0:22 UTC (Thu)

The LWN.net Weekly Edition for October 25, 2018 is available.

Inside this week's LWN.net Weekly Edition

  • Front: Python community governance; Making the GPL more scary; Kernel code of conduct; Stable kernel releases; Deprecated APIs.
  • Briefs: Linux 4.19; Kernel CoC changes; TAB elections; Ubuntu 18.10; cairo 1.16; OpenSSH 7.9; PostgreSQL 11; Quotes; ...
  • Announcements: Newsletters; events; security updates; kernel patches; ...

Security updates for Thursday
[Security] Posted Oct 25, 2018 15:06 UTC (Thu) by ris

Security updates have been issued by Debian (389-ds-base, clamav, firefox-esr, and mosquitto), openSUSE (Chromium and firefox), Oracle (firefox and kernel), Red Hat (chromium-browser, firefox, java-1.6.0-sun, java-1.7.0-oracle, and java-1.8.0-oracle), SUSE (dom4j, exempi, mercurial, ntp, python-cryptography, tiff, tomcat, and webkit2gtk3), and Ubuntu (audiofile and firefox).

Full Story (comments: none)

[$] Picking a governance model for Python
[Development] Posted Oct 24, 2018 18:19 UTC (Wed) by jake

The Python language project has been officially "leaderless" since the mid-July announcement that Guido van Rossum was stepping down. He is, of course, the founder of the language and had served for more than two decades as its Benevolent Dictator for Life (BDFL). But he did not appoint a successor and left it up to the project's core developers to come up with a new governance structure. In the three months since, a great deal of work has gone into that effort, which has to bootstrap itself since there was not even any mechanism to choose how to select a new governance model.

Full Story (comments: 1)

Security updates for Wednesday
[Security] Posted Oct 24, 2018 14:41 UTC (Wed) by ris

Security updates have been issued by Fedora (hesiod, lighttpd, and opencc), openSUSE (apache-pdfbox, net-snmp, pam_pkcs11, rpm, tiff, udisks2, and wireshark), SUSE (dhcp, ghostscript-library, ImageMagick, libraw, net-snmp, ntp, postgresql96, rust, tiff, xen, and zziplib), and Ubuntu (mysql-5.5, mysql-5.7).

Full Story (comments: none)

[$] Replacement of deprecated kernel APIs
[Kernel] Posted Oct 24, 2018 17:22 UTC (Wed) by corbet

The kernel community tries to never change the user-space API in ways that will break applications, but it explicitly allows any internal API to be changed at any time if a solid technical reason to do so exists. But that doesn't mean that such changes are easy to do. At the 2018 Kernel Maintainers Summit, Kees Cook led a discussion on the challenges he has encountered when trying to effect large-scale API changes and what might be done to make such changes go more smoothly.

Full Story (comments: 1)

Firefox 63 blocks tracking cookies, offers a VPN when you need one (Ars Technica)
[Development] Posted Oct 23, 2018 18:26 UTC (Tue) by ris

Ars Technica takes a look at the Enhanced Tracking Protection (ETP) feature in Firefox 63. "Firefox has long had the ability to block all third-party cookies, but this is a crude solution, and many sites will break if all third-party cookies are prohibited. The new EPT option works as a more selective block on tracking cookies; third-party cookies still work in general, but those that are known to belong to tracking companies are blocked. For the most part, sites will retain their full functionality, just without undermining privacy at the same time. At least for now, however, Mozilla is defaulting this feature to off, so the company can get a better idea of the impact it has on the Web. In testing, the company has found the occasional site that breaks when tracking cookies are blocked. Over the next few months, Firefox developers will get a better picture of just how much breaks, and, if it's not too severe, the plan is to block trackers by default starting in early 2019." The article also mentions a second privacy-related feature: the offer of a subscription to the ProtonVPN service.

The Firefox 63 release notes contain other details.

Comments (18 posted)

[$] Making stable kernels more stable
[Kernel] Posted Oct 24, 2018 0:37 UTC (Wed) by corbet

Improving the quality of stable kernel releases is a perennial subject at the Kernel and Maintainers Summit events, and this year was no exception. This session, led by Fedora kernel maintainer Laura Abbott, discussed a range of ideas but found no silver bullets. There is, it seems, not much that can be done to create better stable kernels except to perform more and better testing.

Full Story (comments: 18)

Security updates for Tuesday
[Security] Posted Oct 23, 2018 15:09 UTC (Tue) by ris

Security updates have been issued by CentOS (java-1.8.0-openjdk), Fedora (mosquitto), openSUSE (binutils, clamav, exiv2, fuse, haproxy, singularity, and zziplib), Slackware (firefox), SUSE (apache-pdfbox, net-snmp, pam_pkcs11, postgresql94, rpm, tiff, and wireshark), and Ubuntu (kernel, libssh, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-azure, linux-lts-trusty, linux-lts-xenial, linux-aws, net-snmp, paramiko, requests, and texlive-bin).

Full Story (comments: none)

[$] The code of conduct at the Maintainers Summit
[Kernel] Posted Oct 23, 2018 7:57 UTC (Tue) by corbet

The 2018 Kernel Maintainers Summit convened in Edinburgh, UK on October 22 with a number of things to discuss, but the top subject on most minds was the recently (and hastily) adopted code of conduct. Linus Torvalds made his reentry into the kernel community with a discussion of how we got to the current state of affairs, and the assembled maintainers had a relatively good-natured discussion on how this situation came about and where things can be expected to go from here.

Full Story (comments: 27)

Linux Foundation Technical Advisory Board election call for nominations
[Kernel] Posted Oct 23, 2018 10:22 UTC (Tue) by corbet

The Linux Foundation's Technical Advisory Board is chosen by a vote at the Kernel Summit each year; this year, that will happen during the Linux Plumbers Conference in November. The call for nominations to the board has gone out; it remains open until the voting happens. "The TAB advises the Foundation on kernel-related matters, helps member companies learn to work with the community, and works to resolve community-related problems before they get out of hand. We're also working with kernel maintainers to help refine the new code of conduct, and serving as the initial point of contact for code of conduct issues."

Full Story (comments: 1)



Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds