LWN.net News from the source
The 4.13.7 stable kernel update has been released; it contains a fix for an unpleasant local vulnerability that affects only 4.13 kernels.
When a veteran kernel developer introduces a severe security hole into the kernel, it can be instructive to look at how the vulnerability came about. Among other things, it can point the finger at an API that lends itself toward the creation of such problems. And, as it turns out, the knowledge that the API is dangerous at the outset and marking it as such may not be enough to prevent problems.
Security updates have been issued by Arch Linux (botan, flyspray, go, go-pie, pcre2, thunderbird, and wireshark-cli), Fedora (chromium and mingw-poppler), Red Hat (Red Hat JBoss BPM Suite 6.4.6 and Red Hat JBoss BRMS 6.4.6), SUSE (git and kernel), and Ubuntu (libffi and xorg-server, xorg-server-hwe-16.04, xorg-server-lts-xenial).
Mozilla's manifesto commits the organization to a number of principles, including support for individual privacy and an individual's right to control how they experience the Internet. As a result, when Mozilla recently stated its intent to remove the "text only" option from its mailing lists — for the purpose of tracking whether recipients are reading its emails — the reaction was, to put it lightly, not entirely positive. The text-only option has been saved, but the motivation behind this change is indicative of the challenges facing independent senders of email.
Greg Kroah-Hartman has announced the release of the 4.13.6, 4.9.55, 4.4.92, and 3.18.75 stable kernels. As usual, they contain fixes throughout the tree, so users should upgrade.
Update: Kroah-Hartman released 4.9.56: "It fixes a networking bug in 4.9.55. Don't use 4.9.55, it's busted, sorry about that, I should have held off and gotten more testing on it, my fault :("
Security updates have been issued by CentOS (httpd and thunderbird), Debian (nss), Fedora (git), openSUSE (krb5, libvirt, samba, and thunderbird), Oracle (httpd and thunderbird), Red Hat (httpd, rh-mysql57-mysql, and thunderbird), Scientific Linux (httpd and thunderbird), and Ubuntu (ceph).
The LWN.net Weekly Edition for October 12, 2017 is available.
Inside this week's LWN.net Weekly Edition
Two separate talks, at two different venues, give us a look into the kinds of testing that the Intel graphics team is doing. Daniel Vetter had a short presentation as part of the Testing and Fuzzing microconference at the Linux Plumbers Conference (LPC). His colleague, Martin Peres, gave a somewhat longer talk, complete with demos, at the X.Org Developers Conference (XDC). The picture they paint is a pleasing one: there is lots of testing going on there. But there are problems as well; that amount of testing runs afoul of bugs elsewhere in the kernel, which makes the job harder.
Security updates have been issued by Arch Linux (lame, salt, and xorg-server), Debian (ffmpeg, imagemagick, libxfont, wordpress, and xen), Fedora (ImageMagick, rubygem-rmagick, and tor), Oracle (kernel), SUSE (kernel, SLES 12 Docker image, SLES 12-SP1 Docker image, and SLES 12-SP2 Docker image), and Ubuntu (curl, glance, horizon, kernel, keystone, libxfont, libxfont1, libxfont2, libxml2, linux, linux-aws, linux-gke, linux-kvm, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux-gcp, linux-hwe, linux-lts-xenial, nova, openvswitch, swift, and thunderbird).
KDE Plasma 5.11 has been released. "Plasma 5.11 brings a redesigned settings app, improved notifications, a more powerful task manager. Plasma 5.11 is the first release to contain the new “Vault”, a system to allow the user to encrypt and open sets of documents in a secure and user-friendly way, making Plasma an excellent choice for people dealing with private and confidential information."
While the 4.14 development cycle has not been the busiest ever (12,500 changesets merged as of this writing, slightly more than 4.13 at this stage of the cycle), it has been seen as a rougher experience than its predecessors. There are all kinds of reasons why one cycle might be smoother than another, but it is not unreasonable to wonder whether the fact that 4.14 is a long-term support (LTS) release has affected how this cycle has gone. Indeed, when he released 4.14-rc3, Linus Torvalds complained that this cycle was more painful than most, and suggested that the long-term support status may be a part of the problem. A couple of recent pulls into the mainline highlight the pressures that, increasingly, apply to LTS releases.
Purism has reached its crowdfunding goal to create the Librem 5, an encrypted, open smartphone ecosystem that gives users complete device control. "Reaching the $1.5 million milestone weeks ahead of schedule enables Purism to accelerate the production of the physical product. The company plans to move into hardware production as soon as possible to assemble a developer kit as well as initiate building the base software platform, which will be publicly available and open to the developer community." LWN looked at the privacy features planned for the phone in an article for this week's edition.
The GNU Privacy Guard (GnuPG) is one of the fundamental tools that allows a distributed group to have trust in its communications. Werner Koch, lead developer of GnuPG, spoke about it at Kernel Recipes: what's in the new 2.2 version, when older versions will reach their end of life, and how development will proceed going forward. He also spoke at some length on the issue of best-practice key management and how GnuPG is evolving to assist. Subscribers can click below for a report on the talk by guest author Tom Yates.
Security updates have been issued by Fedora (WebCalendar), openSUSE (mpg123 and openjpeg2), Red Hat (kernel), and SUSE (firefox, nss).
The kernel's timer interface has been around for a long time, and its API shows it. Beyond a lack of conformance with current in-kernel interface patterns, the timer API is not as efficient as it could be and stands in the way of ongoing kernel-hardening efforts. A late addition to the 4.14 kernel paves the way toward a wholesale change of this API to address these problems.
The next election for members of the Linux Foundation's Technical Advisory Board will be held on October 25 at the Kernel Summit in Prague. The call has gone out for candidates to fill the five available seats. "The Linux Foundation Technical Advisory Board (TAB) serves as the interface between the kernel development community and the Foundation. The TAB advises the Foundation on kernel-related matters, helps member companies learn to work with the community, and works to resolve community-related problems before they get out of hand. The board has ten members, one of whom sits on the LF board of directors."
Stable kernels 4.9.54, 4.4.91, and 3.18.74 have been released. They all contain important fixes and users should upgrade.
Security updates have been issued by CentOS (kernel and postgresql), Debian (botan1.10, curl, dnsmasq, libxfont, nautilus, qemu, qemu-kvm, sam2p, and tor), Fedora (dnsmasq, libmspack, and samba), Gentoo (file, icu, libpcre2, munin, ocaml, pacemaker, postgresql, rubygems, and sudo), Mageia (clamav, dnsmasq, flightgear, libidn, and x11-server), openSUSE (libvirt), Oracle (kernel), SUSE (portus), and Ubuntu (poppler).
The 4.14-rc4 kernel prepatch is out for testing. "So I do have some hope that things are approaching normal. I'd expect that to continue, and things start calming down."
The Debian 9.2 point release is available; it includes fixes for a long list of problems. "As a special case for this point release, those using the 'apt-get' tool to perform the upgrade will need to ensure that the 'dist-upgrade' command is used, in order to update to the latest kernel packages."
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds