
Brief items

Security

Security quote of the week

It's a weird piece of malware. That level of persistence speaks to a nation-state actor. The continuous evolution of the malware implies an organized actor. But sending unwanted ads is far too noisy for any serious use. And the infection mechanism is pretty random. I just don't know.
Bruce Schneier is puzzled by the xHelper Android malware


Kernel development

Kernel release status

The current development kernel is 5.4-rc7, released on November 10. Linus said: "Nothing looks _bad_, but there is too much of it. So I'm leaning towards an rc8 being likely next weekend due to that, but I won't make a final decision yet. We'll see."

Stable updates: 5.3.10, 4.19.83, 4.14.153, 4.9.200, and 4.4.200 were released on November 10, followed by 5.3.11, 4.19.84, 4.14.154, 4.9.201, and 4.4.201 on November 12. The second includes the mitigations for the latest round of Intel hardware vulnerabilities.


This week's hardware vulnerabilities

A set of patches has just been pushed into the mainline repository (and stable updates) for yet another set of hardware vulnerabilities. "TSX async abort" (or TAA) exposes information through the usual side channels by way of internal buffers used with the transactional memory (TSX) instructions. Mitigation is done by disabling TSX or by clearing the relevant buffers when switching between kernel and user mode. Given that this is not the first problem with TSX, disabling it entirely is recommended; a microcode update may be needed to do so, though. This commit contains documentation on this vulnerability and its mitigation.

There are also fixes for another vulnerability: it seems that accessing a memory address immediately after the size of the page containing it was changed (from a regular to a huge page, for example) can cause the processor to lock up. This behavior is considered undesirable by many. The vulnerability only exists for pages marked as executable; the mitigation is to force all executable pages to be the regular, 4K page size.
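
To confirm that a host actually picked up both mitigations, the status the kernel reports can be checked from a script. The following is an added example, not code from LWN or the kernel project; it assumes the kernel's sysfs status files tsx_async_abort and itlb_multihit (names not given above), and the status strings in the demo are constructed samples.

```sh
#!/bin/sh
# Added example: classify the kernel-reported status of the TAA and
# huge-page (iTLB multihit) issues. File names below are an assumption
# about the running kernel; they are not named in the article.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status STRING -> not-affected | partial | vulnerable | mitigated | unknown
classify_status() {
    case "$1" in
        "Not affected"*)    echo not-affected ;;
        *"no microcode"*)   echo partial ;;     # buffer clearing attempted without microcode
        *"SMT vulnerable"*) echo partial ;;     # mitigated, but sibling threads still exposed
        *Vulnerable*)       echo vulnerable ;;
        *Mitigation*)       echo mitigated ;;
        *)                  echo unknown ;;
    esac
}

# check_vuln NAME [DIR]: a missing file means the kernel predates the fix.
check_vuln() {
    dir=${2:-$VULN_DIR_DEFAULT}
    f="$dir/$1"
    if [ ! -r "$f" ]; then
        echo unreported
        return 0
    fi
    IFS= read -r status < "$f" || true   # tolerate a missing trailing newline
    classify_status "$status"
}

# audit [DIR]: returns 0 only if both issues are mitigated or not applicable.
audit() {
    rc=0
    for name in tsx_async_abort itlb_multihit; do
        result=$(check_vuln "$name" "$1")
        printf '%-16s %s\n' "$name" "$result"
        case "$result" in
            mitigated|not-affected) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Demo on constructed status files (not output captured from a real host).
demo=$(mktemp -d)
echo 'Mitigation: TSX disabled' > "$demo/tsx_async_abort"
echo 'KVM: Vulnerable' > "$demo/itlb_multihit"
audit "$demo" || echo "action needed: update kernel and microcode"
rm -rf "$demo"
```

Calling audit with no argument reads the live system's files instead of the constructed ones.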


Distributions

openSUSE votes not to change its name

The openSUSE project has been considering a name change as part of its move into a separate foundation since (at least) June. A long and somewhat controversial vote of project members has just come to an end, and the result is conclusive: 225-42 against the name change.


Development

Announcing the Bytecode Alliance

The Bytecode Alliance is an industry partnership with the aim of forging WebAssembly’s outside-the-browser future by collaborating on implementing standards and proposing new ones. The newly formed alliance has "a vision of a WebAssembly ecosystem that is secure by default, fixing cracks in today’s software foundations". The alliance is currently working on a standalone WebAssembly runtime, two use-case specific runtimes, runtime components, and language tooling.


Rust 1.39.0 released

Version 1.39.0 of the Rust language is available. The biggest new feature appears to be the async/await mechanism, which is described in this blog post: "So, what is async await? Async-await is a way to write functions that can 'pause', return control to the runtime, and then pick up from where they left off. Typically those pauses are to wait for I/O, but there can be any number of uses."


Miscellaneous

FSF: New Respects Your Freedom website

The Free Software Foundation's Respects Your Freedom program provides a certification for hardware that supports your freedom. A new website listing certified products has been launched. "In 2012, when we announced the first certification, we hosted information about the program and retailers as a simple page on the Free Software Foundation (FSF) Web site. With only one retailer selling one device, this was certainly satisfactory. As the program grew, we added each new device chronologically to that page, highlighting the newest certifications. We are now in a place where eight different retailers have gained nearly fifty certifications [...]. With so many devices available, across so many different device categories, it was getting more difficult for users to find what they were looking for in just a plain chronological list."


Page editor: Jake Edge


Copyright © 2019, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds