Brief items
Security
Fuzzing 100+ open source projects with OSS-Fuzz - lessons learned (ADA Logics blog)
On the ADA Logics blog, David Korczynski and Adam Korczynski write about their work integrating 115 open-source projects with Google's OSS-Fuzz project for doing continuous fuzz testing. They describe the process of integrating a project into OSS-Fuzz, and discuss their findings, which include more than 2000 bugs (500+ security relevant), of which 1300+ have been fixed at this point:

Throughout the process we integrated projects written in C, C++, Python, Go and Rust and the types of bugs we found across the projects are a reflection of the language the project was written in. Typically, for managed languages the bugs are within the umbrella term of uncaught exceptions and denial of service bugs, whereas in native languages the bugs are mostly split between assert violations, NULL-dereferences, heap-out-of-bounds, stack-out-of-bounds, stack overflows, integer arithmetic, memory leaks, out-of-memory and timeout bugs.
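As an added illustration, not code from the ADA Logics post or from OSS-Fuzz itself, here is the shape of a libFuzzer-style fuzz target that an OSS-Fuzz integration adds to a C project. The record format, the parse_records() function and the sample inputs are invented for this example; LLVMFuzzerTestOneInput() is the real entry point that libFuzzer calls once per generated input. Built with clang's -fsanitize=fuzzer,address, the harness feeds the parser mutated inputs, and the two bounds checks in parse_records() are what separates a clean run from the heap-out-of-bounds reports the post lists for native-language projects.

```c
/* Added example, not from the ADA Logics post or OSS-Fuzz: a minimal
 * libFuzzer-style fuzz target for a hypothetical length-prefixed record
 * parser. Build with: clang -fsanitize=fuzzer,address fuzz_records.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wire format: [u8 type][u8 len][len bytes payload], repeated.
 * Returns the number of records parsed, or -1 if the input is malformed. */
int parse_records(const uint8_t *data, size_t size) {
    size_t off = 0;
    int count = 0;

    while (off < size) {
        /* A header needs two bytes; refuse an input that ends mid-header. */
        if (size - off < 2) return -1;
        uint8_t type = data[off];
        uint8_t len = data[off + 1];
        off += 2;

        /* The declared payload length must fit in what is left of the buffer.
         * Without this check the memcpy below reads past the end of the input,
         * which is the heap-out-of-bounds class AddressSanitizer reports. */
        if (len > size - off) return -1;

        uint8_t *payload = malloc(len ? len : 1);
        if (!payload) return -1;
        memcpy(payload, data + off, len);
        (void)type;            /* a real parser would dispatch on the type here */
        free(payload);         /* freeing on every path keeps LeakSanitizer quiet */

        off += len;
        count++;
    }
    return count;
}

/* Entry point libFuzzer (and therefore OSS-Fuzz) calls for each generated input.
 * The return value is conventionally 0; crashes and sanitizer reports are the signal. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    parse_records(data, size);
    return 0;
}

/* Stand-alone driver for running without libFuzzer: replays constructed inputs. */
int main(void) {
    const uint8_t good[] = {0x01, 0x02, 0xAA, 0xBB, 0x02, 0x00}; /* two records */
    const uint8_t truncated[] = {0x01, 0x05, 0xAA};               /* len says 5, 1 byte present */
    printf("good: %d records\n", parse_records(good, sizeof good));
    printf("truncated: %d\n", parse_records(truncated, sizeof truncated));
    return 0;
}
```

When linked against libFuzzer the main() above is unused; the fuzzer supplies its own driver and keeps calling LLVMFuzzerTestOneInput() with inputs derived from the corpus, so every reachable branch of parse_records() ends up exercised with lengths and payloads a hand-written test would not think to try.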
Security quotes of the week
The story here, for those who may have forgotten 2015 (it was a long time ago!) is that the NSA inserted a backdoor into a major encryption standard and then leaned on manufacturers to install it.

[...] In practice this would simply mean hacking into a major firewall manufacturer's poorly-secured source code repository, changing 32 bytes of data, and then waiting for the windfall when a huge number of VPN connections suddenly became easy to decrypt. And that's what happened.

[...] Fortunately we learned a lot from this. Everyone involved was fired and no longer works in the field of consumer-facing cryptography.

I'm kidding! Nobody was fired, it was hushed up, and everyone involved got a big promotion or lateral transfer to lucrative jobs in industry.

— from a Matthew Green Twitter thread
Now, as with anything in content moderation (and perhaps in politics), it is often difficult to judge who is a good faith actor who might just be massively ignorant or confused, and who is just a bad faith actor looking to abuse the system. And that is a real concern -- and there can be problems when legitimately ignorant people who mean well are dismissed or judged as bad faith trolls. And, of course, there is a legitimate concern about what happens when good faith individuals are dismissed as being in bad faith without considering what they say. But at some point people need to recognize that you can't seriously bother debating with those acting in bad faith. They're not there to be convinced. They're not there to consider actual points. They're just trying to be attention-getting assholes and they win just by the very process of engaging with them as if they have something worth saying.

— Mike Masnick
Kernel development
Kernel release status
The 5.15 merge window remains open; it can be expected to close on September 12. Linus Torvalds recently summarized this merge window this way:
This has not been a particularly huge merge window in number of commits, but there's actually been an unusually large number of these kinds of odd things where I go "that's just not right".

So I've been a bit testy with people (sorry about that), and I'm getting to the point where I just am not feeling very generous to stuff that wasn't all prim and proper and ready by the merge window.
Stable updates: the 5.14.1, 5.13.14, 5.10.62, 5.4.144, 4.19.206, 4.14.246, 4.9.282, and 4.4.283 updates all came out on September 3, followed by 5.14.2, 5.13.15, and 5.10.63 on September 8.
Quote of the week
So unfortunately this is the compromise: if you decide to do private development, not inform anyone about your plans, and not join in any common discussion, then it is your responsibility to deal with any changes or conflicts that happen whilst you are developing privately.

The only way we can successfully have support in the same ecosystem for AMD, Arm, Broadcom, Intel, NVIDIA, Qualcomm, and VeriSilicon, is that we are all working together openly. If community development had to stop because each of these vendors had been doing internal development for several months without even informing the community of their plans, any kind of shared development is clearly impossible.

— Daniel Stone
Distributions
OpenWrt 21.02.0 released
Version 21.02.0 of the OpenWrt router distribution is out. "It incorporates over 5800 commits since branching the previous OpenWrt 19.07 release and has been under development for about one and a half years". Significant changes include WPA3 support by default, TLS support in opkg and in the LuCi interface, initial Distributed Switch Architecture support, new hardware support, and more. See the release notes for more information.
Distribution quote of the week
Over the years I've arrived at the conclusion that maintaining binary compatibility at all costs collects too much confusing damage. Instead, we've built a software ecosystem where ABI changes are expected and carry minimal consequence.

— Theo de Raadt
Development
Firefox 92.0 and Firefox ESR
Firefox 92.0 has been released. In this version Firefox can now automatically upgrade to HTTPS using HTTPS RR as Alt-Svc headers, support full-range color levels for video playback on many systems, and more.

Firefox 78.14.0 ESR and Firefox 91.1.0 have also been released. ESR78 will reach end-of-life in November.
OpenSSL 3.0.0 released
Version 3.0 of the OpenSSL TLS library has been released; the large version-number jump (from 1.1.1) reflects a new versioning scheme.
Most applications that worked with OpenSSL 1.1.1 will still work unchanged and will simply need to be recompiled (although you may see numerous compilation warnings about using deprecated APIs). Some applications may need to make changes to compile and work correctly, and many applications will need to be changed to avoid the deprecation warnings. We have put together a migration guide to describe the major differences in OpenSSL 3.0 compared to previous releases.
OpenSSL has also been relicensed to Apache 2.0, which should end the era of "special exceptions" needed to use OpenSSL in GPL-licensed applications. See this blog entry and the changelog for more information.
Page editor: Jake Edge