
Brief items

Security

OpenSSH 9.2 released

OpenSSH 9.2 has been released. It includes a number of security fixes, including one for a pre-authentication double-free vulnerability that the project does not believe is exploitable. Other new features include support for channel-inactivity timeouts, better control over sftp protocol parameters, and more.

The Atlantic Council on open-source policy

The Atlantic Council (described by Wikipedia as "an American think tank in the field of international affairs") has published a lengthy report on the problem of security in open-source software and what might be done about it.

OSS is really not much different from proprietary software: all code can be developed more securely, and the security risks OSS faces are common across most digital systems. For OSS the differences come in the relationships between open-source consumers—from government to the private sector to end users—and the projects they rely on. The lack of clear transactional relationships and the deeply influential role of the diverse, ever-changing contributor community are a challenge for policy and industry to navigate and support sufficiently. The result is an ecosystem that has both enabled digital innovation and often suffered from overburdened developers and under-resourced communities and projects.

Security quote of the week

<-- begin documentation text -->
Pretty much don't ever use logical replication. In any normal configuration, it lets every user on your system escalate to superuser whenever they want. [...] That's obviously pretty impractical, so you probably shouldn't use logical replication at all until we get around to fixing this. You might wonder why we implemented a feature that can't be used in any kind of normal way without completely and totally breaking your system security -- but don't ask us, we don't know, either!
<-- end documentation text -->
Robert Haas suggests a PostgreSQL documentation warning

Kernel development

Kernel release status

The current development kernel is 6.2-rc7, released on February 5. Linus said:

So the 6.2 rc releases are continuing to be fairly small and controlled, to the point where normally I'd just say that this is the last rc. But since I've stated multiple times that I'll do an rc8 due to the holiday start of the release, that's what I'll do.

Stable updates: the 6.1.10, 5.15.92, 5.10.167, 5.4.231, 4.19.272, and 4.14.305 stable kernel updates were released on February 6. The 6.1.11 and 5.15.93 updates are in the review process; they are due on February 9.

Rustproofing Linux (nccgroup)

The nccgroup blog is carrying a four-part series by Domen Puncer Kugler on how vulnerabilities can make their way into device drivers written in Rust.

In other words, the CONFIG_INIT_STACK_ALL_ZERO build option does nothing for Rust code! Developers must be cautious to avoid shooting themselves in the foot when porting a driver from C to Rust, especially if they previously relied on this config option to mitigate this class of vulnerability. It seems that kernel info leaks and KASLR bypasses might be here to stay, at least, for a little while longer.
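
As an added illustration of the point in that excerpt (not code from the series or from the kernel), here is the risky pattern beside a hardened form; `c_fill` is a hypothetical stand-in for a C-side routine that fills only part of a buffer, and everything runs in ordinary userspace Rust.

```rust
use std::mem::MaybeUninit;

const BUF_LEN: usize = 32;

/// Hypothetical stand-in for a C-side fill routine (e.g. one a driver calls
/// over FFI): writes at most `n` bytes into `dst`, returns how many it
/// wrote, and leaves the rest of `dst` untouched.
fn c_fill(dst: &mut [u8], n: usize) -> usize {
    let n = n.min(dst.len());
    for (i, b) in dst[..n].iter_mut().enumerate() {
        *b = b'A' + (i % 26) as u8; // constructed payload
    }
    n
}

/// Risky pattern: the buffer is never initialised, the helper fills only a
/// prefix, and the whole array is handed back to the caller. No build option
/// zeroes it for Rust, and `assume_init` on partly written memory is
/// undefined behaviour. Shown for contrast only; nothing here calls it.
#[allow(dead_code)]
fn leaky_fill(n: usize) -> [u8; BUF_LEN] {
    let mut buf = MaybeUninit::<[u8; BUF_LEN]>::uninit();
    unsafe {
        c_fill(&mut *buf.as_mut_ptr(), n);
        buf.assume_init() // unsound unless all BUF_LEN bytes were written
    }
}

/// Hardened form: zero-initialise explicitly (the guarantee C code gets from
/// CONFIG_INIT_STACK_ALL_ZERO) and copy out only the bytes the helper wrote.
fn safe_fill(n: usize) -> Vec<u8> {
    let mut buf = [0u8; BUF_LEN];
    let written = c_fill(&mut buf, n);
    buf[..written].to_vec()
}

/// Check usable in a review or a test: nothing beyond `written` may be
/// anything but zero before a buffer crosses a trust boundary.
fn tail_is_zero(buf: &[u8], written: usize) -> bool {
    buf[written..].iter().all(|&b| b == 0)
}
```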

Quote of the week

But this is apparently really a pain allocation negotiation, isn't it? Intel and other companies want to make $$$$$ with [confidential computing].

In order to make $$$$$, you need to push the costs onto various different players in the ecosystem. This is cleverly disguised as taking the current perfectly acceptable design paradigm when the trust boundary is in the traditional location, and causing all of the assumptions which you have broken as "bugs" that must be fixed by upstream developers.

Ted Ts'o

Distributions

Distributions quote of the week

Whilst the text of Melville's epic tale of the monomaniacal quest of Ahab on the whaling ship Pequod is in the public domain (and thus Debian's distribution of it does not constitute a copyright violation), I suspect its inclusion in the binary package is a bug.
Chris Lamb

Development

GNU C Library 2.37 released

Version 2.37 of the GNU C Library has been released. This looks like a relatively low-key release, with the one "major new feature" described as:

The getent tool now supports the --no-addrconfig option. The output of getent with --no-addrconfig may contain addresses of families not configured on the current host, i.e., as if you had not passed AI_ADDRCONFIG to getaddrinfo calls.

There is also a security fix for CVE-2022-39046:

When the syslog function is passed a crafted input string larger than 1024 bytes, it reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap.

There is more information in the release notes.

The Document Foundation announces LibreOffice 7.5 Community

Version 7.5 of the LibreOffice Community edition is now available. LibreOffice is, of course, the FOSS desktop office suite; version 7.5 brings new features to multiple parts of the tool, including major improvements to dark mode, better PDF exports, improved bookmarks in Writer, data tables for charts in Calc, better interoperability with Microsoft Office, and lots more. Check out the release notes for further information.
LibreOffice 7.5 Community's new features have been developed by 144 contributors: 63% of code commits are from the 47 developers employed by three companies sitting in TDF's Advisory Board - Collabora, Red Hat and allotropia - or other organizations, 12% are from 6 developers at The Document Foundation, and the remaining 25% are from 91 individual volunteers.

Another 112 volunteers - representing hundreds of other people providing translations - have committed localizations in 158 languages. LibreOffice 7.5 Community is released in 120 different language versions, more than any other free or proprietary software, and as such can be used in the native language (L1) by over 5.4 billion people worldwide. In addition, over 2.3 billion people speak one of those 120 languages as their second language (L2).

Ekstrand: Exploring Rust for Vulkan drivers, part 1

Faith Ekstrand begins an exploration of using the Rust language to write Vulkan graphics drivers.

Whenever a Vulkan object is created or destroyed, the parent object is passed to both the create and destroy functions. This ensures that the lifetime of the child object is contained within the lifetime of the parent object. In Rust terms, this means it's safe for the child object to contain a non-mutable reference to the parent object. Vulkan also defines which entrypoint parameters must be externally synchronized by the client. Externally synchronized objects follow the same rules as mutable references in Rust.
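
An added sketch (not Ekstrand's code; `Device` and `Buffer` are hypothetical stand-ins for VkDevice and VkBuffer) of how those two rules look as Rust types: the child holds a shared reference to its parent, and the entrypoint the spec marks externally synchronized takes `&mut self`.

```rust
use std::cell::Cell;

/// Parent object (think VkDevice); creating a child needs only `&self`.
struct Device {
    live_children: Cell<usize>, // created but not yet destroyed
}

/// Child object (think VkBuffer). Holding `&'d Device` makes the borrow
/// checker reject any Buffer that would outlive its Device.
struct Buffer<'d> {
    device: &'d Device,
    bound_offset: Option<usize>,
}

impl Device {
    fn new() -> Self { Device { live_children: Cell::new(0) } }
    /// vkCreateBuffer-like entrypoint: the parent is passed in and borrowed.
    fn create_buffer(&self) -> Buffer<'_> {
        self.live_children.set(self.live_children.get() + 1);
        Buffer { device: self, bound_offset: None }
    }
}
impl Buffer<'_> {
    /// The spec marks the buffer externally synchronized for this call, so
    /// it takes `&mut self`: one caller at a time, as the client must ensure.
    fn bind_memory(&mut self, offset: usize) -> Result<(), &'static str> {
        if self.bound_offset.is_some() {
            return Err("buffer already bound");
        }
        self.bound_offset = Some(offset);
        Ok(())
    }
}
/// vkDestroyBuffer-like: the parent is guaranteed still alive here.
impl Drop for Buffer<'_> {
    fn drop(&mut self) {
        self.device.live_children.set(self.device.live_children.get() - 1);
    }
}

/// Returns the live-child count while one Buffer exists and after it is dropped.
fn child_lifecycle() -> (usize, usize) {
    let dev = Device::new();
    let during = {
        let mut buf = dev.create_buffer();
        buf.bind_memory(0).expect("first bind succeeds");
        dev.live_children.get()
    };
    (during, dev.live_children.get())
}
```

A Buffer that escapes the scope of its Device, or two live `&mut` borrows of one Buffer, is a compile error rather than a runtime use-after-free or race.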

Development quote of the week

I believe that the choice between invasive tracking and doing nothing at all is a false dichotomy, and it’s harming open source. Not having basic information about how their software is used and how well it is performing puts open-source developers at a disadvantage compared to commercial software developers. Not having this information makes it more difficult to understand what’s important and what isn’t working, making prioritization that much harder. Not having clear prioritization in turn exacerbates the pre-existing problems with maintainer burnout.
Russ Cox

Page editor: Jake Edge


Copyright © 2023, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds