Brief items
Security
Another OpenSSH remote code execution vulnerability
Alexander "Solar Designer" Peslyak has disclosed another OpenSSH vulnerability that can be exploited for remote code execution, but only on distributions that have applied a patch to add auditing support. Specifically, RHEL 9 and derivatives are affected, as are Fedora 36 and 37 (but not later releases).
The main difference from CVE-2024-6387 is that the race condition and RCE potential are triggered in the privsep child process, which runs with reduced privileges compared to the parent server process. So immediate impact is lower. However, there may be differences in exploitability of these vulnerabilities in a particular scenario, which could make either one of these a more attractive choice for an attacker, and if only one of these is fixed or mitigated then the other becomes more relevant.
Security quote of the week
I consider it an ethical obligation as someone who works in security to object whenever people make these types of absolute statements about security properties. Security is almost always a trade off. You can usually get more security by trading off functionality, up to the obvious end point of securing a computer by turning it off. The best point to occupy on that trade-off curve is a hard question that always involves more factors than only security.
Kernel development
Kernel release status
The current development kernel is 6.10-rc7, released on July 7. Linus said:
Things remain calm, although I do suspect that part of it is that it's been the July 4th week in the US, and a lot of Europe is starting to go away on summer vacation. But hey, let's not look a gift horse too closely in the mouth. Maybe it's really just that 6.10 is shaping up well. Right? RIGHT?
Stable updates: 6.9.8, 6.6.37, 6.1.97, 5.15.162, 5.10.221, 5.4.279, and 4.19.317 were released on July 5. 6.6.38 followed abruptly on July 9; it reverts some BPF changes with patches that do not appear in the mainline (in this form, at least). "All powerpc and arm64 users of the 6.6 kernel series must upgrade. Everyone else probably should as well to be safe."
The 6.9.9, 6.6.39, and 6.1.98 updates are in the review process; they are due on July 11.
Quote of the week
Similarly, trying to make sure that software will work in the year 292 Billion AD might not be all something that most people would consider high priority. After all, it's.... unlikely... that the x86_64 architecture will still be what we will be using 290 billion years from now. So if we need to recompile the kernel sometime in the next 100 billion years for some new CPU architecture, and if it's unlikely that hard drives bought brand new are likely to be still in operation a decade or two from now --- there is plenty of time to evolve the on-disk format before a billion years go by, let alone 100 billion or 200 billion years.
— Ted Ts'o
Distributions
Fix for Fedora Atomic Desktop and Fedora IoT boot failure
Fedora Atomic Desktop and Fedora IoT systems installed before Fedora 40 may fail to boot after an update if secure boot is enabled. Fedora Magazine has a post by Timothée Ravier about the problem, how users can work around it, and what the project is doing to avoid similar problems in the future:
On Fedora Atomic Desktops and Fedora IoT systems, the components that are part of the boot chain (Shim, GRUB) are not (yet) automatically updated alongside the rest of the system. Thus, if you have installed a Fedora Atomic Desktop or a Fedora IoT system before Fedora 40, it uses old versions of the Shim and bootloader binaries to boot your system.
When Secure Boot is enabled, the EFI firmware loads Shim first. Shim is signed by the Microsoft Third Party Certificate Authority so that it can be verified on most hardware out of the box. The Shim binary includes the Fedora certificates used to verify binaries signed by Fedora. Then Shim loads GRUB, which in turn loads the Linux kernel. Both are signed by Fedora.
Until recently, the kernel binaries were signed two times, with an older key and a newer one. With the 6.9 kernel update, the kernel is no longer signed with the old key. If GRUB or Shim is old enough and does not know about the new key, the signature verification fails.
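The trust decision described above, reduced to its essentials as an added example (not code from Fedora, Shim or GRUB): a loader accepts an image only if one of the image's signatures verifies under a key the loader already trusts. The keys, the "kernel" bytes and the use of ed25519 in place of Authenticode RSA signatures are all constructed assumptions for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// One detached signature over an image plus the public key it was made with.
// ed25519 stands in for the RSA/Authenticode signatures real Secure Boot uses.
type signature struct {
	key ed25519.PublicKey
	sig []byte
}

// signImage signs the image once per key, like the kernels that carried both
// the old and the new Fedora signature.
func signImage(image []byte, keys ...ed25519.PrivateKey) []signature {
	var sigs []signature
	for _, k := range keys {
		pub := k.Public().(ed25519.PublicKey)
		sigs = append(sigs, signature{pub, ed25519.Sign(k, image)})
	}
	return sigs
}

// verifyChain is the loader's decision: accept the image if at least one of
// its signatures verifies under a key the loader trusts.
func verifyChain(trusted []ed25519.PublicKey, image []byte, sigs []signature) bool {
	for _, s := range sigs {
		for _, t := range trusted {
			if t.Equal(s.key) && ed25519.Verify(t, image, s.sig) {
				return true
			}
		}
	}
	return false
}

// scenario reproduces the article's three cases with constructed keys and image.
func scenario() (oldLoaderDual, oldLoaderNewOnly, newLoaderNewOnly bool) {
	oldPub, oldPriv, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	kernel := []byte("vmlinuz (constructed sample image)")
	dualSigned := signImage(kernel, oldPriv, newPriv) // kernels before 6.9
	newOnly := signImage(kernel, newPriv)             // 6.9 and later
	oldLoader := []ed25519.PublicKey{oldPub}         // Shim/GRUB from before Fedora 40
	newLoader := []ed25519.PublicKey{oldPub, newPub} // updated Shim/GRUB
	return verifyChain(oldLoader, kernel, dualSigned),
		verifyChain(oldLoader, kernel, newOnly),
		verifyChain(newLoader, kernel, newOnly)
}
```

Only the middle case fails: an old loader that trusts just the old key has nothing to match against a kernel carrying only the new signature, which is exactly the boot failure the post describes.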
Brown: Fixing a 6-year-old bug in Ubuntu MATE and Xubuntu
Doug Brown documents the long journey to fixing a bug in the GDebi utility for installing Debian packages. He first encountered the bug in Ubuntu MATE 18.04: "at the time I just ignored this issue. I didn't want to deal with it. I went off to the trusty Linux terminal and installed Chrome that way instead".
Two and a half years ago, I committed to doing more open-source contributions in my free time and was finally irritated enough about this problem to look into it. I searched around for more info. Lo and behold, lots of people were also affected and there was already an issue from 2019 on Ubuntu's bug tracker about it.
[...] As is commonly the case in software development, the difficult part of this fix had nothing to do with the code itself. All of my effort was spent figuring out Ubuntu's patch submission processes and advocating for my merge request. Nobody else seemed to be interested in doing the work to actually fix this bug that has been plaguing Ubuntu MATE and Xubuntu, not to mention some Debian users, for over 6 years. After dealing with the long process of getting my merge request approved, I think I'm starting to understand why!
Brown notes that the fix is now packaged for the upcoming Ubuntu 24.10 release, and should be backported to 22.04 and 24.04 eventually.
Distribution quote of the week
The purpose of a default is to have something that does the right thing, reliably, for users who do not have specialized requirements and do not necessarily know the necessary information to make decisions like "which network management framework do I want?" yet.
Development
Esfahbod: State of Text Rendering 2024
On his blog, Behdad Esfahbod has published a lengthy and detailed look at the state of open-source text rendering. It looks at the libraries available, application support, future directions, and gives a summary analysis of the ecosystem.
In broad strokes, OpenType added support for color fonts, variable fonts, and the Universal Shaping Engine. The Free & Open Source stack supports all of these advances at the lower level, but application UI support has been slower to arrive. The Open Source text stack also gained enormous market-share when Android and Google Chrome fully embraced it. Looking forward, there is a Rust migration of the text stack underway, which will unify font compilation and consumption under a safe programming language. Incremental Font Transfer will enable streaming fonts to web browsers. And my proposed Wasm-fonts will enable more expressive fonts.
Firefox 128.0 released
Version 128.0 of the Firefox browser has been released. Changes this time include the ability to translate highlighted phrases from the context menu, display of recent searches on opening the address bar (US/Canada only), a streamlined dialog for clearing user data, and more.
GDB 15.1 released
Version 15.1 of the GNU debugger has been released. Changes include a number of enhancements to GDB's Python support, some Debugger Adapter Protocol additions, some new GDBserver options, and more.
Development quotes of the week
What I noticed overall is that there is a sort of moral contract with users that increases both trust and feature delivery: by being extremely careful not to break old LTS releases, we definitely have a part of the user base, the one most sensitive to bugs, that is perfectly secured by running slow-moving releases. These ones almost never face a regression, and if one ever happens due to a problematic fix, we have no problem instantly emitting another version with only this issue fixed. This allows us to be a bit more aggressive on recent versions. The latest stable that is not LTS can move a little bit and receive a few occasional backports for harmless popular features. This way the share of the population which values features more than stability tests new features early and shares interesting feedback that allows us to improve these features before they're widely adopted. And in parallel sensitive users almost never face a breakage. This means that the pressure on the development team caused by bug reports usually is extremely low: bugs being worked on generally do not affect users in a critical way.
In retrospect, it seems clear that open source was not so much the goal itself as a means to an end, which is freedom: freedom to fix broken things, freedom from people who thought they could clutch the source code tightly and wield our ignorance of it as a weapon to force us all to pay for and run Windows Vista.
But the FOSS movement has won what it wanted, and no matter how much oldsters dream about their glorious days as young revolutionaries, it is not coming back; the frustrations and anger of IT in 2024 are entirely different from those of 1991.
One very big difference is that more people have realized that source code is a liability rather than an asset. For some, that realization came creeping along the path from young teenage FOSS activists in the late 1990s to CIOs of BigCorp today. For most of us, I expect, it was the increasingly crushing workload of maintaining legacy code bases. But the thing that will convince anyone is that one single server still runs OS version N-4, because we have not yet found out why it stops working when we attempt to upgrade it.
But we can figure it out, and we will figure it out—because we have the source code. We have all 562,227 lines of Perl5 source code for it.
— Poul-Henning Kamp
Page editor: Daroc Alden