
Brief items

Security

0.0.0.0 Day: Exploiting Localhost APIs From the Browser (Oligo Security)

The Oligo Security blog discloses a web-browser vulnerability that has been named "0.0.0.0 day". In short, browsers will allow JavaScript code to open connections to the all-zeroes IPv4 address; the result is that any port that is open on the local host can be accessed by a remote site. "When services use localhost, they assume a constrained environment. This assumption, which can (as in the case of this vulnerability) be faulty, results in insecure server implementations."
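The quoted point is that a service bound to loopback cannot assume only local pages will talk to it, because a browser will happily carry a remote page's request to 0.0.0.0. The following is an added example (not code from the Oligo post or from LWN) of the defensive habit that follows from that: a small local HTTP API, written with Python's standard library, that does not trust its bind address and instead validates the Host and Origin headers of every request. The port, the allowed-origin list and the JSON body are constructed for this example.

```python
# Added example: a minimal localhost HTTP API that refuses requests which did
# not come from an expected origin, instead of trusting the loopback address.
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption (constructed for this example): only pages served from these
# origins are legitimate clients of the service.
ALLOWED_ORIGINS = {"http://localhost:8080", "http://127.0.0.1:8080"}

# Host header values under which the service expects to be addressed.
# "0.0.0.0:8080" is deliberately absent: a browser that reached the service
# via the all-zeroes address sends that value as its Host header.
ALLOWED_HOSTS = {"localhost:8080", "127.0.0.1:8080"}


def is_request_allowed(headers):
    """Return (allowed, reason) for a mapping of request headers.

    Two independent checks; failing either one refuses the request:
      1. Host must be one of the names the service is meant to be served as,
         which rejects anything that arrived through 0.0.0.0.
      2. If the browser sent an Origin header (it does for cross-site
         requests), that origin must be on the allow-list.
    """
    host = headers.get("Host", "")
    if host not in ALLOWED_HOSTS:
        return False, f"unexpected Host header: {host!r}"
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"cross-site Origin rejected: {origin!r}"
    return True, "ok"


class LocalApiHandler(BaseHTTPRequestHandler):
    """Handler that runs the header checks before serving anything."""

    def do_GET(self):
        allowed, reason = is_request_allowed(self.headers)
        if not allowed:
            self.send_response(403)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(reason.encode())
            return
        body = json.dumps({"status": "ok"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        # Same policy for state-changing requests.
        self.do_GET()


def serve(port=8080):
    # Bind to 127.0.0.1 rather than 0.0.0.0; the header checks above are the
    # second layer for browsers that still reach loopback via 0.0.0.0.
    HTTPServer(("127.0.0.1", port), LocalApiHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

The Host check is the one that matters for the bug described above: it works even when a client sends no Origin header, and it fails closed for any address the service was not expecting to be reached under. The Origin check is the usual cross-site guard layered on top.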

Comments (98 posted)

Kernel development

Kernel release status

The current development kernel is 6.11-rc3, released on August 11. "Nothing particularly strange or interesting going on, things look normal".

Stable updates: 6.10.4, 6.6.45, and 6.1.104 were released on August 11, followed by 6.10.5, 6.6.46, and 6.1.105 on August 14.

Comments (none posted)

New attack against the SLUB allocator

Researchers from Graz University of Technology have published details of a new attack on the Linux kernel called SLUBStick. The attack uses timing information to turn an ability to trigger use-after-free or double-free bugs into the ability to overwrite page tables, and thence into the ability to read and write arbitrary areas of memory. The good news is that this attack does require an existing bug to be usable; the bad news is that the kernel regularly sees bugs of this kind.

We assume that an unprivileged user has code execution. Additionally, we consider the presence of a heap vulnerability in the Linux kernel. We assume that the Linux kernel incorporates all defense mechanisms available in version 6.4, the most recent Linux kernel version when we started our work. These mechanisms include features such as W^X, KASLR, SMAP, and kCFI. We do not assume any microarchitectural vulnerabilities, e.g., transient execution, fault injection, or hardware side channels.

Comments (7 posted)

Distributions

A new kernel-version policy for Ubuntu

The Canonical Kernel Team has announced a new policy regarding the version of the kernel that will ship with each Ubuntu release; the result will generally be the shipping of newer releases.

To provide users with the absolute latest in features and hardware support, Ubuntu will now ship the absolute latest available version of the upstream Linux kernel at the specified Ubuntu release freeze date, even if upstream is still in Release Candidate (RC) status.

The post goes on to acknowledge that "there are issues with this approach"; there are a lot of policy details that will apply depending on just how raw the shipped kernel is.

Comments (46 posted)

Development

Incus 6.4 released

Version 6.4 of the Incus container manager is out.

This release builds upon the recently added OCI support from Incus 6.3, making it even easier to run application containers. It also adds a number of useful new features for clustered and larger environments with more control on the virtual CPU used when live migrating VMs and finer grained resource constraints within projects.

See this announcement for details.

Full Story (comments: none)

Lix makes its second release

Lix, the fork of Nix that LWN covered in July, has made its second release since forking. This one includes substantial changes to the backend code, including removing a dependency on Bison, and getting a change to the Nix language back upstream.

The general theme of Lix 2.91 is to perform another wave of refactorings and design improvements in preparation for our evolution plans.

Nevertheless, there are a few exciting user-facing changes[.]

Comments (none posted)

Magit 4.0 released

Version 4.0 of the Magit text-based Git user interface for Emacs has been released. Changes since the 3.3.0 release include the addition of context menus, a makeover for the menu-bar menu, new menu commands, and many other new features and bug fixes. See the release notes for full details.

Comments (10 posted)

Rust Project goals for 2024

The Rust project has developed a set of goals for the latter half of 2024.

Rust for Linux. The experimental support for Rust development in the Linux kernel is a watershed moment for Rust, demonstrating to the world that Rust is indeed capable of targeting all manner of low-level systems applications. And yet today that support rests on a number of unstable features, blocking the effort from ever going beyond experimental status. For 2024H2 we will work to close the largest gaps that block support.

Other goals include completing the 2024 Rust Edition and improving the language's async support.

Comments (47 posted)

Page editor: Daroc Alden


Copyright © 2024, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds