LWN.net is a comprehensive source of news and opinions from
and about the Linux community. This is the main LWN.net feed,
listing all articles which are posted to the site front page.
업데이트: 1시간 36분 지남
화, 2024/04/16 - 11:00오후
Security updates have been issued by Debian (php7.4 and php8.2), Fedora (c-ares), Mageia (python-pillow and upx), Oracle (bind and dhcp, bind9.16, httpd:2.4/mod_http2, kernel, rear, and unbound), SUSE (eclipse, maven-surefire, tycho, emacs, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, nodejs16, nodejs18, nodejs20, texlive, vim, webkit2gtk3, and xen), and Ubuntu (gnutls28, klibc, libvirt, nodejs, and webkit2gtk).
화, 2024/04/16 - 1:48오전
The Open Source Security Foundation and the OpenJS Foundation have jointly
posted
a
warning about XZ-like social-engineering attacks after OpenJS was
seemingly targeted.
The OpenJS Foundation Cross Project Council received a suspicious
series of emails with similar messages, bearing different names and
overlapping GitHub-associated emails. These emails implored OpenJS
to take action to update one of its popular JavaScript projects to
"address any critical vulnerabilities," yet cited no specifics. The
email author(s) wanted OpenJS to designate them as a new maintainer
of the project despite having little prior involvement.
월, 2024/04/15 - 11:56오후
Kumar Kartikeya Dwivedi has been working to add support for exceptions to BPF
since mid-2023. In July, Dwivedi posted
the first patch set in this effort, which adds support for basic stack unwinding.
In February 2024, he posted
the second patch set
aimed at letting the kernel release resources held by the BPF program when an
exception occurs. This makes exceptions usable in many more contexts.
월, 2024/04/15 - 10:42오후
Security updates have been issued by AlmaLinux (bind, bind and dhcp, bind9.16, gnutls, httpd:2.4/mod_http2, squid:4, and unbound), Debian (kernel, trafficserver, and xorg-server), Fedora (chromium, kernel, libopenmpt, and rust-h2), Mageia (apache-mod_jk, golang, indent, openssl, perl-HTTP-Body, php, rear, ruby-rack, squid, varnish, and xfig), Oracle (bind, squid, unbound, and X.Org server), Red Hat (bind and dhcp and unbound), Slackware (less and php), SUSE (gnutls, python-Pillow, webkit2gtk3, xen, xorg-x11-server, and xwayland), and Ubuntu (yard).
월, 2024/04/15 - 6:18오전
The
6.9-rc4 kernel prepatch is out for
testing. "Nothing particularly unusual going on this week - some new hw
mitigations may stand out, but after a decade of this I can't really call
it 'unusual' any more, can I?"
금, 2024/04/12 - 11:29오후
The kernel project merges dozens of drivers with every development cycle,
and almost every one of those drivers is entirely uncontroversial.
Occasionally, though, a driver submission raises wider questions, leading
to lengthy discussion and, perhaps, opposition. That is currently the case
with two separate drivers, both with ties to the networking subsystem. One
of them is hung up on questions of whether (and how) all device
functionality should be made available to user space, while the other has
run into turbulence because it drives a device that is unobtainable outside
of a single company.
금, 2024/04/12 - 10:55오후
Dirk Mueller has posted
a
lengthy analysis of the XZ backdoor on the openSUSE News site, with a
focus on openSUSE's response.
Debian, as well as the other affected distributions like openSUSE
are carrying a significant amount of downstream-only patches to
essential open-source projects, like in this case OpenSSH. With
hindsight, that should be another Heartbleed-level learning for the
work of the distributions. These patches built the essential steps
to embed the backdoor, and do not have the scrutiny that they
likely would have received by the respective upstream
maintainers. Whether you trust Linus Law or not, it was not even
given a chance to chime in here. Upstream did not fail on the
users, distributions failed on upstream and their users here.
금, 2024/04/12 - 10:25오후
Security updates have been issued by Debian (chromium), Fedora (rust, trafficserver, and upx), Mageia (postgresql-jdbc and x11-server, x11-server-xwayland, tigervnc), Red Hat (bind, bind9.16, gnutls, httpd:2.4, squid, unbound, and xorg-x11-server), SUSE (perl-Net-CIDR-Lite), and Ubuntu (apache2, maven-shared-utils, and nss).
목, 2024/04/11 - 11:26오후
The
Earliest Virtual Deadline First (EEVDF)
scheduler was merged as an option for the 6.6 kernel. It represents a
major change to how CPU scheduling is done on Linux systems, but the EEVDF
front has been relatively quiet since then. Now, though, scheduler
developer Peter Zijlstra has returned from a long absence to post
a patch
series intended to finish the EEVDF work. Beyond some fixes, this work
includes a significant behavioral change and a new feature intended to help
latency-sensitive tasks.
목, 2024/04/11 - 10:49오후
Security updates have been issued by AlmaLinux (kernel, less, libreoffice, nodejs:18, nodejs:20, rear, thunderbird, and varnish), Debian (pillow), Fedora (dotnet7.0), SUSE (sngrep, texlive-specs-k, tomcat, tomcat10, and xorg-x11-server), and Ubuntu (nss, squid, and util-linux).
목, 2024/04/11 - 9:47오전
The LWN.net Weekly Edition for April 11, 2024 is available.
목, 2024/04/11 - 4:10오전
The Gentoo Linux project has announced
that it is now an Associated Project of Software in the Public Interest
(SPI), which will allow it to accept tax deductible donations in the
US and reduce its "non-technical workload":
The current Gentoo Foundation has bylaws restricting its behavior
to that of a non-profit, is a recognized non-profit only in New
Mexico, but a for-profit entity at the US federal level. A direct
conversion to a federally recognized non-profit would be unlikely to
succeed without significant effort and cost.
[...] SPI is already now recognized at US federal level as a
full-[fledged] non-profit 501(c)(3). It also handles several projects of
similar type and size (e.g., Arch and Debian) and as such has exactly
the experience and background that Gentoo needs.
According to the announcement, the goal is to "eventually
transfer the existing assets to SPI and dissolve the Gentoo
Foundation". How to do that is still under discussion. This will
not affect Förderverein
Gentoo e.V., which has public-benefit status in Germany and can
accept tax deductible donations in Europe.
목, 2024/04/11 - 12:25오전
Greg Kroah-Hartman has announced another round of stable kernel
updates: 6.8.5, 6.6.26, 6.1.85, and 5.15.154 have all been released; each
contains another set of important fixes, including the mitigations for the
recently disclosed branch history injection
hardware vulnerability.
수, 2024/04/10 - 11:31오후
A recent book by
LWN guest
author Lee Phillips provides a nice introduction to the
Julia programming language.
Practical Julia
does more than that, however. As its subtitle ("A Hands-On Introduction
for Scientific Minds") implies, the book focuses on bringing Julia to
scientists, rather than programmers, which gives it something of a
different feel from most other books of this sort.
수, 2024/04/10 - 10:52오후
On April 3 security researcher Bartek Nowotarski
published the details of a new denial-of-service (DoS)
attack, called a "continuation flood", against many
HTTP/2-capable web
servers. While the attack is not terribly complex, it affects many independent
implementations of the HTTP/2 protocol, even though multiple
similar vulnerabilities over the years have given implementers plenty of warning.
수, 2024/04/10 - 9:53오후
Security updates have been issued by Debian (gtkwave), Fedora (dotnet7.0, dotnet8.0, and python-pillow), Mageia (apache, gstreamer1.0, libreoffice, perl-Data-UUID, and xen), Oracle (kernel, kernel-container, and varnish), Red Hat (edk2, kernel, rear, and unbound), SUSE (apache2-mod_jk, gnutls, less, and xfig), and Ubuntu (bind9, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4,
linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4,
linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4,
linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-azure, linux-azure-6.5, linux-gcp, linux-gcp-6.5,
linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5,
linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-starfive,
linux-starfive-6.5, linux, linux-azure, linux-azure-5.15, linux-azure-fde,
linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop,
linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15,
linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency,
linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15,
linux-raspi, linux-azure, and xorg-server, xwayland).
수, 2024/04/10 - 4:22오전
The mainline kernel has just received a set of commits mitigating the
latest x86 hardware vulnerability, known as "branch history injection".
From
this commit:
Branch History Injection (BHI) attacks may allow a malicious
application to influence indirect branch prediction in kernel by
poisoning the branch history. eIBRS isolates indirect branch
targets in ring0. The BHB can still influence the choice of
indirect branch predictor entry, and although branch predictor
entries are isolated between modes when eIBRS is enabled, the BHB
itself is not isolated between modes.
See this commit for
documentation on the command-line parameter that controls this mitigation.
There are stable kernel releases (6.8.5,
6.6.26,
6.1.85,
and 5.15.154)
in the works that also contain the mitigations.
화, 2024/04/09 - 11:50오후
On February 20,
Linaro held the initial
get-together for what is intended to be a regular Linux Kernel Forum for
the Arm-focused kernel community. This gathering aims to convene
approximately a few weeks prior to the merge window opening and prior to
the release of the current kernel version under development. Topics
covered in the first gathering include preparing 64-bit Arm kernels for
low-end embedded systems, memory errors and
Compute Express
Link (CXL), devlink objectives, and scheduler integration.
화, 2024/04/09 - 11:18오후
Version 3.3.0 of the OpenSSL SSL/TLS implementation has been released.
Changes include a number of additions to its QUIC protocol support, some
year-2038 improvements for 32-bit systems, and a lot of cryptographic
features with descriptions like "Added a new EVP_DigestSqueeze()
API. This allows SHAKE to squeeze multiple times with different output
sizes." See
the release
notes for details.
페이지