The Cockpit project has announced the first release of Cockpit Files, a plugin for Cockpit that allows file management on your server via a web browser:

Cockpit Files was initially started by Google Summer of Code (GSoC) student Mahmoud Hamdy and is now under active development by the Cockpit team. The goal is to replace the functionality of the cockpit-navigator plugin from 45Drives and include automated testing per commit, a standard PatternFly-based interface, and consistency with the rest of Cockpit.

Development builds for Fedora are available via a Copr repository, and packages are expected for Arch, Debian, and Fedora. LWN covered the Cockpit project in March.

CentOS Linux 7 was first released in July 2014, and is due to go end-of-life (EOL) on June 30. By now, anyone who pays attention to such things is aware that Red Hat pulled the plug on CentOS Linux in late 2020 to be replaced by CentOS Stream instead. CentOS Linux 8 support was wound down at the end of 2021 rather than in 2029 as originally stated. CentOS Linux 7 was allowed to serve out its full lifespan—but that EOL is approaching rapidly and there's no direct upgrade path. Users and organizations looking for a lifeline might want to consider AlmaLinux's ELevate utility, which allows CentOS users to migrate to alternate enterprise Linux (EL) operating systems.

The Python Software Foundation (PSF) has announced that nominations are open for the PSF Board election through June 25:

Who runs for the board? People who care about the Python community, who want to see it flourish and grow, and also have a few hours a month to attend regular meetings, serve on committees, participate in conversations, and promote the Python community.

The PSF has a video about serving on the board for those who might be interested. PSF members can nominate themselves or another member. Candidates will be announced on June 27. Voting begins on July 2 and will end on July 16.

The mseal() system call allows a process to prevent any future changes to portions of its address space (thus "sealing" them); it was patterned after the mimmutable() system call in OpenBSD. mseal() generated a lot of discussion, but it was finally merged for the upcoming 6.10 kernel release. While mseal() was initially aimed at securing the Chrome browser, the hope was that it would be useful elsewhere; as a step toward realizing that hope, Adhemerval Zanella has posted a patch series adding support for — and use of — mseal() to the GNU C library (glibc).

Systemd 256 has been released. As usual, the list of changes is long; see this article for an overview, or the announcement for all the details.

Greg Kroah-Hartman has announced another round of stable kernel updates: 6.9.4, 6.6.33, and 6.1.93 have been released. Each contains another set of important fixes, users of these kernels are advised to upgrade right away.

The openSUSE Leap 15.6 release is available; this is intended to be the last Leap 15.x release before Leap 16 comes out. "Leap 15.6 is projected to receive maintenance and security updates until the end of 2025 to ensure sufficient overlap with the next release". Changes include the addition of the Cockpit server-management tool, a 6.4 kernel, GNOME 45, and many other upgrades. This release also removes a long list of unmaintained Python packages. See the release notes for details.

Security updates have been issued by AlmaLinux (booth), Debian (cyrus-imapd and vlc), Fedora (firefox, libarchive, php, and singularity-ce), Oracle (ipa and ruby:3.3), Red Hat (389-ds-base, buildah, c-ares, cockpit, containernetworking-plugins, fence-agents, gdk-pixbuf2, gvisor-tap-vsock, kernel, kernel-rt, kpatch-patch, libreoffice, podman, protobuf-c, python-idna, rpm-ostree, ruby, and tomcat), Slackware (cups and mozilla), SUSE (bind, cups, iperf, kernel, nano, and poppler), and Ubuntu (libapache-mod-jk, linux-aws, linux-aws-5.15, linux-aws, linux-oracle, linux-intel-iotg-5.15, linux-nvidia, and mysql-8.0).

The extensible scheduler class ("sched_ext") framework allows the writing of CPU schedulers as a set of BPF programs. It has been somewhat controversial, and its merging into the kernel has been blocked despite a clear level of interest from users. Linus Torvalds has now let it be known that he has made a decision and, overriding the scheduler maintainer, will merge sched_ext for the 6.11 release.

I honestly see no reason to delay this any more. This whole patchset was the major (private) discussion at last year's kernel maintainer summit, and I don't find any value in having the same discussion (whether off-list or as an actual event) at the upcoming maintainer summit one year later, so to make any kind of sane progress, my current plan is to merge this for 6.11.

BPF is in a unique position in terms of security. It runs in a privileged context, within the kernel, and can have access to many sensitive details of the kernel's operation. At the same time, unlike kernel modules, BPF programs aren't signed. Additionally, the mechanisms behind BPF present challenges to implementing signing or other security features. Three nearly back-to-back sessions at the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit addressed some of the potential security problems.

Version 127.0 of the Firefox browser is out. Changes include support for DNS prefetching and the ability to close duplicate tabs in a window. The browser will now try to upgrade images and videos with HTTP URLs that are found in an HTTPS page to HTTPS as well; if that fails, the non-HTTPS resources will simply fail to load.

Update: this Mozilla Security Blog post describes the HTTPS-related changes in detail.

VFS maintainer Christian Brauner led a discussion about the possibility of selectively dropping the contents of the page cache for a filesystem in a session at the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit. As he described in his topic proposal, the use case that started him down this path comes from GNOME, which wants to be able to safely suspend access to an encrypted home directory. While it is known to kernel developers, it is surprising to others that reads from encrypted filesystems that have been suspended will succeed if the data to be read still exists in the page cache.

Security updates have been issued by AlmaLinux (ruby:3.3), Fedora (efifs, libvirt, podman-tui, prometheus-podman-exporter, and strongswan), Red Hat (firefox, idm:DL1, ipa, nghttp2, and thunderbird), SUSE (aws-nitro-enclaves-cli, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, containerized-data-importer, frr, glibc, go1.21, go1.22, gstreamer-plugins-base, kernel, kernel-firmware-nvidia-gspx-G06, nvidia-open- driver-G06-signed, libxml2, mariadb, poppler, python-Brotli, python-docker, python-idna, rmt-server, skopeo, sssd, unbound, unrar, util-linux, and webkit2gtk3), and Ubuntu (giflib, libphp-adodb, linux-gkeop, linux-gkeop-5.15, linux-kvm, linux-laptop, linux-oem-6.8, nodejs, and tiff).

P4, short for "Programming Protocol-independent Packet Processors", is a programming language aimed at networking devices; it is useful for the configuration of firewalls and complicated routing architectures. Since a lot of advanced networking is done with Linux systems, it stands to reason that there would be value in supporting P4 and, indeed, an implementation of P4 in the kernel's traffic-control subsystem was first posted by Jamal Hadi Salim at the beginning of 2023. After nearly 18 months, though, this feature has not been merged, and the chances of that happening would appear to be getting worse.

Version 5.40.0 of the Perl language has been released. "Perl 5.40.0 represents approximately 11 months of development since Perl 5.38.0 and contains approximately 160,000 lines of changes across 1,500 files from 75 authors". Significant changes include a new __CLASS__ keyword, a :reader attribute for field variables, a new "^^" logical-XOR operator (because two of those were not enough), moving "try/catch" out of the experimental category, and more; see this page for lots of details.

Security updates have been issued by Fedora (galera and mariadb10.11), Mageia (0-plugins-base and plasma-workspace), Oracle (ruby:3.1 and ruby:3.3), Red Hat (bind, bind-dyndb-ldap, and dhcp), SUSE (apache2, glib2, libvirt, openssl-1_1, openssl-3, opera, python-Jinja2, python-requests, and squid), and Ubuntu (linux, linux-gcp, linux-gcp-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-xilinx-zynqmp, linux, linux-gcp, linux-gcp-6.5, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-raspi, linux, linux-ibm, linux-lowlatency, linux-raspi, linux-aws, linux-gcp, linux-azure, linux-azure-6.5, linux-starfive, linux-starfive-6.5, and linux-gke, linux-ibm, linux-intel-iotg, linux-oracle).

The 6.10-rc3 kernel prepatch is out. "So things look good, the water is warm, please jump right in and keep testing,"

Ladybird is an open-source project aimed at building an independent web browser, rather than yet another browser based on Chrome. It is written in C++ and licensed under a two-clause BSD license. The effort began as part of the SerenityOS project, but developer Andreas Kling announced on June 3 that he was "forking" Ladybird as a separate project and stepping away from SerenityOS to focus his attention on the browser completely. Ladybird is not ready to replace Firefox or Chrome for regular use, but it is showing great promise.

According to CrowdStrike, a vulnerability in the Linux kernel's nftables code that was discovered earlier this year is being actively exploited in the wild. The vulnerability allows for local privilege escalation. Most distributions have already released a fix.

As noted by the exploit developer, leveraging this POC is dependent on the kernel's unprivileged user namespaces feature accessing nf_tables. This access is enabled by default on Debian, Ubuntu and kernel capture-the-flag (CTF) distributions. An attacker can then trigger the double-free vulnerability, scan the physical memory for the kernel base address, bypass kernel address-space layout randomization (KASLR) and access the modprobe_path kernel variable with read/write privileges. After overwriting the modprobe_path, the exploit drops a root shell.