LWN

[$] Warning about WARN_ON()

By: corbet
April 18, 2024 at 14:24
Kernel developers, like conscientious developers for many projects, will often include checks in the code for conditions that are never expected to occur, but which would indicate a serious problem should that expectation turn out to be incorrect. For years, developers have been encouraged (to put it politely) to avoid using assertions that crash the machine for such conditions unless there is truly no alternative. Increasingly, though, use of the kernel's WARN_ON() family of macros, which developers were told to use instead, is also being discouraged.

PuTTY 0.81 security release

By: corbet
April 16, 2024 at 15:33
Version 0.81 of the PuTTY SSH client is out with a fix for CVE-2024-31497; some users will want to update and generate new keys:

PuTTY 0.81, released today, fixes a critical vulnerability CVE-2024-31497 in the use of 521-bit ECDSA keys (ecdsa-sha2-nistp521). If you have used a 521-bit ECDSA private key with any previous version of PuTTY, consider the private key compromised: remove the public key from authorized_keys files, and generate a new key pair.

However, this only affects that one algorithm and key size. No other size of ECDSA key is affected, and no other key type is affected.

(Thanks to Joe Nahmias).

Security updates for Tuesday

By: corbet
April 16, 2024 at 14:00
Security updates have been issued by Debian (php7.4 and php8.2), Fedora (c-ares), Mageia (python-pillow and upx), Oracle (bind and dhcp, bind9.16, httpd:2.4/mod_http2, kernel, rear, and unbound), SUSE (eclipse, maven-surefire, tycho, emacs, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, nodejs16, nodejs18, nodejs20, texlive, vim, webkit2gtk3, and xen), and Ubuntu (gnutls28, klibc, libvirt, nodejs, and webkit2gtk).

OpenSSF and OpenJS warn about social-engineering attacks

By: corbet
April 15, 2024 at 16:48
The Open Source Security Foundation and the OpenJS Foundation have jointly posted a warning about XZ-like social-engineering attacks after OpenJS was seemingly targeted.

The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to "address any critical vulnerabilities," yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement.

[$] A tale of two troublesome drivers

By: corbet
April 12, 2024 at 14:29
The kernel project merges dozens of drivers with every development cycle, and almost every one of those drivers is entirely uncontroversial. Occasionally, though, a driver submission raises wider questions, leading to lengthy discussion and, perhaps, opposition. That is currently the case with two separate drivers, both with ties to the networking subsystem. One of them is hung up on questions of whether (and how) all device functionality should be made available to user space, while the other has run into turbulence because it drives a device that is unobtainable outside of a single company.

What we need to take away from the XZ Backdoor (openSUSE News)

By: corbet
April 12, 2024 at 13:55
Dirk Mueller has posted a lengthy analysis of the XZ backdoor on the openSUSE News site, with a focus on openSUSE's response.

Debian, as well as the other affected distributions like openSUSE are carrying a significant amount of downstream-only patches to essential open-source projects, like in this case OpenSSH. With hindsight, that should be another Heartbleed-level learning for the work of the distributions. These patches built the essential steps to embed the backdoor, and do not have the scrutiny that they likely would have received by the respective upstream maintainers. Whether you trust Linus Law or not, it was not even given a chance to chime in here. Upstream did not fail on the users, distributions failed on upstream and their users here.

[$] Completing the EEVDF scheduler

By: corbet
April 11, 2024 at 14:26
The Earliest Virtual Deadline First (EEVDF) scheduler was merged as an option for the 6.6 kernel. It represents a major change to how CPU scheduling is done on Linux systems, but the EEVDF front has been relatively quiet since then. Now, though, scheduler developer Peter Zijlstra has returned from a long absence to post a patch series intended to finish the EEVDF work. Beyond some fixes, this work includes a significant behavioral change and a new feature intended to help latency-sensitive tasks.

Security updates for Thursday

By: corbet
April 11, 2024 at 13:49
Security updates have been issued by AlmaLinux (kernel, less, libreoffice, nodejs:18, nodejs:20, rear, thunderbird, and varnish), Debian (pillow), Fedora (dotnet7.0), SUSE (sngrep, texlive-specs-k, tomcat, tomcat10, and xorg-x11-server), and Ubuntu (nss, squid, and util-linux).

The "branch history injection" hardware vulnerability

By: corbet
April 9, 2024 at 19:22
The mainline kernel has just received a set of commits mitigating the latest x86 hardware vulnerability, known as "branch history injection". From this commit:

Branch History Injection (BHI) attacks may allow a malicious application to influence indirect branch prediction in kernel by poisoning the branch history. eIBRS isolates indirect branch targets in ring0. The BHB can still influence the choice of indirect branch predictor entry, and although branch predictor entries are isolated between modes when eIBRS is enabled, the BHB itself is not isolated between modes.

See this commit for documentation on the command-line parameter that controls this mitigation. There are stable kernel releases (6.8.5, 6.6.26, 6.1.85, and 5.15.154) in the works that also contain the mitigations.

[$] The first Linaro Forum for Arm Linux kernel topics

By: corbet
April 9, 2024 at 14:50
On February 20, Linaro held the initial get-together for what is intended to be a regular Linux Kernel Forum for the Arm-focused kernel community. This gathering aims to convene approximately a few weeks prior to the merge window opening and prior to the release of the current kernel version under development. Topics covered in the first gathering include preparing 64-bit Arm kernels for low-end embedded systems, memory errors and Compute Express Link (CXL), devlink objectives, and scheduler integration.

OpenSSL 3.3.0 released

By: corbet
April 9, 2024 at 14:18
Version 3.3.0 of the OpenSSL SSL/TLS implementation has been released. Changes include a number of additions to its QUIC protocol support, some year-2038 improvements for 32-bit systems, and a lot of cryptographic features with descriptions like "Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple times with different output sizes." See the release notes for details.

Introducing Jpegli: A New JPEG Coding Library (Google Open Source Blog)

By: corbet
April 8, 2024 at 15:25
The Google Open Source Blog is carrying an announcement for a new JPEG library called "Jpegli". There are a number of advantages claimed, including:

Jpegli can be encoded with 10+ bits per component. Traditional JPEG coding solutions offer only 8 bit per component dynamics causing visible banding artifacts in slow gradients. Jpegli's 10+ bits coding happens in the original 8-bit formalism and the resulting images are fully interoperable with 8-bit viewers. 10+ bit dynamics are available as an API extension and application code changes are needed to benefit from it.

The library is BSD-licensed.

[$] The PostgreSQL community debates ALTER SYSTEM

By: corbet
April 8, 2024 at 15:18
Sometimes the smallest patches create the biggest discussions. A case in point would be the process by which the PostgreSQL community — not a group normally prone to extended, strongly worded megathreads — resolved the question of whether to merge a brief patch adding a new configuration parameter. Sometimes, a proposal that looks like a security patch is not, in fact, intended to be a security patch, but getting that point across can be difficult.

Kernel prepatch 6.9-rc3

By: corbet
April 8, 2024 at 13:43
The 6.9-rc3 kernel prepatch is out for testing.

Ok, so this rc3 looks a bit different than the usual ones, because there's a large series to bcachefs to do filesystem repair after corruption. Not normally something we'd see in an rc kernel, but hey, if you had a corrupted bcachefs filesystem you'd probably want this, and if you thought bcachefs was stable already, I have a bridge to sell you. Special deal only for you, real cheap.

FFmpeg 7.0 released

By: corbet
April 5, 2024 at 13:47
Version 7.0 of the FFmpeg audio/video toolkit is out. "The most noteworthy changes for most users are a native VVC decoder (currently experimental, until more fuzzing is done), IAMF support, or a multi-threaded ffmpeg CLI tool". There's also the usual list of new formats and codecs, and a few deprecated features have been removed.