The LWN.net Weekly Edition for July 11, 2024 is available.

Version 128.0 of the Firefox browser has been released. Changes this time include the ability to translate highlighted phrases from the context menu, display of recent searches on opening the address bar (US/Canada only), a streamlined dialog for clearing user data, and more.

Alexander "Solar Designer" Peslyak has disclosed another OpenSSH vulnerability that can be exploited for remote code execution, but only on distributions that have applied a patch to add auditing support. Specifically, RHEL 9 and derivatives are affected, as are Fedora 36 and 37 (but not later releases).

The main difference from CVE-2024-6387 is that the race condition and RCE potential are triggered in the privsep child process, which runs with reduced privileges compared to the parent server process. So immediate impact is lower. However, there may be differences in exploitability of these vulnerabilities in a particular scenario, which could make either one of these a more attractive choice for an attacker, and if only one of these is fixed or mitigated then the other becomes more relevant.

Security updates have been issued by AlmaLinux (virt:rhel and virt-devel:rhel), Fedora (ghostscript, golang, httpd, libnbd, netatalk, rust-sequoia-chameleon-gnupg, rust-sequoia-gpg-agent, rust-sequoia-keystore, rust-sequoia-openpgp, and rust-sequoia-sq), Mageia (apache), Red Hat (booth, buildah, edk2, fence-agents, git, gvisor-tap-vsock, kernel, kernel-rt, less, libreswan, linux-firmware, openssh, pki-core, podman, postgresql-jdbc, python3, tpm2-tss, virt:rhel, and virt:rhel and virt-devel:rhel modules), SUSE (krb5, poppler, and python-docker), and Ubuntu (apache2, cinder, glance, nova, and Tomcat).

The 6.6.38 stable kernel update has been released, without the benefit of the usual review process. It reverts some BPF changes with patches that do not appear in the mainline (in this form, at least). "All powerpc and arm64 users of the 6.6 kernel series must upgrade. Everyone else probably should as well to be safe."

Version 15.1 of the GNU debugger has been released. Changes include a number of enhancements to GDB's Python support, some Debugger Adapter Protocol additions, some new GDBserver options, and more.

The 6.10-rc7 kernel prepatch is out for testing.

Things remain calm, although I do suspect that part of it is that it's been the July 4th week in the US, and a lot of Europe is starting to go away on summer vacation.

But hey, let's not look a gift horse too closely in the mouth. Maybe it's really just that 6.10 is shaping up well. Right? RIGHT?

Random numbers, it seems, can never be random enough, and they cannot be generated quickly enough. The kernel's getrandom() system call might, after years of discussion, be seen as sufficiently secure by most users, but it is still a system call. Linux system calls are relatively fast, but they are necessarily slower than calling a function directly. In an attempt to speed the provision of secure random data to user space, Jason Donenfeld has put together an implementation of getrandom() that lives in the virtual dynamic shared object (vDSO) area.

The LWN.net Weekly Edition for July 4, 2024 is available.

David Rosenthal looks back at 40 years of the X Window System:

A major reason for Sun's early success was that they in effect open-sourced the Network File System. X11 was open source under the MIT license. I, and some of the other Sun engineers, understood that NeWS could not displace X11 as the Unix standard window system without being equally open source. But Sun's management looked at NeWS and saw superior technology, an extension of the PostScript that Adobe was selling, and couldn't bring themselves to give it away.

Like many kernel subsystems, the Linux security module (LSM) subsystem makes extensive use of indirect function calls. Those calls, however, are increasingly problematic, and the pressure to remove them has been growing. The good news is that there is a patch series from KP Singh that accomplishes that goal. Its progress into the mainline has been slow — this change was first proposed by Brendan Jackman and Paul Renauld in 2020 — and this work has been caught up in some wider controversies along the way, but it should be close to being ready.

Security updates have been issued by AlmaLinux (httpd:2.4/httpd), Arch Linux (openssh), Fedora (cups, emacs, and python-urllib3), Gentoo (OpenSSH), Mageia (ffmpeg, gdb, openssl, python-idna, and python-imageio), Red Hat (golang and kernel), SUSE (booth, libreoffice, openssl-1_1-livepatches, podman, python-arcomplete, python-Fabric, python-PyGithub, python- antlr4-python3-runtime, python-avro, python-chardet, python-distro, python- docker, python-fakeredis, python-fixedint, pyth, python-Js2Py, python310, python39, and squid), and Ubuntu (cups and netplan.io).

While the end of support for CentOS 7, which happened on June 30, is significant, it is also worth taking a moment to reflect on the end of Scientific Linux 7, which has also just occurred. Scientific Linux was once a popular RHEL rebuild supported by Fermilab, CERN, DESY, and ETH Zurich. Development of Scientific Linux stopped with SL7, with the labs switching to CentOS thereafter, but the SL7 release was supported through to the bitter end. Thanks are due to all who built and supported Scientific Linux; you provided a useful and stable platform for many years.

Security updates have been issued by Debian (dcmtk, edk2, emacs, glibc, gunicorn, libmojolicious-perl, openssh, org-mode, pdns-recursor, tryton-client, and tryton-server), Fedora (freeipa, kitty, libreswan, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, mingw-poppler, and mingw-python-urllib3), Gentoo (cpio, cryptography, GNU Emacs, Org Mode, GStreamer, GStreamer Plugins, Liferea, Pixman, SDL_ttf, SSSD, and Zsh), Oracle (pki-core), Red Hat (httpd:2.4, libreswan, and pki-core), SUSE (glib2 and kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t), and Ubuntu (espeak-ng, libcdio, and openssh).

OpenSSH 9.8 has been released, fixing an ugly vulnerability:

Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon.

Exploitation on non-glibc systems is conceivable but has not been examined.

There is a configuration workaround for systems that cannot be updated, though it has its own problems. See this Qualys advisory for more details.

Linus has released 6.10-rc6 for testing. "This release continues to be fairly calm, and rc6 looks pretty small. It's also entirely just random small fixes spread all over, with no bigger pattern."

The academic and the Linux real-time and scheduling community mourns the premature death of Daniel Bristot de Oliveira. Daniel died at the age of 37 on Monday, June 24, 2024. Juri Lelli, Tommaso Cucinotta, Steve Rostedt, Kate Stewart, and Thomas Gleixner have come together to share their thoughts on his life and what he has left behind

It has been nearly one year since the first version of the device memory TCP patches was posted by Mina Almasry. Now on the 14th revision, this series appears to be stabilizing. Device memory TCP is a specialized networking feature requiring a certain amount of setup, but it could provide a significant performance improvement for some data-intensive applications.

The LWN.net Weekly Edition for June 27, 2024 is available.