Vue normale

Il y a de nouveaux articles disponibles, cliquez pour rafraîchir la page.
À partir d’avant-hierFlux principal

Tor Browser 13.5 released

Par : corbet
20 juin 2024 à 20:10
Version 13.5 of the privacy-focused Tor browser has been released.

Regular readers of our release posts will know that for the past two years we've been gradually increasing our capacity to not only maintain, but bring tangible improvements to Tor Browser for Android. In that respect, Tor Browser 13.5 feels like a milestone: in addition to the dozens of bug fixes and minor improvements noted in the changelog below, this release features major changes to Android's connection experience in preparation for the future addition of Connection Assist, including full access to Settings before connecting and a new, permanent home for Tor logs.

The release also features desktop user-interface improvements and enhanced fingerprinting protection.

[$] A capability set for user namespaces

Par : corbet
20 juin 2024 à 18:37
User namespaces in Linux create an environment in which all privileges are granted, but their effect is contained within the namespace; they have become an important tool for the implementation of containers. They have also become a significant source of worries for people who do not like the increased attack surface they create for the kernel. Various attempts have been made to restrict that attack surface over the years; the latest is user namespace capabilities, posted by Jonathan Calmels.

[$] How kernel CVE numbers are assigned

Par : corbet
19 juin 2024 à 13:48
It has been four months since Greg Kroah-Hartman and MITRE announced that the Linux kernel project had become its own CVE Numbering Authority (CNA). Since then, the Linux CNA Team has developed workflows and mechanisms to help manage the various tasks associated with this challenge. There does however, appear to be a lack of understanding among community members of the processes and rules the team have been working within. The principal aim of this article, written by a member of the Linux kernel CNA team, is to clarify how the team works and how kernel CVE numbers are assigned.

Plasma 6.1 released

Par : corbet
18 juin 2024 à 13:26
Version 6.1 of the Plasma desktop environment has been released.

Plasma 6 hits its stride with version 6.1. While Plasma 6.0 was all about getting the migration to the underlying Qt 6 frameworks correct (and what a massive job that was), 6.1 is where developers start implementing the features that will take you desktop to a new level.

Enhancements include better remote-desktop support, improved customization, persistent apps, smoother animation under Wayland, and more; see the changelog for the full list.

Security updates for Tuesday

Par : corbet
18 juin 2024 à 13:03
Security updates have been issued by Debian (php7.3), Fedora (galera, ghostscript, and mariadb), Mageia (cups, iperf, and libndp), Oracle (firefox and flatpak), Red Hat (container-tools:rhel8, Firefox, firefox, and flatpak), SUSE (booth, bouncycastle, firefox, ghostscript, less, libaom, openssl-1_1, openssl-3, podman, python-Authlib, python-requests, python-Werkzeug, webkit2gtk3, and xdg-desktop-portal), and Ubuntu (ghostscript, ruby-rack, ruby2.7, ruby3.0, ruby3.1, ruby3.2, and sssd).

PostmarketOS v24.06 released

Par : corbet
17 juin 2024 à 18:45
PostmarketOS is an Alpine Linux derivative distribution aimed at mobile devices; the v24.06 release claims support for over 250 devices, though the level of that support varies widely. "This release is geared mainly towards Linux enthusiasts. We are working hard on stability improvements and automated testing, but if you expect Android or iOS levels of polish, then this is not for you yet." Changes include an upgrade to Alpine Linux 3.20, newer GNOME and KDE versions, and more.

[$] Nested bottom-half locking for realtime kernels

Par : corbet
17 juin 2024 à 14:27
Software-interrupt handlers (also called "bottom halves") have a long history in the Linux kernel; for much of that history, developers have wished that they could go away. One of their unfortunate characteristics is that they can add unexpected latency to the execution of unrelated processes; this problem is felt especially acutely in the realtime-preemption community. The solution adopted there has created problems of its own, though; in response Sebastian Andrzej Siewior is proposing a new locking mechanism for realtime builds of the kernel that may have benefits for non-realtime users as well.

Reports from the Python Language Summit

Par : corbet
15 juin 2024 à 19:38
The Python Software Foundation has published a set of reports from the 2024 Python Language summit. Topics covered include version numbering, the limited C API, a new default read-eval-print loop, and Python's security model in light of the XZ backdoor:

For multiple reasons like being able to fix bugs and single-maintainer modules, CPython doesn't require reviewers on the pull requests of core developers. This can lead to "unilateral action", meaning that a change is introduced into CPython without the review of someone besides the author. Other situations like release managers backporting fixes to other branches without review are common.

Driving forward in Android drivers (Project Zero)

Par : corbet
14 juin 2024 à 14:24
This Project Zero article looks at the exploitation of a few Android driver bugs in great detail.

As it becomes more difficult to find 0-days in core Android, third-party Linux kernel drivers continue to become a more and more attractive target for attackers. While the bulk of present-day detected ITW [in-the-wild] Android exploitation targets GPU drivers, it's equally important that other third-party drivers are encouraged towards the same security standards.

[$] Memory sealing for the GNU C Library

Par : corbet
12 juin 2024 à 13:49
The mseal() system call allows a process to prevent any future changes to portions of its address space (thus "sealing" them); it was patterned after the mimmutable() system call in OpenBSD. mseal() generated a lot of discussion, but it was finally merged for the upcoming 6.10 kernel release. While mseal() was initially aimed at securing the Chrome browser, the hope was that it would be useful elsewhere; as a step toward realizing that hope, Adhemerval Zanella has posted a patch series adding support for — and use of — mseal() to the GNU C library (glibc).

OpenSUSE Leap 15.6 released

Par : corbet
12 juin 2024 à 12:57
The openSUSE Leap 15.6 release is available; this is intended to be the last Leap 15.x release before Leap 16 comes out. "Leap 15.6 is projected to receive maintenance and security updates until the end of 2025 to ensure sufficient overlap with the next release". Changes include the addition of the Cockpit server-management tool, a 6.4 kernel, GNOME 45, and many other upgrades. This release also removes a long list of unmaintained Python packages. See the release notes for details.

Extensible scheduler class to be merged for 6.11

Par : corbet
11 juin 2024 à 21:49
The extensible scheduler class ("sched_ext") framework allows the writing of CPU schedulers as a set of BPF programs. It has been somewhat controversial, and its merging into the kernel has been blocked despite a clear level of interest from users. Linus Torvalds has now let it be known that he has made a decision and, overriding the scheduler maintainer, will merge sched_ext for the 6.11 release.

I honestly see no reason to delay this any more. This whole patchset was the major (private) discussion at last year's kernel maintainer summit, and I don't find any value in having the same discussion (whether off-list or as an actual event) at the upcoming maintainer summit one year later, so to make any kind of sane progress, my current plan is to merge this for 6.11.

Firefox 127.0 released

Par : corbet
11 juin 2024 à 16:07
Version 127.0 of the Firefox browser is out. Changes include support for DNS prefetching and the ability to close duplicate tabs in a window. The browser will now try to upgrade images and videos with HTTP URLs that are found in an HTTPS page to HTTPS as well; if that fails, the non-HTTPS resources will simply fail to load.

Update: this Mozilla Security Blog post describes the HTTPS-related changes in detail.
