Vue lecture

Il y a de nouveaux articles disponibles, cliquez pour rafraîchir la page.

Samba 4.20.0 released

Version 4.20.0 of the Samba Windows interoperability suite has been released. Changes include better support for group-managed service accounts, an experimental Windows search protocol client, support for conditional access control entries, and more.

The PostgreSQL community mourns Simon Riggs

The PostgreSQL community is dealing with the loss of Simon Riggs, who passed away on March 26:

Simon was responsible for many of the enterprise features we find in PostgreSQL today, including point in time recovery, hot standby, and synchronous replication. He was the founder of 2ndQuadrant which employed many of the PostgreSQL developers, later becoming part of EDB where he worked as a Postgres Fellow until his retirement. He was responsible for the UK PostgreSQL conferences for many years until he passed that responsibility to PostgreSQL Europe last year.

[$] The rest of the 6.9 merge window

The 6.9-rc1 kernel prepatch was released on March 24, closing the merge window for this development cycle. By that time, 12,435 non-merge changesets had been merged into the mainline, making for a less-busy merge window than the last couple of kernel releases (but similar to the 12,492 seen for 6.5). Well over 7,000 of those changes were merged after the first-half merge-window summary was written, meaning that the latter part of the merge window brought many more interesting changes.

Emacs 29.3 released

Version 29.3 of the Emacs editor has been released:

Emacs 29.3 is an emergency bugfix release; it includes no new features except a small number of changes intended to resolve security vulnerabilities uncovered in Emacs 29.2.

Those vulnerabilities mostly have to do with executing untrusted Lisp code; see the NEWS file for a bit more information.

[$] Hardening the kernel against heap-spraying attacks

While a programming error in the kernel may be subject to direct exploitation, usually a more roundabout approach is required to take advantage of a security bug. One popular approach for those wishing to take advantage of vulnerabilities is heap spraying, and it has often been employed to compromise the kernel. In the future, though, heap-spraying attacks may be a bit harder to pull off, thanks to the "dedicated bucket allocator" proposed by Kees Cook.

Rust 1.77.0 released

Version 1.77.0 of the Rust language has been released. Changes include support for NUL-terminated C-string literals, the ability for async functions to call themselves recursively, the stabilization of the offset_of!() macro, and more.

Perl 5.39.9 released

Verson 5.39.9 of the Perl language has been released. Changes this time include a new "medium-precedence" logical exclusive-or operator, a number of updated modules, and more; see this page for details.

Redis is no longer free software

The Redis in-memory database system has had its license changed to either the Redis Source Available License or the Server Side Public License (covered here in 2018); neither license qualifies as free software.

Under the new license, cloud service providers hosting Redis offerings will no longer be permitted to use the source code of Redis free of charge. For example, cloud service providers will be able to deliver Redis 7.4 only after agreeing to licensing terms with Redis, the maintainers of the Redis code.

Distributors like Fedora are already looking at removing Redis as a consequence. (Thanks to Emmanuel Seyman).

The "Nova" driver for NVIDIA chipsets

Danilo Krummrich has announced the existence of the "Nova" project within Red Hat.

We just started to work on Nova, a Rust-based GSP-only driver for Nvidia GPUs. Nova, in the long term, is intended to serve as the successor of Nouveau for GSP-firmware-based GPUs.

With Nova we see the chance to significantly decrease the complexity of the driver compared to Nouveau for mainly two reasons. First, Nouveau's historic architecture, especially around nvif/nvkm, is rather complicated and inflexible and requires major rework to solve certain problems (such as locking hierarchy in VMM / MMU code for VM_BIND currently being solved with a workaround) and second, with a GSP-only driver there is no need to maintain compatibility with pre-GSP code.

Besides that, we also want to take the chance to contribute to the Rust efforts in the kernel and benefit from from more memory safety offered by the Rust programming language.

Given that the effort has just begun, it will be a while before this driver shows up in a distribution release.

GNOME 46 released

Version 46 of the GNOME desktop has been released. "GNOME 46 is code-named 'Kathmandu', in recognition of the amazing work done by the organizers of GNOME.Asia 2023." Significant changes include a new global search feature, enhancements to the Files app, improved remote login support, and more.

Firefox 124.0 released

Version 124.0 of the Firefox browser is out. Changes include support for "caret browsing mode" in the PDF viewer and the ability to control the sorting of tabs in the Firefox View screen.

Security updates for Tuesday

Security updates have been issued by Debian (cacti, postgresql-11, and zfs-linux), Fedora (freeimage, mingw-expat, and mingw-freeimage), Mageia (apache-mod_security-crs, expat, and multipath-tools), Oracle (.NET 7.0 and kernel), Red Hat (kernel, kernel-rt, and kpatch-patch), and Ubuntu (bash, kernel, linux, linux-aws, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, and vim).

Man Yue Mo: Gaining kernel code execution on an MTE-enabled Pixel 8

Man Yue Mo explains how to compromise a Pixel 8 phone even when the Arm memory-tagging extension is in use, by taking advantage of the Mali GPU.

So, by using the GPU to access physical addresses directly, I'm able to completely bypass the protection that MTE offers. Ultimately, there is no memory safe code in the code that manages memory accesses. At some point, physical addresses will have to be used directly to access memory.

[$] Toward a real "too small to fail" rule

Kernel developers have long been told that any attempt to allocate memory might fail, so their code must be prepared for memory to be unavailable. Informally, though, the kernel's memory-management subsystem implements a policy whereby requests below a certain size will not fail (in process context, at least), regardless of how tight memory may be. A recent discussion on the linux-mm list has looked at the idea of making the "too small to fail" rule a policy that developers can rely on.

[$] The first half of the 6.9 merge window

As of this writing, just over 4,900 non-merge changesets have been pulled into the mainline for the 6.9 release. This work includes the usual array of changes all over the kernel tree; read on for a summary of the most significant work merged during the first part of the 6.9 merge window.

[$] A new filesystem for pidfds

The pidfd abstraction is a Linux-specific way of referring to processes that avoids the race conditions inherent in Unix process ID numbers. Since a pidfd is a file descriptor, it needs a filesystem to implement the usual operations performed on files. As the use of pidfds has grown, they have stressed the limits of the simple filesystem that was created for them. Christian Brauner has created a new filesystem for pidfds that seems likely to debut in the 6.9 kernel, but it ran into a little bump along the way, demonstrating that things you cannot see can still hurt you.

Today's hardware vulnerability: register file data sampling

The mainline kernel has just received a set of commits addressing the "register file data sampling" hardware vulnerability.

RFDS may allow a malicious actor to infer data values previously used in floating point registers, vector registers, or integer registers. RFDS does not provide the ability to choose which data is inferred

Only Atom cores are affected, but those cores can be found inside a number of processors. See this documentation commit for more information.

❌