lwn.net

Greg Kroah-Hartman released a set of stable kernels that should *not* be used, including: 4.20.9, 4.19.22, 4.14.100, and 4.9.157. Those kernels caused a regression that was reverted in the following kernels: 4.20.10, 4.19.23, 4.14.101, and 4.9.158.

Security updates have been issued by Debian (firefox-esr and unbound), Fedora (docker, libexif, and runc), openSUSE (mozilla-nss, python, rmt-server, and thunderbird), Slackware (mozilla), and SUSE (couchdb, dovecot23, kvm, nodejs6, php53, podofo, python-PyKMIP, rubygem-loofah, util-linux, and velum).

The cynical among us might be tempted to think that an announcement from the GNOME project about the removal of a feature — a relatively unused feature at that — would be an unremarkable event. In practice, though, Debarshi Ray's announcement that the GNOME Online Accounts (GOA) subsystem would no longer support the "documents" access point touched off a lengthy discussion within the project itself. The resulting discussion revealed a few significant problems with GOA and, indeed, with the concept of online-account management in any sort of open-source umbrella project like GNOME.

Security updates have been issued by Debian (python-gnupg), Mageia (avahi, dom4j, gvfs, kauth, libwmf, logback, mad, python, python-django, and radvd), openSUSE (curl, haproxy, lua53, python-slixmpp, runc, spice, and uriparser), Red Hat (flash-plugin), Slackware (mozilla), and SUSE (build and docker-runc).

The PostgreSQL project has put out updated releases for all supported versions. "This release changes the behavior in how PostgreSQL interfaces with 'fsync()' and includes fixes for partitioning and over 70 other bugs that were reported over the past three months." The fsync() issue was covered here in April 2018.

The LWN.net Weekly Edition for February 14, 2019 is available.

The io_uring mechanism that was described here in January has been through a number of revisions since then; those changes have generally been fixing implementation issues rather than changing the user-space API. In particular, this patch set seems to have received more than the usual amount of security-related review, which can only be a good thing. Security concerns became a bit of an obstacle for io_uring, though, when virtual filesystem (VFS) maintainer Al Viro threatened to veto the merging of the whole thing. It turns out that there were some reference-counting issues that required his unique experience to straighten out.

Security updates have been issued by Arch Linux (aubio, curl, lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-gnutls, libu2f-host, python-django, python2-django, rdesktop, and runc), Debian (flatpak), Fedora (flatpak, pdns-recursor, rdesktop, tomcat, and xerces-c27), Mageia (cinnamon, docker, dovecot, golang, java-1.8.0-openjdk, jruby, libarchive, libgd, libtiff, libvncserver, opencontainers-runc, openssh, python-marshmallow, thunderbird, and transfig), openSUSE (python-slixmpp), Oracle (kernel), Red Hat (redhat-virtualization-host), Slackware (lxc), SUSE (curl, firefox, LibVNCServer, nginx, php7, python-numpy, runc, SMS3.2, and thunderbird), and Ubuntu (gvfs, python-django, snapd, and webkit2gtk).

Stable kernels 4.20.8, 4.19.21, 4.14.99, and 4.9.156 have been released. They all contain a relatively large number of fixes and users should upgrade.

KDE has announced the release of Plasma 5.15. "Plasma 5.15 brings a number of changes to the configuration interfaces, including more options for complex network configurations. Many icons have been added or redesigned to make them clearer. Integration with third-party technologies like GTK and Firefox has been improved substantially." This release also features improvements to the Discover software manager. Many other tweaks and improvements are covered in the changelog.

Bradley Kuhn works for the Software Freedom Conservancy (SFC) and part of what that organization does is to think about the problems that software freedom may encounter in the future. SFC worries about what will happen with the four freedoms as things change in the world. One of those changes is already upon us: the Internet of Things (IoT) has become quite popular, but it has many dangers, he said. Copyleft can help; his talk is meant to show how.

Anybody running containerized workloads with runc (used by Docker, cri-o, containerd, and Kubernetes, among others) will want to make note of a newly disclosed vulnerability known as CVE-2019-5736. "The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host." LXC is also evidently vulnerable to a variant of the exploit.

Security updates have been issued by Arch Linux (chromium, dovecot, firefox, and spice), Debian (curl, php5, rssh, and wordpress), Fedora (curl, ghostscript, mingw-libconfuse, and radvd), openSUSE (java-11-openjdk and python-urllib3), Red Hat (chromium-browser and kernel), and SUSE (etcd and kernel).

The Free Software Foundation has announced that its annual report for fiscal year 2017 is available. "The Annual Report reviews the FSF's activities, accomplishments, and financial picture from October 1, 2016 to September 30, 2017. It is the result of a full external financial audit, along with a focused study of program results. It examines the impact of the FSF's events, programs, and activities, including the annual LibrePlanet conference, the Respects Your Freedom (RYF) hardware certification program, and the fight against Digital Restrictions Management (DRM)."

Matrix is an open platform for secure, decentralized, realtime communication. Matthew Hodgson, the Matrix project leader, came to FOSDEM to describe Matrix and report on its progress. Attendees learned that it was within days of having a 1.0 release and found out how it got there. He also shed some light on what happened when the French reached out to them to see if Matrix could meet the internal messaging requirements of an entire national government.

Security updates have been issued by CentOS (ghostscript, spice, spice-server, and thunderbird), Debian (coturn, freerdp, ghostscript, libreoffice, libu2f-host, mosquitto, and openssh), Fedora (buildbot, java-1.8.0-openjdk, java-11-openjdk, phpMyAdmin, slurm, and spice), openSUSE (python3 and rsyslog), Red Hat (docker and runc), SUSE (avahi, fuse, and LibVNCServer), and Ubuntu (poppler).

Version 7.0.0 of the PyPy Python interpreter is out. This release supports no less than three upstream Python versions: 2.7, 3.5, and 3.6 (as an alpha release). "All the interpreters are based on much the same codebase, thus the triple release."

The 5.0-rc6 kernel prepatch is out. "So while I would have wished for less at this point, nothing in there looks all that odd or scary. I think we're still solidly on track for a normal release."

For those wondering what the Cloud Native Computing Foundation is up to, its 2018 annual report [PDF] is now out. "KubeCon + CloudNativeCon has expanded from its start with 500 attendees in 2015 to become one of the largest and most successful open source conferences ever. The KubeCon + CloudNativeCon North America event in Seattle, held December 10-13, 2018, was our biggest yet and was sold out several weeks ahead of time with 8,000 attendees."

The LibreOffice 6.2 release is out. The headline feature this time around appears to be "NotebookBar": "a radical new approach to the user interface - based on the MUFFIN concept". Other changes include a reworking of the context menus, better change-tracking performance, better interoperability with proprietary file formats, and more.