lwn.net

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.
Updated: 1 hour 32 minutes ago

Security updates for Thursday

Thu, 2019/11/21 - 11:33 PM
Security updates have been issued by Fedora (oniguruma and thunderbird-enigmail), openSUSE (chromium, ghostscript, and slurm), Oracle (kernel), Red Hat (kpatch-patch), Slackware (bind), SUSE (python-ecdsa), and Ubuntu (bind9 and mariadb).

[$] LWN.net Weekly Edition for November 21, 2019

Thu, 2019/11/21 - 9:48 AM
The LWN.net Weekly Edition for November 21, 2019 is available.

[$] LSM stacking and the future

Thu, 2019/11/21 - 5:19 AM
The idea of stacking (or chaining) Linux security modules (LSMs) goes back 15 years (at least) at this point; progress has definitely been made along the way, especially in the last decade or so. It has been possible to stack "minor" LSMs with one major LSM (e.g. SELinux, Smack, or AppArmor) for some time, but mixing, say, SELinux and AppArmor in the same system has not been possible. Combining major security solutions may not seem like a truly important feature, but there is a use case where it is pretty clearly needed: containers. Longtime LSM stacker (and Smack maintainer) Casey Schaufler gave a presentation at the 2019 Linux Security Summit Europe to report on the status and plans for allowing arbitrary LSM stacking.

Security updates for Wednesday

Thu, 2019/11/21 - 12:43 AM
Security updates have been issued by Debian (redmine), Fedora (libidn2), Mageia (clamav, ghostscript, kernel, kernel-linus, libexif, libjpeg, mariadb, microcode, and systemd), and openSUSE (libjpeg-turbo).

[$] Enhancing KVM for guest protection and security

Wed, 2019/11/20 - 11:03 PM
A key tenet in KVM is to reuse as much Linux infrastructure as possible and focus specifically on processor virtualization. Back in 2007, this meant a smaller code base and less friction with the other kernel subsystems, especially when compared with other virtualization technologies such as Xen. This led to KVM being merged into the mainline with relative ease. A talk at this year's KVM Forum looks at ways to better protect guests, perhaps by moving away from that tenet.

SystemTap 4.2 release

Wed, 2019/11/20 - 3:49 AM
SystemTap 4.2 is out. This release features "support for generating backtraces of different contexts; improved backtrace tapset to include file names and line numbers; eBPF support extensions including raw tracepoint access, prometheus exporter, procfs probes and improved looping structures".

[$] A recap of KVM Forum 2019

Wed, 2019/11/20 - 2:00 AM
The 13th KVM Forum virtualization conference took place in Lyon, France in October 2019. One might think that development may have finished on the Kernel Virtual Machine (KVM) module that was merged in Linux 2.6.20 in 2007, but this year's conference underscored the amount of work still being done, particularly on side-channel attack mitigation, I/O device assignment with VFIO and mdev, footprint reduction with micro virtual machines (VMs), and with the ability to run VMs nested within VMs. Many talks also involved the virtual machine monitor (VMM) user-space programs that use the KVM kernel module—of which QEMU is the most widely used.

Security updates for Tuesday

Wed, 2019/11/20 - 12:25 AM
Security updates have been issued by Debian (python-psutil, slurm-llnl, symfony, and thunderbird), Fedora (gd and ghostscript), and SUSE (ceph, haproxy, java-11-openjdk, and ncurses).

[$] Some near-term arm64 hardening patches

Tue, 2019/11/19 - 3:36 AM
The arm64 architecture is found at the core of many, if not most, mobile devices; that means that arm64 devices are destined to be the target of attackers worldwide. That has led to a high level of interest in technologies that can harden these systems. There are currently several such technologies, based in both hardware and software, that are being readied for the arm64 kernel; read on for a survey on what is coming.

Two stable kernels

Tue, 2019/11/19 - 1:04 AM
Stable kernels 4.9.202 and 4.4.202 have been released. They both contain important fixes and users should upgrade.

Security updates for Monday

Tue, 2019/11/19 - 12:53 AM
Security updates have been issued by Debian (angular.js, libapache2-mod-auth-openidc, mosquitto, postgresql-common, and thunderbird), Fedora (chromium, djvulibre, freetds, ghostscript, java-1.8.0-openjdk-aarch32, samba, thunderbird-enigmail, wpa_supplicant, and xen), openSUSE (go1.12, ImageMagick, and ucode-intel), Oracle (ghostscript and kernel), Red Hat (libcomps and sudo), Slackware (kernel), SUSE (microcode_ctl, slurm, and ucode-intel), and Ubuntu (mysql-5.7, mysql-8.0 and python-ecdsa).

Kernel prepatch 5.4-rc8

Mon, 2019/11/18 - 11:06 PM
As expected, 5.4-rc8 was released on November 17 rather than the final 5.4 release. "I'm not entirely sure we need an rc8, because last week was pretty calm despite the Intel hw workarounds landing. So I considered just making a final 5.4 and be done with it, but decided that there's no real downside to just doing the rc8 after having a release cycle that took a while to calm down."

[$] Keeping memory contents secret

Sat, 2019/11/16 - 4:46 AM
One of the many responsibilities of the operating system is to help processes keep secrets from each other. Operating systems often fail in this regard, sometimes due to factors — such as hardware bugs and user-space vulnerabilities — that are beyond their direct control. It is thus unsurprising that there is an increasing level of interest in ways to improve the ability to keep data secret, perhaps even from the operating system itself. The MAP_EXCLUSIVE patch set from Mike Rapoport is one example of the work that is being done in this area; it also shows that the development community has not yet really begun to figure out how this type of feature should work.

Security updates for Friday

Fri, 2019/11/15 - 11:42 PM
Security updates have been issued by CentOS (kernel), Debian (ghostscript, mesa, and postgresql-common), Fedora (chromium, php-robrichards-xmlseclibs, php-robrichards-xmlseclibs3, samba, scap-security-guide, and wpa_supplicant), Mageia (cpio, fribidi, libapreq2, python-numpy, webkit2, and zeromq), openSUSE (ImageMagick, kernel, libtomcrypt, qemu, ucode-intel, and xen), Oracle (kernel), Red Hat (ghostscript, kernel, and kernel-rt), Scientific Linux (ghostscript and kernel), SUSE (bash, enigmail, ghostscript, ImageMagick, kernel, libjpeg-turbo, openconnect, and squid), and Ubuntu (ghostscript, imagemagick, and postgresql-common).

Cook: Security things in Linux v5.3

Fri, 2019/11/15 - 10:10 PM
Kees Cook catches up with the security improvements in the 5.3 kernel. "In recent exploits, one of the steps for making the attacker’s life easier is to disable CPU protections like Supervisor Mode Access (and Execute) Prevention (SMAP and SMEP) by finding a way to write to CPU control registers to disable these features. For example, CR4 controls SMAP and SMEP, where disabling those would let an attacker access and execute userspace memory from kernel code again, opening up the attack to much greater flexibility. CR0 controls Write Protect (WP), which when disabled would allow an attacker to write to read-only memory like the kernel code itself. Attacks have been using the kernel’s CR4 and CR0 writing functions to make these changes (since it’s easier to gain that level of execute control), but now the kernel will attempt to 'pin' sensitive bits in CR4 and CR0 to avoid them getting disabled. This forces attacks to do more work to enact such register changes going forward."

[$] The Yocto Project 3.0 release

Fri, 2019/11/15 - 4:26 AM
The Yocto Project recently announced its 3.0 release, maintaining the spring/fall cadence it has followed for the past nine years. As well as the expected updates, it contains new thinking on getting the best of two worlds: source builds and prebuilt binaries. This fits well into a landscape where reproducibility and software traceability, all the way through to device updates, are increasingly important to handle complex security issues.

Security updates for Thursday

Thu, 2019/11/14 - 11:00 PM
Security updates have been issued by Arch Linux (kernel, linux-lts, and linux-zen), CentOS (kernel, sudo, and thunderbird), Debian (linux-4.9), Fedora (samba), openSUSE (apache2-mod_auth_openidc, kernel, qemu, rsyslog, and ucode-intel), Oracle (kernel), Red Hat (kernel and kernel-rt), Scientific Linux (kernel), SUSE (kernel and microcode_ctl), and Ubuntu (kernel, libjpeg-turbo, linux, linux-hwe, linux-oem, linux, linux-hwe, linux-oem-osp1, and qemu).

[$] LWN.net Weekly Edition for November 14, 2019

Thu, 2019/11/14 - 9:04 AM
The LWN.net Weekly Edition for November 14, 2019 is available.

[$] Analyzing kernel email

Thu, 2019/11/14 - 7:54 AM
Digging into the email that provides the cornerstone of Linux kernel development is an endeavor that has become more popular over the last few years. There are some practical reasons for analyzing the kernel mailing lists and for correlating that information with the patches that actually reach the mainline, including tracking the path that patches take—or don't take. Three researchers reported on some efforts they have made on kernel email analysis at the 2019 Embedded Linux Conference Europe (ELCE), held in late October in Lyon, France.

Announcing the Bytecode Alliance

Thu, 2019/11/14 - 2:47 AM
The Bytecode Alliance is an industry partnership with the aim of forging WebAssembly’s outside-the-browser future by collaborating on implementing standards and proposing new ones. The newly formed alliance has "a vision of a WebAssembly ecosystem that is secure by default, fixing cracks in today’s software foundations". The alliance is currently working on a standalone WebAssembly runtime, two use-case specific runtimes, runtime components, and language tooling.
