lwn.net

Security updates have been issued by CentOS (qemu-kvm and sudo), Debian (chromium), Mageia (gpac, libseccomp, and tomcat), openSUSE (gd and postgresql10), Oracle (qemu-kvm), Red Hat (chromium-browser), Scientific Linux (qemu-kvm), Slackware (firefox), and SUSE (ipmitool, java-1_7_0-openjdk, librsvg, and tomcat).

The Let's Encrypt project has made real strides in helping to ensure that every web site can use the encrypted HTTPS protocol; it has provided TLS certificates at no charge that are accepted by most or all web browsers. Free certificates accepted by the browsers are something that was difficult to find prior to the advent of the project in 2014; as of the end of February, the project has issued over a billion certificates. But a bug that was recently found in the handling of Certificate Authority Authorization (CAA) by the project put roughly 2.6% of the active certificates—roughly three million—at risk of immediate revocation. As might be expected, that caused a bit of panic in some quarters, but it turned out that the worst outcome was largely averted.

The latest release of Firefox features some login management improvements, the ability to add custom sites to the Facebook Container, better privacy for web voice and video calls, and better add-on management. See the release notes for more information.

Security updates have been issued by Debian (libvpx and network-manager-ssh), Fedora (cacti, cacti-spine, and podman), openSUSE (chromium and python-bleach), Oracle (curl), Red Hat (ansible and qemu-kvm), SUSE (gd, ipmitool, and php7), and Ubuntu (runc and sqlite3).

The Linux development community is spread out over the planet and interacts primarily through email and online systems. It is widely felt, though, that there is great value in getting people together in person occasionally to talk about current issues and get to know each other as people. This year, though, the coronavirus pandemic is disrupting the conference schedule to an extent that won't be known for some time. But there are longer-term concerns as well, to the point that the head organizer for one of the kernel community's most successful events is questioning whether it should continue to exist.

LibrePlanet was scheduled for March 14-15 but it has been canceled. "However, just because we won't be holding a conference in person this year doesn't mean that we've given up our fight to "free the future." Instead, LibrePlanet will be a fully free (as in freedom) virtual conference and livestream. We had an extremely exciting program planned, and we're going to try and maintain as much of that schedule as possible with all of the speakers who are willing and able to participate remotely. The resulting livestream will be run on and entirely accessible via free software, so that you can enjoy these amazing talks from the comfort of your home."

The Chemnitzer Linux-Tage that was to take place March 14-15 has been canceled. "Whether we meet later this year or first in March 2021, we will discuss within the organization team in the next few days."

The openSUSE Summit in Dublin, Ireland was scheduled for March 27-28. The event has been canceled due to travel bans. SUSECON is still scheduled for March 23-27, however it will be a digital event. The in-person meeting in Dublin has been canceled.

Security updates have been issued by Fedora (seamonkey), Mageia (apache-mod_auth_openidc, binutils, chromium-browser-stable, dojo, firejail, gcc, glib2.0, glibc, http-parser, ilmbase, libarchive, libgd, libsolv, mbedtls, pcre, pdfresurrect, php, proftpd, pure-ftpd, python-bleach, ruby-rake, transfig, weechat, and xen), openSUSE (chromium, ovmf, python-bleach, and yast2-rmt), Oracle (curl, http-parser, kernel, sudo, and xerces-c), Red Hat (chromium-browser and kernel-alt), Scientific Linux (sudo), and SUSE (gimp, kernel, and librsvg).

Linus has put out a high-altitude 5.6-rc5 prepatch release. "That said, everything looks mostly fine. I say 'mostly', because while nothing in particular looks worrisome, this rc5 is bigger than I'd have liked. In fact, it's not only bigger than rc4 was, but it's bigger than we historically are at this point."

Systemd 245 is out. As usual, the list of new features is long; perhaps the one that has gained the most attention is systemd-homed:

A small new service systemd-homed.service has been added, that may be used to securely manage home directories with built-in encryption. The complete user record data is unified with the home directory, thus making home directories naturally migratable.

There is also a new database for holding user and group data and a systemd-repart tool for the management of partitions on storage-devices at boot time.

DNF, the Fedora package manager, is going to be significantly rewritten; it seems it is truly "development not finished" for now. "We've managed to drop a lot of redundant code across the whole DNF stack in the past years, but we have reached a point when it's nearly impossible to consolidate the code any further without breaking the API/ABI. Especially with PackageKit being dead, we can't move with the old 'libhif' API in libdnf, because making any bigger changes to PackageKit is clearly out of scope."

System calls on Linux are relatively cheap, though the mitigations for speculative-execution vulnerabilities have made them more expensive than they once were. But even cheap system calls add up if one has to make a large number of them. Thus, developers have been working on ways to avoid system calls for a long time. Currently under discussion is a pair of ways to reduce the number of system calls required to read a file's contents, one of which is rather simpler than the other.

Security updates have been issued by Arch Linux (chromium, opensc, opensmtpd, and weechat), Debian (jackson-databind and pdfresurrect), Fedora (sudo), openSUSE (openfortivpn and squid), Red Hat (virt:8.1 and virt-devel:8.1), Scientific Linux (http-parser and xerces-c), and SUSE (gd, kernel, postgresql10, and tomcat).

Over on the Collabora blog, Julian Bouzas writes about PipeWire, which is a relatively new multimedia server for the Linux desktop and beyond. "PipeWire was originally created to only handle access to video resources and co-exist with PulseAudio. Earlier versions have already been shipping in Fedora for a while, allowing Flatpak applications to access video cameras and to implement screen sharing on Wayland. Eventually, PipeWire has ended up handling any kind of media, to the point of planning to completely replace PulseAudio in the future. The new 0.3 version is marked as a preview for audio support. But why replace PulseAudio? Although PulseAudio already provides a working intermediate layer to access audio devices, PipeWire has to offer more features that PulseAudio was not designed to deliver, starting with a better security model, which allows isolation between applications and secure access from within containers. Another interesting feature of PipeWire is that it unifies the two audio systems used on the desktop, JACK for low-latency professional audio and PulseAudio for normal desktop use-cases. PipeWire was designed to be able to accommodate both use cases, delivering very low latency, while at the same time not wasting CPU resources. This design also makes PipeWire a much more efficient solution than PulseAudio in general, making it a perfect fit for embedded use cases too."

The Positive Technologies blog is reporting on an unfixable flaw the company has found in Intel x86 hardware that has the potential to subvert the hardware root of trust for a variety of processors. "The EPID [Enhanced Privacy ID] issue is not too bad for the time being because the Chipset Key is stored inside the platform in the One-Time Programmable (OTP) Memory, and is encrypted. To fully compromise EPID, hackers would need to extract the hardware key used to encrypt the Chipset Key, which resides in Secure Key Storage (SKS). However, this key is not platform-specific. A single key is used for an entire generation of Intel chipsets. And since the ROM vulnerability allows seizing control of code execution before the hardware key generation mechanism in the SKS is locked, and the ROM vulnerability cannot be fixed, we believe that extracting this key is only a matter of time. When this happens, utter chaos will reign. Hardware IDs will be forged, digital content will be extracted, and data from encrypted hard disks will be decrypted." Intel has said that it is aware of the problem (CVE-2019-0090), but since it cannot be fixed in the ROM, Intel is "trying to block all possible exploitation vectors"; the fix for CVE-2019-0090 only blocks one such vector, according to the blog post.

Greg Kroah-Hartman has announced the release of the 5.5.8, 5.4.24, and 4.19.108 stable kernels. There are fixes throughout the tree, as usual; users should upgrade.

Like many larger free-software projects, openSUSE has an elected board that is charged with handling various non-technical tasks: organizing events, dealing with conduct issues, managing the project's money, etc. Sitting on such a board is usually a relatively low-profile activity; development communities tend to pay more attention to technical contributions than other types of service. Every now and then, though, board-related issues burst into prominence; that is the case now in the openSUSE project, which will be holding a special election after the abrupt resignation of one-third of its board.

KubeCon + CloudNativeCon Europe 2020, which was originally scheduled for March 30-April 2 in Amsterdam, has been postponed until July or August due to COVID-19 concerns. In addition, KubeCon + CloudNativeCon China 2020, scheduled for July in Shanghai, has been canceled "due to the uncertainty around travel to China and our ability to assemble the speakers, sponsors, and attendees necessary for a successful event". It seems likely that these are not the last conferences that will be affected in our communities.

Security updates have been issued by CentOS (http-parser and xerces-c), Debian (tomcat7), Fedora (opensmtpd), openSUSE (openfortivpn and permissions), Red Hat (http-parser, openstack-octavia, python-waitress, and sudo), Slackware (ppp), and SUSE (kernel).