lwn.net

Security updates have been issued by Debian (ldm and sa-exim), Mageia (firefox), openSUSE (chromium, firefox, and thunderbird), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork, firefox, log4j, nodejs10, nodejs12, and openssl-1_0_0), and Ubuntu (firefox).

Version 19.07.0 of the OpenWrt router distribution is available. "With this release, the OpenWrt project brings all supported targets back to a single common kernel version and further refines and broadens existing device support. It also introduces a new ath79 target and brings support for WPA3." There are some known issues; read through the full announcement before updating.

Stable kernels 5.4.10, 5.4.9, 4.19.94, and 4.14.163 have been released. PowerPC users should update to 5.4.10 to get a missing patch. Other users can stay with 5.4.9.

In response to a growing desire for ways to control groups of processes from user space, the kernel has added a number of mechanisms that allow one process to operate on another. One piece that is currently missing, though, is the ability for a process to snatch a copy of an open file descriptor from another. That gap may soon be filled, though, if the pidfd_getfd() system-call patch set from Sargun Dhillon is merged.

Security updates have been issued by Debian (firefox-esr), Fedora (firefox), Oracle (kernel), Slackware (firefox and kernel), SUSE (apache2-mod_perl, git, java-1_7_0-ibm, java-1_7_1-ibm, log4j, mariadb, and nodejs8), and Ubuntu (gnutls28, graphicsmagick, and nss).

Samuel Maddock writes that the adoption of the "encrypted media extensions" by the World Wide Web Consortium has had just the sort of effect that people were worried about four years ago. "No longer is it possible to build your own web browser capable of consuming some of the most popular content on the web. Websites like Netflix, Hulu, HBO, and others require copyright content protection which is only accessible through browser vendors who have license agreements with large corporations."

There is another Firefox release out there; this advisory suggests that updating quickly would be a good idea: "Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw."

The LWN.net Weekly Edition for January 9, 2020 is available.

One of Guido van Rossum's last items of business as he finished his term on the inaugural steering council for Python was to review the Python Enhancement Proposal (PEP) that proposes a new update and union operators for dictionaries. He would still seem to be in favor of the idea, but it will be up to the newly elected steering council and whoever the council chooses as the PEP-deciding delegate (i.e. BDFL-Delegate). Van Rossum provided some feedback on the PEP and, inevitably, the question of how to spell the operator returned, but the path toward getting a decision on it is now pretty clear.

Security updates have been issued by Arch Linux (firefox), Debian (python-django and wordpress), Fedora (dovecot), Mageia (opensc, radare2, and varnish), Red Hat (rh-java-common-apache-commons-beanutils), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork, java-1_8_0-ibm, java-1_8_0-openjdk, libzypp, openssl-1_0_0, sysstat, and tomcat), and Ubuntu (clamav, linux-azure, and linux-lts-xenial, linux-aws).

It has taken longer than anybody might have liked, but the IPv6 protocol is slowly displacing IPv4 across the Internet. A quick, highly scientific "grep the access logs" test shows that about 16% of the traffic to LWN.net is currently using IPv6, and many large corporate networks are using IPv6 exclusively internally. This version of the IP protocol was designed to be more flexible than IPv4 in a number of ways; the "extension header" mechanism is one way in which that flexibility is achieved. A proposal to formalize extension-header processing in the kernel's networking stack has led to some concerns, though, about how this feature will be used and what role Linux should play in its development.

Lars Ingebrigtsen provides details on the current status of the Gmane archive server and asks for feedback on whether it is still useful. "Over the past few years, people have asked me what happened to Gmane, and I’ve mostly clasped my hands over my ears and gone 'la la la can’t hear you', because there’s nothing about the story I’m now finally going to tell that I don’t find highly embarrassing. I had hoped I could just continue that way until I die, but perhaps it would be more constructive to actually tell people what’s going on instead of doing an ostrich impression." (Thanks to Giovanni Gherdovich).

Firefox 72.0 has been released. In this version Firefox’s Enhanced Tracking Protection now blocks fingerprinting scripts. Also picture-in-picture video is available. See the release notes for the details of these features and other changes.

Security updates have been issued by Debian (nss and pillow), Red Hat (java-1.8.0-ibm and kernel), Slackware (firefox), SUSE (virglrenderer), and Ubuntu (linux, linux-aws, linux-aws-5.0, linux-azure, linux-gcp, linux-gke-5.0, linux-kvm, linux-oem-osp1, linux-oracle, linux-oracle-5.0, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-kvm, linux-oracle, linux-raspi2, and linux-snapdragon).

The random-number generation facilities in the kernel have been reworked some over the past few months—but problems in that subsystem have been addressed over an even longer time frame. The most recent changes were made to stop the getrandom() system call from blocking for long periods of time at system boot, but the underlying cause was the behavior of the blocking random pool. A recent patch set would remove that pool and it would seem to be headed for the mainline kernel.

Security updates have been issued by Fedora (chromium, cyrus-imapd, drupal7-l10n_update, drupal7-webform, htmldoc, nethack, php, and singularity), Mageia (advancecomp, apache-commons-compress-, cyrus-imapd, cyrus-sasl, dia, freeimage, freeradius, igraph, jhead, jss, libdwarf, libextractor, libxml2, mediawiki, memcached, mozjs60, openconnect, openssl, putty, python-ecdsa, python-werkzeug, shadowsocks-libev, and upx), Oracle (container-tools:1.0 and container-tools:ol8), and Red Hat (kpatch-patch).

The 5.5-rc5 kernel prepatch has been released. Linus added a note to the release announcement: "One sad piece of news I got this past week was that Bruce Evans has passed away. Bruce wasn't really ever really much directly involved in Linux development - he was active on the BSD side - but he was the developer behind Minix/i386, which was what I used for the original Linux development in the very early days before Linux became self-hosting."

On the stable-update side, 5.4.8, 4.19.93, 4.14.162, 4.9.208, and 4.4.208 are all available with another set of important fixes.

Anybody who has ever taken a numerical analysis course understands that floating-point arithmetic on computers is a messy affair. Even so, it is easy to underestimate just how messy things can be. This topic came to the fore in an initially unrelated python-ideas mailing-list thread; what should the Python statistics module do with floating-point values that are explicitly not numbers?

It is not all that often that the mainstream press looks at issues in the open-source world, but this article from The Atlantic does just that; it looks at the controversy surrounding GitHub renewing its contract with the US Immigration and Customs Enforcement (ICE) agency and the concerns some have had with their code being used by ICE. "So when news of GitHub’s contract with ICE emerged, its employees weren’t the only ones outraged. Because of the transitive nature of open source, volunteer developers—who host code on the site to share with others—may have unwittingly contributed to the code GitHub furnished for ICE, the agency responsible for enforcing immigration policy. Some were troubled by the idea that their code might in some way be used to help agents detain and deport undocumented migrants. But their outrage—and the backlash to it—reveals existential questions about the very nature of open source."

Security updates have been issued by Debian (netty) and Fedora (libssh, nethack, php, samba, and xen).