lwn.net

It turn out that the X.org server, versions 1.19.0 and after, contain an easily exploitable privilege escalation vulnerability. Anybody who is running a system that has X installed setuid root, and which has untrusted users on it, will want to install the update. "X.Org recommends the use of a display manager to start X sessions, which does not require Xorg to be installed setuid."

Jiri Kosina kicked off a session on hardware vulnerabilities at the 2018 Kernel Maintainers Summit by noting that there are few complaints about how the kernel community deals with security issues in general. That does not hold for Meltdown and Spectre which, he said, had been "completely mishandled". The subsequent handling of the L1TF vulnerability suggests that some lessons have been learned, but there is still plenty of room for improvement in how hardware vulnerabilities are handled in general.

Cosmin Truta reports the death of Glenn Randers-Pehrson. "Glenn is one of the original designers of the PNG format, and a co-founder of the PNG Development Group, back in the mid-90's. He took good care of the PNG Specification, as a contributing author for PNG version 1.0, and as the main editor for all of the subsequent editions through PNG 1.1 and 1.2, until the current W3C/ISO/IEC standard PNG Specification, Second Edition. In addition, all of the related Specifications, i.e., the registered PNG extensions, and the companion MNG Specification version 1.0 and JNG Specification version 1.0, had Glenn at the front as the main editor and moderator-in-chief." (Thanks to Paul Wise)

Security updates have been issued by Debian (389-ds-base, clamav, firefox-esr, and mosquitto), openSUSE (Chromium and firefox), Oracle (firefox and kernel), Red Hat (chromium-browser, firefox, java-1.6.0-sun, java-1.7.0-oracle, and java-1.8.0-oracle), SUSE (dom4j, exempi, mercurial, ntp, python-cryptography, tiff, tomcat, and webkit2gtk3), and Ubuntu (audiofile and firefox).

The LWN.net Weekly Edition for October 25, 2018 is available.

The Python language project has been officially "leaderless" since the mid-July announcement that Guido van Rossum was stepping down. He is, of course, the founder of the language and had served for more than two decades as its Benevolent Dictator for Life (BDFL). But he did not appoint a successor and left it up to the project's core developers to come up with a new governance structure. In the three months since, a great deal of work has gone into that effort, which has to bootstrap itself since there was not even any mechanism to choose how to select a new governance model.

The kernel community tries to never change the user-space API in ways that will break applications, but it explicitly allows any internal API to be changed at any time if a solid technical reason to do so exists. But that doesn't mean that such changes are easy to do. At the 2018 Kernel Maintainers Summit, Kees Cook led a discussion on the challenges he has encountered when trying to effect large-scale API changes and what might be done to make such changes go more smoothly.

Security updates have been issued by Fedora (hesiod, lighttpd, and opencc), openSUSE (apache-pdfbox, net-snmp, pam_pkcs11, rpm, tiff, udisks2, and wireshark), SUSE (dhcp, ghostscript-library, ImageMagick, libraw, net-snmp, ntp, postgresql96, rust, tiff, xen, and zziplib), and Ubuntu (mysql-5.5, mysql-5.7).

Improving the quality of stable kernel releases is a perennial subject at the Kernel and Maintainers Summit events, and this year was no exception. This session, led by Fedora kernel maintainer Laura Abbott, discussed a range of ideas but found no silver bullets. There is, it seems, not much that can be done to create better stable kernels except to perform more and better testing.

Ars technica takes a look at the Enhanced Tracking Protection (ETP) feature in Firefox 63. "Firefox has long had the ability to block all third-party cookies, but this is a crude solution, and many sites will break if all third-party cookies are prohibited. The new EPT option works as a more selective block on tracking cookies; third-party cookies still work in general, but those that are known to belong to tracking companies are blocked. For the most part, sites will retain their full functionality, just without undermining privacy at the same time. At least for now, however, Mozilla is defaulting this feature to off, so the company can get a better idea of the impact it has on the Web. In testing, the company has found the occasional site that breaks when tracking cookies are blocked. Over the next few months, Firefox developers will get a better picture of just how much breaks, and, if it's not too severe, the plan is to block trackers by default starting in early 2019." The article also mentions a second privacy-related feature; the offer of a subscription to the ProtonVPN service.

The Firefox 63 release notes contain other details.

Security updates have been issued by CentOS (java-1.8.0-openjdk), Fedora (mosquitto), openSUSE (binutils, clamav, exiv2, fuse, haproxy, singularity, and zziplib), Slackware (firefox), SUSE (apache-pdfbox, net-snmp, pam_pkcs11, postgresql94, rpm, tiff, and wireshark), and Ubuntu (kernel, libssh, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-azure, linux-lts-trusty, linux-lts-xenial, linux-aws, net-snmp, paramiko, requests, and texlive-bin).

The Linux Foundation's Technical Advisory Board is chosen by a vote at the Kernel Summit each year; this year, that will happen during the Linux Plumbers Conference in November. The call for nominations to the board has gone out; it remains open until the voting happens. "The TAB advises the Foundation on kernel-related matters, helps member companies learn to work with the community, and works to resolve community-related problems before they get out of hand. We're also working with kernel maintainers to help refine the new code of conduct, and serving as the initial point of contact for code of conduct issues."

The 2018 Kernel Maintainers Summit convened in Edinburgh, UK on October 22 with a number of things to discuss, but the top subject on most minds was the recently (and hastily) adopted code of conduct. Linus Torvalds made his reentry into the kernel community with a discussion of how we got to the current state of affairs, and the assembled maintainers had a relatively good-natured discussion on how this situation came about and where things can be expected to go from here.

The Samba team has announced a set of guidelines for the project. "Please note this is not a "Code of Conduct" as such, but a set of advisory guidelines we'd like people to follow, with a way for people (privately if they prefer) to raise issues if they see them. I hope everyone will find this document acceptable as a way for us to agree on how we want our community to be a welcoming one for all members."

Richard Stallman has released an initial version of the GNU Kind Communications Guidelines, and asks all GNU contributors to make their best efforts to follow these guidelines in GNU Project discussions. "The idea of the GNU Kind Communication Guidelines is to start guiding people towards kinder communication at a point well before one would even think of saying, "You are breaking the rules." The way we do this, rather than ordering people to be kind or else, is try to help people learn to make their communication more kind. I hope that kind communication guidelines will provide a kinder and less strict way of leading a project's discussions to be calmer, more welcoming to all participants of good will, and more effective."

Security updates have been issued by Arch Linux (thunderbird), Debian (drupal7, exiv2, and ghostscript), Fedora (apache-commons-compress, git, libssh, and patch), Mageia (389-ds-base, calibre, clamav, docker, ghostscript, glib2.0, libtiff, mgetty, php-smarty, rust, tcpflow, and vlc), openSUSE (Chromium, icinga, and libssh), and SUSE (clamav, fuse, GraphicsMagick, haproxy, libssh, thunderbird, tomcat, udisks2, and Xerces-c).

Greg Kroah-Hartman has released the 4.19 kernel. Headline features in this release include the new AIO-based polling interface, L1TF vulnerability mitigations, the block I/O latency controller, time-based packet transmission, the CAKE queuing discipline, and much more. "And with that, Linus, I'm handing the kernel tree back to you. You can have the joy of dealing with the merge window".

Greg Kroah-Hartman has posted a series of patches making some changes around the newly adopted code of conduct. In particular, it adds a new document describing how the code is to be interpreted in the kernel community. "I originally sent the first two patches in this series to a lot of kernel developers privately, to get their review and comments and see if they wanted to ack them. This is the traditional way we have always done for policy documents or other 'contentious' issues like the GPLv3 statement or the 'closed kernel modules are bad' statement. Due to the very unexpected way that the original Code of Conduct file was added to the tree, a number of developers asked if this series could also be posted publicly before they were merged, and so, here they are."

A new set of stable kernels is now available: 4.18.16, 4.14.78, 4.9.135, and 4.4.162. As usual, there are important fixes contained therein; users should upgrade.

After four years of development since 1.14.0, version 1.16.0 of the cairo 2D graphics library has been released. "Of particular note is a wealth of work by Adrian Johnson to enhance PDF functionality, including restoring support for MacOSX 10.4, metadata, hyperlinks, and more. Much attention also went into fonts, including new colored emoji glyph support, variable fonts, and fixes for various font idiosyncrasies. Other noteworthy changes include GLESv3 support for the cairo_gl backend, tracking of SVG units in generated SVG documents, and cleanups for numerous test failures and related issues in the PDF and Postscript backends." More information can be found in the change log.