lwn.net

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

The "branch history injection" hardware vulnerability

Wed, 2024/04/10 - 4:22 AM
The mainline kernel has just received a set of commits mitigating the latest x86 hardware vulnerability, known as "branch history injection". From this commit:

Branch History Injection (BHI) attacks may allow a malicious application to influence indirect branch prediction in kernel by poisoning the branch history. eIBRS isolates indirect branch targets in ring0. The BHB can still influence the choice of indirect branch predictor entry, and although branch predictor entries are isolated between modes when eIBRS is enabled, the BHB itself is not isolated between modes.

See this commit for documentation on the command-line parameter that controls this mitigation. There are stable kernel releases (6.8.5, 6.6.26, 6.1.85, and 5.15.154) in the works that also contain the mitigations.


[$] The first Linaro Forum for Arm Linux kernel topics

Tue, 2024/04/09 - 11:50 PM
On February 20, Linaro held the initial get-together for what is intended to be a regular Linux Kernel Forum for the Arm-focused kernel community. This gathering aims to convene approximately a few weeks prior to the merge window opening and prior to the release of the current kernel version under development. Topics covered in the first gathering include preparing 64-bit Arm kernels for low-end embedded systems, memory errors and Compute Express Link (CXL), devlink objectives, and scheduler integration.

OpenSSL 3.3.0 released

Tue, 2024/04/09 - 11:18 PM
Version 3.3.0 of the OpenSSL SSL/TLS implementation has been released. Changes include a number of additions to its QUIC protocol support, some year-2038 improvements for 32-bit systems, and a lot of cryptographic features with descriptions like "Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple times with different output sizes." See the release notes for details.

[$] Diagnosing workqueues

Tue, 2024/04/09 - 10:51 PM

There are many mechanisms for deferred work in the Linux kernel. One of them, workqueues, has seen increasing use as part of the move away from software interrupts. Alison Chaiken gave a talk at SCALE about how they compare to software interrupts, the new challenges they pose for system administrators, and what tools are available to kernel developers wishing to diagnose problems with workqueues as they become increasingly prevalent.


Security updates for Tuesday

Tue, 2024/04/09 - 10:25 PM
Security updates have been issued by Debian (expat), Oracle (less and nodejs:20), Slackware (libarchive), SUSE (kubernetes1.23, nghttp2, qt6-base, and util-linux), and Ubuntu (python-django).

Rivendell v4.2.0 released

Tue, 2024/04/09 - 5:02 AM

Version 4.2.0 of the Rivendell radio automation system has been released. Changes include a new data feed for 'next' data objects, improvements to its podcast system, numerous bug fixes, and more.


Introducing Jpegli: A New JPEG Coding Library (Google Open Source Blog)

Tue, 2024/04/09 - 12:25 AM
The Google Open Source Blog is carrying an announcement for a new JPEG library called "Jpegli". There are a number of advantages claimed, including:

Jpegli can be encoded with 10+ bits per component. Traditional JPEG coding solutions offer only 8 bit per component dynamics causing visible banding artifacts in slow gradients. Jpegli's 10+ bits coding happens in the original 8-bit formalism and the resulting images are fully interoperable with 8-bit viewers. 10+ bit dynamics are available as an API extension and application code changes are needed to benefit from it.

The library is BSD-licensed.


[$] The PostgreSQL community debates ALTER SYSTEM

Tue, 2024/04/09 - 12:18 AM
Sometimes the smallest patches create the biggest discussions. A case in point would be the process by which the PostgreSQL community — not a group normally prone to extended, strongly worded megathreads — resolved the question of whether to merge a brief patch adding a new configuration parameter. Sometimes, a proposal that looks like a security patch is not, in fact, intended to be a security patch, but getting that point across can be difficult.

GNU Stow 2.4.0 released

Tue, 2024/04/09 - 12:06 AM

Version 2.4.0 of the GNU Stow symbolic-link manager has been released. This marks the first release for GNU Stow since 2019. Maintainer Adam Spires wrote:

I would like to sincerely apologise to all Stow users for this incredibly overdue release, the cadence of which is perhaps vaguely reminiscent of releases by the great Donald Knuth, except with none of the grace and deliberate planning.

Spires notes that this release "makes considerable efforts to make the internals more understandable and easy to maintain", and has put out a call for a co-maintainer.


Security updates for Monday

Mon, 2024/04/08 - 11:12 PM
Security updates have been issued by Debian (jetty9, libcaca, libgd2, tomcat9, and util-linux), Fedora (chromium, micropython, and upx), Mageia (chromium-browser-stable, dav1d, libreswan, libvirt, nodejs, texlive-20220321, and util-linux), Red Hat (less, nodejs:20, and varnish), Slackware (tigervnc), and SUSE (buildah, c-ares, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, cont, curl, expat, go1.21, go1.22, guava, helm, indent, krb5, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libcares2, libvirt, ncurses, nghttp2, podman, postfix, python-Django, python-Pillow, python310, qemu, rubygem-rack, thunderbird, ucode-intel, and xen).

Kernel prepatch 6.9-rc3

Mon, 2024/04/08 - 10:43 PM
The 6.9-rc3 kernel prepatch is out for testing.

Ok, so this rc3 looks a bit different than the usual ones, because there's a large series to bcachefs to do filesystem repair after corruption. Not normally something we'd see in an rc kernel, but hey, if you had a corrupted bcachefs filesystem you'd probably want this, and if you thought bcachefs was stable already, I have a bridge to sell you. Special deal only for you, real cheap.


Tridge returns to rsync

Sun, 2024/04/07 - 6:24 AM

Wayne Davison has announced the release of rsync version 3.3.0, which contains a number of bug fixes and minor enhancements. Davison has also announced a change in maintainers and a move to a new GitHub project:

The github repos have moved to a new RsyncProject organization. Because various life events have been monopolizing my time, I reached out to Tridge [Andrew Tridgell] (the original author) and he has graciously agreed to get back into rsync work, along with Paul Mackerras, who was also an early contributor to rsync. This new team will be working mainly on maintenance tasks, and not so much on new features. If you want to get involved, feel free to reach out on the new discord RsyncProject channels.

The new GitHub organization is here.


[$] A look at the 2024 Debian Project Leader election

Sat, 2024/04/06 - 3:11 AM

The nominations have closed and campaigning is underway to see who will be the next Debian Project Leader (DPL). This year, two candidates are campaigning for the position Jonathan Carter has held for four eventful years: Sruthi Chandran and Andreas Tille. Topics that have emerged so far include how the prospective DPLs would spend project money, their opinions on handling controversial topics, and project diversity.


OpenBSD 7.5 released

Fri, 2024/04/05 - 11:44 PM
OpenBSD 7.5 has been released. The list of changes and improvements is, as usual, long; it includes the pinsyscalls() functionality covered here in January.

Eclipse Foundation announces collaboration for CRA compliance

Fri, 2024/04/05 - 11:34 PM

The Eclipse Foundation, the organization behind the Eclipse IDE and many other software projects, announced a collaboration between several different open-source-software foundations to create a specification describing secure software development best practices. This work is motivated by the European Union's Cyber Resilience Act (CRA).

The leading open source communities and foundations have for years developed and practised secure software development processes. These are processes that have often defined or set industry best practices around things such as coordinated disclosure, peer review, and release processes. These processes have been documented by each of these communities, albeit sometimes using different terminology and approaches. We hypothesise that the cybersecurity process technical documentation that already exists amongst the open source communities can provide a useful starting point for developing the cybersecurity processes required for regulatory compliance.

(Thanks to Martin Michlmayr.)


FFmpeg 7.0 released

Fri, 2024/04/05 - 10:47 PM
Version 7.0 of the FFmpeg audio/video toolkit is out. "The most noteworthy changes for most users are a native VVC decoder (currently experimental, until more fuzzing is done), IAMF support, or a multi-threaded ffmpeg CLI tool". There's also the usual list of new formats and codecs, and a few deprecated features have been removed.

Security updates for Friday

Fri, 2024/04/05 - 10:35 PM
Security updates have been issued by Debian (cockpit), Mageia (python-pygments), Red Hat (nodejs), Slackware (httpd and nghttp2), SUSE (avahi, gradle, gradle-bootstrap, and squid), and Ubuntu (xorg-server, xwayland).

Stable kernels 6.8.4 and 6.6.25

Fri, 2024/04/05 - 4:13 AM
The 6.8.4 and 6.6.25 stable kernels have been released. They both contain 11 reversions of workqueue patches.

V8 incorporates new sandbox

Fri, 2024/04/05 - 2:46 AM

V8, the JavaScript engine used in Chrome, announced that its memory sandbox is no longer experimental.

Chrome 123 could therefore be considered to be a sort of "beta" release for the sandbox. This blog post uses this opportunity to discuss the motivation behind the sandbox, show how it prevents memory corruption in V8 from spreading within the host process, and ultimately explain why it is a necessary step towards memory safety.

[$] A focus on FOSS funding

Fri, 2024/04/05 - 2:38 AM

Among the numerous approaches to funding the development and advancement of open-source software, corporate sponsorship in the form of donations to umbrella organizations is perhaps the most visible. At SCALE21x in Pasadena, California, Duane O'Brien presented a slice of his recent research into the landscape of such sponsorship arrangements, with an overview of the identifiable trends of the past ten years and some initial insights he hopes are valuable for sponsors and community members alike.

