[$] The Data Transfer Project

Social networks are typically walled gardens; users of a service can
interact with other users and their content, but cannot see or interact
with data stored in competing services. Beyond that, though, these walled
gardens have generally made it difficult or impossible to decide to switch
to a competitor—all of the user’s data is locked into a particular site. Over
time, that has been changing to some extent, but a new project has the
potential to make it straightforward to switch to a new service without
losing everything. The Data Transfer Project (DTP) is a collaborative
project between several internet heavyweights that wants to “create an
open-source, service-to-service data portability platform”.

Source: LWN

Security updates for Wednesday

Security updates have been issued by CentOS (kernel), Debian (kernel, linux-4.9, postgresql-9.4, and ruby-zip), Fedora (cgit, firefox, knot-resolver, mingw-LibRaw, php-symfony, php-symfony3, php-symfony4, php-zendframework-zend-diactoros, php-zendframework-zend-feed, php-zendframework-zend-http, python2-django1.11, quazip, sox, and thunderbird-enigmail), openSUSE (python-Django and seamonkey), Oracle (kernel), Red Hat (kernel, kernel-rt, and redhat-virtualization-host), Scientific Linux (kernel), Slackware (openssl), SUSE (clamav, firefox, kernel, and samba), and Ubuntu (kernel, libxml2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-hwe, linux-azure, linux-gcp, linux-lts-trusty, linux-lts-xenial, linux-aws, linux-raspi2, and samba).

Source: LWN

[$] CVE-2018-5390 and “embargoes”

A kernel bug that allows a remote denial of service via crafted packets was
fixed recently and the resulting patch
was merged on July 23. But an announcement of the flaw
(which is CVE-2018-5390)
was not released until August 6—a two-week window where users
were left in the dark. It was not just the patch that might have alerted
attackers; the flaw was publicized in other ways, as well,
before the announcement, which has led to some discussion of embargo
policies on the oss-security mailing list. Within free-software circles,
embargoes are generally seen as a necessary evil, but delaying the
disclosure of an already-public bug does not sit well.

Source: LWN

[$] Meltdown strikes back: the L1 terminal fault vulnerability

The Meltdown CPU vulnerability, first disclosed in early January, was frightening
because it allowed unprivileged attackers to easily read arbitrary memory
in the system. Spectre, disclosed at the same time, was harder to exploit
but made it possible for guests running in virtual machines to attack the
host system and other guests. Both vulnerabilities have been mitigated to
some extent (though it will take a long time to even find all of the
Spectre vulnerabilities, much less protect against them). But now the newly
disclosed “L1 terminal fault” (L1TF) vulnerability (also going by the name
Foreshadow) brings back both threats: relatively easy attacks against host
memory from inside a guest. Mitigations are available (and have been merged
into the mainline kernel), but they will be expensive for some users.

Source: LWN

Security updates for Tuesday

Security updates have been issued by Arch Linux (thunderbird), Debian (gdm3 and samba), openSUSE (cgit and lxc), SUSE (grafana, kafka, logstash, openstack-monasca-installer and samba), and Ubuntu (gdm3 and libarchive).

Source: LWN

[$] The importance of being noisy

Hundreds (at least) of kernel bugs are fixed every month. Given the
kernel’s privileged position within the system, a relatively large portion
of those bugs have security implications. Many bugs are relatively easily
noticed once they are triggered; that leads to them being fixed. Some
bugs, though, can be hard to detect, a result that can be worsened by the
design of in-kernel APIs. A proposed change to how user-space accessors
work will, hopefully, help to shine a light on one class of stealthy bugs.

Source: LWN

Security updates for Monday

Security updates have been issued by Debian (blender, openjdk-8, postgresql-9.6, and sam2p), Fedora (libmspack, mingw-glib2, mingw-glibmm24, and rsyslog), Mageia (blender, glpi, godot, kernel, lftp, libjpeg, libsndfile, libsoup, mariadb, mp3gain, openvpn, and soundtouch), openSUSE (cgit, libvirt, mailman, NetworkManager-vpnc, and sddm), Slackware (bind), and SUSE (ffmpeg, glibc, and libvirt).

Source: LWN

The 4.18 kernel is out

Linus has released the 4.18 kernel. “It was a very calm week, and arguably
I could just have released on schedule last week, but we did have some
minor updates.”

Some of the significant features in this release include unprivileged
filesystem mounts, restartable sequences, a new zero-copy TCP receive API,
support for active state management for power domains, the AF_XDP mechanism
for high-performance networking, the core bpfilter packet filter
implementation, and more. See the KernelNewbies 4.18 page for more details.

Source: LWN

[$] The mismatched mount mess

“Mounting” a filesystem is the act of making it available somewhere in the
system’s directory hierarchy. But a mount operation doesn’t just glue a
device full of files into a specific spot in the tree; there is a whole set
of parameters controlling how that filesystem is accessed that can be
specified at mount time. The handling of these mount parameters is the
latest obstacle to getting the proposed new
mounting API
into the mainline; should the new API reproduce what is
arguably one of the biggest misfeatures of the current mount()
system call?

Source: LWN

Security updates for Friday

Security updates have been issued by Fedora (exiv2, kernel-headers, kernel-tools, libgit2, and thunderbird-enigmail), openSUSE (blueman, cups, gdk-pixbuf, libcdio, libraw, libsoup, libtirpc, mysql-community-server, python-mitmproxy, sssd, and virtualbox), Red Hat (cobbler), SUSE (ceph, firefox, NetworkManager-vpnc, openssh, and wireshark), and Ubuntu (openjdk-7 and openjdk-8).

Source: LWN