Linux Weekly News

Linux Weekly News is a comprehensive source of news and opinions from and about the Linux community. This is the main feed, listing all articles which are posted to the site front page.

Kroah-Hartman: Meltdown and Spectre Linux Kernel Status

Sat, 01/06/2018 - 12:53
Here's an update from Greg Kroah-Hartman on the kernel's response to Meltdown and Spectre. "If you rely on any other kernel tree other than 4.4, 4.9, or 4.14 right now, and you do not have a distribution supporting you, you are out of luck. The lack of patches to resolve the Meltdown problem is so minor compared to the hundreds of other known exploits and bugs that your kernel version currently contains. You need to worry about that more than anything else at this moment, and get your systems up to date first. Also, go yell at the people who forced you to run an obsoleted and insecure kernel version, they are the ones that need to learn that doing so is a totally reckless act."

[$] Addressing Meltdown and Spectre in the kernel

Fri, 01/05/2018 - 18:36
When the Meltdown and Spectre vulnerabilities were disclosed on January 3, attention quickly turned to mitigations. There was already a clear defense against Meltdown in the form of kernel page-table isolation (KPTI), but the defenses against the two Spectre variants had not been developed in public and still do not exist in the mainline kernel. Initial versions of proposed defenses have now been disclosed. The resulting picture shows what has been done to fend off Spectre-based attacks in the near future, but the situation remains chaotic, to put it lightly.

Haas: The State of VACUUM

Fri, 01/05/2018 - 17:20
Robert Haas continues his series on the PostgreSQL VACUUM operation with this survey of recent work and unsolved problems. "What is left to be done? The PostgreSQL development community has made great progress in reducing the degree to which VACUUM performs unnecessary scans of table pages, but basically no progress at all in avoiding unnecessary scanning of index pages. For instance, even a VACUUM which finds no dead row versions will still scan btree indexes to recycle empty pages."

More details about mitigations for the CPU Speculative Execution issue (Google Security Blog)

Fri, 01/05/2018 - 13:47
One of the main concerns about the mitigations for the Meltdown/Spectre speculative execution bugs has been performance. The Google Security Blog is reporting negligible performance impact on Google systems for two of the mitigations (kernel page-table isolation and Retpoline): "In response to the vulnerabilities that were discovered we developed a novel mitigation called “Retpoline” -- a binary modification technique that protects against “branch target injection” attacks. We shared Retpoline with our industry partners and have deployed it on Google’s systems, where we have observed negligible impact on performance. In addition, we have deployed Kernel Page Table Isolation (KPTI) -- a general purpose technique for better protecting sensitive information in memory from other software running on a machine -- to the entire fleet of Google Linux production servers that support all of our products, including Search, Gmail, YouTube, and Google Cloud Platform. There has been speculation that the deployment of KPTI causes significant performance slowdowns. Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance."

Three new stable kernels

Fri, 01/05/2018 - 11:09
Greg Kroah-Hartman has announced the release of the 4.14.12, 4.9.75, and 4.4.110 stable kernels. The bulk of the changes are either to fix the mitigations for Meltdown/Spectre (in 4.14.12) or to backport those mitigations (in the two older kernels). There are apparently known (or suspected) problems with each of the releases, which Kroah-Hartman is hoping to get shaken out in the near term. For example, the 4.4.110 announcement warns: "But be careful, there have been some reports of problems with this release during the -rc review cycle. Hopefully all of those issues are now resolved. So please test, as of right now, it should be 'bug compatible' with the 'enterprise' kernel releases with regards to the Meltdown bug and proper support on all virtual platforms (meaning there is still a vdso issue that might trip up some old binaries, again, please test!)"

Security updates for Friday

Fri, 01/05/2018 - 10:36
Security updates have been issued by Arch Linux (kernel), CentOS (kernel, libvirt, microcode_ctl, and qemu-kvm), Debian (kernel and xen), Fedora (kernel), Mageia (backintime, erlang, and wildmidi), openSUSE (kernel and ucode-intel), Oracle (kernel, libvirt, microcode_ctl, and qemu-kvm), Red Hat (kernel, kernel-rt, libvirt, microcode_ctl, qemu-kvm, and qemu-kvm-rhev), Scientific Linux (libvirt and qemu-kvm), SUSE (kvm and qemu), and Ubuntu (ruby1.9.1, ruby2.0, ruby2.3).

A collection of Meltdown/Spectre postings

Thu, 01/04/2018 - 13:38
There's lots of material out on the net regarding the just-disclosed processor vulnerabilities and their impact on users. Here is a list of worthwhile stuff we have found.

Security updates for Thursday

Thu, 01/04/2018 - 10:53
As might be guessed, a fair number of these updates are for the kernel and microcode changes to mitigate Meltdown and Spectre. More are undoubtedly coming over the next weeks.

Security updates have been issued by CentOS (kernel, linux-firmware, and microcode_ctl), Debian (imagemagick), Fedora (kernel, libvirt, and python33), Mageia (curl, gdm, gnome-shell, libexif, libxml2, libxml2, perl-XML-LibXML, perl, swftools, and systemd), openSUSE (kernel-firmware), Oracle (kernel), Red Hat (kernel, kernel-rt, linux-firmware, and microcode_ctl), Scientific Linux (kernel, linux-firmware, and microcode_ctl), SUSE (ImageMagick, java-1_7_0-openjdk, kernel, kernel-firmware, microcode_ctl, qemu, and ucode-intel), and Ubuntu (apport, dnsmasq, and webkit2gtk).

[$] Weekly Edition for January 4, 2018

Wed, 01/03/2018 - 21:17
The Weekly Edition for January 4, 2018 is available.

[$] Notes from the Intelpocalypse

Wed, 01/03/2018 - 19:42
Rumors of an undisclosed CPU security issue have been circulating since before LWN first covered the kernel page-table isolation patch set in November 2017. Now, finally, the information is out — and the problem is even worse than had been expected. Read on for a summary of these issues and what has to be done to respond to them in the kernel.

[$] Varlink: a protocol for IPC

Wed, 01/03/2018 - 18:40

One of the motivations behind projects like kdbus and bus1, both of which have fallen short of mainline inclusion, is to have an interprocess communication (IPC) mechanism available early in the boot process. The D-Bus IPC mechanism has a daemon that cannot be started until filesystems are mounted and the like, but what if the early boot process wants to perform IPC? A new project, varlink, was recently announced; it aims to provide IPC from early boot onward, though it does not really address the longtime D-Bus performance complaints that also served as motivation for kdbus and bus1.

The disclosure on the processor bugs

Wed, 01/03/2018 - 17:25
The rumored bugs in Intel (and beyond) processors have now been disclosed: they are called Meltdown and Spectre, and have the requisite cute logos. Stay tuned for more.

See also: this Project Zero blog post. "Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, we have exploits that work against real software. We reported this issue to Intel, AMD and ARM on 2017-06-01."

See also: this Google blog posting on how it affects users of Google products in particular. "[Android] devices with the latest security update are protected. Furthermore, we are unaware of any successful reproduction of this vulnerability that would allow unauthorized information disclosure on ARM-based Android devices. Supported Nexus and Pixel devices with the latest security update are protected."

[$] A Modularity rethink for Fedora

Wed, 01/03/2018 - 17:19

We have covered the Fedora Modularity initiative a time or two over the years but, just as the modular "product" started rolling out, Fedora went back to the drawing board. There were a number of fundamental problems with Modularity as it was to be delivered in the Fedora 27 server edition, so a classic version of the distribution was released instead. But Modularity is far from dead; there is a new plan afoot to deliver it for Fedora 28, which is due in May.

A press release from Intel

Wed, 01/03/2018 - 15:31
Intel has responded to reports of security issues in its processors:

Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.

Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.

Stay tuned, there is certainly more to come.

[$] Statistics for the 4.15 kernel

Wed, 01/03/2018 - 14:33
The 4.15 kernel is likely to require a relatively long development cycle as a result of the post-rc5 merge of the kernel page-table isolation patches. That said, it should be in something close to its final form, modulo some inevitable bug fixes. The development statistics for this kernel release look fairly normal, but they do reveal an unexpectedly busy cycle overall.

Announcing the OpenWrt/LEDE merge

Wed, 01/03/2018 - 14:27
The OpenWrt and LEDE projects have announced their unification under the OpenWrt name. The old OpenWrt CC 15.05 release series will receive a limited number of security and bug fixes, but the current LEDE 17.01 series is the most up-to-date. "The merged project will use the code base of the former LEDE project. OpenWrt specific patches not present in the LEDE repository but meeting LEDE's code quality requirements got integrated into the new tree. The source code will be hosted at with a continuously synchronized mirror hosted at Github. The original OpenWrt codebase has been archived on Github for future reference."

[$] Future directions for PGP

Wed, 01/03/2018 - 11:10

Back in October, LWN reported on a talk about the state of the GNU Privacy Guard (GnuPG) project, an asymmetric public-key encryption and signing tool that had been almost abandoned by its lead developer due to lack of resources before receiving a significant infusion of funding and community attention. GnuPG 2 has brought about a number of changes and improvements but, at the same time, several efforts are underway to significantly change the way GnuPG and OpenPGP are used. This article will look at the current state of GnuPG and the OpenPGP web of trust, as compared to new implementations of the OpenPGP standard and other trust systems.

Security updates for Wednesday

Wed, 01/03/2018 - 11:05
Security updates have been issued by Debian (poppler), Fedora (glibc, phpMyAdmin, python33, and xen), Mageia (awstats, binutils, connman, elfutils, fontforge, fossil, gdb, gimp, jbig2dec, libextractor, libical, libplist, mbedtls, mercurial, OpenEXR, openldap, perl-DBD-mysql, podofo, python-werkzeug, raptor2, rkhunter, samba, w3m, and wayland), and Ubuntu (firefox).

Another set of stable kernel updates

Wed, 01/03/2018 - 09:50
The 4.14.11, 4.9.74, 4.4.109, and 3.18.91 stable kernel updates have been released with another set of significant fixes and updates. Note that 4.14.11 also includes the remainder of the kernel page-table isolation patches.

[$] Welcome to 2018

Tue, 01/02/2018 - 16:42
Welcome to the first feature article for 2018. The holidays are over and it's time to get back to work. One of the first orders of business here at LWN is keeping up with our ill-advised tradition of making unlikely predictions for the coming year. There can be no doubt that 2018 will be an eventful and interesting year; here's our attempt at guessing how it will play out.