Linux Weekly News
Security updates for Wednesday
[$] Eliminating indirect calls for security modules
Security updates for Tuesday
Scientific Linux 7 reaches end of life
[$] Arithmetic overflow mitigation in the kernel
On May 7, Kees Cook sent a proposal to the linux-kernel mailing list, asking for the kernel developers to start working on a way to mitigate unintentional arithmetic overflow, which has been a source of many bugs. This is not the first time Cook has made a request along these lines; he sent a related patch set in January 2024. Several core developers objected to the plan for different reasons. After receiving their feedback, Cook modified his approach to tackle the problem in a series of smaller steps.
Security updates for Monday
Serious vulnerability fixed with OpenSSH 9.8
Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon.
Exploitation on non-glibc systems is conceivable but has not been examined.
There is a configuration workaround for systems that cannot be updated, though it has its own problems. See this Qualys advisory for more details.
Kernel prepatch 6.10-rc6
[$] FreeDOS turns 30
FreeDOS is an open-source operating system designed to be compatible with the now-defunct MS-DOS. Three decades have now passed since the FreeDOS project was first announced, and it is still alive and well with a small community of developers and users committed to running legacy DOS software, classic DOS games, and developing modern applications that extend its functionality well beyond the original MS-DOS. It may well be around in another 30 years.
FSF Europe condemns Apple's DMA noncompliance
The Free Software Foundation Europe has submitted a joint position to the European Commission (EC), claiming that Apple has failed to comply with the EU's Digital Markets Act (DMA). This is the law that requires Apple to support alternative application stores on the devices it makes.
Apple's unfair behaviour against Free Software highlights the critical need to monitor the implementation of the DMA. The FSFE collaborated with F-Droid, the AppFair project, and other interoperability experts to scrutinize Apple's DMA compliance, and it's impact on Free Software. Since then, we coordinated several expert workshops with stakeholders, discussed with regulators in FOSDEM, had official meetings with the EC's DMA team, and submitted a comprehensive position to the EC detailing several problematic elements in the Apple compliance that will harm the Free Software.[$] Redox: An operating system in Rust
With the Rust-for-Linux project starting to gain some ground, it is worth looking at other operating systems that use Rust in their kernels. There are many attempts to use Rust for operating system development, but Redox may be the most complete. Redox is an MIT-licensed microkernel and corresponding user space, designed around concepts taken from Plan 9. While nowhere near being usable as a replacement for Linux, it already provides a graphical user interface and the ability to run many POSIX programs.
Security updates for Friday
Highlights from the FreeBSD Developer Summit
The FreeBSD Foundation has published a set of reports from the May 2024 FreeBSD Developer Summit held in Ottawa, Canada. The topics include FreeBSD Core Team updates, FreeBSD 15 release planning, Integration with Rust, and OCI containers on FreeBSD:
Doug Rabson began by providing an overview of the current state of FreeBSD support for OCI containers, noting that while FreeBSD has long supported containers through its jail and vnet features, the ecosystem around OCI containers requires further development. "FreeBSD has been able to do containers for a long time, but we need to align better with OCI standards to make our containers more compatible and easier to use," Rabson remarked.Mourning Daniel Bristot de Oliveira
Free Software Foundation adds three board members
The Free Software Foundation (FSF) has announced the addition of three new members to its board: John Gilmore, Christina Haralanova, and Maria Chiara Pievatolo. This is part of FSF governance changes announced in January 2023. The next step is a review of current board members:
These three new members of the FSF's board of directors are the first to be appointed since 2020, when Odile Bénassy joined. Given the importance of the FSF to the free software movement, and the importance of its board to ensure preservation of the software freedom definition, the board has not taken its task lightly. Next, the FSF will evaluate current board members with the FSF's associate members in August, after which the voting members will review the feedback received and decide if each current board member should remain.More information on the process, and a short biography of each new board member, is available in the full announcement.
[$] Direct-to-device networking
[$] Python grapples with Apple App Store rejections
An upgrade from Python 3.11 to 3.12 has led to the rejection of some Python apps by Apple's app stores. That led to Eric Froemling submitting a bug report against CPython. That, in turn, led to an interesting discussion among Python developers about how far the project was willing to go to accommodate app store review processes. Developers reached a quick consensus, and a solution that may arrive as soon as Python 3.13.