Brief items
Security
Git security fixes released
Git maintainer Junio C Hamano has announced the release of v2.35.2, along with multiple other Git versions ("v2.30.3, v2.31.2, v2.32.1, v2.33.2, and v2.34.2"), to fix a security problem that can happen on multi-user machines (CVE-2022-24765). This GitHub blog post has more details, though the GitHub service itself is not vulnerable. The description in the announcement seems a bit Windows-centric, but Linux multi-user systems are apparently vulnerable as well:
On multi-user machines, Git users might find themselves unexpectedly in a Git worktree, e.g. when another user created a repository in `C:\.git`, in a mounted network drive or in a scratch space. Merely having a Git-aware prompt that runs `git status` (or `git diff`) and navigating to a directory which is supposedly not a Git worktree, or opening such a directory in an editor or IDE such as VS Code or Atom, will potentially run commands defined by that other user.
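The discovery walk the announcement describes, and the check the fixed releases add against it, as an added illustration written for this page (a simplified model, not Git's own code): discover() walks upward from a directory until it finds a `.git` entry, refuses a repository whose directory is owned by another user unless that directory is listed as safe, and stops before entering a ceiling directory. run_demo() builds a constructed tree under /tmp and exercises the four cases. The function names and the directory layout are assumptions of the example; the owner rule, the safe.directory setting and GIT_CEILING_DIRECTORIES are the real Git mechanisms it models.

```c
/* Added illustration of the repository-discovery walk behind CVE-2022-24765,
 * with the owner check the fixed Git releases add.  Simplified model written
 * for this page, not Git's own code; discover(), run_demo() and the demo
 * directory layout are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

enum discovery { NO_REPO, REPO_OK, REPO_UNSAFE_OWNER };

/* Walk from the absolute path `start` upwards looking for a ".git" entry,
 * stopping at "/" or before entering `ceiling` (cf. GIT_CEILING_DIRECTORIES).
 * A candidate is accepted only if its directory is owned by `uid` or appears
 * in `safe_dirs` (cf. the safe.directory setting); otherwise the walk refuses
 * it instead of silently using that user's config and hooks.
 * On success the worktree root is copied to `out`. */
enum discovery discover(const char *start, const char *ceiling, uid_t uid,
                        const char *const *safe_dirs, size_t n_safe,
                        char *out, size_t out_len)
{
    char path[PATH_MAX], probe[PATH_MAX + 8];
    struct stat st;

    if (start[0] != '/' || strlen(start) >= sizeof path)
        return NO_REPO;                     /* model only takes absolute paths */
    strcpy(path, start);

    for (;;) {
        snprintf(probe, sizeof probe, "%s/.git", path[1] ? path : "");
        if (stat(probe, &st) == 0) {        /* a repository lives here */
            int trusted = (stat(path, &st) == 0 && st.st_uid == uid);
            for (size_t i = 0; i < n_safe && !trusted; i++)
                trusted = (strcmp(safe_dirs[i], path) == 0);
            if (!trusted)
                return REPO_UNSAFE_OWNER;
            snprintf(out, out_len, "%s", path);
            return REPO_OK;
        }
        /* No .git here: move to the parent, unless already at "/". */
        char *slash = strrchr(path, '/');
        if (slash == path) {
            if (path[1] == '\0')
                return NO_REPO;
            path[1] = '\0';                 /* parent of "/foo" is "/" */
        } else {
            *slash = '\0';
        }
        if (ceiling != NULL && strcmp(path, ceiling) == 0)
            return NO_REPO;                 /* would climb into a ceiling dir */
    }
}

/* Builds a constructed tree <tmp>/.git and <tmp>/scratch/project, then runs
 * four discovery scenarios.  Returns 0 if every scenario behaves like the
 * fixed Git, otherwise the number of the first scenario that did not. */
int run_demo(void)
{
    char root[] = "/tmp/git-discovery-demo.XXXXXX";
    char git[PATH_MAX], scratch[PATH_MAX], project[PATH_MAX], found[PATH_MAX];
    const char *safe[1];
    uid_t me = getuid();
    int rc = 0;

    if (mkdtemp(root) == NULL)
        return -1;
    snprintf(git, sizeof git, "%s/.git", root);
    snprintf(scratch, sizeof scratch, "%s/scratch", root);
    snprintf(project, sizeof project, "%s/scratch/project", root);
    if (mkdir(git, 0700) || mkdir(scratch, 0700) || mkdir(project, 0700))
        rc = -1;
    safe[0] = root;

    /* 1: a repository owned by the current user is found from a subdirectory. */
    if (rc == 0 && (discover(project, NULL, me, NULL, 0, found, sizeof found) != REPO_OK
                    || strcmp(found, root) != 0))
        rc = 1;
    /* 2: the same .git owned by someone else (simulated as me + 1) is refused. */
    if (rc == 0 && discover(project, NULL, me + 1, NULL, 0, found, sizeof found) != REPO_UNSAFE_OWNER)
        rc = 2;
    /* 3: ... unless its directory is listed as a safe directory. */
    if (rc == 0 && discover(project, NULL, me + 1, safe, 1, found, sizeof found) != REPO_OK)
        rc = 3;
    /* 4: a ceiling directory below the repository stops the walk early. */
    if (rc == 0 && discover(project, scratch, me, NULL, 0, found, sizeof found) != NO_REPO)
        rc = 4;

    rmdir(project); rmdir(scratch); rmdir(git); rmdir(root);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("demo %s (code %d)\n", rc == 0 ? "passed" : "failed", rc);
    return rc == 0 ? 0 : 1;
}
```

Scenario 2 is the one the advisory is about: before the fix there was no owner comparison, so a `.git` planted in a shared parent directory was accepted from any subdirectory below it.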
Security quotes of the week
But [John] Oliver then does something entertaining: he reveals that his show directly approached data brokers and purchased the online behavior and location data of many people who are likely lawmakers working in or around the Capitol building. Oliver only makes a few vague nods to some of the questionable browsing activity he discovered, while hoping lawmakers are now motivated to do something about it [...]

What I still think will happen is eventually there will be a data scandal too massive and problematic to ignore, featuring a lot of very powerful and influential people. Likely a scandal that puts human lives at risk in some way. Only then will DC wake up to the perils of letting the adtech market run amok, and even then my faith in DC competently crafting helpful solutions in response remains shaky at best.
— Karl Bode (and John Oliver) on adtech
Motherboard requested records mentioning AirTags in a recent eight month period from dozens of the country's largest police departments. We obtained records from eight police departments.

Of the 150 total police reports mentioning AirTags, in 50 cases women called the police because they started getting notifications that their whereabouts were being tracked by an AirTag they didn't own. Of those, 25 could identify a man in their lives—ex-partners, husbands, bosses—who they strongly suspected planted the AirTags on their cars in order to follow and harass them. Those women reported that current and former intimate partners—the most likely people to harm women overall—are using AirTags to stalk and harass them.
— Samantha Cole
[Slovakian cybersecurity firm] ESET and CERT-UA [Ukrainian Computer Emergency Response Team] say the malware was planted on target systems within a regional Ukrainian energy firm on Friday. CERT-UA says that the attack was successfully detected in progress and stopped before any actual blackout could be triggered. But an earlier, private advisory from CERT-UA last week, first reported by MIT Technology Review today, stated that power had been temporarily switched off to nine electrical substations.

Both CERT-UA and ESET declined to name the affected utility. But more than 2 million people live in the area it serves, according to Farid Safarov, Ukraine's deputy minister of energy.
— Andy Greenberg in Wired
Kernel development
Kernel release status
The current development kernel is 5.18-rc2, released on April 10. "Things look fairly normal here, although it's early in the release cycle so it's a bit hard to say for sure. But at least it's not looking particularly odd, and we have fixes all over."
Stable updates: 5.17.2, 5.16.19, 5.15.33, and 5.10.110 were released on April 8, followed by 4.9.310 on April 12, and by 5.17.3, 5.16.20, 5.15.34, and 5.10.111 on April 13.
Development
Malcolm: The state of static analysis in the GCC 12 compiler
David Malcolm has posted an update on the state of static analysis in GCC 12.
Some other languages, such as Perl, can track input and flag any variable that should not be trusted because it was read from an outside source such as a web form. Flagging variables in this manner is called tainting. After a program runs the variable through a check, the variable can be untainted, a process called sanitization.

Our GCC analyzer's taint mode is activated by -fanalyzer-checker=taint (which should be specified in addition to -fanalyzer). Taint mode attempts to track attacker-controlled values entering the program and to warn if they are used without sanitization.
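The tainting and sanitization the quote describes, as an added example written for this page (not code from Malcolm's article or from GCC itself): a record handler that uses two attacker-controlled values, one as an array index and one as a memcpy size, first without any check and then with the bounds checks that untaint them. The function marks its arguments with GCC 12's tainted_args attribute so that taint mode treats them as attacker-controlled; the record format, the table and the function names are constructed for the demo.

```c
/* Added example for this page, not code from David Malcolm's article or from
 * GCC: the kind of pattern GCC 12's taint mode is meant to flag, next to its
 * sanitized form.  Analyze with:
 *   gcc -fanalyzer -fanalyzer-checker=taint -c taint_demo.c
 * The record format, table and function names are constructed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* GCC 12's tainted_args attribute marks a function whose arguments arrive from
 * outside the trust boundary (a parsed packet, a syscall argument), so the
 * analyzer treats them as attacker-controlled.  Guarded so that compilers
 * without the attribute simply ignore it. */
#if defined(__has_attribute)
#  if __has_attribute(tainted_args)
#    define TAINTED_ARGS __attribute__((tainted_args))
#  endif
#endif
#ifndef TAINTED_ARGS
#  define TAINTED_ARGS
#endif

#define KIND_COUNT   8
#define PAYLOAD_MAX 32

/* Maps a record kind from the wire to an internal code (constructed values). */
static const uint8_t kind_codes[KIND_COUNT] = { 10, 11, 12, 13, 14, 15, 16, 17 };

struct record {
    uint8_t code;
    uint8_t len;
    uint8_t payload[PAYLOAD_MAX];
};

/* Unsanitized: `kind` indexes an 8-entry table and `len` sizes a copy into a
 * 32-byte buffer, both straight from the attacker.  These are the cases the
 * GCC 12 manual lists as -Wanalyzer-tainted-array-index and
 * -Wanalyzer-tainted-size. */
TAINTED_ARGS int handle_record_unchecked(uint8_t kind, uint8_t len,
                                         const uint8_t *payload, struct record *out)
{
    out->code = kind_codes[kind];           /* tainted index, no upper bound */
    out->len = len;
    memcpy(out->payload, payload, len);     /* tainted size, no upper bound */
    return 0;
}

/* Sanitized: each tainted value is bounds-checked before it reaches the memory
 * operation, which is what untaints it on that path.  Returns -1 on reject. */
TAINTED_ARGS int handle_record_checked(uint8_t kind, uint8_t len,
                                       const uint8_t *payload, struct record *out)
{
    if (kind >= KIND_COUNT)
        return -1;
    if (len > PAYLOAD_MAX)
        return -1;
    out->code = kind_codes[kind];
    out->len = len;
    memcpy(out->payload, payload, len);
    return 0;
}

/* Runs the checked handler on a constructed message and returns the internal
 * code on acceptance or -1 on rejection. */
int demo_checked(uint8_t kind, uint8_t len)
{
    static const uint8_t payload[PAYLOAD_MAX] = { 'h', 'e', 'l', 'l', 'o' };
    struct record rec;
    if (handle_record_checked(kind, len, payload, &rec) != 0)
        return -1;
    return rec.code;
}
```

The two handlers compile identically; the difference only shows up under -fanalyzer -fanalyzer-checker=taint, where the unchecked one is reported and the checked one is not, which is the "untainting" the quote refers to.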
OpenSSH 9.0 released
OpenSSH 9.0 has been released. It is claimed to be primarily a bug-fix release, but it also switches to a new, quantum-computer-proof key-exchange protocol by default and includes a number of sftp changes, some of which may create some compatibility issues (described in the announcement) with scp.
We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol.
Qt 6.3 released
Version 6.3 of the Qt graphics library has been released. "Qt 6.3 also comes with a decent set of new functionality. A total of 250 user stories and tasks implementing new functionality have been completed for 6.3. Those are of course too many to list individually, and if you want to have all the details, have a look at our new features page and our Release Notes."
Rust 1.60.0 released
Version 1.60.0 of the Rust language is available. Changes include coverage-testing improvements, the return of incremental compilation, and changes to the Instant type:
Prior to 1.60, the monotonicity guarantees were provided through mutexes or atomics in std, which can introduce large performance overheads to Instant::now(). Additionally, the panicking behavior meant that Rust software could panic in a subset of environments, which was largely undesirable, as the authors of that software may not be able to fix or upgrade the operating system, hardware, or virtualization system they are running on.
Page editor: Jake Edge